Goals
Replace NIS with something secure
Weakly crypted passwords (and everything else) sent over the network in the clear
Difficult to firewall
No system authentication
Other Options
Copy local passwd file
Error-prone
Requires root-level trust between clients and server
NIS+
Complicated
Limited client support
Dead
LDAP
LDAP is a directory access protocol
Up to the implementation to use whatever backend it wants
LDAP can be used to store any form of information, but designed for directories
  Small bits of data
  Mostly read access
Goals Revisited
Security
Clients authenticate server
Encrypt data in transit
Simplify firewalling
Administration
Easy to configure
Easy to maintain
LDAP Security
Authentication
LDAP clients authenticate server by ensuring server has an SSL certificate signed by a CA they trust
Encryption
SSL
Access control
ACLs based on the Kerberos principal the user authenticates with
Useful for non-NIS data like home phone number
Client support
nss_ldap module for any OS which supports Name Service Switch (Solaris or GNU)
BIND IRS (NSS work-alike from BIND 8)
Why Kerberos
LDAP is designed for public information
ACLs can protect userPassword, but
Kerberos Basics
Kerberos
Stores username/password pairs
Usernames are called principals
Kerberos database equivalent to /etc/shadow
Passwords, encrypted or not, are almost never sent across the network
Server encrypts keys with the user's password; other folks can't decrypt/use them without the password
Kerberos
When user authenticates, they are given a ticket
Tickets are generally good for 8 hours
Useful for things like authenticated NFS, IMAP, etc.
Terms
Principal
name/instance@realm
Examples:
  jheiss@EXAMPLE.COM
  jheiss/admin
  host/foobar.example.com
  ldap/ldap1.example.com
Realm
Typically domain name in all caps
Service
User
LDAP Basics
Schemas
LDAP uses schemas to define what attributes an object can and must have
posixAccount object class corresponds to an entry in a passwd file
posixGroup corresponds to a group
Schema Examples
attributetype ( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' )
    DESC 'RFC1274: user identifier'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY
    DESC 'Abstraction of an account with POSIX attributes'
    MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
    MAY ( userPassword $ loginShell $ gecos $ description ) )
Distinguished Names
Each object in the LDAP directory has a DN
uid=jheiss,ou=people,dc=example,dc=com
cn=users,ou=group,dc=example,dc=com
Alphabet Soup
LDAP
Lightweight Directory Access Protocol
SASL
Simple Authentication and Security Layer
GSSAPI
Generic Security Services Application Programming Interface
PAM
Pluggable Authentication Module
NSS
Name Service Switch
Kerberos Implementation
Software
Servers
Kerberos
MIT (Recommended)
Heimdal
SEAM
Clients
pam_krb5
Included with Red Hat, FreeBSD, Solaris, possibly others
Open Source versions available from Red Hat (recommended), Linux PAM project
See references
Kerberos Servers
Edit /etc/krb5.conf
Realm, servers
Generally identical on all Kerberized systems in realm
Edit /var/kerberos/krb5kdc/kdc.conf
Realm
Needed on KDCs only
/usr/kerberos/sbin/kadmin.local -q "addprinc jheiss/admin"
Add additional principals as needed with kadmin
Logs:
  /var/log/krb5kdc.log
  /var/log/kadmind.log
Kerberos Replication
Create host principals for slave KDCs
  addprinc -randkey host/hostname
Configure init to start kpropd -S on slave KDCs
Add cronjob on master KDC to dump database and run kprop regularly
See references for link to example script
749/tcp
Clients -> master KDC
Password changes, add/change/delete principals
754/tcp
Master KDC -> Slave KDCs
Database replication
Kerberos Client
Copy /etc/krb5.conf from server
/etc/krb5/krb5.conf on Solaris using SEAM
Solaris
SEAM
See references for example pam.conf
Testing
As user:
  kinit
  klist
Kerberos Management
kadmin
addprinc, delprinc, listprincs, ktadd, ktremove
ktutil
rkt, list, quit
PAM
PAM configured to change password in Kerberos
Non-PAM
Users need to use kpasswd
LDAP Implementation
Software
Servers
Kerberos
OpenSSL
SASL (1.x until OpenLDAP 2.1.x is available)
OpenLDAP
Clients
All of the above plus nss_ldap and pam_krb5
LDAPS
636/tcp
LDAP Replication
slurpd watches for changes, pushes to replicas
Acts as LDAP client, and thus needs Kerberos ticket, not keytab
Need cronjob to keep ticket current
Replicas must have ACLs which allow modification by whatever principal slurpd is configured to use
LDIF Example
dn: dc=example,dc=com
objectclass: organization
o: Example, Inc.

dn: ou=people,dc=example,dc=com
objectclass: organizationalUnit
ou: People

dn: uid=jheiss,ou=people,dc=example,dc=com
objectClass: posixAccount
commonName: Jason Heiss
surname: Heiss
uid: jheiss
userPassword: {KERBEROS}jheiss@EXAMPLE.COM
loginShell: /bin/bash
uidNumber: 500
gidNumber: 100
homeDirectory: /home/jheiss
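The LDIF above is what one migrated NIS account looks like. As an added example (my code, not from the slides and not Jason's ldapposixadd tool), the Python below turns passwd-format lines, as ypcat passwd prints them, into posixAccount entries of that shape. It assumes the ou=people,dc=example,dc=com base and the EXAMPLE.COM realm shown on the slides; the sample input is constructed. The crypt hash in the second passwd field is deliberately dropped: userPassword carries {KERBEROS}principal, so the KDC stays the only password store and no NIS hashes end up readable in the directory.

```python
import base64

PEOPLE_BASE = "ou=people,dc=example,dc=com"  # assumption: people branch from the slides
REALM = "EXAMPLE.COM"                         # assumption: realm from the slides

# Constructed sample input in passwd(5) layout (what "ypcat passwd" prints).
SAMPLE_PASSWD = """\
jheiss:x:500:100:Jason Heiss:/home/jheiss:/bin/bash
alice:x:501:100:Alice Example,Room 12,555-0100:/home/alice:/bin/sh
"""


def ldif_attr(name, value):
    """Render one attribute line; values LDIF cannot carry verbatim get base64 ("attr::")."""
    safe = (
        value.isascii()
        and not any(c in value for c in "\0\r\n")
        and not value.startswith((" ", ":", "<"))
        and not value.endswith(" ")
    )
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def dn_escape(value):
    """Escape an RDN attribute value so a stray comma or '+' cannot alter the DN."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def parse_passwd_line(line):
    """Split one passwd(5) line into the fields we need; the hash field is ignored on purpose."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 colon-separated fields: {line!r}")
    name, _hash, uid, gid, gecos, home, shell = fields
    if not name or not uid.isdigit() or not gid.isdigit():
        raise ValueError(f"malformed passwd line: {line!r}")
    full_name = gecos.split(",")[0].strip() or name  # gecos may be empty or comma-structured
    return {
        "uid": name,
        "uidNumber": uid,
        "gidNumber": gid,
        "cn": full_name,
        "sn": full_name.split()[-1],
        "homeDirectory": home,
        "loginShell": shell or "/bin/sh",
    }


def account_to_ldif(acct, base=PEOPLE_BASE, realm=REALM):
    """Build a posixAccount entry laid out like the slides' LDIF.

    The NIS password hash is never copied: userPassword points at the
    Kerberos principal, so the KDC remains the only place a secret lives.
    """
    lines = [
        f"dn: uid={dn_escape(acct['uid'])},{base}",
        "objectClass: posixAccount",
        ldif_attr("cn", acct["cn"]),
        ldif_attr("sn", acct["sn"]),
        ldif_attr("uid", acct["uid"]),
        f"userPassword: {{KERBEROS}}{acct['uid']}@{realm}",
        ldif_attr("loginShell", acct["loginShell"]),
        f"uidNumber: {acct['uidNumber']}",
        f"gidNumber: {acct['gidNumber']}",
        ldif_attr("homeDirectory", acct["homeDirectory"]),
    ]
    return "\n".join(lines) + "\n"


def passwd_to_ldif(text, base=PEOPLE_BASE, realm=REALM):
    """Convert a whole passwd-format dump to LDIF, one blank line between entries."""
    entries = [
        account_to_ldif(parse_passwd_line(line), base, realm)
        for line in text.splitlines()
        if line and not line.startswith("#")
    ]
    return "\n".join(entries)


if __name__ == "__main__":
    # Feed the result to ldapadd; no crypt hashes appear anywhere in the output.
    print(passwd_to_ldif(SAMPLE_PASSWD), end="")
```

Pipe the output into ldapadd once the people ou exists. Non-ASCII gecos fields come out as base64 `cn::` lines, which is what ldapadd expects, and an account name containing DN metacharacters is escaped rather than silently producing a different DN.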
Testing Server
Test in stages:
  kinit
  ldapsearch -H ldap://hostname/ -x
  ldapsearch -H ldaps://hostname/ -x
  ldapsearch -H ldap://hostname/ -ZZ -x
  ldapsearch -H ldap://hostname/
  ldapsearch -H ldaps://hostname/
  ldapsearch -H ldap://hostname/ -ZZ
LDAP Clients
Install nss_ldap
Edit /etc/ldap.conf
  host ldap1.example.com ldap2.example.com
  base dc=example,dc=com
  ssl start_tls
  tls_checkpeer yes
  tls_cacertfile /etc/ssl/ca-cert.pem
Edit /etc/openldap/ldap.conf
  URI ldaps://ldap1.example.com/ ldaps://ldap2.example.com/
  BASE dc=example,dc=com
Testing Client
ldapsearch
Makes sure /etc/openldap/ldap.conf is setup properly and that connection to server is good
Troubleshooting
Sample error messages
ldap_sasl_interactive_bind_s: Local error
  ldap/hostname service principal not set up
  User doesn't have a ticket, or the ticket has expired
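As an added example that is not part of the slides, the Python below runs the "Testing Server" stages in the order given earlier and stops at the first failure, mapping the stderr text to the causes this troubleshooting slide lists. Running the anonymous (-x) searches first separates transport and certificate problems from Kerberos problems, which is the point of testing in stages. It assumes ldapsearch is on PATH and kinit has been run before the GSSAPI stages; the run parameter is my addition so the sequence can be exercised without a server, and the "Can't contact LDAP server" line is a standard OpenLDAP client message I added, not one from the slides.

```python
import subprocess

# Messages from the troubleshooting slide mapped to the causes it names;
# "Can't contact LDAP server" is an OpenLDAP client message added here as an assumption.
HINTS = {
    "Local error": "ldap/<hostname> service principal not set up, or no valid ticket (check klist)",
    "Can't contact LDAP server": "server unreachable on that URI; check slapd and firewalling of 389/636",
}


def ldap_stages(host):
    """The six ldapsearch invocations from the slides, simplest first:
    anonymous over plain, LDAPS and StartTLS, then SASL/GSSAPI over the same three."""
    plain = f"ldap://{host}/"
    ldaps = f"ldaps://{host}/"
    return [
        ("anonymous, plain LDAP", ["ldapsearch", "-H", plain, "-x"]),
        ("anonymous, LDAPS", ["ldapsearch", "-H", ldaps, "-x"]),
        ("anonymous, StartTLS", ["ldapsearch", "-H", plain, "-ZZ", "-x"]),
        ("SASL/GSSAPI, plain LDAP", ["ldapsearch", "-H", plain]),
        ("SASL/GSSAPI, LDAPS", ["ldapsearch", "-H", ldaps]),
        ("SASL/GSSAPI, StartTLS", ["ldapsearch", "-H", plain, "-ZZ"]),
    ]


def run_command(argv):
    """Default runner: execute ldapsearch and return (exit status, stderr text)."""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True)
    except FileNotFoundError:
        return 127, "ldapsearch not found on PATH"
    return proc.returncode, proc.stderr


def diagnose(stderr):
    """Translate a failing stage's stderr into the cause the slides give for it."""
    for pattern, hint in HINTS.items():
        if pattern in stderr:
            return hint
    return stderr.strip() or "unknown failure"


def check_stages(host, run=run_command):
    """Return (stages passed, failed stage name or None, diagnosis)."""
    passed = []
    for name, argv in ldap_stages(host):
        status, stderr = run(argv)
        if status != 0:
            return passed, name, diagnose(stderr)
        passed.append(name)
    return passed, None, ""


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap1.example.com"  # assumed hostname
    ok, failed, why = check_stages(host)
    for name in ok:
        print(f"ok   {name}")
    if failed:
        print(f"FAIL {failed}: {why}")
        sys.exit(1)
```

If the three -x stages pass and the first GSSAPI stage fails with "Local error", the server and its certificate are fine and the problem is on the Kerberos side: the ldap/hostname keytab entry or the user's ticket.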
Controlling Access
Linux
Add to /etc/pam.d/whatever:
  account required /lib/security/pam_access.so
Edit /etc/security/access.conf
See /usr/share/doc/pam-*/txts/README.pam_access for syntax
Solaris
Add entries to /etc/project after removing default entries (except user.root):
  user.username:uid::::
LDAP Management
OpenLDAP tools
ldapadd, ldapmodify, ldapdelete
Not very user friendly
Jason's tools
ldapcat, ldapedit, ldapposixadd
Useful for folks used to NIS
Support
Kerberos
comp.protocols.kerberos
OpenLDAP
echo subscribe | mail openldap-software-request@openldap.org
nss_ldap
echo subscribe | mail nss_ldap-request@padl.com
References
http://ofb.net/~jheiss/krbldap/
  Kerberos replication script
  Sample SEAM pam.conf
  Examples of integrating Kerberos management into existing tools
  Sample slapd.conf
  Sample nss_ldap and OpenLDAP ldap.confs
  Sample LDIF
  List of OpenLDAP error messages
  LDAP tools and sample Net::LDAP code
References
Friendly Kerberos introduction:
http://web.mit.edu/kerberos/www/dialogue.html
References
Kerberos
MIT: http://web.mit.edu/kerberos/www/
Heimdal: http://www.pdc.kth.se/heimdal/
SEAM: http://www.sun.com/software/solaris/ds/dsseam/
Encryption modules necessary for Kerberized NFS:
http://www.sun.com/software/solaris/encryption/download.html
References
pam_krb5
Red Hat
/usr/share/doc/pam_krb5-*/README on a Red Hat box