```
sudo ldapsearch -Q -LLL -Y EXTERNAL -b cn=config '(olcDatabase={1}hdb)' olcAccess
dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=itthon,dc=cucc" write by * none
olcAccess: {1}to attrs=shadowLastChange,shadowMax by self write by dn="cn=admin,dc=itthon,dc=cucc" write by * read
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by self write by dn="cn=admin,dc=itthon,dc=cucc" write by * read
```

That "by * read" does not look too nice: anyone who can reach the server can read every entry and every attribute not covered by the first two rules without binding at all. We'll change this, and a few other things, today.
(This article is also available in Hungarian.)
You might remember that when we installed the LDAP client we answered the following question:

```
Does the LDAP database require login? No
```

Well, we did not quite mean that :)
Edit /etc/ldap.conf on the client and insert two lines:

```
binddn cn=pamproxyuser,ou=serviceAccounts,dc=itthon,dc=cucc
bindpw bigsecret
```

Bear in mind that /etc/ldap.conf is normally world-readable (NSS lookups run inside every user's processes), so this password is effectively known to every local user. That is tolerable only because the proxy user gets nothing but read access in the ACL below; never put an admin password here. (For binds that only root needs, the rootbinddn option with the password in /etc/ldap.secret, mode 0600, keeps it out of sight.)

On the LDAP server create two files. Content of serviceaccountsou.ldif:
```
dn: ou=serviceAccounts,dc=itthon,dc=cucc
objectClass: top
objectClass: organizationalUnit
ou: serviceAccounts
description: unreal users
```

(The ou value must match the RDN exactly; with a typo in it slapd rejects the add with a naming violation.) Add it to LDAP:
```
ldapadd -D cn=admin,dc=itthon,dc=cucc -w secret -f serviceaccountsou.ldif
```

Content of pamproxyuser.ldif:
```
dn: cn=pamproxyuser,ou=serviceAccounts,dc=itthon,dc=cucc
objectClass: applicationProcess
objectClass: simpleSecurityObject
cn: pamproxyuser
userPassword: bigsecret
description: proxyuser PAM ldap bind
```

Add it to LDAP:
```
ldapadd -D cn=admin,dc=itthon,dc=cucc -w secret -f pamproxyuser.ldif
```

On a production server the password must not be stored in the clear: hash it with the

```
slappasswd -s bigsecret
```

command and put the {SSHA}... value it prints into userPassword instead of the plaintext. (Giving secrets on the command line, -s here or -w above, leaves them in your shell history and in the process list; slappasswd prompts for the password if you omit -s, and ldapadd -W prompts for the bind password.)
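What slappasswd produces, and what slapd does with it at bind time, reproduced in Python as an added example (this is not code from the original post): the default {SSHA} scheme is SHA-1 over password||salt, with the 4-byte salt appended to the digest and the whole thing base64-encoded. The password "bigsecret" is the page's own placeholder.

```python
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """Build a {SSHA} userPassword value the way slappasswd does by default:
    base64( SHA1(password || salt) || salt ) with a random 4-byte salt."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """What slapd does on a simple bind: split digest and salt, recompute, compare."""
    if not stored.startswith("{SSHA}"):
        return False  # cleartext or another scheme; not handled here
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes, the salt is whatever follows
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    value = ssha_hash("bigsecret")  # the page's example password; use a long random one for real
    print("userPassword:", value)
    print("verify ok:", ssha_verify("bigsecret", value), "wrong:", ssha_verify("nope", value))
```

Anything ssha_hash returns can be pasted into an LDIF as the userPassword value. Note that salted SHA-1 is cheap to attack offline, so whoever can read the hash (the admin DN, or anyone with the database files) can brute-force a weak service-account password quickly; use long random passwords for the proxy users, and on newer OpenLDAP releases consider the stronger loadable schemes (the pw-pbkdf2 and pw-argon2 modules).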
So we have an account, but on my system the password policy makes passwords expire, so this one would age too. Therefore we create a new policy whose passwords never expire. Create the file ppolicy_no_password_aging.ldif:
```
dn: cn=NoPasswordAgingPPolicy,ou=Policies,dc=itthon,dc=cucc
cn: NoPasswordAgingPPolicy
objectClass: pwdPolicy
objectClass: device
objectClass: top
pwdAttribute: userPassword
pwdAllowUserChange: FALSE
pwdLockout: FALSE
```

Since pwdMaxAge is not set it defaults to 0, so passwords under this policy never expire. pwdAllowUserChange: FALSE stops the service account from changing its own password, and pwdLockout: FALSE is a deliberate trade-off: a service account that gets locked out by someone hammering it with bad binds takes every login on the network down with it, so rely on a long random password instead. (pwdPolicy is an auxiliary class, hence the structural device class alongside it.) Add it to LDAP:
```
ldapadd -D cn=admin,dc=itthon,dc=cucc -w secret -f ppolicy_no_password_aging.ldif
```

Then modify pamproxyuser too: add a pwdPolicySubentry attribute whose value is the DN of the policy just created.
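The modification described above, written out as LDIF (an added example, not from the original post; the DNs are the ones used on this page, the file name is my choice):

```ldif
dn: cn=pamproxyuser,ou=serviceAccounts,dc=itthon,dc=cucc
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=NoPasswordAgingPPolicy,ou=Policies,dc=itthon,dc=cucc
```

Apply it with ldapmodify -D cn=admin,dc=itthon,dc=cucc -W -f pamproxyuser_ppolicy.ldif. pwdPolicySubentry is an operational attribute, so to confirm it took effect you have to ask for it by name: ldapsearch -D cn=admin,dc=itthon,dc=cucc -W -b cn=pamproxyuser,ou=serviceAccounts,dc=itthon,dc=cucc pwdPolicySubentry.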
So far so good. The only thing left is to modify the ACL. Here is acl.ldif (the code formatting differs because my favourite tohtml.com was down and I used http://w-i-k-i.appspot.com instead):
```
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=itthon,dc=cucc" write by * none
olcAccess: {1}to attrs=shadowLastChange,shadowMax by self write by dn="cn=admin,dc=itthon,dc=cucc" write by users read
olcAccess: {2}to dn.base="" by users read
olcAccess: {3}to * by self write by dn="cn=admin,dc=itthon,dc=cucc" write by users read
```

Instead of * we now have users, which means: anyone who has bound with a real DN can read it. An unauthenticated client keeps only the "anonymous auth" on userPassword from rule {0}, which is exactly what it needs to bind and nothing more.
Add it to LDAP:

```
sudo ldapmodify -Y EXTERNAL -f acl.ldif
```

(Add -H ldapi:/// if your ldap.conf does not already point at the local socket; root's SASL EXTERNAL identity comes from the ldapi socket.) And it should be okay.
Samba.
So far in smb.conf you had an entry like:

```
ldap admin dn = cn=admin,dc=itthon,dc=cucc
```

It was the user whose password we stored with sudo smbpasswd -W (Samba keeps it in secrets.tdb, keyed by this DN). Modify the configuration file:
```
ldap admin dn = cn=sambaproxyuser,ou=serviceAccounts,dc=itthon,dc=cucc
```

Then we add sambaproxyuser (just like the PAM user before), store its password with sudo smbpasswd -W again, and of course we do not forget to give it the non-aging password policy. And then:
```
sudo service smbd restart
```
Create the file GONsambaAdmins.ldiff, which creates a group of objectClass groupOfNames:

```
dn: cn=GONsambaAdmins,ou=Groups,dc=itthon,dc=cucc
objectClass: groupOfNames
objectClass: top
cn: GONsambaAdmins
description: Samba Admins
member: cn=placeholder
```

We need a groupOfNames group because its member attribute holds DNs, which is what the group.exact check in the ACL compares the bind DN against (a posixGroup's memberUid holds only names, so it cannot be used this way). I learned this a long time ago. The placeholder is needed because a groupOfNames cannot exist without at least one member, and it is harmless: no entry has that DN, so nobody gains access through it.
Add it to LDAP:

```
ldapadd -D cn=admin,dc=itthon,dc=cucc -w secret -f GONsambaAdmins.ldiff
```

When the group is ready, add a new member to it, the sambaproxyuser, then look at this ACL (ziesemer.ldiff):
```
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by group.exact="cn=GONldapAdmins,ou=Groups,dc=itthon,dc=cucc" write by * break
olcAccess: {1}to dn.one="dc=itthon,dc=cucc" filter=(objectClass=sambaDomain) by group.exact="cn=GONsambaAdmins,ou=Groups,dc=itthon,dc=cucc" write by * break
olcAccess: {2}to attrs=@sambaSamAccount,userPassword by group.exact="cn=GONsambaAdmins,ou=Groups,dc=itthon,dc=cucc" write by * break
olcAccess: {3}to dn.subtree="ou=People,dc=itthon,dc=cucc" attrs=userPassword by self write by * break
olcAccess: {4}to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange by self read by anonymous auth by * none
olcAccess: {5}to * by users read
```

How to read it: slapd takes the first "to" clause whose target matches the request and, inside it, the first "by" clause whose subject matches. A plain "by ... write" ends the evaluation there; "by * break" instead hands the request on to the next "to" clause. So the Samba admins group gets write on the domain object ({1}) and on every sambaSamAccount attribute plus userPassword ({2}); ordinary users in ou=People can still change their own userPassword ({3}); the password hashes are otherwise readable only by the entry itself and usable only for binding by anonymous ({4}); and everything else is readable by bound users only ({5}). Make it happen:
```
sudo ldapmodify -Y EXTERNAL -f ziesemer.ldiff
```

(I know, I know... there is no GONldapAdmins group. Yet. Until it exists the group.exact check in clause {0} matches nobody, so everyone falls through its "by * break" and the clause is harmless.)
When trying to log on from Windows you'll be kept out (bad password... of course). Syslog comes in handy, if we help it a bit. First we change the LDAP log level so that ACL decisions are logged. Here is the file logging.ldif:
```
dn: cn=config
changetype: modify
add: olcLogLevel
olcLogLevel: stats acl
```

The command that does the modifying:
```
sudo ldapmodify -Y EXTERNAL -f logging.ldif
```

Second, turn off rate limiting in rsyslog, because the acl log level is chatty enough that rsyslog would otherwise silently drop lines. In /etc/rsyslog.conf insert:
```
$SystemLogRateLimitInterval 0
```

followed by the command

```
sudo service rsyslog restart
```

Remember to set olcLogLevel back to stats (and the rate limit back) once you are done; acl logging costs a lot of I/O and fills the log with DNs.
And this is how I found out what went wrong.
The unsuccessful queries are preceded by this:

```
ubuserver slapd[1061]: conn=1167 fd=47 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
ubuserver slapd[1061]: conn=1167 op=0 BIND dn="" method=128
```

But who the hell binds with an empty name (dn="")? Is that Samba? First I thought so, but the bind coming in over ldapi gave me a clue: method=128 is a simple bind, dn="" makes it anonymous, and it arrives over the local socket rather than from the network. On the server itself I had forgotten to configure the PAM proxy user, so the server's own NSS lookups were still anonymous and the new "by users read" rule denied them. After changing that setting everything was fine.
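The hunt above boils down to correlating the ACCEPT, BIND and SEARCH RESULT lines of one connection by its conn= number. Here is that correlation as a small Python script, added as an example (it is not code from the original post), run over constructed log lines in slapd's stats format that mirror the two lines shown: it flags connections that searched without a real bind and got nothing back, and says where they came from, which is what pointed at the server's own lookups over ldapi.

```python
import re
from collections import defaultdict

# Constructed slapd "stats" lines in the format shown above (not a real capture): an anonymous
# bind over the ldapi socket whose lookup comes back empty, then the proxy user's working lookup.
SAMPLE_LOG = """\
Jan 10 21:03:11 ubuserver slapd[1061]: conn=1167 fd=47 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
Jan 10 21:03:11 ubuserver slapd[1061]: conn=1167 op=0 BIND dn="" method=128
Jan 10 21:03:11 ubuserver slapd[1061]: conn=1167 op=0 RESULT tag=97 err=0 text=
Jan 10 21:03:11 ubuserver slapd[1061]: conn=1167 op=1 SRCH base="ou=People,dc=itthon,dc=cucc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=alice))"
Jan 10 21:03:11 ubuserver slapd[1061]: conn=1167 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jan 10 21:03:11 ubuserver slapd[1061]: conn=1167 op=2 UNBIND
Jan 10 21:03:12 ubuserver slapd[1061]: conn=1168 fd=48 ACCEPT from IP=192.168.1.20:51234 (IP=0.0.0.0:389)
Jan 10 21:03:12 ubuserver slapd[1061]: conn=1168 op=0 BIND dn="cn=pamproxyuser,ou=serviceAccounts,dc=itthon,dc=cucc" method=128
Jan 10 21:03:12 ubuserver slapd[1061]: conn=1168 op=0 BIND dn="cn=pamproxyuser,ou=serviceAccounts,dc=itthon,dc=cucc" mech=SIMPLE ssf=0
Jan 10 21:03:12 ubuserver slapd[1061]: conn=1168 op=0 RESULT tag=97 err=0 text=
Jan 10 21:03:12 ubuserver slapd[1061]: conn=1168 op=1 SRCH base="ou=People,dc=itthon,dc=cucc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=alice))"
Jan 10 21:03:12 ubuserver slapd[1061]: conn=1168 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

CONN = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
ACCEPT = re.compile(r"fd=\d+ ACCEPT from (?P<src>\S+)")
BIND = re.compile(r'op=\d+ BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
SRCH = re.compile(r'op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" .*filter="(?P<filter>[^"]*)"')
SRES = re.compile(r"op=(?P<op>\d+) SEARCH RESULT .*nentries=(?P<n>\d+)")


def parse_connections(log):
    """Group stats lines by conn= and keep the source, the bound DN and each search's result."""
    conns = defaultdict(lambda: {"source": None, "bind_dn": None, "searches": {}})
    for line in log.splitlines():
        m = CONN.search(line)
        if not m:
            continue
        c, rest = conns[m["conn"]], m["rest"]
        if (a := ACCEPT.match(rest)):
            c["source"] = a["src"]
        elif (b := BIND.match(rest)):
            c["bind_dn"] = b["dn"]  # "" is an anonymous simple bind (method=128)
        elif (s := SRCH.match(rest)):
            c["searches"][s["op"]] = {"base": s["base"], "filter": s["filter"], "nentries": None}
        elif (r := SRES.match(rest)) and r["op"] in c["searches"]:
            c["searches"][r["op"]]["nentries"] = int(r["n"])
    return dict(conns)


def anonymous_empty_searches(log):
    """Connections that never bound, or bound with dn="", and then got zero entries back:
    exactly the symptom of an anonymous client running into 'by users read'."""
    hits = []
    for conn, c in parse_connections(log).items():
        if c["bind_dn"] not in ("", None):
            continue
        empty = [s for s in c["searches"].values() if s["nentries"] == 0]
        if empty:
            hits.append({"conn": conn, "source": c["source"], "searches": empty})
    return hits


if __name__ == "__main__":
    for hit in anonymous_empty_searches(SAMPLE_LOG):
        print(f"conn={hit['conn']} from {hit['source']} searched anonymously and got nothing:")
        for s in hit["searches"]:
            print(f"  base={s['base']} filter={s['filter']}")
```

Feed it the real syslog (for example the output of grep slapd /var/log/syslog) instead of SAMPLE_LOG and the source field tells you at once whether the anonymous client is local (PATH=... over ldapi, so one of the server's own processes) or a machine on the network (IP=...). With the acl log level on you get the per-clause decisions in addition, but the stats lines alone are usually enough to find the culprit.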
So now Kerberos.
Keep a root shell open the whole time: a typo in the config can crash slapd or lock you out of LDAP (and of the machine, if logins go through it).
Create a GONkerberosAdmins group (same way as GONsambaAdmins above)
Create a kerberosproxyuser service account
Give it the non-aging password policy
Put the user in the group just created
Tell Kerberos the password:
```
sudo kdb5_ldap_util -D cn=admin,dc=itthon,dc=cucc stashsrvpw -f /etc/krb5kdc/service.keyfile cn=kerberosproxyuser,ou=serviceAccounts,dc=itthon,dc=cucc
```

Keep the stash file readable by root only; it holds the proxy user's password in a form the KDC can read back. Edit /etc/krb5.conf: change the ldap_kdc_dn and ldap_kadmind_dn entries to the new DN.
Define the new ACL:

```
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by group.exact="cn=GONldapAdmins,ou=Groups,dc=itthon,dc=cucc" write by * break
olcAccess: {1}to dn.subtree="cn=krbcontainer,dc=itthon,dc=cucc" by group.exact="cn=GONkerberosAdmins,ou=Groups,dc=itthon,dc=cucc" write
olcAccess: {2}to dn.one="dc=itthon,dc=cucc" filter=(objectClass=sambaDomain) by group.exact="cn=GONsambaAdmins,ou=Groups,dc=itthon,dc=cucc" write by * break
olcAccess: {3}to attrs=@sambaSamAccount,userPassword by group.exact="cn=GONsambaAdmins,ou=Groups,dc=itthon,dc=cucc" write by * break
olcAccess: {4}to dn.subtree="ou=People,dc=itthon,dc=cucc" attrs=userPassword by self write by * break
olcAccess: {5}to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange by self read by anonymous auth by * none
olcAccess: {6}to * by users read
```

Note that clause {1} has no "by * break": once a request targets anything under cn=krbcontainer, members of GONkerberosAdmins get write and everyone else is denied outright, which is what you want for the principals' keys. Restart the servers:
```
sudo service krb5-kdc restart
sudo service krb5-admin-server restart
```

And ready.
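To see what these ordered clauses actually grant before loading them, here is a small evaluator for the olcAccess syntax used on this page, added as an illustration (it is not slapd's code and not from the original post). It models exactly the constructs the ACLs above use: dn.base/one/subtree targets, attrs= lists including @objectClass expansion, filter=(objectClass=...), the subjects self, anonymous, users, *, dn= and group.exact=, and the stop and break controls; the continue control and +/- privilege arithmetic are not modelled. The directory it evaluates against is constructed (alice, bob, the two proxy users, the two groups, one Kerberos principal under an assumed realm ITTHON.CUCC), and the attribute list for @sambaSamAccount is a hand-picked subset of the Samba schema.

```python
import re

LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # weakest to strongest
# Constructed subset of the Samba schema so that attrs=@sambaSamAccount can be expanded.
OBJECTCLASS_ATTRS = {"sambasamaccount": {"sambasid", "sambantpassword", "sambalmpassword",
                                         "sambapwdlastset", "sambaacctflags"}}
TOKEN = re.compile(r'[^\s"]+="[^"]*"|\S+')  # keeps dn="a,b c" together as one token

def parse_acl(text):
    """olcAccess lines -> [(target, [(who, level, control), ...])] in directive order."""
    clauses = []
    for line in text.splitlines():
        m = re.match(r'^(?:olcAccess:\s*)?(?:\{\d+\})?to\s+(.*)$', line.strip())
        if not m:
            continue
        what, *bys = re.split(r"\s+by\s+", m[1])
        target = {"scope": None, "dn": None, "attrs": None, "filter": None}
        for tok in TOKEN.findall(what):
            if tok.startswith("dn."):  # dn.base= / dn.one= / dn.subtree=
                target["scope"], dn = tok[3:].split("=", 1)
                target["dn"] = dn.strip('"').lower()
            elif tok.startswith("attrs="):
                target["attrs"] = {a.lower() for a in tok[6:].split(",")}
            elif tok.startswith("filter="):  # only filter=(objectClass=X) is modelled
                target["filter"] = re.match(r"filter=\(objectclass=([^)]+)\)", tok, re.I)[1].lower()
        rules = []
        for by in bys:  # "<who> [<level>] [stop|break]"; 'continue' is not modelled
            toks = TOKEN.findall(by)
            level = toks[1] if len(toks) > 1 and toks[1] in LEVELS else "none"
            rules.append((toks[0], level, "break" if toks[-1] == "break" else "stop"))
        clauses.append((target, rules))
    return clauses

def target_matches(target, directory, entry_dn, attr):
    dn, scope = target["dn"], target["scope"]
    parent = (entry_dn.split(",", 1) + [""])[1]
    in_scope = {None: True, "base": entry_dn == dn, "one": parent == dn,
                "subtree": entry_dn == dn or entry_dn.endswith("," + (dn or ""))}[scope]
    if not in_scope or (target["filter"] and target["filter"] not in directory[entry_dn]["objectclass"]):
        return False
    if target["attrs"] is None:  # entry-level clause: covers every attribute
        return True
    covered = set()
    for a in target["attrs"]:  # expand @objectClass into its attributes
        covered |= OBJECTCLASS_ATTRS.get(a[1:], set()) if a.startswith("@") else {a}
    return attr in covered

def who_matches(who, directory, bind_dn, entry_dn):
    if who in ("*", "anonymous", "users", "self"):
        return {"*": True, "anonymous": bind_dn == "", "users": bind_dn != "",
                "self": bind_dn != "" and bind_dn == entry_dn}[who]
    kind, value = who.split("=", 1)
    value = value.strip('"').lower()
    if kind in ("dn", "dn.exact"):
        return bind_dn == value
    if kind == "group.exact":  # slapd default: 'member' of a groupOfNames
        return bind_dn in directory.get(value, {}).get("member", ())
    raise ValueError(f"unsupported <who>: {who}")

def access(clauses, directory, bind_dn, entry_dn, attr=None):
    """Privilege bind_dn ends up with on entry_dn (or on one of its attributes)."""
    bind_dn, entry_dn, attr = bind_dn.lower(), entry_dn.lower(), (attr or "").lower() or None
    granted = "none"  # once any directive exists, slapd's default is deny
    for target, rules in clauses:
        if not target_matches(target, directory, entry_dn, attr):
            continue
        for who, level, control in rules:
            if who_matches(who, directory, bind_dn, entry_dn):
                granted = level
                if control == "break":  # carry on with the next 'to' clause
                    break
                return granted  # stop: the first matching 'by' decides
        else:
            return "none"  # clause matched, no 'by' did: implicit 'by * none'
    return granted

FINAL_ACL = """\
olcAccess: {0}to * by group.exact="cn=GONldapAdmins,ou=Groups,dc=itthon,dc=cucc" write by * break
olcAccess: {1}to dn.subtree="cn=krbcontainer,dc=itthon,dc=cucc" by group.exact="cn=GONkerberosAdmins,ou=Groups,dc=itthon,dc=cucc" write
olcAccess: {2}to dn.one="dc=itthon,dc=cucc" filter=(objectClass=sambaDomain) by group.exact="cn=GONsambaAdmins,ou=Groups,dc=itthon,dc=cucc" write by * break
olcAccess: {3}to attrs=@sambaSamAccount,userPassword by group.exact="cn=GONsambaAdmins,ou=Groups,dc=itthon,dc=cucc" write by * break
olcAccess: {4}to dn.subtree="ou=People,dc=itthon,dc=cucc" attrs=userPassword by self write by * break
olcAccess: {5}to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange by self read by anonymous auth by * none
olcAccess: {6}to * by users read
"""
# The catch-all from the ACL the post starts with, for the 'by * read' / 'by users read' contrast.
ORIGINAL_CATCHALL = 'olcAccess: {3}to * by self write by dn="cn=admin,dc=itthon,dc=cucc" write by * read'

# Constructed mini directory with lower-cased DNs; GONldapAdmins deliberately does not exist yet.
SAMBAPROXY = "cn=sambaproxyuser,ou=serviceaccounts,dc=itthon,dc=cucc"
KRBPROXY = "cn=kerberosproxyuser,ou=serviceaccounts,dc=itthon,dc=cucc"
ALICE, BOB = "uid=alice,ou=people,dc=itthon,dc=cucc", "uid=bob,ou=people,dc=itthon,dc=cucc"
PRINCIPAL = "krbprincipalname=alice@itthon.cucc,cn=itthon.cucc,cn=krbcontainer,dc=itthon,dc=cucc"
DIRECTORY = {
    "sambadomain=itthon,dc=itthon,dc=cucc": {"objectclass": {"sambadomain"}},
    ALICE: {"objectclass": {"posixaccount", "sambasamaccount"}},
    BOB: {"objectclass": {"posixaccount", "sambasamaccount"}},
    PRINCIPAL: {"objectclass": {"krbprincipal"}},
    "cn=gonsambaadmins,ou=groups,dc=itthon,dc=cucc": {"member": {SAMBAPROXY, "cn=placeholder"}},
    "cn=gonkerberosadmins,ou=groups,dc=itthon,dc=cucc": {"member": {KRBPROXY}},
}
```

access(parse_acl(FINAL_ACL), DIRECTORY, "", BOB, "uid") returns "none" while the same call against parse_acl(ORIGINAL_CATCHALL) returns "read": that is the whole point of this post. It also shows clause {1} stopping with "none" for everyone outside GONkerberosAdmins, that the order of {3}, {4} and {5} lets alice write her own userPassword while bob's is "none" for her and "auth" for anonymous, and that sambaproxyuser gets write on sambaNTPassword and on the sambaDomain object only through its group membership. The real arbiter is slapd; use this to reason about an ordering before loading it, then confirm with ldapsearch binds as each identity.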
May I have a drink?:)
Further reading:
http://blogger.ziesemer.com/2010/12/linux-client-authentication-ldap-pam.html
http://blogger.ziesemer.com/2011/01/ldap-authentication-for-samba.html
http://stackoverflow.com/questions/8121980/openldap-memberof-overlay-configuration-in-ubuntu-11-04
http://simon.kisikew.org/documentation/ldap/sampleacls/
http://www.linuxtopia.org/online_books/network_administration_guides/ldap_administration/slapdconf2_Access_Control.html