292
edits
Changes
Jump to navigation
Jump to search
Line 1:
Line 1: − + Line 8:
Line 8: − + − − − Line 47:
Line 44: − + Line 54:
Line 51: + + + + + + + + + + + + − + − + − + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
no edit summary
{{mbox |type=warning |text=This information is out of date. [[IT Infrastructure|Up-to-date IT information can be found here]] }}
External services that authenticate users often use Ldap for authentication.
External services that authenticate users often use Ldap for authentication.
Use <code>pwgen 64</code> to generate a password. Then create your user.
Use <code>pwgen 64</code> to generate a password. Then create your user.
samba-tool user create ps1-sa-servicename
samba-tool user create ps1-sa-servicename
== Common Settings ==
== Common Settings ==
| This is where the user list is filtered from.
| This is where the user list is filtered from.
|-
|-
| uid or username field
| uid or username
| sAMAccountName
| sAMAccountName
| Our user's difinitive username is stored in the sAMAccountName Field on the ldap object.
| Our user's difinitive username is stored in the sAMAccountName Field on the ldap object.
| (userAccountControl:1.2.840.113556.1.4.803:=2)
| (userAccountControl:1.2.840.113556.1.4.803:=2)
| Filters on not disabled account. Sometimes this needs to be preceded with a <code>!</code> to negate the filter.
| Filters on not disabled account. Sometimes this needs to be preceded with a <code>!</code> to negate the filter.
|-
| Account Suffix
| @PS1
| When attempting to check password, the sAMAccountName needs the suffix appeneded to it.
|-
| mail
| mail
| ldap field that stores the user's email address
|-
| Minimum password length
| 1
| AD lets users bind to ldap with 0 length passwords. It's fscked up, but accepted.
|}
|}
* Depending on how the filter is applied, you may need to put a <code>!</code> in front to negate it. The current format filters on users that are not disabled.
* Depending on how the filter is applied, you may need to put a <code>!</code> in front to negate it. The current format filters on users that are not disabled.
* You almost always want to get debug info for ldap when setting up. There are a lot of things that can go wrong.
* You almost always want to get debug info for ldap when setting up. There are a lot of things that can go wrong.
* Start without the filter field, add it later.
* Start without the filter field, add it later.
* When a service checks a password, it usually attempts to bind to samba as that user. To bind successfully, it needs to bind as user@PS1
** Some services apply setting different e.g. as a regex on the user, or as a template setting.
* If you try and bind to ldap with a 0 length password, it "works", sort of. There is no error, but you can't access anything substantial. This is enough to fool services into thinking that the password was correct.
== ldapsearch ==
ldapsearch is a handy tool that is part of open ldap. You can query some handy information out of our ldap servers as follows if you have an account to bind with:
You may need to set LDAPTLS_REQCERT=allow before those commands.
#list laser cutter certified:
ldapsearch -v -x -H ldaps://bob.ad.pumpingstationone.org -b "DC=ad,DC=pumpingstationone,DC=org" -D "PS1\myuser" -W "CN=Laser Engraver Certified"
#list domain Admins
ldapsearch -v -x -H ldaps://bob.ad.pumpingstationone.org -b "CN=Users,DC=ad,DC=pumpingstationone,DC=org" -D "PS1\myuser" -W "CN=Domain Admins"
Remember you can use space.pumpingstationone.org if it is outside PS1 network.
== Apache mod_authnz_ldap ==
The following example is useful for making members-only sites and web apps. See https://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html for additional information. You will also need to enable the mod_authnz_ldap and mod_ldap apache modules.
#Very important, Don't bind in cleartext. Can't be defined as part of your location or directory block, so make sure you don't skip it.
LDAPTrustedMode TLS
<Location/protected>
AuthName "AD Authentication"
AuthType Basic
AuthUserFile /dev/null
AuthBasicProvider ldap
#LDAP-URI will be bob.ad.pumpingstationone.org for internal apps, space.pumpingstationone.org for external apps.
AuthLDAPURL "ldap://[[LDAP-URI]/cn=Users,dc=ad,dc=pumpingstationone,dc=org?sAMAccountName?sub?(objectClass=*)"
#You should generate a new account per authenticated service. Just create a new user on the DC.
AuthLDAPBindDN cn=[SERVICE-ACCOUNT],cn=Users,dc=ad,dc=pumpingstationone,dc=org
AuthLDAPBindPassword [SERVICE-ACCOUNT-PASSWORD]
#Set require where appropriate, example shows "All valid users" and "Domain admins only" (commented out)
#Require ldap-group cn=Domain Admins,cn=users,dc=ad,dc=pumpingstationone,dc=org
Require valid-user
</Location>
== Nginx nginx-auth-ldap ==
Nginx doesn't support LDAP authentication with it's default modules, so a third-party module (https://github.com/kvspb/nginx-auth-ldap) is required. More information can be found here: http://deezx.github.io/blog/2015/04/24/how-to-configure-nginx-with-ldap-authentication/
This is not a good idea, since nginx-auth-ldap does not support STARTTLS encryption, only ldaps on port 636. A better option for those requiring nginx might be auth_pam, and pam/sssd configured to authenticate via AD. Do not use this configuration in production, or on off-site services. Only for use in development environments, authenticating with bob from the local PS1 network.
Building nginx 1.8.0 from source with LDAP support on Debian Jessie
apt-get remove nginx
apt-get install libldap2-dev libpcre3-dev build-essential
wget http://nginx.org/download/nginx-1.8.0.tar.gz
git clone https://github.com/kvspb/nginx-auth-ldap.git
tar -zxvf nginx-1.8.0.tar.gz
cd nginx-1.8.0
./configure --user=nginx \
--group=nginx \
--prefix=/etc/nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/etc/nginx/nginx.conf \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-http_gzip_static_module \
--with-http_stub_status_module \
--with-http_ssl_module \
--with-pcre \
--with-file-aio \
--with-http_realip_module \
--add-module=../nginx-auth-ldap \
--with-ipv6 \
--with-debug
make
make install
If you didn't have debian-packaged nginx installed previously, you will also want to install and configure an nginx init script/systemd service unit.
Configuring nginx:
* /etc/nginx/nginx.conf (add to http{} block)
##
#LDAP authentication Settings
##
auth_ldap_cache_enabled on;
auth_ldap_cache_expiration_time 10000;
auth_ldap_cache_size 1000;
ldap_server BOB {
url "ldap://bob.ad.pumpingstationone.org:389/cn=users,dc=ad,dc=pumpingstationone,dc=org?sAMAccountName?sub?(objectClass=*)";
binddn "PS1\SERVICE-ACCOUNT";
binddn_passwd "SERVICE-ACCOUNT-PASSWORD";
connect_timeout 5s;
bind_timeout 5s;
request_timeout 5s;
satisfy any;
group_attribute member;
group_attribute_is_dn on;
require group "cn=Domain Admins,cn=users,dc=ad,dc=pumpingstationone,dc=org";
}
* /etc/nginx/sites-available/site.conf (add to your vhost's server{} block)
auth_ldap "AD authentication";
auth_ldap_servers BOB;
[[Category: Systems Group]]