FOSS Community India

Scope

This document covers setting up a centralized authentication server with sudo access using OpenLDAP, and configuring clients to authenticate against that server.

This is a very practical document. It has been tested on Linux and Solaris. It does not explain what LDAP is or its theory, since that can easily be found elsewhere.

While setting this up, it turned out that there is no single place where one can get all the steps for setting up such a server; one has to search in various places for minor things. This compilation therefore covers all the steps for setting up the server as defined above.

Operating Systems Used

  • Fedora Core-4 Linux
  • Solaris 9.


Setup OpenLDAP Server:

Installing OpenLDAP on Solaris Server

  1. Download the OpenLDAP package for Solaris 9 or 10 and gunzip it.
  2. sudo pkgadd -d <file name of openldap software>
  3. I prefer to download the tarball from openldap.org, then compile and install it. For more references see www.openldap.org
  4. If you install it with "pkgadd", then by default ldap's config files and schemas are in "/usr/local/etc/openldap" and "slapd" is in "/usr/local/libexec/"

Installing OpenLDAP on Linux Server

  1. Download the tarball from openldap.org. Untar it, go to the newly created directory and give the following commands:
 # ./configure
 # make
 # make install
  2. On Debian-type distros you can use "apt-get install openldap" or "apt-get install slapd"
  3. The detailed installation procedure is on www.openldap.org

Configuring OpenLDAP server:

In my example:

  1. Configuration files are in ----> /usr/local/etc/openldap
  2. Database Directory ----> /var/lib/openldap
  3. “slapd” binary is in ----> /usr/local/libexec
  4. ldap binaries like ldapadd ----> /usr/local/bin/
  5. “slapadd” binary ----> /usr/local/sbin

Note: These file locations can be different for you.

  1. Changes in /usr/local/etc/openldap/slapd.conf:
 include /usr/local/etc/openldap/schema/core.schema

This line is there by default. Just add the "schema" lines given below. Keep cosine.schema before nis.schema and inetorgperson.schema, because both of those use attribute types defined in cosine.schema and slapd reads the includes in order:

 include /usr/local/etc/openldap/schema/cosine.schema
 include /usr/local/etc/openldap/schema/inetorgperson.schema
 include /usr/local/etc/openldap/schema/nis.schema
 include /usr/local/etc/openldap/schema/corba.schema
 include /usr/local/etc/openldap/schema/dyngroup.schema
 include /usr/local/etc/openldap/schema/java.schema
 include /usr/local/etc/openldap/schema/misc.schema
 include /usr/local/etc/openldap/schema/openldap.schema
 include /usr/local/etc/openldap/schema/ppolicy.schema
 database bdb
 suffix "dc=example,dc=com"
 rootdn "cn=admin,dc=example,dc=com"
 rootpw secret
 directory /var/lib/openldap/

The database, suffix, rootdn and directory lines are there by default; change them as per your need, and please create that directory. The rootpw line is commented out in the stock file; it must be set to the password used with -w in the ldapadd commands below ("secret" in this document). "slappasswd" prints a hashed value that can be used in place of the cleartext.

  2. Check that the slapd.conf file is ok with the following command (slapd in test mode reports schema and syntax errors and exits):
 # /usr/local/libexec/slapd -T test -f /usr/local/etc/openldap/slapd.conf
  3. Create people.ldif and put the following entries in it. The first entry creates the base dc=example,dc=com, which must exist before anything can be added under it; LDIF entries are separated by a blank line:
 dn: dc=example,dc=com
 objectClass: dcObject
 objectClass: organization
 dc: example
 o: Example Organization

 dn: ou=People,dc=example,dc=com
 objectClass: organizationalUnit
 ou: People
  4. Import /usr/local/etc/openldap/people.ldif offline (slapd must not be running yet):
 # sudo /usr/local/sbin/slapadd -l /usr/local/etc/openldap/people.ldif \
 -f /usr/local/etc/openldap/slapd.conf

Note: You can also add it online. After starting the slapd server you need to give the following command:

 # sudo /usr/local/bin/ldapadd -x -f /usr/local/etc/openldap/people.ldif \
 -D cn=admin,dc=example,dc=com -w secret
  5. Start the slapd server, i.e. the OpenLDAP server:
 # sudo /usr/local/libexec/slapd -f /usr/local/etc/openldap/slapd.conf

Check whether the server is up:

 # ps -ef | grep slapd
 # netstat -an | grep 389
  6. Create Group.ldif and put the following entries in it:
 dn: ou=Group,dc=example,dc=com
 objectClass: organizationalUnit
 ou: Group
  7. Import Group.ldif online:
 # sudo /usr/local/bin/ldapadd -x -f \
 /usr/local/etc/openldap/Group.ldif -D cn=admin,dc=example,dc=com \
 -w secret
  8. Creating passwd.ldif & usergroups.ldif

For this you need to download the Migration Tools, which are written in Perl. The URL is given below:

Migration Tool.

Untar MigrationTools.tgz in /usr/local/etc/openldap/migrate. For convenience, create the directory /usr/local/etc/openldap/ldif_files

Copy /etc/passwd and /etc/group to /usr/local/etc/openldap/

Go to /usr/local/etc/openldap/migrate and give the following commands:

 # ./migrate_passwd.pl /usr/local/etc/openldap/passwd /usr/local/etc/openldap/ldif_files/passwd.ldif
 # ./migrate_group.pl /usr/local/etc/openldap/group /usr/local/etc/openldap/ldif_files/usergroups.ldif

Open passwd.ldif and make the following changes in it:

Replace dc=padl with dc=example

Add the line given below to each user entry in passwd.ldif:

 objectClass: shadowAccount

Copy each user's encrypted password from /etc/shadow and paste it in the line given below:

 userPassword: {crypt}<PASTE YOUR PASSWD from Shadow file HERE>

Check the paths of the users' home directories and change them in passwd.ldif accordingly.

Open usergroups.ldif and make the following change:

Replace dc=padl with dc=example
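Doing the four edits above by hand is error-prone once there are more than a handful of users, and a mistake in a userPassword line locks someone out (or worse, leaves the "{crypt}x" placeholder in place). The script below is an added example, not part of this page, of OpenLDAP or of the PADL MigrationTools; it applies the same edits to migrate_passwd.pl output. The sample LDIF and shadow lines are constructed. It assumes one attribute per line (no LDIF line folding or base64 "::" values), entries separated by a blank line, and the "{crypt}x" placeholder that migration copies from /etc/passwd.

```python
#!/usr/bin/env python3
"""Apply the hand edits described above to migrate_passwd.pl output.

Added example for this page; it is not part of the page, of OpenLDAP or of
the PADL MigrationTools. Assumptions: one attribute per line (no LDIF line
folding, no base64 '::' values), entries separated by a blank line, and a
migrated userPassword placeholder of '{crypt}x' copied from /etc/passwd.
"""

# Constructed sample of migrate_passwd.pl output (not real users).
SAMPLE_PASSWD_LDIF = """\
dn: uid=alice,ou=People,dc=padl,dc=com
uid: alice
cn: alice
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: {crypt}x
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/alice

dn: uid=bob,ou=People,dc=padl,dc=com
uid: bob
cn: bob
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: {crypt}x
loginShell: /bin/sh
uidNumber: 1002
gidNumber: 1002
homeDirectory: /home/bob
"""

# Constructed /etc/shadow lines; the hash is a placeholder, bob is locked.
SAMPLE_SHADOW = """\
alice:$6$c0nstructed$placeholder.hash.value:16000:0:99999:7:::
bob:!:16000:0:99999:7:::
"""


def load_shadow(shadow_text):
    """Map user name -> password field (second column) of /etc/shadow."""
    hashes = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0]:
            hashes[fields[0]] = fields[1]
    return hashes


def remap_home(path, home_map):
    """Rewrite a home directory prefix, e.g. /home/alice -> /export/home/alice."""
    for old, new in home_map.items():
        old = old.rstrip("/")
        if path == old or path.startswith(old + "/"):
            return new.rstrip("/") + path[len(old):]
    return path


def fix_passwd_ldif(ldif_text, shadow_text="", old_suffix="dc=padl,dc=com",
                    new_suffix="dc=example,dc=com", home_map=None):
    """Return the LDIF with the page's edits applied: suffix replaced,
    objectClass shadowAccount added to every posixAccount entry, userPassword
    filled from the shadow hash, and home directory prefixes remapped.
    With shadow_text="" and no home_map it only rewrites the suffix, which is
    all usergroups.ldif needs."""
    hashes = load_shadow(shadow_text)
    home_map = home_map or {}
    fixed = []
    for entry in ldif_text.strip().split("\n\n"):
        lines = [l.replace(old_suffix, new_suffix) for l in entry.splitlines()]
        uid = next((l.split(":", 1)[1].strip() for l in lines if l.startswith("uid:")), None)
        out = []
        for line in lines:
            if line == "objectClass: posixAccount" and "objectClass: shadowAccount" not in lines:
                out.append(line)
                line = "objectClass: shadowAccount"   # add right after posixAccount
            elif line.startswith("userPassword:") and uid in hashes:
                line = "userPassword: {crypt}" + hashes[uid]   # locked '!' / '*' stay locked
            elif line.startswith("homeDirectory:"):
                line = "homeDirectory: " + remap_home(line.split(":", 1)[1].strip(), home_map)
            out.append(line)
        fixed.append("\n".join(out))
    return "\n\n".join(fixed) + "\n"


if __name__ == "__main__":
    print(fix_passwd_ldif(SAMPLE_PASSWD_LDIF, SAMPLE_SHADOW,
                          home_map={"/home": "/export/home"}))
```

Run it against the real files as root (the shadow file is only readable by root) and redirect the output to a fresh passwd.ldif; a user missing from the shadow file keeps the "{crypt}x" placeholder, which crypt(3) never matches, so that user simply cannot log in until the entry is fixed.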

  9. Import usergroups.ldif & passwd.ldif
 # sudo /usr/local/bin/ldapadd -x -f \
 /usr/local/etc/openldap/ldif_files/usergroups.ldif -D cn=admin,dc=example,dc=com -w secret
 # sudo /usr/local/bin/ldapadd -x -f \
 /usr/local/etc/openldap/ldif_files/passwd.ldif -D cn=admin,dc=example,dc=com -w secret
  10. For sudo access via LDAP add the following line to /usr/local/etc/openldap/slapd.conf
 include /usr/local/etc/openldap/schema/sudo.schema

Create /usr/local/etc/openldap/schema/sudo.schema

Put the lines given below in /usr/local/etc/openldap/schema/sudo.schema:

 attributetype ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser'
     DESC 'User(s) who may run sudo'
     EQUALITY caseExactIA5Match
     SUBSTR caseExactIA5SubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )

 attributetype ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost'
     DESC 'Host(s) who may run sudo'
     EQUALITY caseExactIA5Match
     SUBSTR caseExactIA5SubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )

 attributetype ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand'
     DESC 'Command(s) to be executed by sudo'
     EQUALITY caseExactIA5Match
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )

 attributetype ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs'
     DESC 'User(s) impersonated by sudo'
     EQUALITY caseExactIA5Match
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )

 attributetype ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption'
     DESC 'Options(s) followed by sudo'
     EQUALITY caseExactIA5Match
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )

 objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole'
     SUP top STRUCTURAL
     DESC 'Sudoer Entries'
     MUST ( cn )
     MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $
           description ) X-ORIGIN 'SUDO' )

Note: I have created this as per my requirement; you can modify it as per yours.

Stop the slapd server by killing it and start it again in the way given above. Please recheck whether it has started.

Create /usr/local/etc/openldap/ldif_files/sudoaccess.ldif and put the following lines in it. The first entry creates the ou=SUDOers container that the rules live under, and a blank line separates the entries. Note that Rule1 as written lets every user run every command on every host without a password; narrow sudoUser, sudoHost and sudoCommand to what your environment actually needs:

 dn: ou=SUDOers,dc=example,dc=com
 objectClass: organizationalUnit
 ou: SUDOers

 dn: cn=defaults,ou=SUDOers,dc=example,dc=com
 cn: defaults
 sudoOption: ignore_dot
 sudoOption: !mail_no_user
 sudoOption: !root_sudo
 sudoOption: log_host
 sudoOption: logfile=/var/log/sudolog
 sudoOption: !syslog
 sudoOption: timestamp_timeout=10
 objectClass: top
 objectClass: sudoRole
 description: Default sudoOption's

 dn: cn=Rule1,ou=SUDOers,dc=example,dc=com
 cn: Rule1
 sudoOption: !authenticate
 objectClass: top
 objectClass: sudoRole
 sudoHost: ALL
 sudoCommand: ALL
 sudoUser: ALL
 description: Allowed without password for ALL users
  11. Import /usr/local/etc/openldap/ldif_files/sudoaccess.ldif:
 # sudo /usr/local/bin/ldapadd -x -f \
 /usr/local/etc/openldap/ldif_files/sudoaccess.ldif -D \
 cn=admin,dc=example,dc=com -w secret
  12. Our OpenLDAP server is ready now. Check it with "slapcat" and "ldapsearch".
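Once the SUDOers subtree is in the directory, it is worth checking what the sudoRole entries actually grant before pointing clients at it. The script below is an added example, not part of this page, of OpenLDAP or of sudo's LDAP back end: it parses a slapcat-style export of ou=SUDOers (the two entries from this page plus a constructed narrower role, cn=ops), lists roles that grant ALL users ALL commands on ALL hosts, and shows which roles apply to a given user, group list and host. The matching is a deliberately simplified form of sudo's own: ALL, exact user or host names and %group membership only; wildcards, netgroups, negated entries and sudoRunAs are out of scope.

```python
#!/usr/bin/env python3
"""Audit sudoRole entries from the SUDOers subtree for over-broad grants.

Added example for this page; it is not part of the page, of OpenLDAP or of
sudo's LDAP back end. It reads LDIF as slapcat/ldapsearch print it
(assumption: one attribute per line, no folding, no base64 '::' values) and
applies a deliberately simplified form of sudo's matching: ALL, an exact
user or host name, and %group membership. Wildcards, netgroups, negated
entries and sudoRunAs are out of scope here.
"""

# Constructed slapcat-style export: the page's two entries plus a narrower
# constructed role (cn=ops) for comparison.
SAMPLE_SUDOERS_LDIF = """\
dn: ou=SUDOers,dc=example,dc=com
objectClass: organizationalUnit
ou: SUDOers

dn: cn=defaults,ou=SUDOers,dc=example,dc=com
cn: defaults
sudoOption: ignore_dot
sudoOption: !mail_no_user
sudoOption: !root_sudo
sudoOption: log_host
sudoOption: logfile=/var/log/sudolog
sudoOption: !syslog
sudoOption: timestamp_timeout=10
objectClass: top
objectClass: sudoRole
description: Default sudoOption's

dn: cn=Rule1,ou=SUDOers,dc=example,dc=com
cn: Rule1
sudoOption: !authenticate
objectClass: top
objectClass: sudoRole
sudoHost: ALL
sudoCommand: ALL
sudoUser: ALL
description: Allowed without password for ALL users

dn: cn=ops,ou=SUDOers,dc=example,dc=com
cn: ops
objectClass: top
objectClass: sudoRole
sudoUser: %ops
sudoHost: client1.example.com
sudoCommand: /usr/sbin/service
description: constructed example of a narrow rule
"""


def parse_ldif(text):
    """Split LDIF into a list of {attribute: [values]} dicts, one per entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip(), []).append(value.strip())
        entries.append(attrs)
    return entries


def sudo_roles(entries):
    """sudoRole entries other than cn=defaults, which carries only options."""
    return [e for e in entries
            if "sudoRole" in e.get("objectClass", []) and e.get("cn") != ["defaults"]]


def user_matches(spec, user, groups):
    """sudoUser value: ALL, %group, or a user name."""
    if spec == "ALL":
        return True
    if spec.startswith("%"):
        return spec[1:] in groups
    return spec == user


def host_matches(spec, host):
    """sudoHost value: ALL or a host name."""
    return spec == "ALL" or spec == host


def permitted_commands(entries, user, groups, host):
    """(cn, sudoCommand values, passwordless) for each role applying to user@host."""
    result = []
    for role in sudo_roles(entries):
        if not any(user_matches(u, user, groups) for u in role.get("sudoUser", [])):
            continue
        if not any(host_matches(h, host) for h in role.get("sudoHost", [])):
            continue
        passwordless = "!authenticate" in role.get("sudoOption", [])
        result.append((role["cn"][0], role.get("sudoCommand", []), passwordless))
    return result


def overly_broad_roles(entries):
    """cn of roles that let ALL users run ALL commands on ALL hosts."""
    return [r["cn"][0] for r in sudo_roles(entries)
            if all("ALL" in r.get(attr, [])
                   for attr in ("sudoUser", "sudoHost", "sudoCommand"))]


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_SUDOERS_LDIF)
    print("over-broad roles:", overly_broad_roles(entries))
    for who, grp, host in (("alice", ["ops"], "client1.example.com"),
                           ("carol", [], "client2.example.com")):
        print(who, "@", host, "->", permitted_commands(entries, who, grp, host))
```

Feed it the output of "slapcat" filtered to the SUDOers subtree (or an "ldapsearch -b ou=SUDOers,dc=example,dc=com" run) after every change to sudoaccess.ldif; with the page's entries it reports Rule1 as over-broad and shows that an unknown user on an unknown host still gets ALL commands without a password.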

Setup Client to get authentication from LDAP Server:

For Linux:

  1. On RedHat you can use authconfig. In it you just have to specify the authentication type as LDAP and set the proper server and base DN. Otherwise, make the changes by hand as follows.
  2. Please replace the lines given below in /etc/nsswitch.conf

Old Values:

 passwd: files
 group: files

New Values:

 passwd: ldap files
 group: ldap files
  3. After changing /etc/nsswitch.conf as given above, make these changes in /etc/ldap.conf:
 BASE   dc=example,dc=com
 URI  ldap://10.27.6.67:389

Please uncomment the following lines:

 nss_base_passwd  ou=People,dc=example,dc=com?one
 nss_base_shadow  ou=People,dc=example,dc=com?one
 nss_base_group  ou=Group,dc=example,dc=com?one
  4. Changes needed in /etc/pam.d/login:

First please check whether the LDAP module is available:

 # ls -l /lib/security/pam_ldap.so

Then make the following changes in /etc/pam.d/login:

 auth      required    pam_securetty.so
 auth      sufficient  pam_ldap.so
 auth      required    pam_stack.so service=system-auth
 auth      required    pam_nologin.so
 account   sufficient  pam_ldap.so
 account   required    pam_stack.so service=system-auth
 password  sufficient  pam_ldap.so
 password  required    pam_stack.so service=system-auth
 session   sufficient  pam_ldap.so
 session   required    pam_stack.so service=system-auth
 session   optional    pam_console.so
 session   required    /lib/security/pam_limits.so
  5. For sudo access you need to recompile & install sudo in the way given below:

Untar the sudo tarball and in that directory:

 # sudo ./configure --prefix=/usr/local/sudo --with-ldap --with-ldap-conf-file=/etc/sudo.ldap
 # sudo make
 # sudo make install

It will install the new sudo in /usr/local/sudo. From now on we need to use /usr/local/sudo/bin/sudo every time.

Create /etc/sudo.ldap. Put the following lines in that file:

 host <server IP/hostname>
 sudoers_base ou=SUDOers,dc=example,dc=com

For Solaris:

  1. Use the following commands:
 # ldapclient manual -a defaultSearchBase=dc=example,dc=com \
 -a domainName=test.example.com \
 -a defaultServerList=<IP of LDAP server>:389

To check, use:

 # ldaplist
  2. Please replace the lines given below in /etc/nsswitch.conf

Old Values:

 passwd: files
 group: files

New Values:

 passwd: ldap files
 group: ldap files
  3. Create the users' home directories as per the paths given in the LDAP server configs and set permissions properly.
  4. Changes in /etc/pam.conf
 login   auth      requisite   pam_authtok_get.so.1
 login   auth      required    pam_dhkeys.so.1
 login   auth      sufficient  pam_ldap.so.1
 login   auth      required    pam_unix_auth.so.1
 login   auth      required    pam_dial_auth.so.1
 #other  auth      requisite   pam_authtok_get.so.1
 other   auth      required    pam_dhkeys.so.1
 other   auth      sufficient  pam_ldap.so.1
 other   auth      required    pam_unix_auth.so.1
 #
 # Account management
 login   account   requisite   pam_roles.so.1
 login   account   required    pam_projects.so.1
 login   account   sufficient  pam_ldap.so.1
 #other  account   requisite   pam_roles.so.1
 other   account   required    pam_projects.so.1
 other   account   sufficient  pam_ldap.so.1
 other   account   required    pam_unix_account.so.1
 #
 # Password management
 other   password  sufficient  pam_ldap.so.1
 other   password  required    pam_dhkeys.so.1
 other   password  requisite   pam_authtok_get.so.1
 other   password  requisite   pam_authtok_check.so.1
 other   password  required    pam_authtok_store.so.1
  5. Now try logging in as different users.
  6. For sudo access you need to recompile & install sudo in the way given below:

Untar the sudo tarball and in that directory:

 # sudo ./configure --prefix=/usr/local/sudo --with-ldap \
 --with-ldap-conf-file=/etc/sudo.ldap
 # sudo make
 # sudo make install

It will install the new sudo in /usr/local/sudo. From now on we need to use /usr/local/sudo/bin/sudo every time.

Create /etc/sudo.ldap. Put the following lines in that file:

 host <server ip/hostname>
 sudoers_base ou=SUDOers,dc=example,dc=com
  7. Now check sudo access for all users.

Note: With centralized authentication we can set up the users' home directories on one server, share them with NFS and mount them on the clients. This works well because not many processes run inside home directories, so CPU usage on the NFS server is not a worry, and it is also very useful for uploads.
