Configuring LDAP authentication on Ubuntu

A simple guide to getting user authentication on the Ubuntu GNU/Linux distribution working against the lab LDAP server.

Quick and dirty setup

The script is fetched over plain HTTP and is run as root; read it before executing it (as the transcript below shows, it installs packages and rewrites /etc/stunnel/stunnel.conf, /etc/nsswitch.conf, /etc/ldap.conf and the PAM stack).

wget http://ns.cnl.tuke.sk/cnl_ldap_setup
chmod +x cnl_ldap_setup
./cnl_ldap_setup
Example:
root@md:~# wget /dev/null http://ns.cnl.tuke.sk/cnl_ldap_setup
/dev/null: Unsupported scheme.
--19:01:05--  http://ns.cnl.tuke.sk/cnl_ldap_setup
           => `cnl_ldap_setup'
Resolving ns.cnl.tuke.sk... 147.232.22.65, 147.232.22.1
Connecting to ns.cnl.tuke.sk|147.232.22.65|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3,032 (3.0K) [text/plain]

100%[=====================================================================================================================================>] 3,032         --.--K/s

19:01:05 (297.61 MB/s) - `cnl_ldap_setup' saved [3032/3032]


FINISHED --19:01:05--
Downloaded: 3,032 bytes in 1 files
root@md:~# chmod +x cnl_ldap_setup
root@md:~# ./cnl_ldap_setup
This script will install CNL LDAP access to this machine. Do you really want to continue? [y/N]:
y
Starting ...
Installing stunnel and libnss-ldap
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  auth-client-config ldap-auth-client ldap-auth-config libpam-ldap
Suggested packages:
  libpam-cracklib logcheck-database
Recommended packages:
  nscd
The following NEW packages will be installed:
  auth-client-config ldap-auth-client ldap-auth-config libnss-ldap libpam-ldap stunnel4
0 upgraded, 6 newly installed, 0 to remove and 11 not upgraded.
Need to get 0B/284kB of archives.
After this operation, 1270kB of additional disk space will be used.
Preconfiguring packages ...
Selecting previously deselected package stunnel4.
(Reading database ... 29104 files and directories currently installed.)
Unpacking stunnel4 (from .../stunnel4_3%3a4.21-1_i386.deb) ...
Selecting previously deselected package auth-client-config.
Unpacking auth-client-config (from .../auth-client-config_0.6.1_all.deb) ...
Selecting previously deselected package libnss-ldap.
Unpacking libnss-ldap (from .../libnss-ldap_258-1ubuntu3_i386.deb) ...
Selecting previously deselected package libpam-ldap.
Unpacking libpam-ldap (from .../libpam-ldap_184-2ubuntu2_i386.deb) ...
Selecting previously deselected package ldap-auth-client.
Unpacking ldap-auth-client (from .../ldap-auth-client_0.5_all.deb) ...
Setting up auth-client-config (0.6.1) ...
Selecting previously deselected package ldap-auth-config.
(Reading database ... 29230 files and directories currently installed.)
Unpacking ldap-auth-config (from .../ldap-auth-config_0.5_all.deb) ...
Setting up stunnel4 (3:4.21-1) ...

Setting up libpam-ldap (184-2ubuntu2) ...
Setting up ldap-auth-client (0.5) ...
Setting up ldap-auth-config (0.5) ...

Setting up libnss-ldap (258-1ubuntu3) ...

Enabling stunnel at bootup
Installing new stunnel configuration
Starting stunnel
Stopping SSL tunnels: stunnel.
Starting SSL tunnels: 2009.10.05 19:01:15 LOG7[5853:3082692272]: Snagged 64 random bytes from /root/.rnd
2009.10.05 19:01:15 LOG7[5853:3082692272]: Wrote 1024 new random bytes to /root/.rnd
2009.10.05 19:01:15 LOG7[5853:3082692272]: RAND_status claims sufficient entropy for the PRNG
2009.10.05 19:01:15 LOG7[5853:3082692272]: PRNG seeded successfully
2009.10.05 19:01:15 LOG7[5853:3082692272]: SSL context initialized for service ldaps-primary
2009.10.05 19:01:15 LOG7[5853:3082692272]: SSL context initialized for service ldaps-secondary
[Started: /etc/stunnel/stunnel.conf] stunnel.
Installing new nsswitch configuraton
Installing /etc/ldap.conf configuration
LDAP Connection works!
Installing PAM hooks
CNL LDAP Access has been installed.
Try to login to this machine with a valid LDAP account.
Do not forget to customize the /etc/ldap.conf file with accessTo=... attributes!
root@md:~#
root@md:~# ssh jozjan@127.0.0.1
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
RSA key fingerprint is 02:60:3d:fc:f5:29:fb:97:21:61:a7:f0:cf:87:e6:5f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '127.0.0.1' (RSA) to the list of known hosts.
jozjan@127.0.0.1's password:
Creating directory '/home/jozjan'.
Linux md.voip.cnl.tuke.sk 2.6.24-23-xen #1 SMP Thu Apr 2 00:16:13 UTC 2009 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
jozjan@md:~$ whoami
jozjan
jozjan@md:~$ logout
Connection to 127.0.0.1 closed.

Install the stunnel4 package

Linux:/# apt-get install stunnel4

Edit /etc/default/stunnel4 and enable it to start

Linux:/# sed -i "s/ENABLED=0/ENABLED=1/g" /etc/default/stunnel4

Create the STUNNEL configuration for the lab LDAP server in /etc/stunnel/stunnel.conf (the path the Ubuntu stunnel4 package reads, as the transcript above also shows)

setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4/stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
debug = 7
output = /var/log/stunnel4/stunnel.log
client = yes

[ldaps-primary]
accept  = 6361
connect = ldap1.dmz.cnl.tuke.sk:636

[ldaps-secondary]
accept  = 6362
connect = ldap2.dmz.cnl.tuke.sk:636
ALERT! It does not work with the option sslVersion = SSLv3.

Two more things to watch in this configuration. accept = 6361 without an address makes stunnel listen on all interfaces, so any host that can reach this machine gets a plaintext LDAP relay into the tunnel; bind the listeners to the loopback instead (accept = 127.0.0.1:6361 and accept = 127.0.0.1:6362). And in client mode stunnel does not check the server certificate unless told to, so the tunnel above only protects against passive sniffing, not against an impersonated LDAP server; add verify = 2 and a CAfile pointing at the CA that issued the lab LDAP server certificates.
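
As an added example (not part of the original page or of the CNL setup script), here is a small POSIX shell audit that reads a stunnel client configuration and reports the three problems discussed above: listeners without an address, no server certificate verification, and the SSLv3 setting. The configuration text is a constructed copy of the one above, and the CAfile path in the hardened variant is an assumption; to audit the real file run audit_stunnel_conf "$(cat /etc/stunnel/stunnel.conf)".

```shell
#!/bin/sh
# Added example (not from the original page): audit a stunnel client config
# for the weaknesses discussed above. Inputs are constructed strings.

# Constructed copy of the page's configuration.
PAGE_CONF='setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4/stunnel.pid
debug = 7
output = /var/log/stunnel4/stunnel.log
client = yes

[ldaps-primary]
accept  = 6361
connect = ldap1.dmz.cnl.tuke.sk:636

[ldaps-secondary]
accept  = 6362
connect = ldap2.dmz.cnl.tuke.sk:636'

# Constructed hardened variant: loopback-only listeners plus server
# certificate verification. The CAfile path is an assumption.
HARDENED_CONF='client = yes
verify = 2
CAfile = /etc/ssl/certs/cnl-ldap-ca.pem

[ldaps-primary]
accept  = 127.0.0.1:6361
connect = ldap1.dmz.cnl.tuke.sk:636

[ldaps-secondary]
accept  = 127.0.0.1:6362
connect = ldap2.dmz.cnl.tuke.sk:636'

# Print the port of every "accept" that has no address part: stunnel then
# listens on all interfaces and this host becomes an open LDAP relay.
open_listeners() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*accept[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            if (v !~ /:/) print v
        }'
}

# Exit 0 when the config is in client mode and verifies the server
# certificate (verify >= 2 with a CAfile or CApath), else 1.
verifies_server() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*client[ \t]*=[ \t]*yes/ { client = 1 }
        /^[ \t]*verify[ \t]*=/ { v = $0; sub(/^[^=]*=[ \t]*/, "", v); level = v + 0 }
        /^[ \t]*(CAfile|CApath)[ \t]*=/ { ca = 1 }
        END { exit (client && level >= 2 && ca) ? 0 : 1 }'
}

# Exit 0 when the sslVersion = SSLv3 setting from the warning above is present.
uses_sslv3() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*sslVersion[[:space:]]*=[[:space:]]*SSLv3'
}

# Run all three checks; print findings and return 1 if any fired.
audit_stunnel_conf() {
    rc=0
    ports=$(open_listeners "$1" | tr '\n' ' ')
    if [ -n "$ports" ]; then
        echo "accept without an address ($ports): listener bound on all interfaces, use 127.0.0.1:port"
        rc=1
    fi
    if ! verifies_server "$1"; then
        echo "client mode without verify = 2 and CAfile/CApath: server certificate is not checked"
        rc=1
    fi
    if uses_sslv3 "$1"; then
        echo "sslVersion = SSLv3 is set; the tunnel does not work with it"
        rc=1
    fi
    return $rc
}

audit_stunnel_conf "$PAGE_CONF"      # reports two findings, returns 1
audit_stunnel_conf "$HARDENED_CONF"  # silent, returns 0
```

The audit deliberately treats the page's own configuration as failing: both of its findings are fixed by the hardened variant, and nothing else in the file needs to change.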

Start STUNNEL

Linux:/# /etc/init.d/stunnel4 start

Install the libnss-ldap package

Linux:/# apt-get install libnss-ldap

Configure lookup of user accounts and groups against LDAP in /etc/nsswitch.conf

passwd:         files ldap
group:          files ldap
shadow:         files ldap
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

LDAP settings in /etc/ldap.conf and /etc/ldap/ldap.conf (identical contents; one can be a link to the other). /etc/ldap.conf is what libnss-ldap and pam_ldap read; /etc/ldap/ldap.conf is read by the OpenLDAP client library (ldapsearch and friends), which uses only the base and uri lines and ignores the nss_* and pam_* keys.

base dc=top
uri ldap://localhost:6361 ldap://localhost:6362
ldap_version 3
scope sub
nss_base_passwd ou=Active,ou=People,dc=top?sub?|(accessTo=Public-Resources)(trustmodel=fullaccess)
nss_base_shadow ou=Active,ou=People,dc=top?sub?|(accessTo=Public-Resources)(trustmodel=fullaccess)
nss_base_group  ou=Groups,dc=top?one
pam_password md5crypt
bind_policy soft

- the value accessTo=Public-Resources must be replaced with the name of the server, for example stargate.cnl.tuke.sk, and you must ask the administrators to delegate management of the attribute accessTo=server-name to you...

Check the list of users from LDAP

Linux:/# getent passwd

Check the list of groups from LDAP

Linux:/# getent group
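
As an added example covering the /etc/ldap.conf, nsswitch.conf and getent steps above (not part of the original page or of the CNL setup script), the POSIX shell functions below run the pre-flight checks a practitioner wants before trusting the setup for logins: the accessTo placeholder has been replaced, every uri points at the local stunnel listeners so no directory traffic leaves the host in the clear, nsswitch.conf consults ldap for passwd, group and shadow, and getent actually returns entries that are not in the local /etc/passwd. All inputs are constructed strings (the uid 10001 for jozjan is made up); on a real host pass "$(cat /etc/ldap.conf)", "$(cat /etc/nsswitch.conf)", "$(getent passwd)" and "$(cat /etc/passwd)" instead.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight checks on the
# client-side LDAP configuration. Every input below is a constructed string.

# /etc/ldap.conf as the page shows it, accessTo placeholder not yet replaced.
LDAP_CONF='base dc=top
uri ldap://localhost:6361 ldap://localhost:6362
ldap_version 3
scope sub
nss_base_passwd ou=Active,ou=People,dc=top?sub?|(accessTo=Public-Resources)(trustmodel=fullaccess)
nss_base_shadow ou=Active,ou=People,dc=top?sub?|(accessTo=Public-Resources)(trustmodel=fullaccess)
nss_base_group  ou=Groups,dc=top?one
pam_password md5crypt
bind_policy soft'

# Constructed misconfiguration: placeholder fixed, but the uri bypasses
# stunnel and sends plaintext LDAP (bind passwords included) over the network.
PLAINTEXT_CONF='base dc=top
uri ldap://ldap1.dmz.cnl.tuke.sk:389
nss_base_passwd ou=Active,ou=People,dc=top?sub?|(accessTo=stargate.cnl.tuke.sk)(trustmodel=fullaccess)'

NSSWITCH='passwd:         files ldap
group:          files ldap
shadow:         files ldap
hosts:          files dns'

# Constructed /etc/passwd and "getent passwd" output; jozjan (uid 10001 is
# made up) is the only entry that NSS obtained from LDAP.
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh'
GETENT_OUT='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
jozjan:x:10001:10001:LDAP user:/home/jozjan:/bin/bash'

# Exit 0 while any nss_base_* filter still carries the Public-Resources
# placeholder, i.e. the host-specific access restriction has not been set.
placeholder_left() {
    printf '%s\n' "$1" | grep -q '^nss_base_.*accessTo=Public-Resources'
}

# Print the host of every URI on the "uri" line(s).
uri_hosts() {
    printf '%s\n' "$1" | awk '$1 == "uri" {
        for (i = 2; i <= NF; i++) {
            h = $i
            sub(/^ldaps?:\/\//, "", h)                                  # drop scheme
            if (h ~ /^\[/) { sub(/^\[/, "", h); sub(/\].*$/, "", h) }   # [v6]:port
            else sub(/[:\/].*$/, "", h)                                 # drop port/path
            print h
        }
    }'
}

# Exit 0 only when there is at least one URI and every one points at the
# loopback: all directory traffic then goes through the stunnel listeners.
loopback_only() {
    [ -n "$(uri_hosts "$1")" ] || return 1
    for h in $(uri_hosts "$1"); do
        case "$h" in
            localhost|127.0.0.1|::1) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Exit 0 when passwd, group and shadow all consult ldap in nsswitch.conf.
nsswitch_uses_ldap() {
    for db in passwd group shadow; do
        printf '%s\n' "$1" | grep -Eq "^$db:.*[[:space:]]ldap([[:space:]]|$)" || return 1
    done
    return 0
}

# Given "getent passwd" output and the local /etc/passwd, print the login
# names NSS resolved from LDAP (present in the first, absent from the second).
ldap_only_users() {
    printf '%s\n' "$1" | awk -F: -v localpw="$2" '
        BEGIN {
            n = split(localpw, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], f, ":"); islocal[f[1]] = 1 }
        }
        NF && !($1 in islocal) { print $1 }'
}

# Combine the configuration checks; print findings and return 1 if any fired.
preflight() {
    rc=0
    placeholder_left "$1" && { echo "accessTo=Public-Resources placeholder still in ldap.conf"; rc=1; }
    loopback_only "$1" || { echo "uri does not go through the local stunnel: $(uri_hosts "$1" | tr '\n' ' ')"; rc=1; }
    nsswitch_uses_ldap "$2" || { echo "nsswitch.conf: passwd/group/shadow do not all include ldap"; rc=1; }
    return $rc
}

preflight "$LDAP_CONF" "$NSSWITCH"   # reports the placeholder, returns 1
ldap_only_users "$GETENT_OUT" "$LOCAL_PASSWD"   # prints jozjan
```

getent passwd on its own lists local and LDAP accounts together, which is why the last function subtracts /etc/passwd: an empty result after the tunnel and NSS are configured means the filter (or the accessTo value) excludes everyone, not that LDAP is unreachable.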

PAM change in /etc/pam.d/common-account

account sufficient       pam_ldap.so
account required         pam_unix.so try_first_pass

PAM change in /etc/pam.d/common-auth

auth sufficient       pam_ldap.so
auth required         pam_unix.so try_first_pass

PAM change in /etc/pam.d/common-password

password sufficient       pam_ldap.so md5
password required         pam_unix.so md5 try_first_pass

PAM change in /etc/pam.d/common-session

session required         pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required         pam_unix.so
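
As an added example for the four PAM changes above (not part of the original page or of the CNL setup script), the POSIX shell script below installs those stacks with a backup of every file it replaces, checks each result structurally, and rolls back if a check fails. The checks encode why the order above matters: a required pam_unix.so line must exist so local accounts (root) keep working when the LDAP server is unreachable, any pam_ldap.so line must come before it, and a pam_unix.so that follows pam_ldap.so in the auth, account or password stack must carry try_first_pass or use_first_pass, or the user is prompted twice. PAMDIR defaults to a fresh temporary directory (constructed for the example) so that running the script does not touch the host; set PAMDIR=/etc/pam.d to apply it for real.

```shell
#!/bin/sh
# Added example (not from the original page): install the PAM stacks shown
# above with backups, verify them structurally, and roll back on failure.
# PAMDIR defaults to a temporary directory so the example is harmless to run.

PAMDIR=${PAMDIR:-$(mktemp -d)}
FILES='common-account common-auth common-password common-session'

# The stacks from the page, one file per argument.
stack_for() {
    case "$1" in
    common-account) printf '%s\n' \
        'account sufficient       pam_ldap.so' \
        'account required         pam_unix.so try_first_pass' ;;
    common-auth) printf '%s\n' \
        'auth sufficient       pam_ldap.so' \
        'auth required         pam_unix.so try_first_pass' ;;
    common-password) printf '%s\n' \
        'password sufficient       pam_ldap.so md5' \
        'password required         pam_unix.so md5 try_first_pass' ;;
    common-session) printf '%s\n' \
        'session required         pam_mkhomedir.so skel=/etc/skel/ umask=0077' \
        'session required         pam_unix.so' ;;
    *) return 1 ;;
    esac
}

# Structural check of one stack read from stdin. Exit 0 when:
#  - a pam_unix.so line with control required (or requisite) exists,
#  - every pam_ldap.so line comes before it,
#  - outside the session stack, a pam_unix.so placed after pam_ldap.so
#    carries try_first_pass or use_first_pass.
check_stack() {
    awk '
        /^[ \t]*#/ || NF < 3 { next }
        $3 == "pam_ldap.so" { ldap_line = NR }
        $3 == "pam_unix.so" && ($2 == "required" || $2 == "requisite") {
            unix_line = NR
            if ($1 == "session") first_pass = 1
            else for (i = 4; i <= NF; i++) if ($i ~ /^(try|use)_first_pass$/) first_pass = 1
        }
        END {
            if (!unix_line) exit 1
            if (ldap_line && ldap_line > unix_line) exit 1
            if (ldap_line && !first_pass) exit 1
            exit 0
        }'
}

# Restore every backed-up file; always succeeds.
rollback_pam_stack() {
    for f in $FILES; do
        [ -f "$PAMDIR/$f.pre-ldap" ] && mv "$PAMDIR/$f.pre-ldap" "$PAMDIR/$f"
    done
    return 0
}

# Back up, write and check each file; roll back everything on the first failure.
install_pam_stack() {
    for f in $FILES; do
        [ -f "$PAMDIR/$f" ] && cp -p "$PAMDIR/$f" "$PAMDIR/$f.pre-ldap"
        stack_for "$f" > "$PAMDIR/$f"
        if ! check_stack < "$PAMDIR/$f"; then
            echo "check failed for $f, rolling back" >&2
            rollback_pam_stack
            return 1
        fi
    done
    return 0
}

install_pam_stack && echo "PAM stack installed in $PAMDIR (backups: *.pre-ldap)"
```

Keep the backups until an LDAP login and a local root login have both been tested from a fresh session; rollback_pam_stack restores the previous files from the still-open root shell if either fails.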

In case of problems, watch /var/log/auth.log. Keep a second root shell open while testing the PAM changes: a mistake in the common-* files can lock you out of the machine, and from the open shell you can still restore the original files.

-- Main.JCube - 27 Sep 2009

Topic revision: r3 - 05 Oct 2009 - 19:02:48 - TWikiAdminUser
 