Line 1: |
Line 1: |
− | | + | {{mbox |type=warning |text=This information is out of date. [[IT Infrastructure|Up-to-date IT information can be found here]] }} |
| | | |
| External services that authenticate users often use Ldap for authentication. | | External services that authenticate users often use Ldap for authentication. |
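Review bot: the added `{{mbox |type=warning ...}}` line tells readers the page is out of date but not which parts, so someone landing here cannot tell whether only the host names are stale or the whole bind/filter approach is; suggest adding the date it stopped being accurate or a short phrase naming what changed to the `text=` value, so the rest of the page can still be used as a reference for the settings table. While here, `Ldap` in the unchanged context line should be `LDAP`.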
Line 8: |
Line 8: |
| | | |
| | | |
− | Use <code>pwgen 64</code> to generate a password. Then create your user. | + | Use <code>pwgen 64</code> to generate a password. Then create your user. |
| | | |
| samba-tool user create ps1-sa-servicename | | samba-tool user create ps1-sa-servicename |
− |
| |
− |
| |
− |
| |
| | | |
| == Common Settings == | | == Common Settings == |
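Review bot: the service-account steps (`Use <code>pwgen 64</code> to generate a password. Then create your user.` followed by `samba-tool user create ps1-sa-servicename`) never say how the generated password reaches the new account; `samba-tool user create` with no password argument prompts for it interactively, so the text should say to paste the pwgen output at that prompt rather than leaving the reader to guess. It should also say that this password then lives in plaintext in the consuming service's config (the `AuthLDAPBindPassword` and `binddn_passwd` lines later on this page), so those files need owner-only permissions, and that a `ps1-sa-*` account is for unattended read-only lookups and must not be put in any privileged group. The three `−` lines in this hunk are whitespace-only, fine.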
Line 47: |
Line 44: |
| | This is where the user list is filtered from. | | | This is where the user list is filtered from. |
| |- | | |- |
− | | uid or username field | + | | uid or username |
| | sAMAccountName | | | sAMAccountName |
| | Our user's difinitive username is stored in the sAMAccountName Field on the ldap object. | | | Our user's difinitive username is stored in the sAMAccountName Field on the ldap object. |
Line 54: |
Line 51: |
| | (userAccountControl:1.2.840.113556.1.4.803:=2) | | | (userAccountControl:1.2.840.113556.1.4.803:=2) |
| | Filters on not disabled account. Sometimes this needs to be preceded with a <code>!</code> to negate the filter. | | | Filters on not disabled account. Sometimes this needs to be preceded with a <code>!</code> to negate the filter. |
| + | |- |
| + | | Account Suffix |
| + | | @PS1 |
| + | | When attempting to check password, the sAMAccountName needs the suffix appeneded to it. |
| |- | | |- |
| | mail | | | mail |
| | mail | | | mail |
| | ldap field that stores the user's email address | | | ldap field that stores the user's email address |
| + | |- |
| + | | Minimum password length |
| + | | 1 |
| + | | AD lets users bind to ldap with 0 length passwords. It's fscked up, but accepted. |
| |} | | |} |
| | | |
| | | |
− | * Depending on how the filter is applied, you may need to put a <code>!</code> in front to negate it. The current format filters on users that are not disabled. | + | * Depending on how the filter is applied, you may need to put a <code>!</code> in front to negate it. The current format filters on users that are not disabled. |
− | * You almost always want to get debug info for ldap when setting up. There are a lot of things that can go wrong. | + | * You almost always want to get debug info for ldap when setting up. There are a lot of things that can go wrong. |
− | * Start without the filter field, add it later. | + | * Start without the filter field, add it later. |
| + | * When a service checks a password, it usually attempts to bind to samba as that user. To bind successfully, it needs to bind as user@PS1 |
| + | ** Some services apply setting different e.g. as a regex on the user, or as a template setting. |
| + | * If you try and bind to ldap with a 0 length password, it "works", sort of. There is no error, but you can't access anything substantial. This is enough to fool services into thinking that the password was correct. |
| + | |
| + | == ldapsearch == |
| + | |
| + | ldapsearch is a handy tool that is part of open ldap. You can query some handy information out of our ldap servers as follows if you have an account to bind with: |
| + | |
| + | You may need to set LDAPTLS_REQCERT=allow before those commands. |
| + | |
| + | #list laser cutter certified: |
| + | ldapsearch -v -x -H ldaps://bob.ad.pumpingstationone.org -b "DC=ad,DC=pumpingstationone,DC=org" -D "PS1\myuser" -W "CN=Laser Engraver Certified" |
| + | #list domain Admins |
| + | ldapsearch -v -x -H ldaps://bob.ad.pumpingstationone.org -b "CN=Users,DC=ad,DC=pumpingstationone,DC=org" -D "PS1\myuser" -W "CN=Domain Admins" |
| + | |
| + | |
| + | Remember you can use space.pumpingstationone.org if it is outside PS1 network. |
| + | |
| + | == Apache mod_authnz_ldap == |
| + | |
| + | The following example is useful for making members-only sites and web apps. See https://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html for additional information. You will also need to enable the mod_authnz_ldap and mod_ldap apache modules. |
| + | |
| + | #Very important, Don't bind in cleartext. Can't be defined as part of your location or directory block, so make sure you don't skip it. |
| + | LDAPTrustedMode TLS |
| + | <Location/protected> |
| + | AuthName "AD Authentication" |
| + | AuthType Basic |
| + | AuthUserFile /dev/null |
| + | AuthBasicProvider ldap |
| + | #LDAP-URI will be bob.ad.pumpingstationone.org for internal apps, space.pumpingstationone.org for external apps. |
| + | AuthLDAPURL "ldap://[[LDAP-URI]/cn=Users,dc=ad,dc=pumpingstationone,dc=org?sAMAccountName?sub?(objectClass=*)" |
| + | #You should generate a new account per authenticated service. Just create a new user on the DC. |
| + | AuthLDAPBindDN cn=[SERVICE-ACCOUNT],cn=Users,dc=ad,dc=pumpingstationone,dc=org |
| + | AuthLDAPBindPassword [SERVICE-ACCOUNT-PASSWORD] |
| + | #Set require where appropriate, example shows "All valid users" and "Domain admins only" (commented out) |
| + | #Require ldap-group cn=Domain Admins,cn=users,dc=ad,dc=pumpingstationone,dc=org |
| + | Require valid-user |
| + | </Location> |
| + | |
| + | == Nginx nginx-auth-ldap == |
| + | |
| + | Nginx doesn't support LDAP authentication with it's default modules, so a third-party module (https://github.com/kvspb/nginx-auth-ldap) is required. More information can be found here: http://deezx.github.io/blog/2015/04/24/how-to-configure-nginx-with-ldap-authentication/ |
| + | |
| + | This is not a good idea, since nginx-auth-ldap does not support STARTTLS encryption, only ldaps on port 636. A better option for those requiring nginx might be auth_pam, and pam/sssd configured to authenticate via AD. Do not use this configuration in production, or on off-site services. Only for use in development environments, authenticating with bob from the local PS1 network. |
| + | |
| + | Building nginx 1.8.0 from source with LDAP support on Debian Jessie |
| + | |
| + | apt-get remove nginx |
| + | apt-get install libldap2-dev libpcre3-dev build-essential |
| + | wget http://nginx.org/download/nginx-1.8.0.tar.gz |
| + | git clone https://github.com/kvspb/nginx-auth-ldap.git |
| + | tar -zxvf nginx-1.8.0.tar.gz |
| + | cd nginx-1.8.0 |
| + | ./configure --user=nginx \ |
| + | --group=nginx \ |
| + | --prefix=/etc/nginx \ |
| + | --sbin-path=/usr/sbin/nginx \ |
| + | --conf-path=/etc/nginx/nginx.conf \ |
| + | --pid-path=/var/run/nginx.pid \ |
| + | --lock-path=/var/run/nginx.lock \ |
| + | --error-log-path=/var/log/nginx/error.log \ |
| + | --http-log-path=/var/log/nginx/access.log \ |
| + | --with-http_gzip_static_module \ |
| + | --with-http_stub_status_module \ |
| + | --with-http_ssl_module \ |
| + | --with-pcre \ |
| + | --with-file-aio \ |
| + | --with-http_realip_module \ |
| + | --add-module=../nginx-auth-ldap \ |
| + | --with-ipv6 \ |
| + | --with-debug |
| + | make |
| + | make install |
| + | |
| + | If you didn't have debian-packaged nginx installed previously, you will also want to install and configure an nginx init script/systemd service unit. |
| + | |
| + | Configuring nginx: |
| + | * /etc/nginx/nginx.conf (add to http{} block) |
| + | |
| + | ## |
| + | #LDAP authentication Settings |
| + | ## |
| + | |
| + | auth_ldap_cache_enabled on; |
| + | auth_ldap_cache_expiration_time 10000; |
| + | auth_ldap_cache_size 1000; |
| + | ldap_server BOB { |
| + | url "ldap://bob.ad.pumpingstationone.org:389/cn=users,dc=ad,dc=pumpingstationone,dc=org?sAMAccountName?sub?(objectClass=*)"; |
| + | binddn "PS1\SERVICE-ACCOUNT"; |
| + | binddn_passwd "SERVICE-ACCOUNT-PASSWORD"; |
| + | connect_timeout 5s; |
| + | bind_timeout 5s; |
| + | request_timeout 5s; |
| + | satisfy any; |
| + | group_attribute member; |
| + | group_attribute_is_dn on; |
| + | require group "cn=Domain Admins,cn=users,dc=ad,dc=pumpingstationone,dc=org"; |
| + | } |
| + | |
| + | * /etc/nginx/sites-available/site.conf (add to your vhost's server{} block) |
| + | |
| + | auth_ldap "AD authentication"; |
| + | auth_ldap_servers BOB; |
| + | |
| + | [[Category: Systems Group]] |
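Review bot: the Apache `AuthLDAPURL "ldap://[[LDAP-URI]/cn=Users,dc=ad,dc=pumpingstationone,dc=org?sAMAccountName?sub?(objectClass=*)"` line has unbalanced placeholder brackets (`[[` opened, one `]` closed), so anyone copying it gets a malformed URL; it should read `ldap://[LDAP-URI]/cn=Users,...` to match the `[SERVICE-ACCOUNT]` placeholder style used two lines below. Further points in this hunk: the ldapsearch section's `You may need to set LDAPTLS_REQCERT=allow before those commands.` disables server certificate verification and should be labelled as a troubleshooting-only step, with the proper fix (point `LDAPTLS_CACERT` at the domain CA certificate) given alongside it. The new `Minimum password length` / `1` row and the bullet `If you try and bind to ldap with a 0 length password, it "works", sort of.` describe the LDAP unauthenticated-bind behaviour; the table should say where that minimum is set, and the bullet should say plainly that the service must refuse an empty password before ever attempting the bind, since that is the only reliable mitigation on the client side. The nginx block's `url "ldap://bob.ad.pumpingstationone.org:389/..."` sends every user's password in cleartext, which the paragraph above admits; repeat that development-only restriction as a comment inside the `nginx.conf` sample so it is not lost when the snippet is copied without the surrounding prose. The build steps fetch `wget http://nginx.org/download/nginx-1.8.0.tar.gz` over plain HTTP with no signature or checksum check; use the https URL and verify the tarball. Finally, the Apache documentation link points at the 2.2 manual, which is end-of-life; link the 2.4 `mod_authnz_ldap` page instead.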