Why store accounts in LDAP

Presentation Transcript


    1. Why store accounts in LDAP?
       - Every piece of data associated with a user is stored in their LDAP record
       - Easy maintenance of user accounts
       - Wide variety of tools to analyze and edit the data
       - Central database
       - Can be accessed remotely from many systems

    2. Software Required
       - An LDAP server (OpenLDAP)
       - pam_ldap - PAM module that allows PAM to authenticate against an LDAP database
       - nss_ldap - NSS module that allows NSS to pull user information from an LDAP database
       - All this software is easily obtainable from every major distribution

    3. Steps
       - Get the data into LDAP
       - Configure PAM to use the LDAP data for authentication
       - Configure NSS to use the LDAP data for the passwd/group databases

    4. Getting the Data into LDAP
       The posixAccount objectClass stores all the information that is normally found in the /etc/passwd file

    5. Example posixAccount Entry
       dn: cn=Brian Alliet,ou=People,dc=brianweb,dc=net
       objectClass: person
       objectClass: posixAccount
       cn: Brian Alliet
       # sn is mandatory for objectClass person; without it slapd rejects the entry
       sn: Alliet
       uid: brian
       uidNumber: 1000
       gidNumber: 1000
       homeDirectory: /home/brian
       loginShell: /bin/bash
       gecos: Brian Alliet
       userPassword:: XXXXXX

    6. Populating the LDAP database
       - Use GQ
       - Scripts to automatically convert /etc/passwd to LDAP
       - Manually creating new LDIF files (not recommended)
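A script of the kind the second bullet refers to, as an added example (not the presentation's own code): it turns /etc/passwd and /etc/shadow lines into posixAccount LDIF entries shaped like the one on slide 5, base64-encoding values that are not LDIF-safe and skipping accounts below a minimum UID. The base DN, the constructed sample input and the use of the {CRYPT} scheme for the existing hash are assumptions.

```python
import base64
BASE_DN = "ou=People,dc=brianweb,dc=net"  # assumed base; matches the slide 5 entry

# Constructed sample input in /etc/passwd and /etc/shadow format (not real hashes)
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
brian:x:1000:1000:Brian Alliet:/home/brian:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""
SAMPLE_SHADOW = "brian:$6$constructedsalt$constructedhash:19000:0:99999:7:::\n"

def ldif_line(attr, value):
    """'attr: value', or 'attr:: <base64>' when value is not an RFC 2849
    SAFE-STRING (non-ASCII, NUL/CR/LF, or leading space, ':' or '<')."""
    safe = (value.isascii() and not any(c in value for c in "\0\r\n")
            and not value.startswith((" ", ":", "<")))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode()}"

def rdn_escape(value):
    """Escape characters that are special in a DN component (RFC 4514)."""
    return "".join("\\" + c if c in ',+"\\<>;=#' else c for c in value)

def passwd_to_ldif(passwd_text, shadow_text, min_uid=1000):
    """Convert passwd lines to posixAccount LDIF. Accounts below min_uid are
    skipped so root and service accounts stay in local files (cf. pam_min_uid)."""
    # name -> hash field from /etc/shadow
    hashes = {l.split(":")[0]: l.split(":")[1] for l in shadow_text.splitlines() if l}
    entries = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, uid, gid, gecos, home, shell = line.split(":")
        if int(uid) < min_uid:
            continue
        cn = gecos.split(",")[0] or name  # full-name field of GECOS
        lines = [
            f"dn: cn={rdn_escape(cn)},{BASE_DN}",
            "objectClass: person", "objectClass: posixAccount",
            ldif_line("cn", cn), ldif_line("sn", cn.split()[-1]),  # person needs sn
            ldif_line("uid", name), f"uidNumber: {uid}", f"gidNumber: {gid}",
            ldif_line("homeDirectory", home), ldif_line("loginShell", shell),
            ldif_line("gecos", gecos),
        ]
        if hashes.get(name) not in (None, "", "!", "*"):
            # {CRYPT} lets slapd verify the existing Unix hash without rehashing
            lines.append(ldif_line("userPassword", "{CRYPT}" + hashes[name]))
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n"
```

Feed the output to ldapadd; locked accounts (hash "!" or "*") get no userPassword and therefore cannot bind.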

    7. GQ Screenshot

    8. PAM
       - Stands for "Pluggable Authentication Modules"
       - Used to allow authentication sources to be added or modified on the system without rebuilding all the programs that require authentication

    9. pam.conf
       login   auth       required   pam_unix.so
       login   account    required   pam_unix.so
       login   password   required   pam_permit.so
       login   session    required   pam_permit.so

    10. pam.conf with LDAP added
       login   auth       sufficient pam_unix.so
       login   auth       required   pam_ldap.so try_first_pass
       login   account    required   pam_unix.so
       login   password   required   pam_permit.so
       login   session    required   pam_permit.so

    11. pam_ldap config file
       - Contains the hostname of the LDAP server
       - Contains the LDAP tree to look under for accounts
       - Contains the query used to map usernames to LDAP records

    12. ldap.conf
       base        dc=brianweb,dc=net
       uri         ldap://myldap_server/
       pam_filter  objectclass=posixAccount
       pam_min_uid 1000

    13. Diagram of PAM w/ pam_ldap

    14. One more problem!
       - pam_ldap allows PAM to authenticate against an LDAP database, but it doesn't allow applications to do UID/GID mapping against LDAP
       - Users still need entries in /etc/passwd

    15. Solution - nss_ldap
       - NSS module that allows NSS to look up passwd information from LDAP
       - Uses the same client configuration file as pam_ldap, so no additional configuration is required
       - Needs to be added to /etc/nsswitch.conf

    16. nsswitch.conf
       - Similar to pam.conf
       - Used by the system to find the services that supply user account info (the stuff in passwd) as well as several other databases
       - Each line specifies a database
       - The list of services (and the order to consult them in) appears after the database

    17. nsswitch.conf - before and after
       # Before
       passwd: files
       group:  files

       # After
       passwd: files ldap
       group:  files ldap

    18. Diagram of NSS w/ nss_ldap

    19. Problems with this simple Setup
       - No redundancy
       - If your LDAP server goes down nobody can log in
       - Can be solved by adding additional LDAP servers and configuring replication between them

    20. Problems with this simple Setup
       - No encryption
       - All data flows over the network in clear text
       - Can be solved by configuring pam_ldap and nss_ldap to use TLS (the successor to SSL)

    21. Other Applications
       Once this infrastructure is in place it can be built on and integrated with more programs:
       - Postfix (MTA)
       - Apache (Web Server)
       - Custom Applications
       - Countless others

    22. Postfix
       - LDAP can be used for nearly anything in Postfix
       - Any part of the configuration that involves mapping a key to a value can be done with an LDAP query

    23. LDAP Entry containing Mail Aliases
       # Brian Alliet, People, brianweb.net
       dn: cn=Brian Alliet,ou=People,dc=brianweb,dc=net
       cn: Brian Alliet
       uid: brian
       mailAcceptingAddress: webmaster@brianweb.net
       mailAcceptingAddress: webmaster@brian-web.com
       mailAcceptingAddress: webmaster@alliet.com
       mailAcceptingAddress: info@brian-web.com
       mailAcceptingAddress: info@brianweb.net
       mailAcceptingAddress: info@alliet.com
       mailAcceptingAddress: hostmaster@brianweb.net
       mailAcceptingAddress: hostmaster@brian-web.com
       mailAcceptingAddress: hostmaster@the-glow.net

    24. Postfix Configuration
       ldap_virtual_server_host = ldap_host
       ldap_virtual_bind =
       ldap_virtual_search_base = dc=myco,dc=net
       ldap_virtual_query_filter = (&(objectclass=posixAccount)(mailAcceptingAddress=%s))
       ldap_virtual_result_attribute = uid
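Both the pam_filter on slide 12 and the %s query filter on slide 24 embed a value the client did not choose (a login name, a recipient address) in an LDAP search filter. The following added example, not part of the presentation, shows how such a filter is assembled and why the embedded value must be escaped per RFC 4515 first, so that filter metacharacters in a name or address are matched literally rather than changing which entries the query returns; the exact way pam_ldap and Postfix build their filters internally is an assumption, the escaping rule is from the RFC.

```python
# Configuration values as they appear on slides 12 and 24
PAM_FILTER = "objectclass=posixAccount"
POSTFIX_QUERY_FILTER = "(&(objectclass=posixAccount)(mailAcceptingAddress=%s))"

def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in a search filter: backslash,
    '*', '(', ')' and NUL become \\XX hex pairs and are then matched literally
    instead of being parsed as filter syntax."""
    specials = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}
    return "".join(specials.get(c, c) for c in value)

def pam_user_filter(username, pam_filter=PAM_FILTER):
    """Filter that maps a login name to its record: the configured pam_filter
    ANDed with uid=<name> (assumed shape; pam_filter may be written with or
    without its own surrounding parentheses)."""
    if not pam_filter.startswith("("):
        pam_filter = f"({pam_filter})"
    return f"(&{pam_filter}(uid={escape_filter_value(username)}))"

def postfix_filter(lookup_key, template=POSTFIX_QUERY_FILTER):
    """Expand Postfix's %s placeholder with the escaped lookup key."""
    return template.replace("%s", escape_filter_value(lookup_key))

if __name__ == "__main__":
    print(pam_user_filter("brian"))
    print(postfix_filter("webmaster@brianweb.net"))
    print(pam_user_filter("*"))  # the wildcard is neutralised, not matched
```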

    25. Apache LDAP integration
       - Apache can use LDAP for user authentication
       - Different authentication configurations can be used for each directory

    26. Apache Configuration Example
       <Location "/mp3/">
           AuthName "Brian's MP3s"
           AuthType Basic
           AuthLDAPURL ldap://localhost/ou=People,dc=brianweb,dc=net
           Require valid-user
           Options +Indexes
       </Location>

    27. Custom Applications
