I apologize for the break before writing the last part of the article; let's continue!
Links to other parts: one, two, three, five.
In this part we will learn how to log in to our Linux / Unix servers.
As I said, configuring authorization is not the hard part; the hard part is planning the structure of our directory. I have done it this way:
Users are stored in objects of type posixAccount, unix groups in objects of type posixGroup.
The users themselves live in containers such as ou=developers,ou=shell-users,dc=habr,dc=ru
Servers are not objects but containers, in which we store objects of type groupOfUniqueNames that determine which users have access to that server, plus objects for sudo rights. It is also convenient to keep information about the IP address and so on there. For example, the DN of the object listing the users who have access to a server:
cn=developers,ou=dev.habr.ru,ou=datacenter01,ou=servers,dc=habr,dc=ru
My layout may not suit your case; either way, you need to draw up a structure first.
Now to the configuration itself.
Authorization uses the nss_ldap and pam_ldap modules developed by the company with the sonorous name PADL.
Install the necessary packages:
apt-get install libpam-ldap libnss-ldap
The installer will ask the following questions:
- LDAP URI - enter ldap://ldap.habr.ru
- Search base - enter ou=shell-users,dc=habr,dc=ru
- LDAP Version - 3
- Make local root database admin - we do not need it, answer No
- The next question, whether the local database requires login (a clone of the credentials) - answer No
- LDAP account for root - we also do not need it, since we configured the directory for anonymous reads. Otherwise, enter cn=admin,dc=habr,dc=ru
- And the password for this account, if you chose the second variant in the previous step
You can check the configuration in the /etc/pam_ldap.conf and /etc/libnss-ldap.conf files.
In my case the two files are identical, so I made symbolic links:
ln -sf /etc/libnss-ldap.conf /etc/pam_ldap.conf
If you entered a password for the administrator, then:
ln -sf /etc/libnss-ldap.secret /etc/pam_ldap.secret
Next we need to correct the PAM configuration (be careful: a mistake here can lock you out of the machine, so keep a root shell open while you test):
cat > /etc/pam.d/common-account << "EOF"
account required pam_ldap.so ignore_authinfo_unavail ignore_unknown_user
account required pam_unix.so
EOF
cat > /etc/pam.d/common-auth << "EOF"
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure
EOF
cat > /etc/pam.d/common-password << "EOF"
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5
EOF
cat > /etc/pam.d/common-session << "EOF"
session required pam_mkhomedir.so umask=0077 skel=/etc/skel/ silent # create the home directory on first login
session sufficient pam_ldap.so
session required pam_unix.so
EOF
Edit the /etc/nsswitch.conf file:
passwd: files ldap
group: files ldap
shadow: files ldap
After this, the system will let in any user located under ou=shell-users,dc=habr,dc=ru, but we need to admit users on some criterion. There are several options:
1. Use groupOfUniqueNames and set the following lines in /etc/pam_ldap.conf:
pam_groupdn cn=developers,ou=dev.habr.ru,ou=datacenter01,ou=servers,dc=habr,dc=ru
pam_member_attribute uniqueMember
It all seems fine, except that there can be only one such group.
2. Use additional PAM modules - pam_listfile or pam_succeed_if.
These modules can check user attributes: user, group, rhost, tty and so on.
But here the group will have to be a posixGroup, which is not very convenient, although it can be adapted. I did not like it.
3. This is really the first option, but with a special patch from padl.com that allows several pam_groupdn entries in the configuration. It is done like this:
apt-get install build-essential fakeroot dpkg-dev
cd /usr/src
apt-get source libpam-ldap
apt-get build-dep libpam-ldap
cd /usr/src/libpam-ldap-184 (the exact directory name depends on the package version in your Debian)
wget "http://bugzilla.padl.com/attachment.cgi?id=227" -O - | sed s=orig/pam=pam= | sed s=new/pam=pam= > debian/patches/99pam_ldap.patch
dpkg-buildpackage -rfakeroot -uc -b
dpkg -i ../libpam-ldap*.deb
On Debian Squeeze the patch is applied slightly differently: instead of writing it to debian/patches/99pam_ldap.patch, register it in the quilt series and then build as above:
wget -q "http://bugzilla.padl.com/attachment.cgi?id=227" -O - | sed s=orig/pam=pam= | sed s=new/pam=pam= > debian/patches/multi_groupdn
echo multi_groupdn >> debian/patches/series
That is all.
Restore our symbolic links to /etc/pam_ldap.conf (dpkg overwrites them when the package is installed):
ln -sf /etc/libnss-ldap.conf /etc/pam_ldap.conf
ln -sf /etc/libnss-ldap.secret /etc/pam_ldap.secret
And add the required pam_groupdn lines to /etc/pam_ldap.conf:
pam_groupdn cn=developers,ou=dev.habr.ru,ou=datacenter01,ou=servers,dc=habr,dc=ru
pam_groupdn cn=admins,dc=habr,dc=ru
We check authorization and rejoice.
There is still the question of sudo; there is quite a lot of material, so it looks like it will not fit into four parts.
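To see what the patched pam_ldap is actually deciding, here is an added example (not code from the article or from PADL) that emulates the multi-pam_groupdn membership check offline: it reads the pam_groupdn / pam_member_attribute lines from a constructed pam_ldap.conf and looks the user's DN up in a constructed LDIF dump of the groupOfUniqueNames objects, as a server would return them. File paths, user names and the LDIF content are constructed for the demo; the DNs follow the layout described above.

```shell
#!/bin/sh
# Added example, not part of the original article: emulate pam_ldap's
# pam_groupdn check against constructed config and LDIF data.
set -eu

WORK=$(mktemp -d)
CONF="$WORK/pam_ldap.conf"   # constructed stand-in for /etc/pam_ldap.conf
LDIF="$WORK/groups.ldif"     # constructed stand-in for an ldapsearch result

cat > "$CONF" << 'EOF'
pam_groupdn cn=developers,ou=dev.habr.ru,ou=datacenter01,ou=servers,dc=habr,dc=ru
pam_groupdn cn=admins,dc=habr,dc=ru
pam_member_attribute uniqueMember
EOF

cat > "$LDIF" << 'EOF'
dn: cn=developers,ou=dev.habr.ru,ou=datacenter01,ou=servers,dc=habr,dc=ru
objectClass: groupOfUniqueNames
cn: developers
uniqueMember: uid=alice,ou=developers,dc=habr,dc=ru
uniqueMember: uid=bob,ou=developers,dc=habr,dc=ru

dn: cn=admins,dc=habr,dc=ru
objectClass: groupOfUniqueNames
cn: admins
uniqueMember: uid=carol,ou=shell-users,dc=habr,dc=ru
EOF

# check_access USER_DN -> prints "allow" or "deny".
# With no pam_groupdn configured there is no group restriction at all (allow),
# which is exactly the state the article describes before step 1.
# Note: this does plain string comparison; real DN matching is case-insensitive
# and whitespace-normalized, so keep DNs in the directory written consistently.
check_access() {
    user_dn=$1
    attr=$(awk '$1=="pam_member_attribute"{print $2}' "$CONF")
    awk '$1=="pam_groupdn"{print $2}' "$CONF" |
    awk -v attr="${attr:-uniqueMember}" -v user="$user_dn" -v ldif="$LDIF" '
        { groups[$0] = 1 }                       # configured group DNs
        END {
            if (NR == 0) { print "allow"; exit } # no restriction configured
            cur = ""
            while ((getline line < ldif) > 0) {  # walk LDIF entry by entry
                if (line ~ /^dn: /) { cur = substr(line, 5); continue }
                if (line == "")     { cur = ""; continue }
                if ((cur in groups) && line == attr ": " user) { print "allow"; exit }
            }
            print "deny"
        }'
}
```

Run it as `check_access 'uid=alice,ou=developers,dc=habr,dc=ru'`; a user missing from every configured group gets "deny", which is what pam_ldap reports at the account stage.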
Thanks for attention!