Implementing a SSO Solution Using Linux and OpenLDAP
Shanker Balan
Exocore Consulting (P) Ltd
http://www.exocore.com
"Single-Sign-On" Solution
Introduction
• What is "Single Sign On"?
• Problems with standard authentication mechanisms
• How does LDAP fit in?
• Migrating to OpenLDAP on Linux
• UNIX Authentication
• Windows Authentication

Single Sign On
• What it means
  • Use the same "username" and "password" for accessing network resources
  • Should work across all operating systems: Windows, Linux, FreeBSD, Solaris etc.
  • The authentication system should be network aware

Standard Problems (per-host password files)
• Administrative nightmare
  • Centralized account management is difficult
  • Difficult to keep users and passwords in sync across hosts
  • Not scalable; might work in small setups (<100 users)
  • Not cross platform: UNIX /etc/passwd and Windows credentials are maintained separately

Single Sign On
• Features
  • Single authentication backend
  • One account == one password
  • Password changes are universal
  • Users do not need to remember multiple login IDs/passwords
  • Accounts are always in sync
• Database based (LDAP, RDBMS etc.)
  • Standard API for manipulating entries
  • Easy to write GUI and web frontends for administration
  • Very extensible! Can handle objects like address books, profiles etc.

Single Sign On (Contd)
• Database based (Contd)
  • High availability and reliability using replication
  • Fine-grained access control lists
  • Highly scalable
  • Encryption support using SSL/TLS
  • Network enabled

Why LDAP?
• Standardized protocol
• Vendor independent
  • OpenLDAP, NDS, Active Directory etc.
• Platform independent
  • *NIX, Windows etc.
• Most applications already have LDAP support
  • Linux PAM, Postfix, Samba
  • Outlook Express, Evolution
OpenLDAP on Linux
• Installation
  • via RPMs:
      openldap-2.0.23-4
      openldap-clients-2.0.23-4
      openldap-servers-2.0.23-4
      openldap-devel-2.0.23-4
  • TGZ from http://openldap.org/
• Start/Stop the LDAP server (Red Hat init script)
      # service ldap start
      # service ldap stop
      # service ldap restart

Configuring OpenLDAP
• Edit /etc/openldap/slapd.conf (man slapd.conf)
      ####################
      # ldbm database definitions
      ####################
      database ldbm
      suffix   "dc=exocore,dc=com"
      rootdn   "cn=Manager,dc=exocore,dc=com"
      rootpw   secret
• rootdn is the directory superuser and bypasses the ACLs. "secret" above is a cleartext example; in production put a hashed value generated with slappasswd (e.g. a {SSHA} value) on the rootpw line, and keep slapd.conf readable only by root and the ldap user.
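The slide leaves "secret" in slapd.conf in clear. As an added example (not from the slides and not OpenLDAP's own code), the Python below produces and checks the {SSHA} value that slappasswd emits by default, which is what belongs on the rootpw line instead. The 4-byte salt length follows slappasswd; a fixed salt is only used for repeatable checks, otherwise the salt is random.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Added example (not from the slides or OpenLDAP): build and verify the
# {SSHA} password value that slappasswd emits by default, so slapd.conf can
# carry "rootpw {SSHA}..." instead of "rootpw secret" in clear.
#   {SSHA} = "{SSHA}" + base64( SHA-1(password || salt) || salt )
# slappasswd uses a 4-byte random salt; a fixed salt is only for tests.

SALT_LEN = 4
SHA1_LEN = 20


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} string usable as rootpw in slapd.conf or as userPassword."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, candidate: str) -> bool:
    """Check a candidate against a stored {SSHA} value (what slapd does on a simple bind)."""
    scheme, _, b64 = stored.partition("}")
    if scheme.upper() != "{SSHA":
        raise ValueError("not a {SSHA} value: " + stored)
    raw = base64.b64decode(b64)
    # the salt is whatever follows the 20-byte SHA-1 digest
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)


def rootpw_line(password: str, salt: Optional[bytes] = None) -> str:
    """The slapd.conf directive to use in place of 'rootpw secret'."""
    return "rootpw " + ssha_hash(password, salt)


if __name__ == "__main__":
    line = rootpw_line("secret")
    print(line)
    print(ssha_verify(line.split(" ", 1)[1], "secret"))
```

Paste the printed line into slapd.conf in place of "rootpw secret"; slapd accepts on rootpw any scheme that slappasswd can generate, and the same {SSHA} form is what slapd stores in userPassword when a user changes a password over LDAP.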
OpenLDAP ACLs
• Access Control Lists
      access to attribute=userPassword
          by dn="cn=Manager,dc=exocore,dc=com" write
          by anonymous auth
          by self write
          by * none
      access to *
          by dn="cn=Manager,dc=exocore,dc=com" write
          by * read
• Rules are evaluated in order: the first "access to" clause whose target matches is used, and within it the first matching "by" clause decides. The userPassword rule must therefore come before "access to *"; otherwise "by * read" would hand password hashes to anyone who can search the directory.
• "by anonymous auth" lets an unauthenticated client bind (the server compares the password) without being able to read the hash; "by self write" lets users change their own password.

Testing Basic Operation
• Edit /etc/openldap/ldap.conf (man ldap.conf)
      HOST localhost
      BASE dc=exocore,dc=com
• Start the LDAP server
• Test with a simple (anonymous) search
      # ldapsearch -x
• Test "bind" as the manager
      # ldapsearch -x -D "cn=Manager,dc=exocore,dc=com" -w secret
  (-W prompts for the password instead of leaving it in the shell history and process list)
Migrating Users
• MigrationTools: /usr/share/openldap/migration
• See "README" and make changes to "migrate_common.ph"
      $DEFAULT_MAIL_DOMAIN = "exocore.com";
      $DEFAULT_BASE = "dc=exocore,dc=com";
      $EXTENDED_SCHEMA = 1;
• Run "migrate_all_online.sh" (it binds as the rootdn and loads passwd, shadow, group, hosts etc. into the running server; the crypt(3) hashes from /etc/shadow become {crypt} userPassword values)
• Run "ldapsearch" to list all entries
      # ldapsearch -x
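To show what migrate_all_online.sh actually feeds to ldapadd for each user, and which attributes of posixAccount/shadowAccount (listed later under Schema & Attributes) carry the UNIX account, here is an added example in Python. It is not PADL's migrate_passwd.pl: it reads /etc/passwd and /etc/shadow lines (the ones below are constructed, the hashes are not real accounts), skips system accounts, and emits LDIF under ou=People,dc=exocore,dc=com as MigrationTools does. The UID cutoff of 500 is an assumption; the $EXTENDED_SCHEMA additions (inetOrgPerson, sn, mail) are left out.

```python
from typing import Dict, List, Tuple

# Added example, not PADL's migrate_passwd.pl: /etc/passwd + /etc/shadow
# lines -> posixAccount/shadowAccount LDIF under ou=People,<base>.
# The sample lines are constructed; the hashes do not belong to real accounts.

BASE_DN = "dc=exocore,dc=com"      # $DEFAULT_BASE in migrate_common.ph
PEOPLE_OU = "ou=People"            # MigrationTools' default user container
MIN_UID = 500                      # assumption: UIDs below this are system accounts
                                   # and stay in the local files

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
abc:x:500:500:A. B. C.:/home/abc:/bin/bash
def:x:501:501:D. E. F.:/home/def:/bin/tcsh
"""
SHADOW = """\
root:$1$saltsalt$RYe6gfLPHuL4dATD5ZwMr.:12000:0:99999:7:::
daemon:*:12000:0:99999:7:::
abc:$1$Fq9Kq1tW$9eEQ8W1W1bW4C9Zb9wHnD.:12003:0:90:7:14::
def:!!:12003:0:99999:7:::
"""

# shadow(5) field order after the hash; empty fields are not emitted
SHADOW_ATTRS = ("shadowLastChange", "shadowMin", "shadowMax",
                "shadowWarning", "shadowInactive", "shadowExpire", "shadowFlag")

Entry = List[Tuple[str, str]]   # ordered attribute/value pairs; objectClass repeats


def parse_shadow(text: str) -> Dict[str, List[str]]:
    """Map login name -> shadow fields (hash, lastchg, min, max, warn, inactive, expire, flag)."""
    return {f[0]: f[1:] for f in (l.split(":") for l in text.splitlines() if l.strip())}


def user_entry(passwd_line: str, shadow: Dict[str, List[str]]) -> Entry:
    name, _, uid, gid, gecos, home, shell = passwd_line.split(":")
    entry: Entry = [
        ("dn", f"uid={name},{PEOPLE_OU},{BASE_DN}"),
        ("uid", name),
        ("cn", gecos.split(",")[0] or name),   # full name from GECOS, else the login
        ("objectClass", "account"),
        ("objectClass", "posixAccount"),
        ("objectClass", "top"),
        ("objectClass", "shadowAccount"),
    ]
    fields = shadow.get(name)
    if fields:
        # A locked value such as "!!" or "*" is copied as-is: no crypt(3)
        # output can ever equal it, so the account stays locked in LDAP too.
        entry.append(("userPassword", "{crypt}" + fields[0]))
        entry += [(attr, val) for attr, val in zip(SHADOW_ATTRS, fields[1:]) if val]
    entry += [("loginShell", shell), ("uidNumber", uid),
              ("gidNumber", gid), ("homeDirectory", home), ("gecos", gecos)]
    return entry


def migrate_users(passwd_text: str, shadow_text: str, min_uid: int = MIN_UID) -> List[Entry]:
    shadow = parse_shadow(shadow_text)
    entries = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        if int(line.split(":")[2]) < min_uid:
            continue                        # system account: stays in /etc/passwd
        entries.append(user_entry(line, shadow))
    return entries


def to_ldif(entries: List[Entry]) -> str:
    """Render entries as LDIF for ldapadd (one blank line between entries)."""
    return "\n".join("\n".join(f"{a}: {v}" for a, v in e) + "\n" for e in entries)


if __name__ == "__main__":
    print(to_ldif(migrate_users(PASSWD, SHADOW)))
```

The output is what the "ldapsearch -x" on the slide lists afterwards, except that userPassword is hidden from anonymous searches by the ACL on the previous slide; binding as the Manager shows it.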
LDAP Authentication
• Test user authentication by binding as a migrated user with that user's password
      # ldapsearch -x -D "uid=abc,ou=people,dc=exocore,dc=com" -w xyz
• Only once LDAP logins work: remove non-system accounts from passwd, shadow, group and gshadow (root and the system accounts stay local)
• On Red Hat systems, run "authconfig" (man authconfig)
      # authconfig
      Server:  <ldap server>
      Base DN: dc=exocore,dc=com

Test Client Authentication
• On non-Red Hat systems, edit /etc/pam_ldap.conf and /etc/nss_ldap.conf
      host <ldap server>
      base dc=exocore,dc=com
• Copy the sample PAM configuration shipped with nss_ldap (back up /etc/pam.d first and keep a root shell open while testing)
      # cp /usr/share/doc/nss_ldap-189/pam.d/* /etc/pam.d/
• A simple bind sends the user's password to the server in clear; enable TLS between the clients and the directory (see "Encryption support using SSL/TLS" above).

Non-Red Hat Systems
• Edit /etc/nsswitch.conf (man 5 nsswitch.conf)
      passwd: files ldap
      shadow: files ldap
      group:  files ldap
  Keep "files" before "ldap" so root and the system accounts still resolve when the directory is unreachable.
• Check the name service
      # getent passwd   (lists users, local and LDAP)
      # getent group    (lists groups)
• Try a console login as "abc"

UNIX Authentication
• On other OS platforms
  • *BSD: "portinstall security/pam_ldap"
  • Solaris: ships with pam_ldap
  • Compile and install from http://www.padl.com
    • pam_ldap
    • nss_ldap
• Works with any OS that supports PAM and NSSWITCH
Windows Authentication
• UNIX and Windows authentication are mutually incompatible
  • UNIX UIDs vs NT RIDs
  • UNIX GIDs vs NT group RIDs
  • {CRYPT} passwords vs NT/LM hashes: Windows clients authenticate with NTLM challenge/response, which needs the NT/LM hash of the password, so a crypt(3) hash cannot be used to verify a Windows logon
  • NT SIDs
• Windows cannot directly authenticate against an LDAP directory
  • Requires a "Domain Controller": Samba acts as one and keeps the NT/LM hashes in LDAP next to the UNIX account

Samba Integration
• Stable LDAP support from version 2.2.1
• Samba must be recompiled with LDAP support
      samba# ./configure --with-ldap
• Edit /etc/samba/smb.conf
      ldap admin dn = "cn=Manager,dc=exocore,dc=com"
      ldap server = <ldap server>
      ldap suffix = "ou=people,dc=exocore,dc=com"
      pam password change = yes
• The password for the ldap admin dn is not kept in smb.conf; store it with "smbpasswd -w <password>" (it goes into secrets.tdb). Here the admin DN is the Manager, i.e. the rootdn, so it has full write access to the Samba attributes.

Migrating Samba Users
• Use the Samba migration scripts in doc/samba-2.2.3a/examples/LDAP/
• See README
• Edit import2_smbpasswd.pl
      $DN = "ou=people,dc=exocore,dc=com";
      $ROOTDN = "cn=Manager,dc=exocore,dc=com";
      $rootpw = "secret";
      $LDAPSERVER = "<ldap server>";
• Migrate (the script reads smbpasswd entries on stdin and adds the Samba attributes, lmPassword, ntPassword, rid etc., to the user entries under $DN)
      # cat smbpasswd | import2_smbpasswd.pl
Are we SSO'ed yet?
• Yep!!!
• UNIX OS
  • Authentication -> PAM -> LDAP
  • Name Service -> NSS -> LDAP
• Windows
  • Authentication -> Samba -> LDAP
• No more per-user entries in /etc/passwd and /etc/smbpasswd on each host (root and the system accounts stay local)

Schema & Attributes
• ObjectClasses
  • posixAccount
  • posixGroup
  • shadowAccount
  • sambaAccount
• Attributes
  • User account (posixAccount): cn, uid, uidNumber, gidNumber, homeDirectory (optional: userPassword, loginShell, gecos, description)
  • Group account (posixGroup): cn, gidNumber (members listed in memberUid)

Account Management
• Develop in-house web frontends for managing the LDAP database (best!)
• Graphical tools
  • GQ from http://biot.com/gq/
  • Directory Administrator from http://diradmin.open-it.org/
    • UNIX authentication (posixAccount/shadowAccount)
    • Supports Samba (sambaAccount)
    • Sendmail/Postfix mail routing (inetLocalMailRecipient)
What more can I have?
• Central address book. Just configure your mailer to look up the LDAP server.
• Sendmail/Postfix mail routing tables
• Squid user authentication
• Netscape roaming profiles
• DNS
• Start here: http://www.linuxdocs.org/HOWTOs/LDAP-Implementation-HOWTO/index.html

Resources
• URLs
  • http://www.openldap.org/
  • http://www.padl.com/
  • http://www.tldp.org/
  • http://www.samba.org/

Thank You!
Shanker Balan
<http://www.exocore.com>
<http://shankerbalan.com>
Questions?