Setting Up A Centralised Authentication Server With Sudo Access Using LDAP
Scope:
This document covers setting up a centralized authentication server with sudo access using OpenLDAP, and configuring clients to authenticate against that server.
This is a very practical document. It has been tested on Linux and Solaris. It will not explain what LDAP is
or its theory, as that can easily be found elsewhere.
During the setup process it was found that there is no single place where one can get all the steps for
setting up this server; one has to search in various places for minor things. Therefore this compilation
covers all the steps for setting up the server as defined above.
Operating Systems Used
- Fedora Core-4 Linux
- Solaris 9.
Setup OpenLDAP Server:
Installing OpenLDAP on Solaris Server
- Download the OpenLDAP package for Solaris 9 or 10 and gunzip it.
- sudo pkgadd -d <file name of openldap software>
- But I prefer to download the tarball from openldap.org, then compile and install it. For more details see www.openldap.org
- If you install it with "pkgadd" then by default the LDAP config files and schemas are in "/usr/local/etc/openldap" and "slapd" is in "/usr/local/libexec"
Installing OpenLDAP on Linux Server
- Download the tarball from openldap.org, untar it, go to the newly created directory and give the
following commands:
# ./configure
# make
# make install
- In Debian-type distros you can use "apt-get install openldap" or "apt-get install slapd"
- The detailed installation procedure is on www.openldap.org
Configuring OpenLDAP server:
In my example:
- Configuration files are in -> /usr/local/etc/openldap
- Database directory -> /var/lib/openldap
- "slapd" binary is in -> /usr/local/libexec
- ldap binaries like ldapadd -> /usr/local/bin/
- "slapadd" binary -> /usr/local/sbin
Note: These file locations can be different for you.
- Changes in /usr/local/etc/openldap/slapd.conf:
include /usr/local/etc/openldap/schema/core.schema
This line is there by default. Just add the "schema" lines given below:
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/corba.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/dyngroup.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/java.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/ppolicy.schema
database bdb
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
# rootpw is the password that the ldapadd commands below pass with -w secret;
# store the hash printed by slappasswd here rather than the clear-text value
rootpw secret
directory /var/lib/openldap/
access to *
by self write
by users write
by anonymous auth
Note: Please change the directory as per your setup and make sure to create that directory.
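The access rule above gives every authenticated user ("by users write") write access to every entry in the directory, which includes other users' userPassword attributes and, once the sudo schema is loaded, the sudoRole entries under ou=SUDOers. The following slapd.conf fragment is an added hardening example, not part of the original document; it assumes the same suffix and the cn=admin rootdn used throughout, and relies on the fact that the rootdn bypasses ACLs, so the ldapadd imports and the clients' rootbinddn lookups keep working:

```conf
# Added example: replacement for the "access to *" block above.

# Passwords: the owner may change them (needed for pam_password exop),
# everyone else may only use them to bind, never read or overwrite them.
access to attrs=userPassword,shadowLastChange
        by self write
        by anonymous auth
        by * none

# Everything else, including the sudoRole entries under ou=SUDOers, is
# readable for name-service and sudo lookups but writable only by the rootdn.
# Anonymous read is kept because the Solaris ldapclient and /etc/sudo.ldap
# settings later in this document bind without credentials.
access to *
        by * read
```

Rules are evaluated in order and the first "access to" that matches an attribute wins, so the password rule has to come before the catch-all. Check the result with "slapd -T test" as above, and with "slapd -T acl" (or slapacl) for a specific DN and attribute before restarting the server.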
- Check whether the slapd.conf file is OK with the following command:
# /usr/local/libexec/slapd -T test
- Create people.ldif and put the following entries in it:
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People
- Import /usr/local/etc/openldap/people.ldif offline:
# /usr/local/sbin/slapadd -l /usr/local/etc/openldap/people.ldif -f /usr/local/etc/openldap/slapd.conf
Note: You can also add it online. After starting the slapd server you need to give the following command:
# /usr/local/bin/ldapadd -x -f /usr/local/etc/openldap/people.ldif -D cn=admin,dc=example,dc=com -w secret
- Start the slapd server, i.e. the OpenLDAP server:
# /usr/local/libexec/slapd -f /usr/local/etc/openldap/slapd.conf
Check whether the server is up or not:
# ps -ef | grep slapd
# netstat -an | grep 389
- Create Group.ldif and put the following entries in it:
dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group
- Import Group.ldif online:
# /usr/local/bin/ldapadd -x -f /usr/local/etc/openldap/Group.ldif -D cn=admin,dc=example,dc=com -w secret
- Creating passwd.ldif & usergroups.ldif
For this you need to download the Migration Tools, which are written in Perl. The URL is given below.
Untar MigrationTools.tgz in /usr/local/etc/openldap/migrate. For convenience create the directory /usr/local/etc/openldap/ldif_files
Copy /etc/passwd & /etc/group to /usr/local/etc/openldap/
Go to /usr/local/etc/openldap/migrate and give the following commands:
# ./migrate_passwd.pl /usr/local/etc/openldap/passwd /usr/local/etc/openldap/ldif_files/passwd.ldif
# ./migrate_group.pl /usr/local/etc/openldap/group /usr/local/etc/openldap/ldif_files/usergroups.ldif
Open passwd.ldif and make the following changes in it:
Replace dc=padl with dc=example
Add the line given below to each user entry in passwd.ldif
objectClass: shadowAccount
Copy each user's encrypted password from /etc/shadow and paste it in the line given below
userPassword: {crypt}<PASTE YOUR PASSWD from Shadow file HERE>
Check the home directory paths of the users and correct them in passwd.ldif as per your setup.
Open usergroups.ldif and make the following change in it:
Replace dc=padl with dc=example
- Import usergroups.ldif & passwd.ldif
# sudo /usr/local/bin/ldapadd -x -f /usr/local/etc/openldap/ldif_files/usergroups.ldif -D cn=admin,dc=example,dc=com -w secret
# sudo /usr/local/bin/ldapadd -x -f /usr/local/etc/openldap/ldif_files/passwd.ldif -D cn=admin,dc=example,dc=com -w secret
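The manual edits above (changing the base DN, adding objectClass: shadowAccount to every entry, pasting each hash from the shadow copy) are easy to get wrong on a large passwd file. The script below is an added example, not part of the original document or of the Migration Tools; it builds passwd.ldif directly from copies of /etc/passwd and /etc/shadow in the same entry format migrate_passwd.pl produces. The MIN_UID cut-off and the sample accounts are constructed for the demonstration; the hashes are placeholders, not real passwords.

```shell
#!/bin/sh
# Added example: generate passwd.ldif from passwd and shadow copies in one pass.
# The hash is copied verbatim into userPassword: {crypt}..., so no password is
# ever decrypted or re-hashed here.

BASE_DN="dc=example,dc=com"   # the suffix used throughout this document
MIN_UID=500                   # assumption: UIDs below this are system accounts and are skipped

# make_passwd_ldif PASSWD_COPY SHADOW_COPY  -> LDIF on stdout
make_passwd_ldif() {
    # the shadow copy is read first (NR == FNR) so every hash is known
    # by the time the passwd copy is processed
    awk -F: -v base="$BASE_DN" -v minuid="$MIN_UID" '
        NR == FNR { hash[$1] = $2; next }
        $3 + 0 >= minuid + 0 && $1 != "nobody" {
            user = $1; uid = $3; gid = $4; gecos = $5; home = $6; shell = $7
            if (gecos == "") gecos = user
            printf "dn: uid=%s,ou=People,%s\n", user, base
            printf "uid: %s\n", user
            printf "cn: %s\n", gecos
            print "objectClass: account"
            print "objectClass: posixAccount"
            print "objectClass: top"
            print "objectClass: shadowAccount"
            # a shadow field of "!" or "*" marks a locked account: leave
            # userPassword out so the entry cannot bind, instead of importing
            # the lock marker as if it were a hash
            if ((user in hash) && hash[user] != "" && hash[user] !~ /^[!*]/)
                printf "userPassword: {crypt}%s\n", hash[user]
            printf "loginShell: %s\n", shell
            printf "uidNumber: %s\n", uid
            printf "gidNumber: %s\n", gid
            printf "homeDirectory: %s\n", home
            printf "gecos: %s\n\n", gecos
        }
    ' "$2" "$1"
}

# demo_passwd_ldif -> runs the generator on constructed sample files
demo_passwd_ldif() {
    tmp=$(mktemp -d) || return 1
    # constructed sample data; the hashes are placeholders, not real passwords
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice Example:/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/sh
EOF
    cat > "$tmp/shadow" <<'EOF'
root:$6$PLACEHOLDERROOT:13000:0:99999:7:::
alice:$6$PLACEHOLDERALICE:13000:0:99999:7:::
bob:!:13000:0:99999:7:::
EOF
    make_passwd_ldif "$tmp/passwd" "$tmp/shadow"
    rm -rf "$tmp"
}

demo_passwd_ldif
```

For a real migration run "make_passwd_ldif /usr/local/etc/openldap/passwd /usr/local/etc/openldap/shadow > ldif_files/passwd.ldif" as root, since the shadow copy must stay readable only by root, and delete the copies once the import has been checked with ldapsearch.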
- For sudo access via LDAP add the following line to /usr/local/etc/openldap/slapd.conf
include /usr/local/etc/openldap/schema/sudo.schema
Create /usr/local/etc/openldap/schema/sudo.schema and put the lines given below in it:
attributetype ( 1.3.6.1.4.1.15953.9.1.1
NAME 'sudoUser'
DESC 'User(s) who may run sudo'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
X-ORIGIN 'SUDO' )
attributetype ( 1.3.6.1.4.1.15953.9.1.2
NAME 'sudoHost'
DESC 'Host(s) who may run sudo'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
X-ORIGIN 'SUDO' )
attributetype ( 1.3.6.1.4.1.15953.9.1.3
NAME 'sudoCommand'
DESC 'Command(s) to be executed by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
X-ORIGIN 'SUDO' )
attributetype ( 1.3.6.1.4.1.15953.9.1.4
NAME 'sudoRunAs'
DESC 'User(s) impersonated by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
X-ORIGIN 'SUDO' )
attributetype ( 1.3.6.1.4.1.15953.9.1.5
NAME 'sudoOption'
DESC 'Option(s) followed by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
X-ORIGIN 'SUDO' )
objectclass ( 1.3.6.1.4.1.15953.9.2.1
NAME 'sudoRole'
SUP top STRUCTURAL
DESC 'Sudoer Entries'
MUST ( cn )
MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $ description )
X-ORIGIN 'SUDO' )
Note: I have created this schema as per my requirement. You can modify it as per yours.
Stop the slapd server by killing it and start it again in the way given above. Please recheck whether it has started.
Create /usr/local/etc/openldap/ldif_files/sudoaccess.ldif and put the following lines in it. The ou=SUDOers container has to exist before the roles under it can be added, so it is the first entry, and the entries are separated by blank lines:
dn: ou=SUDOers,dc=example,dc=com
objectClass: organizationalUnit
ou: SUDOers

dn: cn=defaults,ou=SUDOers,dc=example,dc=com
cn: defaults
sudoOption: ignore_dot
sudoOption: !mail_no_user
sudoOption: !root_sudo
sudoOption: log_host
sudoOption: logfile=/var/log/sudolog
sudoOption: !syslog
sudoOption: timestamp_timeout=10
objectClass: top
objectClass: sudoRole
description: Default sudoOptions

dn: cn=Rule1,ou=SUDOers,dc=example,dc=com
cn: Rule1
sudoOption: !authenticate
objectClass: top
objectClass: sudoRole
sudoHost: ALL
sudoCommand: ALL
sudoUser: ALL
description: Allowed without password for ALL users
- Import /usr/local/etc/openldap/ldif_files/sudoaccess.ldif:
# sudo /usr/local/bin/ldapadd -x -f /usr/local/etc/openldap/ldif_files/sudoaccess.ldif -D cn=admin,dc=example,dc=com -w secret
- Our OpenLDAP server is ready now. Check it with "slapcat" & "ldapsearch"
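Once sudo policy lives in the directory, a single sudoRole entry can grant root on every client at once, so it is worth reviewing the LDIF before every import. The script below is an added example, not part of the original document; it reads a sudoers LDIF in the format of sudoaccess.ldif, using only the attribute names from the schema above, prints one line per sudoRole, and marks roles that cover ALL users on ALL hosts for ALL commands as well as roles that carry sudoOption: !authenticate. Rule1 as written above triggers both marks, which is what its own description says; the script makes that visible for every role in a larger file. The sample LDIF inside the demo function is constructed.

```shell
#!/bin/sh
# Added example: audit a sudoers LDIF (sudoRole entries) before importing it.

# audit_sudo_ldif FILE -> one line per sudoRole:
#   cn|sudoUser|sudoHost|sudoCommand|sudoOption|verdict
# verdict is "ok", "ALL-ALL-ALL", and/or ",no-password" when !authenticate is set.
audit_sudo_ldif() {
    awk '
        function has_all(list) { return list ~ /(^|,)ALL(,|$)/ }
        function flush() {
            if (is_role) {
                verdict = "ok"
                if (has_all(users) && has_all(hosts) && has_all(cmds)) verdict = "ALL-ALL-ALL"
                if (opts ~ /(^|,)!authenticate(,|$)/) verdict = verdict ",no-password"
                printf "%s|%s|%s|%s|%s|%s\n", cn, users, hosts, cmds, opts, verdict
            }
            cn = users = hosts = cmds = opts = ""; is_role = 0
        }
        # an empty line or a new dn ends the current entry
        /^$/ || /^dn:/            { flush(); next }
        /^cn: /                   { cn = substr($0, 5); next }
        /^objectClass: sudoRole$/ { is_role = 1; next }
        # multi-valued attributes are collected as comma-separated lists
        /^sudoUser: /    { v = substr($0, 11); users = (users == "") ? v : (users "," v); next }
        /^sudoHost: /    { v = substr($0, 11); hosts = (hosts == "") ? v : (hosts "," v); next }
        /^sudoCommand: / { v = substr($0, 14); cmds  = (cmds  == "") ? v : (cmds  "," v); next }
        /^sudoOption: /  { v = substr($0, 13); opts  = (opts  == "") ? v : (opts  "," v); next }
        END { flush() }
    ' "$1"
}

# demo_sudo_audit -> runs the audit on a constructed sudoaccess.ldif
demo_sudo_audit() {
    tmp=$(mktemp -d) || return 1
    # constructed sample: the defaults and Rule1 entries from above plus one narrowly scoped role
    cat > "$tmp/sudoaccess.ldif" <<'EOF'
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
cn: defaults
sudoOption: ignore_dot
sudoOption: !root_sudo
sudoOption: logfile=/var/log/sudolog
objectClass: top
objectClass: sudoRole

dn: cn=Rule1,ou=SUDOers,dc=example,dc=com
cn: Rule1
sudoOption: !authenticate
objectClass: top
objectClass: sudoRole
sudoHost: ALL
sudoCommand: ALL
sudoUser: ALL

dn: cn=backup,ou=SUDOers,dc=example,dc=com
cn: backup
objectClass: top
objectClass: sudoRole
sudoUser: %backup
sudoHost: ALL
sudoCommand: /usr/bin/rsync
EOF
    audit_sudo_ldif "$tmp/sudoaccess.ldif"
    rm -rf "$tmp"
}

demo_sudo_audit
```

Run it as "audit_sudo_ldif /usr/local/etc/openldap/ldif_files/sudoaccess.ldif" on the real file, or on the output of "ldapsearch -x -b ou=SUDOers,dc=example,dc=com -LLL" to review what is already in the directory; any line ending in ALL-ALL-ALL or no-password should correspond to a deliberate decision.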
Setup Client to get authentication from LDAP Server:
For Linux:
- In RedHat you can use authconfig. There you just have to specify the type of authentication as LDAP
and set the proper server and base DN.
OR
- Please replace the lines given below in /etc/nsswitch.conf
Old values:
passwd: files
group: files
New values:
passwd: ldap files
group: ldap files
Just change /etc/nsswitch.conf as given above.
And make the following changes in /etc/ldap.conf
BASE dc=example,dc=com
URI ldap://10.27.6.67:389
Please uncomment the following lines and configure them as per your setup.
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_shadow ou=People,dc=example,dc=com?one
nss_base_group ou=Group,dc=example,dc=com?one
Put the following lines in /etc/ldap.conf to allow a user to change his password:
binddn cn=admin,dc=example,dc=com
bindpw secret
rootbinddn cn=admin,dc=example,dc=com
pam_password exop
And create the /etc/ldap.secret file, readable only by root, and put the bindpw in it, i.e. "secret" in our example.
- Changes needed in /etc/pam.d/login:
First please check whether the LDAP module is available:
# ls -l /lib/security/pam_ldap.so
Then make the following changes in /etc/pam.d/login
auth required pam_securetty.so
auth sufficient pam_ldap.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient pam_ldap.so
account required pam_stack.so service=system-auth
password sufficient pam_ldap.so
password required pam_stack.so service=system-auth
session sufficient pam_ldap.so
session required pam_stack.so service=system-auth
session optional pam_console.so
session required /lib/security/pam_limits.so
- For sudo access you need to recompile & install sudo in the way given below:
Untar the sudo tarball and in that directory:
# ./configure --prefix=/usr/local/sudo --with-ldap --with-ldap-conf-file=/etc/sudo.ldap
# make
# make install
It will install the new sudo in /usr/local/sudo. Now we need to use /usr/local/sudo/bin/sudo every time.
Create /etc/sudo.ldap and put the following lines in that file:
host <server IP/hostname>
sudoers_base ou=SUDOers,dc=example,dc=com
For Solaris:
- Use the following commands:
# ldapclient manual -a defaultSearchBase=dc=example,dc=com -a domainName=test.example.com -a defaultServerList=<IP of LDAP server>:389
To check, use:
# ldaplist
- Please replace the lines given below in /etc/nsswitch.conf
Old values:
passwd: files
group: files
New values:
passwd: ldap files
group: ldap files
- Create the users' home directories as per the paths given in the LDAP server configs and set permissions properly.
- Changes in /etc/pam.conf
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth sufficient pam_ldap.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
#other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth sufficient pam_ldap.so.1
other auth required pam_unix_auth.so.1
# Account management
login account requisite pam_roles.so.1
login account required pam_projects.so.1
login account sufficient pam_ldap.so.1
#other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account sufficient pam_ldap.so.1
other account required pam_unix_account.so.1
# Password management
other password sufficient pam_ldap.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
- Now try logging in as different users.
- For sudo access you need to recompile & install sudo in the way given below:
Untar the sudo tarball and in that directory:
# sudo ./configure --prefix=/usr/local/sudo --with-ldap --with-ldap-conf-file=/etc/sudo.ldap
# sudo make
# sudo make install
It will install the new sudo in /usr/local/sudo. Now we need to use /usr/local/sudo/bin/sudo every time.
Create /etc/sudo.ldap and put the following lines in that file:
host <server ip/hostname>
sudoers_base ou=SUDOers,dc=example,dc=com
- Now check sudo access for all users.
Note: With centralized authentication we can set up the users' home directories on one server, share them with NFS and mount them on the clients. This works well because not many processes run in the home directory, so CPU usage for NFS is not a worry, and it is also very useful for uploads.