LDAP Server
Mon. 19 December 2022
After a long break, I come back to my home server with, finally, a working version of LDAP, tadam! It is so complex, such a mess, but I finally got a working version of my LDAP and I will now explain how.
Throughout the presentation below, I will use the following variables:
- $PASSWORD: the LDAP administrator password
- $DOMAIN: the LDAP domain (dot-separated words)
- $DC_DOMAIN: the LDAP domain as a comma-separated list of dc= components
For example, if the domain is server.domain.fr, the DC form is dc=server,dc=domain,dc=fr.
As a reminder, LDAP is a directory server that stores user information and handles authentication: you record the members of the family once and use those accounts with the different servers at home.
Installing the server
First, we have to install the LDAP server, slapd:
sudo apt install slapd ldap-utils
Then, we have to configure the server with:
sudo dpkg-reconfigure slapd
Here you have to type the domain and the administrator password. For the organization name, I also use the domain name.
Then, we have to set up the LDAP database structure and populate it with groups and users. This is very painful and I was not able to find a completely satisfying solution.
Consequently, I made my own tool based on Python and the ldap3 library. This tool is freely available in EHome.
Installing and using ehome-user.py
Install the following dependencies:
$ sudo apt install python3-ldap3 git
git is required here to fetch the ehome sources as below:
$ git clone https://framagit.org/casse/ehome.git
And to use the command, a good idea is to put it on the PATH:
$ export PATH=$PATH:$PWD/ehome/command
Now, we are able to set up the LDAP database structure:
$ ehome-user.py --init
It will ask for the LDAP domain (dot-separated) and for the administrator password. After that, the administrator password will not be asked again.
The configuration of ehome-user.py is stored in $HOME/.config/ehome/ldap.ini. Just edit it with your preferred editor.
Then you can declare your groups with:
$ ehome-user.py --add-group
And users with:
$ ehome-user.py --add-user
During this operation, ehome-user.py has to create the home directories of the users, so your password will be asked for.
A user has to belong to a group, so a group has to be created before its users. ehome-user.py provides a bunch of functions to manage the LDAP server. To get the list of these options, just type:
$ ehome-user.py -h
Connecting LDAP with Linux authentication
Here starts the tricky part. Maybe, one day, I will group all this in a command...
The most modern way to do this is to use sssd, so we install it:
$ sudo apt install sssd libpam-sss libnss-sss ldap-utils
In order to authenticate with LDAP, a TLS-protected connection has to be set up, and first a private key and a self-signed certificate have to be generated:
$ sudo openssl req -new -x509 -nodes -days 365 -out /etc/ssl/certs/ldap.crt -keyout /etc/ssl/private/ldap.key
$ sudo chown openldap:openldap /etc/ssl/private/ldap.key
$ sudo chmod 600 /etc/ssl/private/ldap.key
The last two lines ensure that slapd can access this key, but this is not enough, as the directory /etc/ssl/private can only be accessed by members of the group ssl-cert. So we have to add the LDAP server user, openldap, to this group:
$ sudo usermod -aG ssl-cert openldap
This seems to be a defect of Ubuntu, but until it is fixed, we have to do it.
Now, we have to configure LDAP for secured connections. We have to create a file tls.ldif with the content below:
dn: cn=config
changetype: modify
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap.key
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ldap.crt
This file is applied to the running server with ldapmodify (as root, over the local ldapi:/// socket, which is the only identity allowed to modify cn=config). Finally, we restart slapd.
$ sudo systemctl restart slapd
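The certificate step above is interactive and says nothing about the name put in the certificate, yet a client configured with ldap_tls_reqcert = demand rejects a certificate that does not name the host it connects to. The script below is an added example, not code from the original page or from EHome: it generates the key and self-signed certificate non-interactively with a DNS subject alternative name for the LDAP host, checks the result the way a client would, and prints the tls.ldif of the page for the chosen paths. The host name (localhost, as in the sssd.conf used later), the output directory and the one-year validity are assumptions of the example.

```shell
#!/bin/sh
# Added example (not code from the original page): create slapd's TLS material
# non-interactively with a SAN matching the LDAP host name, and emit the
# tls.ldif of the page from the resulting paths. The host name, output
# directory and 365-day validity are this example's assumptions.
set -eu

# make_ldap_cert HOST OUTDIR
# Writes OUTDIR/ldap.key (mode 0600) and a self-signed OUTDIR/ldap.crt whose
# subject CN and DNS SAN are HOST. Clients with ldap_tls_reqcert = demand
# compare the certificate against the host in ldap_uri, so HOST must be the
# name they connect to (localhost for the sssd.conf of the page).
make_ldap_cert() {
  host=$1
  outdir=$2
  mkdir -p "$outdir"
  cfg=$outdir/openssl.cnf
  # The SAN cannot be given on the command line portably, so it goes
  # through a throw-away request config. CA:TRUE lets the self-signed
  # certificate serve as its own trust anchor (olcTLSCACertificateFile).
  cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $host
[ext]
subjectAltName = DNS:$host
basicConstraints = CA:TRUE
EOF
  # umask in a subshell so the key is never world-readable, even briefly.
  ( umask 077
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 365 \
      -config "$cfg" -keyout "$outdir/ldap.key" -out "$outdir/ldap.crt" \
      2>/dev/null )
  rm -f "$cfg"
}

# cert_matches_host CERT HOST: succeed if HOST is listed as a DNS SAN of CERT.
cert_matches_host() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"'$'
}

# cert_verifies_as_anchor CERT: succeed if CERT verifies against itself,
# which is what a client pointed at the certificate as its CA file requires.
cert_verifies_as_anchor() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# write_tls_ldif CRT KEY: print the cn=config modification from the page with
# the given paths; the CA file is the certificate itself (self-signed).
write_tls_ldif() {
  cat <<EOF
dn: cn=config
changetype: modify
add: olcTLSCertificateFile
olcTLSCertificateFile: $1
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $2
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: $1
EOF
}

# Typical use on the server (paths as in the page):
#   make_ldap_cert localhost /tmp/ldap-tls
#   sudo install -o openldap -g openldap -m 600 /tmp/ldap-tls/ldap.key /etc/ssl/private/ldap.key
#   sudo install -m 644 /tmp/ldap-tls/ldap.crt /etc/ssl/certs/ldap.crt
#   write_tls_ldif /etc/ssl/certs/ldap.crt /etc/ssl/private/ldap.key > tls.ldif
```

Apply the printed LDIF with `sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif`, restart slapd, then check from the same machine with `LDAPTLS_CACERT=/etc/ssl/certs/ldap.crt ldapwhoami -x -ZZ -H ldap://localhost`: `-ZZ` makes the client fail unless STARTTLS and certificate validation both succeed, which is exactly what sssd will require later. The certificate expires after a year, so plan to regenerate it.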
Now, we have to configure sssd by creating the file sssd.conf with the following content:
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://localhost
ldap_search_base = $DC_DOMAIN
ldap_default_bind_dn = cn=admin,$DC_DOMAIN
ldap_default_authtok = $PASSWORD
cache_credentials = true
enumerate = false
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
Beware: $DC_DOMAIN and $PASSWORD are the variables defined at the head of the document. For ldap_tls_reqcert = demand to succeed, the file named by ldap_tls_cacert must contain the certificate that signed ldap.crt, and the certificate must be issued for the host named in ldap_uri (here localhost). A self-signed ldap.crt only ends up in ca-certificates.crt if it is added to the system trust store (copy it to /usr/local/share/ca-certificates/ and run update-ca-certificates); otherwise point ldap_tls_cacert at /etc/ssl/certs/ldap.crt itself.
Then we copy this file to the right place and make it secure, as it contains the LDAP administrator password (binding sssd as cn=admin gives anyone who can read this file full write access to the directory; a dedicated read-only bind account is the least-privilege alternative):
$ sudo cp sssd.conf /etc/sssd
$ sudo chmod 600 /etc/sssd/sssd.conf
And we restart sssd:
$ sudo systemctl enable sssd
$ sudo systemctl restart sssd
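The two variables defined at the head of the document are substituted by hand in the file above, and the password is typed into a file that is only locked down afterwards. The script below is an added example, not code from the original page or from EHome: it derives $DC_DOMAIN from $DOMAIN (rejecting malformed domains), writes the sssd.conf shown above from the variables with the password copied verbatim, and creates the file already unreadable to other users. The CA file path and output path are parameters of the example; the LDAP URI is fixed to ldap://localhost as on the page.

```shell
#!/bin/sh
# Added example (not code from the original page): derive $DC_DOMAIN from
# $DOMAIN and write the sssd.conf of the page from the variables, so the
# domain and password are typed once and the file is created already
# unreadable to other users. The CA file and output path are parameters.
set -eu

# domain_to_dc DOMAIN: "server.domain.fr" -> "dc=server,dc=domain,dc=fr".
# Rejects empty labels (leading, trailing or double dots), which would
# otherwise yield an invalid "dc=" component.
domain_to_dc() {
  case $1 in
    ""|.*|*.|*..*) return 1 ;;
  esac
  printf '%s\n' "$1" | awk -F. '{
    for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
    print ""
  }'
}

# render_sssd_conf DOMAIN PASSWORD CACERT OUTFILE
# Static lines come from quoted here-documents; the three values are emitted
# with printf '%s' so that a password containing $, ` or \ is copied verbatim
# instead of being interpreted by the shell.
render_sssd_conf() {
  domain=$1
  password=$2
  cacert=$3
  out=$4
  dc=$(domain_to_dc "$domain")
  ( umask 077   # the file is born 0600; no window where it is world-readable
    {
      cat <<'EOF'
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://localhost
EOF
      printf 'ldap_search_base = %s\n' "$dc"
      printf 'ldap_default_bind_dn = cn=admin,%s\n' "$dc"
      printf 'ldap_default_authtok = %s\n' "$password"
      cat <<'EOF'
cache_credentials = true
enumerate = false
ldap_tls_reqcert = demand
EOF
      printf 'ldap_tls_cacert = %s\n' "$cacert"
    } > "$out" )
}

# conf_value FILE KEY: print the value of KEY in FILE (used for checks).
conf_value() {
  sed -n "s/^$2 = //p" "$1"
}

# Typical use (the password is read from the terminal rather than passed on
# the command line, where it would be visible in the process list):
#   printf 'LDAP admin password: '; stty -echo; read -r pw; stty echo; echo
#   render_sssd_conf server.domain.fr "$pw" /etc/ssl/certs/ldap.crt sssd.conf
#   sudo install -o root -g root -m 600 sssd.conf /etc/sssd/sssd.conf
```

After installing the file and restarting sssd, `getent passwd <ldap-user>` is the quickest check that the chain slapd, TLS, sssd and NSS works end to end; if it prints nothing, `journalctl -u sssd` usually names the failing step (a certificate rejected under reqcert = demand being the common one).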
Finally, modify /etc/nsswitch.conf so that the passwd, group and shadow lines look like:
passwd: files systemd sss
group: files systemd sss
shadow: files sss
Then, getent passwd <ldap-user> should show the account, and we can log in as an LDAP user:
$ su - <ldap-user>
Final Notes
- I finally gave up on LdapCherry, as it does not fulfil my needs, especially with the creation of the POSIX user home directories. But maybe that was not its goal.
References
- LDAP
- Non-PHP LDAP managers: LdapCherry (Python)
- PAM (Linux authentication)
Category: EHome Tagged: ldap pam sssd slapd authentication