LDAP and Kerberos: An Overview
Leveraging services provided by Active Directory for Unix/Linux authentication, authorization and name services
Jason Testart, Computer Science Computing Facility, University of Waterloo
March 2007
Summary
• Kerberos is for authentication only and provides Single Sign-On (SSO)
• LDAP can be used for authentication, authorization, and name services (no SSO)
• Active Directory is a kerberized directory service with an LDAP interface
• Use Kerberos for authentication, LDAP for authorization and name services
What do these technologies give us?
• Eliminate password synchronization
• Speed up system deployment
• Reduce development time when a new platform is introduced
• Improve the end-user experience
LDAP
Name services using the Lightweight Directory Access Protocol
What is LDAP?
• A protocol for accessing a directory service
• What's a directory service? Think DNS: a hierarchical, replicated, read-mostly database of small records
• Database backend – do we care? (Not as a client: the protocol hides it)
• Schema: attributes identified by OIDs (à la SNMP)
• Objects organized in a tree structure, the Directory Information Tree (DIT)
• Operations: bind (authenticate), search, modify (plus add, delete, compare and unbind)
• LDIF: text file format for describing directory contents
Schema
• Attribute – like a variable in a programming language, it holds a value (or several: an attribute is multi-valued unless its definition says SINGLE-VALUE)
• objectClass – a special attribute that all directory entries must have; it acts as a template for the data, naming which attributes the entry MUST and MAY carry (enforces a kind of internal consistency)
• AD schema: http://msdn.microsoft.com/library/en-us/ad/ad/active_directory_schema.asp
• Unix schema: http://www.ietf.org/rfc/rfc2307.txt
Types of Object Classes
• Structural – exactly one per entry (together with its superclass chain, e.g. user under organizationalPerson under person in AD); it says what kind of entry this is and cannot be changed once the entry exists
• Auxiliary – supplements the structural class with extra attributes (posixAccount is auxiliary, which is why it can be added to an existing person entry)
• Abstract – can't be used directly; only as an ancestor of another class (e.g. "top")
Schema Examples
Snippets of OpenLDAP's RFC 2307 schema implementation (nis.schema):

objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount'
    DESC 'Abstraction of an account with POSIX attributes'
    SUP top AUXILIARY
    MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
    MAY ( userPassword $ loginShell $ gecos $ description ) )

attributetype ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory'
    DESC 'The absolute path to the home directory'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
    SINGLE-VALUE )
DN and RDN of a directory entry
• RDN (relative distinguished name) – an attribute/value pair that is unique among all siblings under a single parent in the DIT (e.g. "uid=jatestar")
• DN (distinguished name) – the concatenation of RDNs when following the path from the entry (node) up to the root of the DIT (e.g. "uid=jatestar, ou=people, dc=ldap, dc=student, dc=cs, dc=uwaterloo, dc=ca")
• A value containing , + " \ < > ; or starting with # or a space must be backslash-escaped inside a DN (RFC 4514); build DNs from user-supplied values with an escaping routine, or the value can change where in the tree the entry lands
Directory Entry Example
Entry in /etc/passwd:

jatestar:x:1449:1449:Jason Testart [CSCF],DC2555B,x37174,,:/u4/jatestart:/xhbin/tcsh

Becomes the following LDIF:

dn: uid=jatestar, ou=ldap, ou=people, dc=student, dc=cs, dc=uwaterloo, dc=ca
objectClass: top
objectClass: person
objectClass: posixAccount
cn: Jason Testart
sn: Testart
uid: jatestar
uidNumber: 1449
gidNumber: 1449
homeDirectory: /u4/jatestart
loginShell: /xhbin/tcsh
gecos: Jason Testart [CSCF],DC2555B,x37174,,
Some LDAP Interfaces
• Command-line tools and LDIF – ldapsearch, ldapmodify (OpenLDAP), ldp.exe (Windows) (see "man ldif", "man ldapsearch", etc.)
• Perl – Net::LDAP (see http://ldap.perl.org/)
• C/C++ – OpenLDAP API (likely others…) (see "man 3 ldap")
• ADSI – Windows specific (see http://www.microsoft.com/windows2000/techinfo/howitworks/activedirectory/adsilinks.asp)
When interfacing, you need…
• Server hostname
• Bind DN (and its password, unless you bind with Kerberos through SASL/GSSAPI)
• Base DN (if searching)
• SSL/TLS? A simple bind sends the password in the clear, so use ldaps:// (or StartTLS) and verify the server certificate; otherwise anyone on the path can read the password

Note: An Active Directory domain controller will accept the value of the userPrincipalName attribute (or DOMAIN\username) as the bind DN of a simple bind. (e.g. "jatestar@nexus.uwaterloo.ca" is friendlier than "CN=Jason J Testart (jatestar),OU=CSCF,OU=Staff,OU=Accounts,OU=Computer Science,OU=Faculties,DC=NEXUS,DC=UWATERLOO,DC=CA")
What object classes does AD use for users?
Query:

ldapsearch -x -W -H "ldaps://canadenis.student.cs.uwaterloo.ca" \
    -D "jatestar@student.cs.uwaterloo.ca" \
    -b "dc=student,dc=cs,dc=uwaterloo,dc=ca" \
    "(cn=jatestar)" objectClass

Yields:

dn: CN=jatestar,OU=Users,OU=CS,DC=student,DC=cs,DC=uwaterloo,DC=ca
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
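The passwd-to-LDIF conversion from the Directory Entry Example and the DN and search-filter strings used in the ldapsearch query above, as an added Python example that is not part of the original slides. It converts the slides' /etc/passwd line (embedded here as constructed input) into an RFC 2307 entry, escaping RDN values per RFC 4514 and filter values per RFC 4515 so that a login name containing LDAP metacharacters can neither move the entry in the tree nor widen the search; the container ou=people,dc=student,dc=cs,dc=uwaterloo,dc=ca and the rule that bracketed words such as "[CSCF]" are not part of the person's name are assumptions of this example.

```python
import base64

# Constructed sample input: the /etc/passwd line from the slides.
PASSWD_LINE = ("jatestar:x:1449:1449:Jason Testart [CSCF],DC2555B,x37174,,"
               ":/u4/jatestart:/xhbin/tcsh")
PEOPLE_BASE = "ou=people,dc=student,dc=cs,dc=uwaterloo,dc=ca"  # assumed container


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use in an RDN (RFC 4514 section 2.4)."""
    out = "".join("\\" + c if c in '\\"+,;<>' else c for c in value)
    if out[:1] in (" ", "#"):                 # leading space or '#' must be escaped
        out = "\\" + out
    if value.endswith(" ") and out != "\\ ":  # trailing space must be escaped
        out = out[:-1] + "\\ "
    return out


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use in a search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def user_filter(login: str) -> str:
    """The '(cn=...)' filter of the ldapsearch example, built so that the login
    name cannot inject extra filter terms."""
    return "(cn=%s)" % escape_filter_value(login)


def ldif_attr(name: str, value: str) -> str:
    """One LDIF attribute line; values RFC 2849 does not allow in clear text
    (non-ASCII, leading space/':'/'<', embedded NUL/CR/LF) are base64-encoded."""
    if (value.isascii() and not value.startswith((" ", ":", "<"))
            and not any(c in value for c in "\x00\r\n")):
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode()).decode()}"


def passwd_to_ldif(line: str, base_dn: str) -> str:
    """Turn one /etc/passwd line into an LDIF entry: the structural class person
    plus the auxiliary class posixAccount, as on the slide."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("expected 7 colon-separated fields")
    login, _pw, uid, gid, gecos, home, shell = fields
    if not (uid.isdigit() and gid.isdigit()):
        raise ValueError("uidNumber and gidNumber must be numeric")
    if not home.startswith("/"):
        raise ValueError("homeDirectory must be an absolute path")
    # First gecos field is the full name; bracketed tags like "[CSCF]" are dropped
    # (an assumption about this site's gecos convention, not a general rule).
    name_words = [w for w in gecos.split(",")[0].split() if not w.startswith("[")]
    full_name = " ".join(name_words) or login
    surname = name_words[-1] if name_words else login   # person requires sn
    dn = f"uid={escape_dn_value(login)},{base_dn}"
    lines = [
        ldif_attr("dn", dn),
        "objectClass: top",
        "objectClass: person",
        "objectClass: posixAccount",
        ldif_attr("cn", full_name),
        ldif_attr("sn", surname),
        ldif_attr("uid", login),
        f"uidNumber: {uid}",
        f"gidNumber: {gid}",
        ldif_attr("homeDirectory", home),
        ldif_attr("loginShell", shell),
        ldif_attr("gecos", gecos),
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(passwd_to_ldif(PASSWD_LINE, PEOPLE_BASE))
    print(user_filter("jatestar)(objectClass=*"))   # metacharacters come out escaped
```

Feed the output to ldapadd -x -W -H ldaps://... -D ... to load it; the second print shows why the escaping matters: without it, a login name of jatestar)(objectClass=* turns the lookup of one user into a match on every entry.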
Need Unix attributes in AD
• The user object class lacks the attributes that RFC 2307 provides (uidNumber, gidNumber, homeDirectory, loginShell, gecos)
• So, extend the schema in AD, but be careful!
• The attribute names differ between MS-SFU 2.0, MS-SFU 3.5 (msSFU30UidNumber, msSFU30GidNumber, …) and the schema shipped with Windows Server 2003 R2 (uidNumber, gidNumber, unixHomeDirectory, loginShell, gecos, close to RFC 2307); a schema extension is forest-wide and effectively permanent, so choose one before any client depends on it
• Maximize use of client attribute mappings!
Attribute Mappings
• Example: "When I ask for the gecos attribute value, fetch the value of cn from the directory instead"
• Minimize duplication of data in the directory (i.e. redundant attributes)
• In some cases, doing this allows you to avoid extending the schema of a directory
Groups
• posixGroup uses memberUid, whose value is the uid (login name) of the member
• groupOfNames, and the AD group class, use the member attribute, whose value is the DN of the member (groupOfUniqueNames uses uniqueMember, likewise a DN)
• Because one holds login names and the other holds DNs, attribute mappings may be inappropriate and redundancy may be unavoidable
• Netgroups may give additional functionality, with additional complexity
Applying the knowledge (client-side)
• Make sure you know which directory attributes you are using!
• Tell /etc/nsswitch.conf to use the nss_ldap library from padl.com (passwd: files ldap, group: files ldap)
• Edit /etc/ldap.conf appropriately to point to AD (host, base, bind credentials or SASL) and define the attribute maps (nss_map_objectclass, nss_map_attribute)
• Keep "files" ahead of "ldap" in nsswitch.conf so that root and the system accounts still resolve when the directory is unreachable
• No need to add users/groups in /etc/passwd or /etc/group!
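What the attribute maps do on the client, as an added Python example rather than nss_ldap's own code: it applies a gecos-to-cn style map to constructed AD entries (Windows Server 2003 R2 attribute names) and produces passwd records the way an NSS module would, skipping entries that lack the required RFC 2307 attributes and refusing entries that would alias a local system account. The minimum UID of 1000 and the default shell are this example's own choices, not nss_ldap settings.

```python
# Constructed directory entries as a search of the AD user container would
# return them; values are strings or lists, as an LDAP library delivers them.
AD_ENTRIES = [
    {"sAMAccountName": "jatestar", "cn": "Jason Testart",
     "uidNumber": "1449", "gidNumber": "1449",
     "unixHomeDirectory": "/u4/jatestart", "loginShell": "/xhbin/tcsh",
     "objectClass": ["top", "person", "organizationalPerson", "user"]},
    # A Windows-only account: no Unix attributes, must be invisible to Unix.
    {"sAMAccountName": "svc-backup", "cn": "Backup Service",
     "objectClass": ["top", "person", "organizationalPerson", "user"]},
    # Unix-enabled, but with a UID that would alias the local root account.
    {"sAMAccountName": "oops", "cn": "Mis-configured", "uidNumber": "0",
     "gidNumber": "0", "unixHomeDirectory": "/root",
     "objectClass": ["top", "person", "organizationalPerson", "user"]},
]

# The maps, in the spirit of nss_ldap's ldap.conf directives:
#   nss_map_objectclass posixAccount user
#   nss_map_attribute   uid           sAMAccountName
#   nss_map_attribute   homeDirectory unixHomeDirectory
#   nss_map_attribute   gecos         cn
OBJECTCLASS_MAP = {"posixAccount": "user"}
ATTRIBUTE_MAP = {
    "uid": "sAMAccountName", "uidNumber": "uidNumber", "gidNumber": "gidNumber",
    "homeDirectory": "unixHomeDirectory", "loginShell": "loginShell", "gecos": "cn",
}
REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory")  # posixAccount MUST
MIN_UID = 1000            # assumption: UIDs below this belong to local accounts
DEFAULT_SHELL = "/bin/sh"  # assumption: used when loginShell is absent


def _first(value):
    """LDAP attributes are multi-valued; NSS wants exactly one value."""
    return value[0] if isinstance(value, list) else value


def entry_to_passwd(entry, attr_map=ATTRIBUTE_MAP, min_uid=MIN_UID):
    """Return (name, passwd, uid, gid, gecos, dir, shell) for one directory
    entry, or None if the entry must not become a Unix account."""
    if OBJECTCLASS_MAP["posixAccount"] not in entry.get("objectClass", []):
        return None
    posix = {p: _first(entry[d]) for p, d in attr_map.items() if d in entry}
    if any(attr not in posix for attr in REQUIRED):
        return None                     # not Unix-enabled: skip silently
    try:
        uid, gid = int(posix["uidNumber"]), int(posix["gidNumber"])
    except ValueError:
        return None                     # garbage in the directory is not a user
    if uid < min_uid or not posix["homeDirectory"].startswith("/"):
        return None                     # would shadow a local account
    return (posix["uid"], "x", uid, gid, posix.get("gecos", ""),
            posix["homeDirectory"], posix.get("loginShell", DEFAULT_SHELL))


def getpwnam(name, entries=AD_ENTRIES):
    """Look a login name up the way 'getent passwd name' would through this map."""
    for entry in entries:
        rec = entry_to_passwd(entry)
        if rec and rec[0] == name:
            return rec
    return None


def passwd_line(rec):
    return ":".join(str(field) for field in rec)


if __name__ == "__main__":
    for entry in AD_ENTRIES:
        rec = entry_to_passwd(entry)
        print(passwd_line(rec) if rec else f"{entry['sAMAccountName']}: not a Unix user")
```

Note that gecos comes out as "Jason Testart" (the cn) rather than the original gecos string, which is exactly the trade the gecos-to-cn mapping makes; on a real client, getent passwd jatestar is the check that the maps in ldap.conf resolve the same way.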
Kerberos
Using Active Directory Kerberos for Unix/Linux authentication
What is Kerberos?
• Authentication protocol
• Secure – the password never crosses the network; the client proves it knows the password by decrypting what the KDC sends back
• SSO – authenticate once, then the tickets in the credential cache are used for every service
• Trusted 3rd party – the Key Distribution Center (KDC)
• Mutual authentication – the service proves its identity to the client as well
Some Kerberos Terminology
• User principal – the identity of a person
• Host/service principal – the identity of a machine, or of a service running on it
• Instance – the optional second component of a principal name (the host name for a service, or e.g. "admin" for a user)
• Realm – the administrative domain, by convention written in upper case
• KDC – Key Distribution Center, the server that issues tickets
• TGT – ticket-granting ticket, obtained at login and used to request service tickets
• Credential cache – where a client keeps its tickets (by default a file)
Principals
• username[/instance]@REALM
• servicename/FQDN@REALM
Examples:
• jatestar@NEXUS.UWATERLOO.CA
• nfs/gl01.student.cs.uwaterloo.ca@STUDENT.CS.UWATERLOO.CA
• host/cpu14.student.cs.uwaterloo.ca@STUDENT.CS.UWATERLOO.CA
• imap/services02.student.cs.uwaterloo.ca@STUDENT.CS.UWATERLOO.CA
Credential Cache (on a Mac)

$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jatestar@STUDENT.CS.UWATERLOO.CA

Valid starting     Expires            Service principal
12/13/06 01:06:50  12/13/06 11:05:03  krbtgt/STUDENT.CS.UWATERLOO.CA@STUDENT.CS.UWATERLOO.CA
        renew until 12/14/06 01:06:50
12/13/06 01:06:38  12/13/06 11:05:03  fs02$@STUDENT.CS.UWATERLOO.CA
        renew until 12/14/06 01:06:50
12/13/06 01:10:23  12/13/06 11:05:03  host/cpu20.student.cs.uwaterloo.ca@STUDENT.CS.UWATERLOO.CA
        renew until 12/14/06 01:06:50
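The principal syntax from the previous slide and the credential cache listing above, parsed by an added Python example that is not part of the original slides: it splits principals into components and realm, reads the klist listing (embedded as constructed input, in the timestamp format of the C locale) into tickets with their expiry and renew-until times, and tells whether the realm's TGT is still valid, should be renewed with kinit -R before it lapses, or is past expiry and needs a fresh kinit. The 30-minute warning threshold is this example's own.

```python
import re
from datetime import datetime, timedelta

# Constructed klist output: the credential cache listing from the slide.
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jatestar@STUDENT.CS.UWATERLOO.CA

Valid starting     Expires            Service principal
12/13/06 01:06:50  12/13/06 11:05:03  krbtgt/STUDENT.CS.UWATERLOO.CA@STUDENT.CS.UWATERLOO.CA
\trenew until 12/14/06 01:06:50
12/13/06 01:06:38  12/13/06 11:05:03  fs02$@STUDENT.CS.UWATERLOO.CA
\trenew until 12/14/06 01:06:50
12/13/06 01:10:23  12/13/06 11:05:03  host/cpu20.student.cs.uwaterloo.ca@STUDENT.CS.UWATERLOO.CA
\trenew until 12/14/06 01:06:50
"""

TS = "%m/%d/%y %H:%M:%S"   # klist's timestamp format in the C/POSIX locale
_TS_RE = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({_TS_RE})\s+({_TS_RE})\s+(\S+)\s*$")
RENEW_RE = re.compile(rf"^\s*renew until ({_TS_RE})\s*$")


def parse_principal(text):
    """Split 'primary[/instance...]@REALM' into (components, realm)."""
    name, at, realm = text.rpartition("@")
    if not at or not name or not realm:
        raise ValueError(f"malformed principal: {text!r}")
    return name.split("/"), realm


def parse_klist(output):
    """Read a klist listing into a dict with the cache name, default principal
    and one dict per ticket."""
    cache = {"cache": None, "default_principal": None, "tickets": []}
    for line in output.splitlines():
        if line.startswith("Ticket cache:"):
            cache["cache"] = line.split(":", 1)[1].strip()
            continue
        if line.startswith("Default principal:"):
            cache["default_principal"] = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            comps, realm = parse_principal(m.group(3))
            cache["tickets"].append({
                "service": m.group(3), "components": comps, "realm": realm,
                "start": datetime.strptime(m.group(1), TS),
                "expires": datetime.strptime(m.group(2), TS),
                "renew_until": None,
                # krbtgt/REALM@REALM is our TGT; krbtgt/OTHER@REALM would be a
                # cross-realm TGT obtained through a trust.
                "is_tgt": comps[0] == "krbtgt" and len(comps) == 2,
            })
            continue
        m = RENEW_RE.match(line)
        if m and cache["tickets"]:      # the indented line belongs to the ticket above
            cache["tickets"][-1]["renew_until"] = datetime.strptime(m.group(1), TS)
    return cache


def tgt_status(cache, now, warn=timedelta(minutes=30)):
    """Classify the local-realm TGT at time `now` (a datetime or a klist-format
    string): 'none', 'expired' (kinit again), 'renew' (kinit -R still works),
    'expiring' (renewal not possible beyond this lifetime) or 'valid'."""
    if isinstance(now, str):
        now = datetime.strptime(now, TS)
    _, realm = parse_principal(cache["default_principal"])
    tgts = [t for t in cache["tickets"]
            if t["is_tgt"] and t["components"][1] == realm and t["realm"] == realm]
    if not tgts:
        return "none"
    tgt = max(tgts, key=lambda t: t["expires"])
    if now >= tgt["expires"]:
        return "expired"            # an expired TGT cannot be renewed any more
    if tgt["expires"] - now <= warn:
        renewable = tgt["renew_until"] is not None and tgt["renew_until"] > tgt["expires"]
        return "renew" if renewable else "expiring"
    return "valid"


if __name__ == "__main__":
    cache = parse_klist(KLIST_OUTPUT)
    for t in cache["tickets"]:
        print(("TGT    " if t["is_tgt"] else "service"), t["service"], "expires", t["expires"])
    print("status at 10:50:", tgt_status(cache, "12/13/06 10:50:00"))
```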
AD Domain == Kerberos v5 Realm
• Domain controllers provide KDC functionality
• A "domain" is synonymous with "realm" (the realm name is the domain's DNS name in upper case)
• Joining a Windows computer to a domain means you are creating a host principal in the realm
• AD user accounts carry a single-component userPrincipalName, so a multi-component principal such as host/fqdn or nfs/fqdn has to be mapped onto an account (ktpass, setspn); that mapping is what makes instances work in AD
Adding a Unix host to AD
• Create a user account for the host/service (e.g. cpu04-host)
• Map the account to a service principal: host/cpu04.student.cs.uwaterloo.ca@STUDENT.CS.UWATERLOO.CA
• Set the account password
• Generate a krb5.keytab file
• Stick the keytab file in /etc/krb5 on cpu04 (/etc/krb5.keytab on most Linux systems), owned by root with mode 0600: whoever can read it can impersonate the host
• Done on all student.cs CPU servers
Adding a Unix host to AD (sans GUI)
Create the account using LDIF (from a Linux box):

% ldapmodify -x -W -H ldaps://canadenis -D "Administrator@student.cs.uwaterloo.ca"
dn: cn=cpu04-host,OU=Service Principals,DC=student,DC=cs,DC=uwaterloo,DC=ca
changetype: add
cn: cpu04-host
objectClass: user
sAMAccountName: cpu04-host
displayName: cpu04-host
description: Kerberos host service principal for cpu04
userAccountControl: 2097664

Do the mapping and generate a keytab file (on the domain controller):

ktpass -princ host/cpu04.student.cs.uwaterloo.ca@STUDENT.CS.UWATERLOO.CA -mapuser cpu04-host -pass S0m3Rand0mPaZZw0rd -out cpu04-host.keytab

Two things to know before copying this:
• userAccountControl 2097664 is 0x200200, i.e. NORMAL_ACCOUNT (0x200) plus USE_DES_KEY_ONLY (0x200000). That bit was set in 2007 for Unix clients that only spoke single DES; DES is cryptographically weak, disabled by default on current Windows releases and removed from MIT Kerberos 1.18, so use 512 (NORMAL_ACCOUNT alone) and let ktpass produce a strong key (-crypto AES256-SHA1 on Server 2008 and later).
• ktpass also sets the account's password to the value given, so the separate "set the account password" step is redundant. Pass "*" (prompt) or +rndPass instead of a literal so that the secret does not end up in the shell history, and treat the .keytab as that password while moving it to the host.
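Two checks worth running on the objects this procedure produces, as an added Python example that is not part of the original slides: decoding a userAccountControl value into its flag names (the bit values are from the AD schema documentation) and flagging the ones that weaken a service account, and reading the keytab ktpass writes to see which encryption types it holds. The keytab layout is the MIT format (version 0x0502) that ktpass, ktutil and klist -k use; the sample keytab is constructed in-line with dummy key bytes, and the choice of which userAccountControl bits count as risky is this example's own.

```python
import struct

# userAccountControl bits relevant to a Kerberos service account.
UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",
    0x000020: "PASSWD_NOTREQD",
    0x000200: "NORMAL_ACCOUNT",
    0x001000: "WORKSTATION_TRUST_ACCOUNT",
    0x010000: "DONT_EXPIRE_PASSWORD",
    0x080000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
}
# Bits that weaken the account's keys or the protection of its tickets.
RISKY_FLAGS = {"USE_DES_KEY_ONLY", "DONT_REQ_PREAUTH", "PASSWD_NOTREQD",
               "TRUSTED_FOR_DELEGATION"}


def decode_uac(value):
    """Flag names set in a userAccountControl value, lowest bit first."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names


def risky_uac_flags(value):
    return sorted(set(decode_uac(value)) & RISKY_FLAGS)


# Kerberos enctype numbers as stored in keytab entries.
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
                 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 2, 3, 23}   # single DES and RC4


def _cstr(data):
    return struct.pack(">H", len(data)) + data


def build_keytab(entries, timestamp=1165992410):
    """Serialize (principal, kvno, enctype, key) tuples as an MIT keytab:
    0x0502 header, then per entry a signed 32-bit size and a big-endian body."""
    out = [b"\x05\x02"]
    for principal, kvno, enctype, key in entries:
        name, _, realm = principal.rpartition("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # NT-PRINCIPAL, time, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                          # 32-bit kvno trailer
        out.append(struct.pack(">i", len(body)) + body)
    return b"".join(out)


def _read_cstr(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def parse_keytab(data):
    """Parse an MIT keytab into a list of entry dicts (keys are not returned)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # deleted slot: skip its bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_cstr(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_cstr(data, pos)
            comps.append(comp)
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:           # the 32-bit kvno, when present, overrides vno8
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": enctype, "key_len": len(key), "timestamp": timestamp,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype))})
    return entries


def weak_entries(entries):
    """Entries keyed with DES or RC4; a current keytab should have none."""
    return [e for e in entries if e["enctype"] in WEAK_ENCTYPES]


# Constructed keytab for the host principal from the slides; dummy key bytes.
HOST_PRINC = "host/cpu04.student.cs.uwaterloo.ca@STUDENT.CS.UWATERLOO.CA"
SAMPLE_KEYTAB = build_keytab([
    (HOST_PRINC, 3, 3, bytes(range(8))),     # des-cbc-md5: what a 2007 ktpass wrote
    (HOST_PRINC, 3, 18, bytes(range(32))),   # aes256: what it should contain today
])

if __name__ == "__main__":
    print("userAccountControl 2097664 ->", decode_uac(2097664), "risky:", risky_uac_flags(2097664))
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e["principal"], "kvno", e["kvno"], e["enctype_name"])
```

Against a real file, parse_keytab(open("/etc/krb5.keytab", "rb").read()) shows the same principal/kvno/enctype triples as klist -ke; a kvno that differs from the account's current msDS-KeyVersionNumber is the usual reason a freshly copied keytab stops working after someone re-runs ktpass.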
Tell Unix login to authenticate against AD
• Set up an appropriate /etc/krb5.conf (default realm, the domain controllers as KDCs or dns_lookup_kdc, and the domain_realm mapping)
• Modify the PAM authentication stack to use the pam_krb5 module
Lots of work for simple authentication!
• Could have used LDAP, RADIUS, etc.…
• Kerberos gives us Single Sign-On
• Can take advantage of domain trusts!
• Most apps use SASL and GSSAPI to support Kerberos 5
SSH and SSO
• Configure SSH clients and servers to use GSSAPI for authentication (GSSAPIAuthentication yes on both sides)
• A Mac lab user can ssh to a CPU server without a password (no ssh keys or .shosts required)
• Honours the .k5login file (handy for course accounts): every principal listed there may log in as that account, so guard it like authorized_keys
• Possibilities with NFS (v3+), IMAP, SMTP AUTH, HTTP, etc.…
SSO Demo (Linux client to AD)
• Show krb5.conf
• Login to realm (kinit)
• Show file shares on NetApp
• Query our entry on domain controller
• Show resulting credential cache (klist)
• Logout of realm (kdestroy)
Using slapd (OpenLDAP) with AD
• OpenLDAP supports Kerberos via SASL/GSSAPI
• Can map entities in a realm to entries in the directory
• Use the authz-regexp directive in slapd.conf
• See: http://www.openldap.org/doc/admin23/sasl.html
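The mapping that authz-regexp performs, modelled in an added Python example that is not part of the original slides or of OpenLDAP: slapd turns the SASL user into an authentication identity of the form uid=<user>,cn=<realm>,cn=<mechanism>,cn=auth (assumed here from the OpenLDAP documentation; ldapwhoami -Y GSSAPI prints the exact string your server derives) and rewrites it with the first matching rule. The example contrasts a tight pattern with the uid=([^,]*) pattern commonly copied from the documentation, which also maps host/ and other service principals into the people subtree. The subtree ou=people,dc=student,dc=cs,dc=uwaterloo,dc=ca and the case-insensitive matching are this example's choices.

```python
import re

REALM = "STUDENT.CS.UWATERLOO.CA"
PEOPLE = "ou=people,dc=student,dc=cs,dc=uwaterloo,dc=ca"   # assumed subtree

# Rules in this example's own (pattern, template) form; "$1" is the first
# capture group, as in slapd's authz-regexp replacement string.
STRICT_RULES = [
    # single-component user principals from our realm only
    (rf"^uid=([^,/]+),cn={re.escape(REALM)},cn=gssapi,cn=auth$", f"uid=$1,{PEOPLE}"),
]
LOOSE_RULES = [
    # the documentation's 'uid=([^,]*)' also accepts host/... and nfs/... principals
    (rf"^uid=([^,]*),cn={re.escape(REALM)},cn=gssapi,cn=auth$", f"uid=$1,{PEOPLE}"),
]


def sasl_identity(principal, mech="gssapi"):
    """Authentication identity slapd derives from a SASL user (assumed form;
    check it with 'ldapwhoami -Y GSSAPI' against your own server)."""
    name, _, realm = principal.rpartition("@")
    return f"uid={name},cn={realm},cn={mech},cn=auth"


def map_authz(identity, rules):
    """Apply the first matching rule. None means the identity stays in the
    cn=auth namespace, which matches no real entry, so no ACL written for a
    DN under ou=people grants it anything."""
    for pattern, template in rules:
        m = re.match(pattern, identity, re.IGNORECASE)
        if m:
            dn = template
            for i, group in enumerate(m.groups(), 1):
                dn = dn.replace(f"${i}", group)
            return dn
    return None


if __name__ == "__main__":
    for princ in ("jatestar@" + REALM, "host/cpu14.student.cs.uwaterloo.ca@" + REALM,
                  "jatestar@NEXUS.UWATERLOO.CA"):
        ident = sasl_identity(princ)
        print(princ, "->", map_authz(ident, STRICT_RULES), "| loose:", map_authz(ident, LOOSE_RULES))
```

The loose rule is not an exploit by itself, since uid=host/cpu14...,ou=people normally matches no entry, but it is the kind of slack that becomes a problem the day an ACL or a second authz-regexp rule uses a pattern rather than an exact DN.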