System Authentication using LDAP
or
My Adventures through RFC2307
Brad Marshall
brad.marshall@member.sage-au.org.au
http://quark.humbug.org.au/
(page 1)
System Authentication using LDAP
More and more users on the network
- Many users x many machines = lots of password changes
Needed centralized authentication solution
Wanted to integrate easily with existing network
(page 2)
Options for Authentication
Options
- NIS / NIS+
- Custom scripts
- Replication password files
- LDAP
(page 3)
Why LDAP?
NIS / NIS+
- Not supported well under Linux
Custom scripts
- Not really maintainable
- Don't get the advantage of others using and improving it
- Non-standard
Replicating password files
- Need procedures for changing passwords
- Do it right, or change is overwritten
- Replication delays
- Confusion
(page 4)
Background
Plugged In is a Java development consulting business
See "Linux in a Commercial Environment" - SAGE-AU'98
Everyone has a Linux box
Everyone has an account on all boxes
(page 5)
What is LDAP
Lightweight Directory Access Protocol
Directory service (RFC1777)
Stores attribute based data
Optimized for reading
Hierarchical data structure
Client-server model
Consistent view of data
- Server answers the request itself
- Or refers the client to another server that holds the answer
Based on entries
- Collection of attributes
- Has a distinguished name (DN)
(page 6)
LDAP Structure
Entries referenced by distinguished name - DN (RFC1779)
Can be referenced by relative distinguished name - RDN
Top level or base (RFC2377)
- Use the DNS domain name, eg dc=pisoftware,dc=com
Object class
- Determines schema rules the entry must obey
- Required attributes
- Allowed attributes
- Describes what type of object
- domain
- posixAccount
- posixGroup
- etc
(page 7)
What is LDIF
LDAP Data Interchange Format
- Represents LDAP entries in text
- Human readable format
- Allows easy modification of data
ldbmcat converts ldbm database to ldif
ldif2ldbm converts ldif back to ldbm database
(page 8)
Example User Schema
dn: uid=bmarshal,ou=People,dc=pisoftware,dc=com
uid: bmarshal
cn: Brad Marshall
objectclass: account
objectclass: posixAccount
objectclass: top
loginshell: /bin/bash
uidnumber: 500
gidnumber: 120
homedirectory: /mnt/home/bmarshal
gecos: Brad Marshall,,,,
userpassword: {crypt}KDnOoUYN7Neac
(page 9)
Example Group Schema
dn: cn=sysadmin,ou=Group,dc=pisoftware,dc=com
objectclass: posixGroup
objectclass: top
cn: sysadmin
gidnumber: 160
memberuid: bmarshal
memberuid: dwood
memberuid: jparker
(page 10)
Search filters
Criteria for attributes
Directory base to search
Prefix notation
Eg
- (|(uid=bmarshal)(uid=jparker))
See RFC2254 for more details
(page 11)
Schema
Describes data layout
People in ou=People
- dn is uid=<userid>,ou=People,dc=pisoftware,dc=com
- objectClass of posixAccount
- userid in uid attribute
- primary group number in gidnumber attribute
- password in userpassword attribute
- home directory in homedirectory attribute
Groups in ou=Group
- dn is cn=<groupname>,ou=Group,dc=pisoftware,dc=com
- objectClass of posixGroup
- group id number in gidnumber attribute
- group members in memberuid attribute, one memberuid value per member
- group name in cn attribute
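The attribute mapping on this slide and the two LDIF entries on the Example User Schema and Example Group Schema slides are exactly what nss_ldap turns into passwd(5) and group(5) records. The following Python is an added example (not code from the slides, PADL or OpenLDAP) that does that mapping with a minimal LDIF reader; the LDIF text is a constructed copy of the deck's own example user and group so the script runs offline.

```python
"""Map RFC 2307 LDIF entries onto passwd(5) and group(5) lines.

Added example, not from the slides or from nss_ldap. SAMPLE_LDIF is a
constructed copy of the deck's example user and group entries.
"""
from typing import Dict, List

SAMPLE_LDIF = """\
dn: uid=bmarshal,ou=People,dc=pisoftware,dc=com
uid: bmarshal
cn: Brad Marshall
objectclass: account
objectclass: posixAccount
objectclass: top
loginshell: /bin/bash
uidnumber: 500
gidnumber: 120
homedirectory: /mnt/home/bmarshal
gecos: Brad Marshall,,,,
userpassword: {crypt}KDnOoUYN7Neac

dn: cn=sysadmin,ou=Group,dc=pisoftware,dc=com
objectclass: posixGroup
objectclass: top
cn: sysadmin
gidnumber: 160
memberuid: bmarshal
memberuid: dwood
memberuid: jparker
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Parse blank-line separated LDIF entries.

    Attribute names are lower-cased and every attribute maps to a list,
    because LDAP attributes are multi-valued (see memberuid). Folded lines
    (leading space) are joined; base64 '::' values are not handled, which
    is fine for the plain-text entries used here.
    """
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries: List[Entry] = []
    entry: Entry = {}
    for line in unfolded:
        if not line.strip():
            if entry:
                entries.append(entry)
                entry = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    if entry:
        entries.append(entry)
    return entries


def first(entry: Entry, attr: str, default: str = "") -> str:
    """First value of an attribute, or default when it is absent."""
    return entry.get(attr, [default])[0]


def has_class(entry: Entry, oc: str) -> bool:
    return oc.lower() in (v.lower() for v in entry.get("objectclass", []))


def to_passwd_line(entry: Entry) -> str:
    """posixAccount -> name:passwd:uid:gid:gecos:dir:shell (passwd(5)).

    The directory stores the password as {crypt}<hash>; the passwd map
    carries the bare crypt(3) hash, so the prefix is stripped.
    """
    if not has_class(entry, "posixAccount"):
        raise ValueError("entry is not a posixAccount")
    pw = first(entry, "userpassword", "x")
    if pw.lower().startswith("{crypt}"):
        pw = pw[len("{crypt}"):]
    return ":".join([first(entry, "uid"), pw, first(entry, "uidnumber"),
                     first(entry, "gidnumber"), first(entry, "gecos"),
                     first(entry, "homedirectory"), first(entry, "loginshell")])


def to_group_line(entry: Entry) -> str:
    """posixGroup -> name:passwd:gid:member,... (group(5)); the example
    group has no userPassword, so '*' is used as the placeholder."""
    if not has_class(entry, "posixGroup"):
        raise ValueError("entry is not a posixGroup")
    return ":".join([first(entry, "cn"), "*", first(entry, "gidnumber"),
                     ",".join(entry.get("memberuid", []))])


if __name__ == "__main__":
    for e in parse_ldif(SAMPLE_LDIF):
        if has_class(e, "posixAccount"):
            print(to_passwd_line(e))
        elif has_class(e, "posixGroup"):
            print(to_group_line(e))
```

Note that the password field of the resulting passwd line is the crypt hash straight from the directory, which is why the access rules on userpassword in slapd.conf matter as much as the file mode of /etc/shadow would.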
(page 12)
Implementation
Uses RFC2307
Applications query LDAP server
- PAM (Pluggable Authentication Modules)
- NSS (Name Service Switch)
Eg
- login -> pam -> pam_ldap -> ldap server
(page 13)
Library calls
Library calls as defined by RFC2307, and the search filter each one issues
getpwnam()  (&(objectClass=posixAccount)(uid=%s))
getpwuid()  (&(objectClass=posixAccount)(uidNumber=%d))
getpwent()  (objectClass=posixAccount)
getspnam()  (&(objectClass=shadowAccount)(uid=%s))
getspent()  (objectClass=shadowAccount)
getgrnam()  (&(objectClass=posixGroup)(cn=%s))
getgrgid()  (&(objectClass=posixGroup)(gidNumber=%d))
getgrent()  (objectClass=posixGroup)
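The %s and %d in these templates are filled with a user-supplied name or number, so the filter has to encode the value rather than splice it in raw. The Python below is an added example (not from the slides or from any LDAP library) that builds the RFC2307 lookup filters from this slide and the (|(uid=...)(uid=...)) filter from the Search filters slide, escaping values the way RFC2254 section 4 requires; RFC2307_FILTERS, lookup_filter and or_filter are names chosen here.

```python
"""Build RFC 2254 search filters the way an RFC 2307 client should.

Added example, not from the slides or from nss_ldap/pam_ldap. Escaping
follows RFC 2254 section 4; the templates are the ones the slide lists.
"""
from typing import Dict, Iterable, Union


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside a filter (RFC 2254 s.4).

    '*', '(', ')', '\\' and NUL become a backslash plus two hex digits, so
    a caller-supplied value can never change the structure of the filter.
    """
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


# Lookup filters exactly as the Library calls slide lists them.
RFC2307_FILTERS: Dict[str, str] = {
    "getpwnam": "(&(objectClass=posixAccount)(uid=%s))",
    "getpwuid": "(&(objectClass=posixAccount)(uidNumber=%d))",
    "getpwent": "(objectClass=posixAccount)",
    "getspnam": "(&(objectClass=shadowAccount)(uid=%s))",
    "getspent": "(objectClass=shadowAccount)",
    "getgrnam": "(&(objectClass=posixGroup)(cn=%s))",
    "getgrgid": "(&(objectClass=posixGroup)(gidNumber=%d))",
    "getgrent": "(objectClass=posixGroup)",
}


def lookup_filter(call: str, arg: Union[str, int, None] = None) -> str:
    """Fill the template for a library call with a safely encoded argument."""
    template = RFC2307_FILTERS[call]
    if "%s" in template:
        return template % escape_filter_value(str(arg))
    if "%d" in template:
        return template % int(arg)  # int() rejects anything but a number
    return template


def or_filter(attr: str, values: Iterable[str]) -> str:
    """(|(attr=v1)(attr=v2)...) with every value escaped; attr is chosen by
    the program, not by the user, so it is used as-is."""
    parts = "".join("(%s=%s)" % (attr, escape_filter_value(v)) for v in values)
    return "(|%s)" % parts


if __name__ == "__main__":
    print(lookup_filter("getpwnam", "bmarshal"))
    print(lookup_filter("getgrgid", 160))
    print(or_filter("uid", ["bmarshal", "jparker"]))
    # Metacharacters in a value are encoded, not interpreted:
    print(lookup_filter("getpwnam", "*)"))
```

The escaped form of a value that contains filter metacharacters matches only an entry whose uid literally contains those characters; without the escaping, the same value would be read by the server as part of the filter syntax.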
(page 14)
Migration
Used PADL's MigrationTools
Can migrate
- fstab
- hosts
- networks
- protocols
- rpc
- services
Initially migrated
(page 15)
LDAP Server architecture
LDAP daemon called slapd
- Choice of backend databases
- LDBM - high performance disk based db
- SHELL - db interface to unix commands
- PASSWORD - simple password file db
- Multiple database instances
- Access control
- Threaded
- Replication
Replication daemon called slurpd
- Frees slapd from worrying about hosts being down etc
- Communicates with slapd through text file
(page 16)
Server Configuration: slapd.conf
/etc/openldap/slapd.conf
include /etc/openldap/slapd.at.conf
include /etc/openldap/slapd.oc.conf
schemacheck off
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
defaultaccess read
access to attr=userpassword
        by self write
        by * read
access to *
        by self write
        by dn=".+" read
        by * read
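The access lines above are evaluated in order: the first "access to" clause whose target matches is used, and within it the first matching "by" line decides. Reading them that way shows that the userpassword clause grants read to "*", i.e. to anonymous binds as well, so every crypt hash in the directory is readable by anyone who can reach the server. The Python below is an added example (not from the slides or from OpenLDAP) that models those semantics over a constructed copy of the slide's rules and a tightened variant; the handling of a clause with no matching "by" (deny) and of dn= as a regular expression are assumptions taken from the slapd admin guide, and rootdn, which bypasses access control entirely, is not modelled.

```python
"""Evaluate slapd.conf access rules against sample requests.

Added example, not from the slides or from OpenLDAP. Semantics modelled
(assumptions): first matching 'access to' clause wins, first matching
'by' within it decides, 'defaultaccess' applies only when no clause
matches, a matching clause with no matching 'by' grants 'none'.
"""
import re
from typing import List, Tuple

LEVELS = ["none", "compare", "search", "read", "write"]  # cumulative

# Constructed copy of the slide's access control section.
SLIDE_ACL = """\
defaultaccess read
access to attr=userpassword
        by self write
        by * read
access to *
        by self write
        by dn=".+" read
        by * read
"""

# Tightened variant: only the entry's owner can read or change the hash.
TIGHT_ACL = """\
defaultaccess read
access to attr=userpassword
        by self write
        by * none
access to *
        by self write
        by * read
"""

Clause = Tuple[str, List[Tuple[str, str]]]  # (what, [(who, level), ...])


def parse_acls(conf: str) -> Tuple[str, List[Clause]]:
    default = "read"
    clauses: List[Clause] = []
    for raw in conf.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "defaultaccess":
            default = words[1]
        elif words[:2] == ["access", "to"]:
            clauses.append((words[2], []))
        elif words[0] == "by" and clauses:
            clauses[-1][1].append((words[1], words[2]))
    return default, clauses


def what_matches(what: str, attr: str) -> bool:
    if what == "*":
        return True
    if what.startswith("attr="):
        return attr.lower() in [a.lower() for a in what[5:].split(",")]
    raise ValueError("unsupported 'access to' target: %s" % what)


def who_matches(who: str, bind_dn: str, entry_dn: str) -> bool:
    """bind_dn is '' for an anonymous bind."""
    if who == "*":
        return True
    if who == "self":
        return bind_dn != "" and bind_dn.lower() == entry_dn.lower()
    m = re.fullmatch(r'dn="(.*)"', who)
    if m:  # slapd treats the dn= value as a regular expression
        return re.search(m.group(1), bind_dn) is not None
    raise ValueError("unsupported 'by' subject: %s" % who)


def access_level(conf: str, bind_dn: str, entry_dn: str, attr: str) -> str:
    default, clauses = parse_acls(conf)
    for what, by in clauses:
        if what_matches(what, attr):
            for who, level in by:
                if who_matches(who, bind_dn, entry_dn):
                    return level
            return "none"
    return default


def allows(conf: str, bind_dn: str, entry_dn: str, attr: str, needed: str) -> bool:
    """True when the granted level is at least 'needed'."""
    return LEVELS.index(access_level(conf, bind_dn, entry_dn, attr)) >= LEVELS.index(needed)


USER = "uid=bmarshal,ou=People,dc=pisoftware,dc=com"
OTHER = "uid=jparker,ou=People,dc=pisoftware,dc=com"

if __name__ == "__main__":
    for name, conf in (("slide", SLIDE_ACL), ("tightened", TIGHT_ACL)):
        print(name, "anonymous reads hash:", allows(conf, "", USER, "userpassword", "read"))
        print(name, "other user reads hash:", allows(conf, OTHER, USER, "userpassword", "read"))
        print(name, "owner writes hash:", allows(conf, USER, USER, "userpassword", "write"))
```

pam_ldap authenticates by binding to the directory as the user, so the tightened rules do not stop logins; what they stop is an anonymous or unrelated user reading every account's crypt hash. The "by dn=".+" read" line in the slide's second clause is also redundant as written, since the "by * read" that follows grants the same level to everyone.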
(page 17)
Server Configuration: slapd.conf cont
/etc/openldap/slapd.conf cont
database ldbm
suffix "dc=pisoftware, dc=com"
rootdn "cn=Manager, dc=pisoftware, dc=com"
rootpw {crypt}lAn4J@KmNp9
replica host=cox.staff.plugged.com.au:389
        binddn="cn=Manager,dc=pisoftware,dc=com"
        bindmethod=simple credentials=d0nTe1l
replogfile /var/lib/openldap/replication.log
directory /var/lib/openldap/
(page 18)
Client Configuration: ldap.conf
/etc/ldap.conf
- Symlink to /etc/openldap/ldap.conf
BASE dc=pisoftware,dc=com
HOST ldap
pam_crypt local
(page 19)
Client Configuration: PAM
/etc/pam.d/ssh
- Need a similar file for every app you want to use LDAP
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_pwdb.so shadow nullok try_first_pass
auth required /lib/security/pam_nologin.so
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password sufficient /lib/security/pam_ldap.so
password required /lib/security/pam_pwdb.so shadow nullok use_authtok
session sufficient /lib/security/pam_ldap.so
session required /lib/security/pam_pwdb.so
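The order of the auth lines matters: "sufficient" returns success as soon as pam_ldap accepts the bind, so for an LDAP user the pam_nologin line that follows is never reached, while a local user still passes through it. The Python below is an added example (not from the slides, Linux-PAM or pam_ldap) that walks the slide's auth stack with Linux-PAM's control-flag rules; the three modules are constructed stand-ins for pam_ldap, pam_pwdb and pam_nologin, and LDAP_USERS and LOCAL_USERS are made-up credentials so the stack can be run offline.

```python
"""Walk the 'auth' stack from the /etc/pam.d/ssh slide with Linux-PAM rules.

Added example, not from the slides or from Linux-PAM. Control flags:
'required' records a failure and keeps going, 'requisite' fails at once,
'sufficient' returns success immediately when the module succeeds and no
earlier 'required' module has failed. Modules and credentials are
constructed stand-ins.
"""
from typing import Callable, Dict, List, Tuple

LDAP_USERS = {"bmarshal": "ldap-secret"}                        # in the directory
LOCAL_USERS = {"root": "root-secret", "jparker": "local-secret"}  # in /etc/passwd

Env = Dict[str, bool]
Module = Callable[[str, str, Env], bool]


def pam_ldap(user: str, password: str, env: Env) -> bool:
    """Stand-in: a simple bind as the user succeeds only with the right password."""
    return LDAP_USERS.get(user) == password


def pam_pwdb(user: str, password: str, env: Env) -> bool:
    """Stand-in: local password database check."""
    return LOCAL_USERS.get(user) == password


def pam_nologin(user: str, password: str, env: Env) -> bool:
    """Stand-in: when /etc/nologin exists only root may log in."""
    return user == "root" or not env.get("nologin", False)


Stack = List[Tuple[str, Module]]

# The auth lines from the slide, in the slide's order.
SLIDE_AUTH: Stack = [
    ("sufficient", pam_ldap),
    ("required", pam_pwdb),
    ("required", pam_nologin),
]

# Same modules with pam_nologin moved ahead of the 'sufficient' pam_ldap line.
NOLOGIN_FIRST: Stack = [
    ("required", pam_nologin),
    ("sufficient", pam_ldap),
    ("required", pam_pwdb),
]


def run_auth(stack: Stack, user: str, password: str, env: Env) -> bool:
    """Return the overall result of the auth stack for one login attempt."""
    required_failed = False
    for control, module in stack:
        ok = module(user, password, env)
        if control == "requisite" and not ok:
            return False
        if control == "required" and not ok:
            required_failed = True
        if control == "sufficient" and ok and not required_failed:
            return True  # remaining modules are skipped
    return not required_failed


if __name__ == "__main__":
    nologin = {"nologin": True}
    print("slide order, LDAP user, /etc/nologin present:",
          run_auth(SLIDE_AUTH, "bmarshal", "ldap-secret", nologin))    # True
    print("slide order, local user, /etc/nologin present:",
          run_auth(SLIDE_AUTH, "jparker", "local-secret", nologin))    # False
    print("nologin first, LDAP user, /etc/nologin present:",
          run_auth(NOLOGIN_FIRST, "bmarshal", "ldap-secret", nologin))  # False
```

With pam_nologin listed as "required" before the "sufficient" pam_ldap line, its failure is recorded first, so a later pam_ldap success no longer short-circuits the stack and the LDAP user is refused while /etc/nologin exists, which is the behaviour local users already get.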
(page 20)
Client Configuration: nsswitch.conf
/etc/nsswitch.conf
passwd: ldap files
shadow: ldap files
group: ldap files
(page 21)
Usage
ldappasswd
ldappasswd -W -D 'uid=bmarshal,ou=People,dc=pisoftware,dc=com' 'uid=bmarshal'
ldapmodify
ldapmodify -W -r -D "cn=Manager,dc=pisoftware,dc=com" < bmarshal.ldif
where bmarshal.ldif is the output of ldapsearch -L 'uid=bmarshal'
ldapsearch
ldapsearch -L 'uid=*'
ldapsearch -L 'objectclass=posixGroup'
ldapsearch -L 'objectclass=posixAccount'
ldapsearch -D 'uid=bmarshal,ou=People,dc=pisoftware,dc=com' -W -L 'uid=bmarshal'
(page 22)
Future Directions
Mail
- Use ldap routing with sendmail
Web
- Use for authentication
- Contact details
(page 23)
Conclusions
Some learning curve
Definitely worth it
Much easier to
- change passwords
- create accounts
Lots of expansion potential
Saves having multiple authentication databases
(page 24)
Useful URLs
PADL - http://www.padl.com/
UMich LDAP Server - http://www.umich.edu/~dirsvcs/ldap/
OpenLDAP - http://www.openldap.org/
SLAPD and SLURPD Admin Guide - http://www.umich.edu/~dirsvcs/ldap/doc/guides/slapd/
(page 25)
RFCs
RFC1777 - Lightweight Directory Access Protocol
RFC1779 - A String Representation of Distinguished Names
RFC2254 - The String Representation of LDAP Search Filters
RFC2377 - Naming Plan for Internet Directory-Enabled Applications
RFC2307 - An Approach for Using LDAP as a Network Information Service
(page 26)