470 likes | 574 Views
OpenLDAP Directory Administration Replacing NIS. Table of Contents. Introduction More about NIS Schemas for Information Services Information Migration The pam_ldap Module The nss_ldap Module OpenSSH, PAM, and NSS Authorizing Through PAM Netgroups Security Automount Maps
E N D
Table of Contents • Introduction • More about NIS • Schemas for Information Services • Information Migration • The pam_ldap Module • The nss_ldap Module • OpenSSH, PAM, and NSS • Authorizing Through PAM • Netgroups • Security • Automount Maps • PADL's NIS/LDAP Gateway
Table of Contents • Introduction • More about NIS • Schemas for Information Services • Information Migration • The pam_ldap Module • The nss_ldap Module • OpenSSH, PAM, and NSS • Authorizing Through PAM • Netgroups • Security • Automount Maps • PADL's NIS/LDAP Gateway
Introduction • This chapter: how to replace Sun's Network Information Service (NIS) with LDAP • NIS, used for centralized management of: • user information • Passwords • Hostnames • IP addresses • Automount maps (control mounting of remote filesystems) • Other administrative information • Note that there are alternatives to NIS and LDAP • General approach: • Get information you want to share in the directory • Get clients to use the directory • Disable old information-sharing mechanism
Introduction (cont.) • Two fundamental strategies: • Setting up an NIS/LDAP gateway • An NIS server that accepts NIS queries • Retrieves answers from an LDAP directory • No client modifications required • Making a complete transition to LDAP • Install LDAP libraries and modules on all clients • Disable all NIS lookups on clients • eg. PAM and NSS LDAP modules released by PADL Software under LGPL • Either way, we need to define the attribute types and object classes needed to move the information served by NIS into an LDAP directory • PAM and NSS allow for transparent upgrades from NIS to LDAP
Table of Contents • Introduction • More about NIS • Schemas for Information Services • Information Migration • The pam_ldap Module • The nss_ldap Module • OpenSSH, PAM, and NSS • Authorizing Through PAM • Netgroups • Security • Automount Maps • PADL's NIS/LDAP Gateway
More about NIS • Most commonly used to distribute system password and account maps to client machines • Other files: also possible (/etc/hosts, /etc/services, /etc/group, /etc/networks, ...) • Master copy of any shared data always resides on a master server, and is distributed to slave servers • NIS master acts as directory system agent (DSA) • Flat namespace, eg. passwd.byname map • To work around this: group machines into NIS domains • Different NIS domains are different directories, but may be served by the same server • LDAP: hierarchical namespace
More about NIS (cont.) Comparing Namespaces YP:domain1.com jerry:##:... LDAP namespace YP:domain2.com jerry:##:... dc=plainjoe,dc=org NIS namespace ou=sales ou=engr uid=jerry, ou=sales... uid=jerry, ou=engr...
Table of Contents • Introduction • More about NIS • Schemas for Information Services • Information Migration • The pam_ldap Module • The nss_ldap Module • OpenSSH, PAM, and NSS • Authorizing Through PAM • Netgroups • Security • Automount Maps • PADL's NIS/LDAP Gateway
Schemas for Information Services RFC 2307 - “An Approach for Using LDAP as a Network Information Service” • Note:has recently been updated in an Internet-Draft by LDAPbis working group • Defines attribute types and object classes needed to use an LDAP directory as a replacement for NIS • Despite experimental status, supported by many vendors: Sun, OpenLDAP, Apple, HP, PADL • Lengthy list of attribute types and object classes
Schemas for Information Services (cont.) How to migrate all user accounts and groups into OpenLDAP: (slapd.conf) include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/nis.schema pidfile var/run/slapd.pid argsfile /usr/run/slapd.args loglevel 256 TLSCipherSuite 3DES:RC4:EXPORT40 TLSCertificateFile /usr/local/etc/openldap/slapd-cert.pem TLSCertificateKeyFile /usr/local/etc/openldap/slapd-private-key.pem database bdb suffix “dc=plainjoe,dc=org” rootdn “cn=Manager,dc=plainjoe,dc=org” rootpw {SSHA}2aksIaicAvwc+DhCrXUFlhgWsbBJPLxy directory /var/ldap/plainjoe.org mode 0600 index objectClass eq index cn,uid eq index uidNumber eq index gidNumber eq
Schemas for Information Services (cont.) Relationships between posixAccount Object Class and an Entry from the /etc/passwd File /bin/bash gcarter: KpP.s/mnFoEoI: Gerald Carter: /home/gcarter: 780:100: required attributes objectClass:posixAccount cn: uid: uidNumber: gidNumber: homeDirectory: userPassword: gecos: loginShell: description: optional attributes
Schemas for Information Services (cont.) Relationships between posixGroup Object Class and an Entry from the /etc/group File admin: *:101: gcarter required attributes objectClass:posixGroup cn: gidNumber: userPassword: memberUid: description: optional attributes
Schemas for Information Services (cont.) Relationships between posixGroup Object Class and an Entry from the /etc/group File gcarter: LnMJ/n2rQsR.c: 11276: 0: 99999: 7: -1: -1: 134540300 required attributes objectClass:shadowAccount uid: userPassword: shadowLastChange: shadowMin: shadowMax: shadowWarning: shadowInactive: shadowExpire: shadowFlag: description: optional attributes
Table of Contents • Introduction • More about NIS • Schemas for Information Services • Information Migration • The pam_ldap Module • The nss_ldap Module • OpenSSH, PAM, and NSS • Authorizing Through PAM • Netgroups • Security • Automount Maps • PADL's NIS/LDAP Gateway
Information Migration • PADL Software has a set of Perl scripts designed to convert various /etc/ system files into LDIF format • http://www.padl.com/OSS/MigrationTools.html • Customize the migrate_common.ph script to fit your network settings eg. $DEFAULT_BASE variable • eg. • Currently supported: /etc/fstab (ou=Mounts) /etc/hosts (ou=Hosts) /etc/group (ou=Group) /etc/protocols (ou=Protocols) /etc/passwd & /etc/shadow (ou=People) # ./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif /etc/rpc (ou=Rpc) /etc/services (ou=Services) /etc/networks (ou=Networks) netgroups (ou=Netgroups)
Table of Contents • Introduction • More about NIS • Schemas for Information Services • Information Migration • The pam_ldap Module • The nss_ldap Module • OpenSSH, PAM, and NSS • Authorizing Through PAM • Netgroups • Security • Automount Maps • PADL's NIS/LDAP Gateway
The pam_ldap Module • Pluggable Authentication Modules are implemented as shared libraries that distance applications from the details of account data storage, mechanisms used to authenticate users, and service authorization processes • pam_ldap module developed by PADL Software • Supported on Linux, FreeBSD, HP-UX, Mac OS 10.2, Solaris • http://www.padl.com/OSS/pam_ldap • Compilation not discussed here • Makes use of configuration parameters in /etc/ldap.conf
The pam_ldap Module (cont.) ldap.conf Parameters Shared by pam_ldap & nss_ldap
The pam_ldap Module (cont.) ldap.conf Parameters Used by pam_ldap
The pam_ldap Module (cont.) • pam_ldap module must be able to locate the directory server • Must be specified in /etc/ldap.conf • (nss_ldap can also do a DNS query – see later) • Example /etc/ldap.conf: • Results in this search: (&(objectClass=posixAccount)(uid=gcarter)) uri ldap://ldap.plainjoe.org/ ldap_version 3 base dc=plainjoe,dc=org scope sub timelimit 30 # binddn # bindpw pam_login_attribute uid pam_filter_filter objectclass=posixAccount
Table of Contents • Introduction • More about NIS • Schemas for Information Services • Information Migration • The pam_ldap Module • The nss_ldap Module • OpenSSH, PAM, and NSS • Authorizing Through PAM • Netgroups • Security • Automount Maps • PADL's NIS/LDAP Gateway
The nss_ldap Module • Name Service Switch (NSS) is similar to PAM except it only provides a mechanism for information retrieval • PADL Software's nss_ldap module • Supported on AIX, HP-UX, Linux and Solaris, not on FreeBSD and Mac OS 10.2 (unlike pam_ldap module) • Compilation of module not discussed here • /lib/libnss_ldap.so on Linux • /lib/nss_ldap.so on Solaris • Uses /etc/ldap.conf configuration file, so must be readable by processes (dangerous when it contains binddn & bindpw information) • To configure NSS to use LDAP, add the keyword ldap to the appropriate lines in /etc/nsswitch.conf
The nss_ldap Module (cont.) • Currently supported: passwd group hosts services networks protocols rpc ethers netgroups • Currently unsupported netmasks bootparms publickey automount
The nss_ldap Module (cont.) • Example /etc/nsswitch.conf file: • Parameters (ldap.conf) that affect load on LDAP servers: • Testing configuration: passwd: files ldap shadow: files ldap group: files ldap nss_base_passwd ou=people,dc=plainjoe,dc=org?one nss_base_shadow ou=people,dc=plainjoe,dc=org?one nss_base_group ou=group,dc=plainjoe,dc=org?one $ getent passwd root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin: ... gcarter:x:780:100:G. Carter:/home/queso/gcarter:/bin/bash jerry:x:782:782:Jerry Carter:/home/queso/jerry:/bin/bash This output is retrieved from the LDAP server
The nss_ldap Module (cont.) ldap.conf Parameters Used by nss_ldap
The nss_ldap Module (cont.) LDIF listing for gcarter: • Because of the shadowAccount object class, the getent returns a “x” for the shadow password • Without the presence of this class, the second field of the getent output would have been the password hash (assuming the directory would have returned this) dn: uid=gcarter,ou=People,dc=plainjoe,dc=org uid: gcarter cn: Gerald (Jerry) Carter objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount loginShell: /bin/bash uidNumber: 780 gidNumber: 100 homeDirectory: /home/queso/gcarter userPassword: {crypt}GoYLwzMD6cuZE
Table of Contents • Introduction • More about NIS • Schemas for Information Services • Information Migration • The pam_ldap Module • The nss_ldap Module • OpenSSH, PAM, and NSS • Authorizing Through PAM • Netgroups • Security • Automount Maps • PADL's NIS/LDAP Gateway
OpenSSH, PAM, and NSS • Once pam_ldap and nss_ldap have been installed and /etc/ldap.conf has been configured, we can configure individual services to use LDAP • We will cover OpenSSH as an example • /etc/pam.d/sshd (session module is ignored by pam_ldap): auth required /lib/security/pam_nologin.so auth sufficient /lib/security/pam_ldap.so auth required /lib/security/pam_unix.so shadow nullok use_first_pass account sufficient /lib/security/pam_ldap.so account required /lib/security/pam_unix.so password required /lib/security/pam_cracklib.so password required /lib/security/pam_unix.so nullok use_authok shadow session required /lib/security/pam_unix.so session optional /lib/security/pam_console.so
Table of Contents • Introduction • More about NIS • Schemas for Information Services • Information Migration • The pam_ldap Module • The nss_ldap Module • OpenSSH, PAM, and NSS • Authorizing Through PAM • Netgroups • Security • Automount Maps • PADL's NIS/LDAP Gateway
Authorizing Through PAM • Two means of restricting access to a host, independent of any other PAM modules (eg. pam_nologin.so) • One host and a group of users • Specify a group of users who are allowed to use a particular host • One user and a group of hosts • Specify the machines that any given use is allowed to access
Authorizing Through PAM (cont.) One Host and a Group of Users • Specify a group of users who are allowed to use a particular host • Host entry for the machine can be extended to include a list of DNs for users (member) that are authorized to log in via pam_ldap • eg. LDIF: • Needed in /etc/ldap.conf: dn: cn=pogo,ou=hosts,dc=plainjoe,dc=org objectClass: ipHost objectClass: device objectClass: extensibleObject ipHostNumber: 192.168.1.75 cn: pogo.plainjoe.org cn: pogo member: uid=gcarter,ou=people,dc=plainjoe,dc=org member: uid=kristi,ou=people,dc=plainjoe,dc=org member: uid=deryck,ou=people,dc=plainjoe,dc=org pam_groupdn cn=pogo,ou=hosts,dc=plainjoe,dc=org pam_member_attribute member
Authorizing Through PAM (cont.) One User and a Group of Hosts • Specify the machines that any given use is allowed to access • Structural account object class must be present (done by PADL migration scripts) • Only one attribute required (uid), host attribute determines access required attributes objectClass:account uid: description: localityName: seeAlso: o: ou: host: optional attributes
Authorizing Through PAM (cont.) One User and a Group of Hosts (cont.) • LDIF: • This must be enabled in /etc/ldap.conf: dn: uid=gcarter,ou=people,dc=plainjoe,dc=org uid: gcarter cn: Gerald (Jerry) Carter objectClass: account objectClass: posixAccount objectClass: shadowAccount objectClass: /bin/bash uidNumber: 780 gidNumber: 100 homeDirectory: /home/queso/gcarter userPassword: {crypt}GoYLwzMD6cuZE host: queso.plainjoe.org host: pogo.plainjoe.org host: tumnus.plainjoe.org pam_check_host_attr yes
Table of Contents • Introduction • More about NIS • Schemas for Information Services • Information Migration • The pam_ldap Module • The nss_ldap Module • OpenSSH, PAM, and NSS • Authorizing Through PAM • Netgroups • Security • Automount Maps • PADL's NIS/LDAP Gateway
Netgroups • Allow machines and/or users to be collected together for various administrative tasks, eg. • Grouping machines for use in tcp_wrappers file (/etc/hosts.allow & /etc/hosts.deny) • eg. hosts.deny • eg. hosts.allow • Example netgroups: • RFC2307 describes structural nisNetgroup object class • Note: testing via “getent netgroup groupname” sshd: ALL sshd: @sysadmin sysadmin (garion.plainjoe.org,-,-)(silk.plainjoe.org,-,-) all_sysadmins sysadmin secure_clients
Netgroups (cont.) The nisNetGroup Object Class Next Steps • Before adding any netgroups, we must create the container ou=netgroup required attributes objectClass:nisNetGroup cn: nisNetGroupTriple: memberNisNetgroup: description: optional attributes dn: ou=netgroup,dc=plainjoe,dc=org objectClass: organizationalUnit ou: netgroup
Netgroups (cont.) Next Steps (cont.) • sysadmin netgroup: • all_sysadmin netgroup: • Change required in /etc/ldap.conf: • /etc/nsswitch.conf: $ ./migrate_netgroup.pl /etc/netgroup dn: cn=sysadmin,ou=netgroup,dc=plainjoe,dc=org objectClass: nisNetgroup objectClass: top cn: sysadmin nisNetgroupTriple: (garion.plainjoe.org,-,-) nisNetgroupTriple: (silk.plainjoe.org,-,-) dn: cn=all_sysadmin,ou=netgroup,dc=plainjoe,dc=org objectClass: nisNetgroup objectClass: top cn: all_sysadmin memberNisNetgroup: sysadmin memberNisNetgroup: secure_clients nss_base_netgroup ou=netgroup,dc=plainjoe,dc=org netgroup: ldap
Table of Contents • Introduction • More about NIS • Schemas for Information Services • Information Migration • The pam_ldap Module • The nss_ldap Module • OpenSSH, PAM, and NSS • Authorizing Through PAM • Netgroups • Security • Automount Maps • PADL's NIS/LDAP Gateway
Security • Discusses how security issues are addressed in pam_ldap and nss_ldap • First, determine what level of security is desired • Protect passwords ? • Protect usernames as well ? • Clear-text passwords ? • Clear-text of the network ? • LDAPv3, two mechanisms to protect passwords: • Use of SASL tp support more secure methods of authentication (Kerberos-5, Digest-MD5) • Not currently supported by pam_ldap • Negotiate secure transport layer to protect information used in the bind request as well as other information • StartTLS & LDAPS support
Security (cont.) • /etc/ldap.conf: • Check with tcpdump or ethereal (sniffers) • Other than encrypting the traffic, one must ensure that users have no access to obtain unauthorized information eg. userPassword attribute • Two ACEs: ssl start_tls access to dn=”.*,dc=plainjoe,dc=org” attr=userPassword by self write by * auth access to dn=”.*,dc=plainjoe,dc=org” by * read This is not the same as read access – client can never obtain the userPassword value
Table of Contents • Introduction • More about NIS • Schemas for Information Services • Information Migration • The pam_ldap Module • The nss_ldap Module • OpenSSH, PAM, and NSS • Authorizing Through PAM • Netgroups • Security • Automount Maps • PADL's NIS/LDAP Gateway
Automount Maps • Look at autodaemon support • Linux' kernel-based autofs ? • automount and automountMap object classes • However: Red Hat bases automounting on nisObject and nisMap classes described in RFC2307 • RFC2307bis will include new schema items • nisObject and nisMap object classes: required attributes required attributes objectClass:nisObject cn: nisMapEntry: nisMapName: description: objectClass:nisMap nisMapName: description: optional attributes optional attributes
Automount Maps (cont.) • PADL's migration tools (migrate_automount.pl): • Informing the automounter (/etc/auto.master): $ grep src /etc/auto.opt src -rw,hard,intr queso.plainjoe.org:/export/u1/src $ ./migrate_automount.pl /etc/auto.opt /tmp/auto.opt.ldif $ cat /tmp/auto.opt.ldif dn: nisMapName=auto.opt,dc=plainjoe,dc=org objectClass: top objectClass: nisMap nisMapName: auto.opt dn: cn=src,nisMapName=auto.opt,dc=plainjoe,dc=org objectClass: nisObject cn: src nisMapEntry: -rw,hard,intr queso.plainjoe.org:/export/u1/src nisMapName: auto.opt /opt ldap:ldap1:nisMapName=auto.opt,dc=plainjoe,dc=org --timeout 300
Table of Contents • Introduction • More about NIS • Schemas for Information Services • Information Migration • The pam_ldap Module • The nss_ldap Module • OpenSSH, PAM, and NSS • Authorizing Through PAM • Netgroups • Security • Automount Maps • PADL's NIS/LDAP Gateway
PADL's NIS/LDAP Gateway • ypldapd daemon • From the manpage: • ypldapd emulates the equivalent process ypserv by providing an RFC call-compatible interface. Rather than consulting “map” files as ypserv does, however, ypldapd draws its data from LDAP databases • In theory, allows NIS domain to be replaced with a directory-based solution without any client machines being aware of the change • 30-day trial version available from PADL site (http://www.padl.com/) • PADL migration tools described earlier can be used for the migration
PADL's NIS/LDAP Gateway (cont.) • Initial ypldapd.conf file: • ypldapd may require a special privileged DN to use when it binds to the LDAP server # NIS domain to server ypdomain yp.plainjoe.org # LDAP server ldaphost 192.168.1.77 # Search base basedn dc=plainjoe,dc=org # Enable caching caching on # Dump caches every half hour cache_dump_interval 30 # Use default naming context mappings namingcontexts namingcontexts.conf