+++ /dev/null
-
-
-# central usermanagement
-
-...using ldap and kerberos
-
-
-# motivation
-
-warum:
-
-* skaliert
-* sicherheit
-* komfort (single sign on)
-warum nicht:
-
-* fehlerquelle komplexitaet
-* gefahr single point of failure / break in
--> infrastruktur!
-
-
-# theorie
-
-recommended reading:
-
-* [[http://www.openinput.com/auth-howto/index.html|http://www.openinput.com/auth-howto/index.html]]
-* [[http://www.pdc.kth.se/heimdal/|http://www.pdc.kth.se/heimdal/]]
-* [[http://www.openldap.org/doc/admin23/|http://www.openldap.org/doc/admin23/]]
-architektur:
-
-* trusted third party, der KDC. hat gemeinsames secret mit allen hosts/services/usern. "principals". generiert auf anfrage ticket mit zeit, ip, und welcher user zu welchem service.
-design decisions:
-
-* keine passwoerter im ldap, alles via kerberos, rueckwaertskompatibilitaet via pam_krb, nicht sasl oder pam_ldap.
-* kerberos datenbank im ldap, keine seperate replikation noetig (nur mit heimdal).
-* eigene ldap range fuer uid/groupid, root und systemuser bleiben lokal falls das netzwerk spinnt.
-
-# required software
-
-zutaten am server:
-
-* heimdal kerberos (ldap), alternativen: mit, shishi
-* openldap, alternativ: mysql, postgresql
-* wohlgepflegtes dns und reverse-dns
-* schwer empfohlen: replikation und redundanz
-
-[[!format txt """
-sudo aptitude install slapd heimdal-kdc
-"""]]
-zutaten am host:
-
-* libnss-ldap
-* pam-krb5
-* sasl mit gssapi provider
-* richtige zeit, zb. openntpd (kann aber nicht stratum faken fuer windows)
-* kerberized client/serversoftware (zb. openssh, apache2)
-
-[[!format txt """
-sudo aptitude install libnss-ldap libpam-krb5 libsasl2-gssapi-mit heimdal-clients
-"""]]
-
-# vorbereitung: domain name service
-
-config im dns (da gibts uebrigens auch welche mit ldap/sql backend ;):
-
-aka "srv records rock! - for kerberos but not for ldap :("
-
-config file /etc/krb5.conf auf allen hosts ident!
-
-was ist ein "canonical hostname"?
-
-zonefile mm-karton.com (snippet):
-[[!format txt """
-$ORIGIN mm-karton.com.
-kerberos A 10.128.0.24
-kerberos-1 A 10.128.0.25
-ldap CNAME srv-vie-26.vie.mm-karton.com.
-ldap-1 CNAME srv-vie-27.vie.mm-karton.com.
-
-_kerberos TXT "MM-KARTON.COM"
-_kerberos-master._tcp SRV 10 1 88 kerberos
-_kerberos-master._udp SRV 10 1 88 kerberos
-_kpasswd._udp SRV 10 1 464 kerberos
-_kerberos-adm._tcp SRV 10 1 749 kerberos
-_kerberos._tcp SRV 10 1 88 kerberos
-_kerberos._udp SRV 10 1 88 kerberos
-_kerberos._tcp SRV 20 1 88 kerberos-1
-_kerberos._udp SRV 20 1 88 kerberos-1
-
-_ldap._tcp SRV 10 1 88 ldap
-_ldap._tcp SRV 20 1 88 ldap-1
-"""]]
-zonefile mm-karton.net (snippet), afaik heimdal specific:
-[[!format txt """
-_kerberos TXT "MM-KARTON.COM"
-"""]]
-
-# config am server
-
-/etc/ldap/slapd.conf
-
-
-[[!format txt """
-# This is the main slapd configuration file. See slapd.conf(5) for more
-# info on the configuration options.
-
-#######################################################################
-# Global Directives:
-
-include /etc/ldap/schema/core.schema
-include /etc/ldap/schema/cosine.schema
-include /etc/ldap/schema/nis.schema
-include /etc/ldap/schema/inetorgperson.schema
-
-include /etc/ldap/schema/hdb.schema
-
-
-TLSCACertificateFile /etc/ldap/ca_crt.pem
-TLSCertificateFile /etc/ldap/ldap.mm-karton.com_crt.pem
-TLSCertificateKeyFile /etc/ldap/ldap.mm-karton.com_key.pem
-TLSCipherSuite HIGH:MEDIUM:+SSLv2
-
-
-pidfile /var/run/slapd/slapd.pid
-argsfile /var/run/slapd/slapd.args
-
-loglevel 0
-
-modulepath /usr/lib/ldap
-moduleload back_bdb
-moduleload syncprov
-
-# The maximum number of entries that is returned for a search operation
-sizelimit 500
-
-
-
-
-#######################################################################
-# Specific Backend Directives for bdb:
-
-backend bdb
-checkpoint 512 30
-
-
-
-#######################################################################
-# main database
-database bdb
-suffix "dc=mm-karton,dc=com"
-rootdn "cn=ldapmaster@mm-karton.com,dc=mm-karton,dc=com"
-
-directory "/var/lib/ldap"
-dbconfig set_cachesize 0 33554432 0
-lastmod on
-
-
-index objectClass eq
-index cn,uid,displayName eq,sub,pres
-index krb5PrincipalName eq
-index associatedDomain pres,eq,sub
-index entryUUID,default,entryCSN eq
-
-
-# needed for syncrepl
-overlay syncprov
-syncprov-checkpoint 100 10
-syncprov-sessionlog 100
-
-limits dn.exact="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
-
-
-
-
-
-
-#######################################################################
-# sasl config
-
-sasl-secprops minssf=0
-security simple_bind=64
-
-sasl-regexp
- uid=(.+),cn=.+,cn=auth
- ldap:///dc=mm-karton,dc=com??sub?(|(uid=$1)(krb5PrincipalName=$1@MM-KARTON.COM))
-sasl-regexp "=0" "cn=ldapmaster@mm-karton.com,dc=mm-karton,dc=com"
-
-
-
-
-#######################################################################
-# access control
-
-# needed for certain auth stuff
-access to dn.base="" by * read
-access to dn.base="cn=Subschema" by * read
-
-access to attrs=krb5PrincipalName
- by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write
- by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write
- by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read
- by anonymous auth
-
-access to attrs=userPassword
- by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write
- by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write
- by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read
- by anonymous auth
-
-
-
-# Kerberos attributes only accessible to root/ldapmaster and the superadmins
-access to attrs=krb5KeyVersionNumber,krb5PrincipalRealm,krb5EncryptionType,krb5KDCFlags,krb5Key,krb5MaxLife,krb5MaxRenew,krb5PasswordEnd,krb5ValidEnd,krb5ValidStart,krb5RealmName
- by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write
- by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write
- by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read
- by * none
-
-
-
-# user info readable for nssproxy user
-access to dn.subtree="ou=users,dc=mm-karton,dc=com"
- by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write
- by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write
- by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read
- by dn="uid=nssproxy,dc=mm-karton,dc=com" read
-access to dn.subtree="ou=groups,dc=mm-karton,dc=com"
- by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write
- by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write
- by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read
- by dn="uid=nssproxy,dc=mm-karton,dc=com" read
-access to attrs=uid,uidNumber,gidNumber,gecos,homeDirectory,loginShell,memberUid
- by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write
- by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write
- by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read
- by dn="uid=nssproxy,dc=mm-karton,dc=com" read
-
-
-
-# all the rest
-access to dn.subtree="dc=mm-karton,dc=com"
- by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write
- by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write
- by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read
-"""]]
-/etc/default/slapd
-[[!format txt """
-# Default location of the slapd.conf file
-SLAPD_CONF=
-
-# System account to run the slapd server under. If empty the server
-# will run as root.
-SLAPD_USER="openldap"
-
-# System group to run the slapd server under. If empty the server will
-# run in the primary group of its user.
-SLAPD_GROUP="openldap"
-
-# Path to the pid file of the slapd server. If not set the init.d script
-# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf)
-SLAPD_PIDFILE=
-
-# Configure if the slurpd daemon should be started. Possible values:
-# - yes: Always start slurpd
-# - no: Never start slurpd
-# - auto: Start slurpd if a replica option is found in slapd.conf (default)
-SLURPD_START=auto
-
-# slapd normally serves ldap only on all TCP-ports 389. slapd can also
-# service requests on TCP-port 636 (ldaps) and requests via unix
-# sockets.
-# Example usage:
-SLAPD_SERVICES="ldap://10.128.4.36/ ldapi:///"
-
-# Additional options to pass to slapd and slurpd
-SLAPD_OPTIONS=""
-SLURPD_OPTIONS=""
-
-export KRB5_KTNAME="FILE:/etc/ldap/ldap.keytab"
-
-[ -L /var/run/ldapi ] || ln -s /var/run/slapd/ldapi /var/run/ldapi
-"""]]
-/etc/heimdal-kdc/kadmin.acl
-[[!format txt """
-lefant/admin@MM-KARTON.COM all
-"""]]
-/etc/heimdal-kdc/kdc.conf
-[[!format txt """
-[kdc]
- database = {
- realm = MM-KARTON.COM
- dbname = ldap:dc=mm-karton,dc=com
- mkey_file = /var/lib/heimdal-kdc/m-key
- acl_file = /etc/heimdal-kdc/kadmind.acl
- }
- addresses = 10.128.0.24
-"""]]
-
-[[!format txt """
-$ sudo kadmin -l
-init MY.REALM
-add lefant/admin
-"""]]
-
-# config am host
-
-/etc/libnss-ldap.conf
-[[!format txt """
-BASE dc=mm-karton, dc=com
-URI ldap://ldap.mm-karton.com/,ldap://ldap-1.mm-karton.com/
-
-ldap_version 3
-ssl start_tls
-tls_cacertfile /etc/ssl/certs/mmagca_crt.pem
-
-binddn uid=nssproxy,dc=mm-karton,dc=com
-bindpw XXXXXXXX
-
-scope sub
-pam_filter objectClass=posixAccount
-nss_base_passwd ou=users,dc=mm-karton,dc=com
-nss_base_group ou=groups,dc=mm-karton,dc=com
-
-# Search timelimit
-timelimit 10
-
-# Bind/connect timelimit
-bind_timelimit 2
-
-pam_min_uid 10000
-pam_max_uid 11000
-
-nss_reconnect_tries 1
-nss_reconnect_sleeptime 1
-nss_reconnect_maxsleeptime 2
-nss_reconnect_maxconntries 3
-nss_initgroups_ignoreusers arpwatch,asterisk,backup,bin,bind,clamav,cricket,daemon,Debian-exim,debianmirror,dovecot,fetchmail,ftp,games,gnats,identd,irc,list,lp,mail,man,messagebus,mysql,nagios,news,nobody,ntp,ntpd,nut,openvpn,pdns,proftpd,proxy,puppet,root,smmsp,smmta,smsd,snmp,snort,sshd,statd,sync,sys,uucp,www-data,zope
-"""]]
-/etc/nsswitch.conf
-[[!format txt """
-passwd: files ldap
-group: files ldap
-shadow: files
-
-hosts: files dns
-networks: files
-
-protocols: db files
-services: db files
-ethers: db files
-rpc: db files
-
-netgroup: nis
-"""]]
-/etc/krb5.conf
-[[!format txt """
-[libdefaults]
- default_realm = MM-KARTON.COM
- dns_lookup_realm = yes
-
-[logging]
- default = SYSLOG:NOTICE:DAEMON
- kdc = FILE:/var/log/kdc.log
- kadmind = FILE:/var/log/kadmind.log
-
-[appdefaults]
- pam = {
- ticket_lifetime = 10h
- renew_lifetime = 10h
- forwardable = true
- proxiable = false
- retain_after_close = false
- minimum_uid = 0
- debug = false
- }
-
-[domain_realm]
- srv-pof-30.pof.mmk.mmdom.net = MM-KARTON.COM
-
-[realms]
- MMK.MMDOM.NET = {
- kdc = DC-VIE-50
- kpasswd_server = DC-VIE-50
- auth_to_local_names = {
- lefant = invaliduser
- unki = invaliduser
- }
- }
- MM-KARTON.COM = {
- admin_server = kerberos.mm-karton.com
- auth_to_local = RULE:[1:$1@$0](^.*@MMK.MMDOM.NET$)s/@MMK.MMDOM.NET//
- auth_to_local = DEFAULT
- }
-"""]]
-/etc/pam.d/common-account
-[[!format txt """
-account required pam_access.so
-account sufficient pam_krb5.so forwardable realm=MMK.MMDOM.NET minimum_uid=20000
-account sufficient pam_krb5.so forwardable realm=MM-KARTON.COM minimum_uid=20000
-account required pam_unix.so
-"""]]
-/etc/pam.d/common-auth
-[[!format txt """
-auth optional pam_group.so
-auth sufficient pam_krb5.so forwardable realm=MMK.MMDOM.NET minimum_uid=20000 try_first_pass
-auth sufficient pam_krb5.so forwardable realm=MM-KARTON.COM minimum_uid=20000 try_first_pass
-auth required pam_unix.so try_first_pass
-"""]]
-/etc/pam.d/common-session
-[[!format txt """
-session required pam_mkhomedir.so umask=0022 skel=/etc/mmskel
-session sufficient pam_krb5.so forwardable realm=MMK.MMDOM.NET minimum_uid=20000
-session sufficient pam_krb5.so forwardable realm=MM-KARTON.COM minimum_uid=20000
-session required pam_unix.so
-"""]]
-restrict logins to certain users:
-
-/etc/security/access.conf
-[[!format txt """
-# first, to avoid delays when network is still unavailable
-+:ALL:LOCAL
-+:root:ALL
-
-# remote users and groups
-+:bofh:ALL
-
-# deny everything else
--:ALL:ALL
-"""]]
-/etc/adduser.conf (snippet)
-[[!format txt """
-# FIRST_[GU]ID to LAST_[GU]ID inclusive is the range of UIDs of dynamically
-# allocated user accounts/groups.
-FIRST_UID=1000
-LAST_UID=19999
-"""]]
-ldap client config (administration):
-
-/etc/ldap/ldap.conf
-[[!format txt """
-BASE dc=mm-karton, dc=com
-URI ldap://ldap.mm-karton.com/
-ssl start_tls
-tls_cacert /etc/ssl/certs/ca_crt.pem
-"""]]
-ldapwhoami, ldapsearch
-
-sudo, nopasswd, weil solches haben wir ja nicht...
-
-/etc/sudoers
-[[!format txt """
-lefant ALL=(ALL) NOPASSWD:ALL
-"""]]
-
-# single sign on fuer applikationen (gssapi support, das grosse fragezeichen)
-
-/etc/ssh/sshd_config (snippet)
-[[!format txt """
-GSSAPIAuthentication yes
-GSSAPIKeyExchange yes
-"""]]
-/etc/ssh/ssh_config (snippet)
-[[!format txt """
-host *
- GSSAPIAuthentication yes
- GSSAPIDelegateCredentials yes
- GSSAPITrustDns yes
-"""]]
-firefox: out-of-the-box!
-
-apache: (apt-get install libapache2-mod-auth-kerb) config snippet
-[[!format txt """
- <Location />
- AuthType Kerberos
- AuthName "MM Login (use windows login *without* mm\ prefix)"
- KrbServiceName HTTP
- Krb5Keytab /etc/apache2/keytab
- KrbAuthRealms MMK.MMDOM.NET MM-KARTON.COM
- AuthGroupFile /etc/wwwusers
- Require group NocUsers
- Order deny,allow
- Deny from all
- Allow from noc.mm-karton.com
- Satisfy any
- </Location>
-"""]]
-
-# misc stuff
-
-* tcpdump
-* strace
-* $HOME/.k5login
\ No newline at end of file