LDAP configuration on Mageia 2

Postby jlgrall » Jan 31st, '13, 01:08

Goals:
  • Have a few different servers with different admins on them. Each admin owns his server and is responsible for it. (But we know and trust each other.)
  • Admins should be able to log on their own server with the local authentication file, so it will work even if the ldap is down.
  • Ldap is running on one of the servers. Others connect to it when they need to authenticate a user (though replication to some/all other servers could be useful in the future).
  • Ldap should be able to authenticate users of ssh, NX (or VNC), ownCloud and possibly samba connections. It would also be great if it could allow users to connect to a VPN on the servers.
  • Ldap defines which services (ssh, ownCloud, …) a user or group can have access to.
  • Have an easy to use interface to ldap, preferably web based, which allows an admin to add users and set their rights.

Questions:
  • Is there a way to forbid admin users to be defined in the ldap? Or better, some kind of filter set up locally on the servers to ignore admin accounts defined in the ldap? This would prevent the ldap owner from acquiring admin rights on all servers.
  • Is it possible to define a priority for the accounts defined in the local authentication file over the accounts defined in the ldap, so that admin accounts defined locally cannot be modified by the ldap?
  • With ldap, how to restrict users to only selected servers or block them from selected servers?
  • With ldap, how to set different quotas for the same user (or group) but on different servers?

What I did:
  • urpmi openldap openldap-doc openldap-clients openldap-servers
  • mv /var/lib/ldap /home/system/ # I put most non default configs of my server in the system user folder to make it easy to backup and manage.
  • Edit /etc/openldap/slapd.conf, replacing "computername" by the right computer name:
    • suffix "dc=computername,dc=local"
    • rootdn "cn=Manager,dc=computername,dc=local"
    • directory /home/system/ldap
  • Webmin: configure the ldap modules with the configuration folder: /etc/openldap/ instead of the /etc/ldap/
  • Set the root ldap password with: slappasswd
  • In MCC: System -> Authentication
    • LDAP
    • Button: Get the root DN
      -> This empties all fields in the dialog, I don't know what to do now...

I searched the web for how to configure ldap on Mageia, but there was nothing useful.
On Mandriva, I found old documentation like http://wiki.mandriva.com/fr/Installer_u ... .28LDAP.29 (in French).
In all the documentation I could find, they say to set up or use ready-made directory schemas. But they all seem to use different directory schemas. Is there one already ready in Mageia 2? How should I do this?

Re: LDAP configuration on Mageia 2

Postby wintpe » Feb 4th, '13, 16:22

as far as admins on local machines, same as in nis

nsswitch.conf will have

passwd: files ldap

that way local files are consulted first for things like root admin etc.

user lookup in unix is based on first match so as long as the user is found in the first database ie files, which equates to

/etc/passwd then it will use that over any second entry it finds.

also would suggest that you do not use ldap for the password database, and only use it for the user details lookup,

I can never remember which one is which out of authentication/authorisation,

however ldap and files should be used to store the details of the user accounts, and kerberos should be used to store and validate the passwords.

this does mean setting up a kerberos server/realm, but since you are clearly considering the security of your access it's worth it.

also kerberos has the facility where users are assigned root and admin principals under kerberos.

root principal is then controlled on each machine with .k5login in the root home directory, and acts in a similar way to .rhosts (but in a much more secure implementation)

this controls who can ksu to root and logs who they are when they do at the kdc.

this way you don't need to share the root password with your admins.

admin principals are given to your most trusted staff and it's their job to manage the accounts in the kdc, or alternatively give it to your provisioning team.

ldap is not "secure enough" and local files certainly are not secure for passwords.

regards peter
Redhat 6 Certified Engineer (RHCE)
Sometimes my posts will sound short, or snappy, however its realy not my intention to offend, so accept my apologies in advance.
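
An added check (example code, not from the thread or from Mageia) for the point above: with "files ldap" the local entry wins only when the LDAP entry has the same name, so an LDAP account with a different name but uidNumber 0 (or any local uid) still needs to be caught separately. The sample nsswitch.conf, passwd file and LDIF are constructed; the dc=computername,dc=local suffix follows the first post.

```python
# Constructed sample inputs, not taken from the thread: an nsswitch.conf in
# wintpe's order, a local passwd file and an LDIF export of the Users branch.
NSSWITCH = """passwd: files ldap [NOTFOUND=return] db
shadow: files ldap
group:  files ldap
"""
LOCAL_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Admin:/home/alice:/bin/bash
"""
LDAP_LDIF = """dn: uid=alice,ou=Users,dc=computername,dc=local
uid: alice
uidNumber: 2002

dn: uid=operator,ou=Users,dc=computername,dc=local
uid: operator
uidNumber: 0
"""

def misordered_databases(nsswitch):
    """Databases where 'ldap' is consulted before (or without) 'files'."""
    bad = []
    for line in nsswitch.splitlines():
        if ":" not in line or line.lstrip().startswith("#"):
            continue
        db, sources = line.split(":", 1)
        order = sources.split()
        if "ldap" in order and ("files" not in order
                                or order.index("files") > order.index("ldap")):
            bad.append(db.strip())
    return bad

def ldif_accounts(ldif):
    """Minimal LDIF reader -> {uid: uidNumber}; folded/base64 lines not handled."""
    accounts = {}
    for block in ldif.strip().split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        if "uid" in attrs:
            accounts[attrs["uid"]] = int(attrs.get("uidNumber", -1))
    return accounts

def audit(nsswitch, passwd, ldif):
    local = {l.split(":")[0]: int(l.split(":")[2]) for l in passwd.splitlines() if l}
    report = {"misordered": misordered_databases(nsswitch), "shadowed": [], "uid_clash": []}
    for name, uidn in ldif_accounts(ldif).items():
        if name in local:             # same name: the local entry wins by first match
            report["shadowed"].append(name)
        elif uidn in local.values():  # other name, same uid: first match does not help
            report["uid_clash"].append(name)
    return report
```

Run against a real export (ldapsearch -LLL output) the uid_clash list is the one to act on; the shadowed list is only informational.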

Re: LDAP configuration on Mageia 2

Postby doktor5000 » Feb 5th, '13, 20:33

wintpe wrote: also would suggest that you do not use ldap for the password database, and only use it for the user details lookup,

I can never remember which one is which out of authentication/authorisation,

however ldap and files should be used to store the details of the user accounts, and kerberos should be used to store and validate the passwords.

LDAP for authentication, kerberos for authorisation. By default LDAP authorisation would be unencrypted and hence insecure.
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts

Re: LDAP configuration on Mageia 2

Postby jlgrall » Feb 6th, '13, 03:24

Thanks for the answers.

I am new to the directory thing (I never used LDAP or kerberos or Active Directory before). But LDAP seems to be the most compatible thing: I have seen I can use it with local connections, ssh, VNC, NX, VPN, ownCloud and apache/php. For instance, I don't think ownCloud supports other directory systems (http://doc.owncloud.org/server/4.5/admi ... _ldap.html). So if I am right, that means that I can't use kerberos. So I think I am forced to store passwords in LDAP. But I will use TLS connections, or put LDAP connections in encrypted tunnels (with ssh).

When ownCloud becomes compatible with kerberos, I will see if I can use it, so thanks for the explanations.

Ok, so I try to setup LDAP for authentication:
  • In MCC: System -> Authentication
    • LDAP
    • Ok
    • LDAP Server: localhost
    • Root dn: dc=computername,dc=local
    • Click button: Get the root DN
    • Ok
But then this is what I have in my /etc/nsswitch.conf:
passwd:      files ldap [NOTFOUND=return] db
shadow:      files ldap
group:      files ldap [NOTFOUND=return] db

I don't understand. Shouldn't it show the LDAP server address and root dn somewhere?

I would like to find a not too difficult to use web interface to manage the users (partly because I won't be the main manager of users). I have heard of phpLDAPadmin which could be a good start. Is there another one commonly used by Mageia users?
Is it possible to allow users to set/change their passwords through a web interface? (We should not be able to know the passwords of the users)
I am also trying to make the webmin module "LDAP Users and Groups" work. But it can't find the LDAP config in the NSS file. That's /etc/nsswitch.conf, right?

Re: LDAP configuration on Mageia 2

Postby wintpe » Feb 7th, '13, 13:02

ldap is configured in /etc/ldap.conf not nsswitch.conf

nsswitch.conf just dictates the order that services are scanned for user details (authentication).

pam specifies the order authorization is scanned.

yp.conf would specify how nis was set up if you were using nis

krb5.conf would specify how kerberos is setup.

here is a typical ldap.conf that we use where I work, with the domain replaced with domainname#

uri LDAPHOST
nss_base_passwd         ou=Users,dc=domainname,dc=com?sub
nss_base_group          ou=Groups,dc=domainname,dc=com?sub
nss_base_services       ou=Services,ou=unix,dc=domainname,dc=com?sub
nss_base_networks       ou=Networks,ou=unix,dc=domainname,dc=com?sub
nss_base_protocols      ou=Protocols,ou=unix,dc=domainname,dc=com?sub
nss_base_rpc            ou=Rpc,ou=unix,dc=domainname,dc=com?sub
nss_base_ethers         ou=Ethers,ou=unix,dc=domainname,dc=com?sub
nss_base_netmasks       ou=Networks,ou=unix,dc=domainname,dc=com?sub
nss_base_bootparams     ou=Ethers,ou=unix,dc=domainname,dc=com?sub
nss_base_aliases        ou=Aliases,ou=unix,dc=domainname,dc=com?sub
nss_base_netgroup       ou=Netgroup,ou=unix,dc=domainname,dc=com?sub
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
we use this with kerberos

PS ldap is a right pain in the *** to learn to administer and setup. bit of a black art.

your best bet would be to find a distribution for your ldap server that had this all packaged up in a working

with gui setup, mandriva used to do one called mandriva directory server, it was a great bit of engineering

but it costs, like many of them do.

where I work we use Sun's directory server, this has a built in gui, but is in no way intuitive to a new ldap implementer.

I've set one up before, and frankly don't want to have to do that again.

redhat do a distribution also called directory server that's based on the same origins as Sun's directory server (well, with the exception that Sun rewrote it from scratch based on the same ideas) and that origin is netscape directory server.

both are cost options.

there's the free openldap and there are some solutions built around that (the mandriva one for starters).

however I'm yet to find one that did not require a deep understanding of ldap.

regards peter
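
An added check (example code, not from the thread or from the poster's site) over the ldap.conf above: it flags the settings that leave binds in clear text or let the client choose the stored password hash, and shows a hardened variant next to it. The config values are constructed from the posted file; tls_checkpeer, ssl on and pam_password exop are standard pam_ldap/nss_ldap options, and the check assumes that dialect.

```python
# Constructed sample, not from the thread: the transport-related settings of the
# ldap.conf posted above, beside a hardened variant (hypothetical values).
POSTED = """uri LDAPHOST
nss_base_passwd         ou=Users,dc=domainname,dc=com?sub
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
"""
HARDENED = """uri ldaps://LDAPHOST
nss_base_passwd         ou=Users,dc=domainname,dc=com?sub
ssl on
tls_checkpeer yes
tls_cacertdir /etc/openldap/cacerts
pam_password exop
"""

def parse_ldap_conf(text):
    """pam_ldap/nss_ldap style 'key value' lines; a repeated key's last value wins."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            conf[parts[0].lower()] = parts[1]
    return conf

def weak_settings(conf):
    """Findings about a pam_ldap/nss_ldap client config, as short strings."""
    findings = []
    uri = conf.get("uri", "").lower()
    ssl = conf.get("ssl", "no").lower()
    encrypted = uri.startswith("ldaps://") or ssl in ("on", "start_tls")
    if not encrypted:
        findings.append("ssl no: simple binds send passwords in clear text")
    elif conf.get("tls_checkpeer", "no").lower() != "yes":
        findings.append("tls_checkpeer missing: server certificate is not verified")
    if conf.get("pam_password", "").lower() != "exop":
        findings.append("pam_password %s: client picks the hash; exop lets the server"
                        " apply its own password-hash policy" % conf.get("pam_password", "unset"))
    return findings
```

With the posted file the check reports two findings; the hardened variant reports none. The tls_cacertdir line is harmless but unused while ssl is off.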
