Difference between revisions of "Howto Ldap Auth"
Jump to navigation
Jump to search
| (16 intermediate revisions by 5 users not shown) | |||
| Line 1: | Line 1: | ||
| − | + | {{mbox |type=warning |text=This information is out of date. [[IT Infrastructure|Up-to-date IT information can be found here]] }} | |
External services that authenticate users often use Ldap for authentication. | External services that authenticate users often use Ldap for authentication. | ||
| Line 8: | Line 8: | ||
| − | Use <code>pwgen 64</code> | + | Use <code>pwgen 64</code> to generate a password. Then create your user. |
samba-tool user create ps1-sa-servicename | samba-tool user create ps1-sa-servicename | ||
| − | |||
| − | |||
| − | |||
== Common Settings == | == Common Settings == | ||
| Line 62: | Line 59: | ||
| mail | | mail | ||
| ldap field that stores the user's email address | | ldap field that stores the user's email address | ||
| + | |- | ||
| Minimum password length | | Minimum password length | ||
| 1 | | 1 | ||
| Line 68: | Line 66: | ||
| − | * | + | * Depending on how the filter is applied, you may need to put a <code>!</code> in front to negate it. The current format filters on users that are not disabled. |
| − | * | + | * You almost always want to get debug info for ldap when setting up. There are a lot of things that can go wrong. |
| − | * | + | * Start without the filter field, add it later. |
| − | * | + | * When a service checks a password, it usually attempts to bind to samba as that user. To bind successfully, it needs to bind as user@PS1 |
| − | * | + | ** Some services apply setting different e.g. as a regex on the user, or as a template setting. |
| + | * If you try and bind to ldap with a 0 length password, it "works", sort of. There is no error, but you can't access anything substantial. This is enough to fool services into thinking that the password was correct. | ||
| + | |||
| + | == ldapsearch == | ||
| + | |||
| + | ldapsearch is a handy tool that is part of open ldap. You can query some handy information out of our ldap servers as follows if you have an account to bind with: | ||
| + | |||
| + | You may need to set LDAPTLS_REQCERT=allow before those commands. | ||
| + | |||
| + | #list laser cutter certified: | ||
| + | ldapsearch -v -x -H ldaps://bob.ad.pumpingstationone.org -b "DC=ad,DC=pumpingstationone,DC=org" -D "PS1\myuser" -W "CN=Laser Engraver Certified" | ||
| + | #list domain Admins | ||
| + | ldapsearch -v -x -H ldaps://bob.ad.pumpingstationone.org -b "CN=Users,DC=ad,DC=pumpingstationone,DC=org" -D "PS1\myuser" -W "CN=Domain Admins" | ||
| + | |||
| + | |||
| + | Remember you can use space.pumpingstationone.org if it is outside PS1 network. | ||
| + | |||
| + | == Apache mod_authnz_ldap == | ||
| + | |||
| + | The following example is useful for making members-only sites and web apps. See https://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html for additional information. You will also need to enable the mod_authnz_ldap and mod_ldap apache modules. | ||
| + | |||
| + | #Very important, Don't bind in cleartext. Can't be defined as part of your location or directory block, so make sure you don't skip it. | ||
| + | LDAPTrustedMode TLS | ||
| + | <Location/protected> | ||
| + | AuthName "AD Authentication" | ||
| + | AuthType Basic | ||
| + | AuthUserFile /dev/null | ||
| + | AuthBasicProvider ldap | ||
| + | #LDAP-URI will be bob.ad.pumpingstationone.org for internal apps, space.pumpingstationone.org for external apps. | ||
| + | AuthLDAPURL "ldap://[[LDAP-URI]/cn=Users,dc=ad,dc=pumpingstationone,dc=org?sAMAccountName?sub?(objectClass=*)" | ||
| + | #You should generate a new account per authenticated service. Just create a new user on the DC. | ||
| + | AuthLDAPBindDN cn=[SERVICE-ACCOUNT],cn=Users,dc=ad,dc=pumpingstationone,dc=org | ||
| + | AuthLDAPBindPassword [SERVICE-ACCOUNT-PASSWORD] | ||
| + | #Set require where appropriate, example shows "All valid users" and "Domain admins only" (commented out) | ||
| + | #Require ldap-group cn=Domain Admins,cn=users,dc=ad,dc=pumpingstationone,dc=org | ||
| + | Require valid-user | ||
| + | </Location> | ||
| + | |||
| + | == Nginx nginx-auth-ldap == | ||
| + | |||
| + | Nginx doesn't support LDAP authentication with it's default modules, so a third-party module (https://github.com/kvspb/nginx-auth-ldap) is required. More information can be found here: http://deezx.github.io/blog/2015/04/24/how-to-configure-nginx-with-ldap-authentication/ | ||
| + | |||
| + | This is not a good idea, since nginx-auth-ldap does not support STARTTLS encryption, only ldaps on port 636. A better option for those requiring nginx might be auth_pam, and pam/sssd configured to authenticate via AD. Do not use this configuration in production, or on off-site services. Only for use in development environments, authenticating with bob from the local PS1 network. | ||
| + | |||
| + | Building nginx 1.8.0 from source with LDAP support on Debian Jessie | ||
| + | |||
| + | apt-get remove nginx | ||
| + | apt-get install libldap2-dev libpcre3-dev build-essential | ||
| + | wget http://nginx.org/download/nginx-1.8.0.tar.gz | ||
| + | git clone https://github.com/kvspb/nginx-auth-ldap.git | ||
| + | tar -zxvf nginx-1.8.0.tar.gz | ||
| + | cd nginx-1.8.0 | ||
| + | ./configure --user=nginx \ | ||
| + | --group=nginx \ | ||
| + | --prefix=/etc/nginx \ | ||
| + | --sbin-path=/usr/sbin/nginx \ | ||
| + | --conf-path=/etc/nginx/nginx.conf \ | ||
| + | --pid-path=/var/run/nginx.pid \ | ||
| + | --lock-path=/var/run/nginx.lock \ | ||
| + | --error-log-path=/var/log/nginx/error.log \ | ||
| + | --http-log-path=/var/log/nginx/access.log \ | ||
| + | --with-http_gzip_static_module \ | ||
| + | --with-http_stub_status_module \ | ||
| + | --with-http_ssl_module \ | ||
| + | --with-pcre \ | ||
| + | --with-file-aio \ | ||
| + | --with-http_realip_module \ | ||
| + | --add-module=../nginx-auth-ldap \ | ||
| + | --with-ipv6 \ | ||
| + | --with-debug | ||
| + | make | ||
| + | make install | ||
| + | |||
| + | If you didn't have debian-packaged nginx installed previously, you will also want to install and configure an nginx init script/systemd service unit. | ||
| + | |||
| + | Configuring nginx: | ||
| + | * /etc/nginx/nginx.conf (add to http{} block) | ||
| + | |||
| + | ## | ||
| + | #LDAP authentication Settings | ||
| + | ## | ||
| + | |||
| + | auth_ldap_cache_enabled on; | ||
| + | auth_ldap_cache_expiration_time 10000; | ||
| + | auth_ldap_cache_size 1000; | ||
| + | ldap_server BOB { | ||
| + | url "ldap://bob.ad.pumpingstationone.org:389/cn=users,dc=ad,dc=pumpingstationone,dc=org?sAMAccountName?sub?(objectClass=*)"; | ||
| + | binddn "PS1\SERVICE-ACCOUNT"; | ||
| + | binddn_passwd "SERVICE-ACCOUNT-PASSWORD"; | ||
| + | connect_timeout 5s; | ||
| + | bind_timeout 5s; | ||
| + | request_timeout 5s; | ||
| + | satisfy any; | ||
| + | group_attribute member; | ||
| + | group_attribute_is_dn on; | ||
| + | require group "cn=Domain Admins,cn=users,dc=ad,dc=pumpingstationone,dc=org"; | ||
| + | } | ||
| + | |||
| + | * /etc/nginx/sites-available/site.conf (add to your vhost's server{} block) | ||
| + | |||
| + | auth_ldap "AD authentication"; | ||
| + | auth_ldap_servers BOB; | ||
| + | |||
| + | [[Category: Systems Group]] | ||
Latest revision as of 14:04, 1 November 2018
 | This information is out of date. Up-to-date IT information can be found here |
External services that authenticate users often use Ldap for authentication.
Create a service account
Many, but not all, services require a user account and password to do authentication.
Use pwgen 64 to generate a password. Then create your user.
samba-tool user create ps1-sa-servicename
Common Settings
| Field | Value | Description |
|---|---|---|
| server | bob.ad.pumpingstationone.org | |
| port | 389 | |
| Security | TLS or set useTLS to True | TLS is a non-port changing encryption setting. Do not deploy with this setting off or disabled. |
| BindDN | CN=ps1-sa-serviceaccount,CN=Users,DC=ad,DC=pumpingstationone,DC=org | This is the username that the ldapclient is going to bind to ldap with |
| BindDN password | xienaiK0ohchaCao7pohv9auw2ohgaixieReeY7ahngoo1uingu9Shaokohfiej7 | The password for the service account you created earlier. |
| BaseDN | CN=Users,DC=ad,DC=pumpingstationone,DC=org | This is where the user list is filtered from. |
| uid or username | sAMAccountName | Our user's difinitive username is stored in the sAMAccountName Field on the ldap object. |
| filter | (userAccountControl:1.2.840.113556.1.4.803:=2) | Filters on not disabled account. Sometimes this needs to be preceded with a ! to negate the filter.
|
| Account Suffix | @PS1 | When attempting to check password, the sAMAccountName needs the suffix appeneded to it. |
| ldap field that stores the user's email address | ||
| Minimum password length | 1 | AD lets users bind to ldap with 0 length passwords. It's fscked up, but accepted. |
- Depending on how the filter is applied, you may need to put a
!in front to negate it. The current format filters on users that are not disabled. - You almost always want to get debug info for ldap when setting up. There are a lot of things that can go wrong.
- Start without the filter field, add it later.
- When a service checks a password, it usually attempts to bind to samba as that user. To bind successfully, it needs to bind as user@PS1
- Some services apply setting different e.g. as a regex on the user, or as a template setting.
- If you try and bind to ldap with a 0 length password, it "works", sort of. There is no error, but you can't access anything substantial. This is enough to fool services into thinking that the password was correct.
ldapsearch
ldapsearch is a handy tool that is part of open ldap. You can query some handy information out of our ldap servers as follows if you have an account to bind with:
You may need to set LDAPTLS_REQCERT=allow before those commands.
#list laser cutter certified: ldapsearch -v -x -H ldaps://bob.ad.pumpingstationone.org -b "DC=ad,DC=pumpingstationone,DC=org" -D "PS1\myuser" -W "CN=Laser Engraver Certified" #list domain Admins ldapsearch -v -x -H ldaps://bob.ad.pumpingstationone.org -b "CN=Users,DC=ad,DC=pumpingstationone,DC=org" -D "PS1\myuser" -W "CN=Domain Admins"
Remember you can use space.pumpingstationone.org if it is outside PS1 network.
Apache mod_authnz_ldap
The following example is useful for making members-only sites and web apps. See https://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html for additional information. You will also need to enable the mod_authnz_ldap and mod_ldap apache modules.
#Very important, Don't bind in cleartext. Can't be defined as part of your location or directory block, so make sure you don't skip it.
LDAPTrustedMode TLS
<Location/protected>
AuthName "AD Authentication"
AuthType Basic
AuthUserFile /dev/null
AuthBasicProvider ldap
#LDAP-URI will be bob.ad.pumpingstationone.org for internal apps, space.pumpingstationone.org for external apps.
AuthLDAPURL "ldap://[[LDAP-URI]/cn=Users,dc=ad,dc=pumpingstationone,dc=org?sAMAccountName?sub?(objectClass=*)"
#You should generate a new account per authenticated service. Just create a new user on the DC.
AuthLDAPBindDN cn=[SERVICE-ACCOUNT],cn=Users,dc=ad,dc=pumpingstationone,dc=org
AuthLDAPBindPassword [SERVICE-ACCOUNT-PASSWORD]
#Set require where appropriate, example shows "All valid users" and "Domain admins only" (commented out)
#Require ldap-group cn=Domain Admins,cn=users,dc=ad,dc=pumpingstationone,dc=org
Require valid-user
</Location>
Nginx nginx-auth-ldap
Nginx doesn't support LDAP authentication with it's default modules, so a third-party module (https://github.com/kvspb/nginx-auth-ldap) is required. More information can be found here: http://deezx.github.io/blog/2015/04/24/how-to-configure-nginx-with-ldap-authentication/
This is not a good idea, since nginx-auth-ldap does not support STARTTLS encryption, only ldaps on port 636. A better option for those requiring nginx might be auth_pam, and pam/sssd configured to authenticate via AD. Do not use this configuration in production, or on off-site services. Only for use in development environments, authenticating with bob from the local PS1 network.
Building nginx 1.8.0 from source with LDAP support on Debian Jessie
apt-get remove nginx apt-get install libldap2-dev libpcre3-dev build-essential wget http://nginx.org/download/nginx-1.8.0.tar.gz git clone https://github.com/kvspb/nginx-auth-ldap.git tar -zxvf nginx-1.8.0.tar.gz cd nginx-1.8.0 ./configure --user=nginx \ --group=nginx \ --prefix=/etc/nginx \ --sbin-path=/usr/sbin/nginx \ --conf-path=/etc/nginx/nginx.conf \ --pid-path=/var/run/nginx.pid \ --lock-path=/var/run/nginx.lock \ --error-log-path=/var/log/nginx/error.log \ --http-log-path=/var/log/nginx/access.log \ --with-http_gzip_static_module \ --with-http_stub_status_module \ --with-http_ssl_module \ --with-pcre \ --with-file-aio \ --with-http_realip_module \ --add-module=../nginx-auth-ldap \ --with-ipv6 \ --with-debug make make install
If you didn't have debian-packaged nginx installed previously, you will also want to install and configure an nginx init script/systemd service unit.
Configuring nginx:
- /etc/nginx/nginx.conf (add to http{} block)
##
#LDAP authentication Settings
##
auth_ldap_cache_enabled on;
auth_ldap_cache_expiration_time 10000;
auth_ldap_cache_size 1000;
ldap_server BOB {
url "ldap://bob.ad.pumpingstationone.org:389/cn=users,dc=ad,dc=pumpingstationone,dc=org?sAMAccountName?sub?(objectClass=*)";
binddn "PS1\SERVICE-ACCOUNT";
binddn_passwd "SERVICE-ACCOUNT-PASSWORD";
connect_timeout 5s;
bind_timeout 5s;
request_timeout 5s;
satisfy any;
group_attribute member;
group_attribute_is_dn on;
require group "cn=Domain Admins,cn=users,dc=ad,dc=pumpingstationone,dc=org";
}
- /etc/nginx/sites-available/site.conf (add to your vhost's server{} block)
auth_ldap "AD authentication";
auth_ldap_servers BOB;