LDAP Server Installation for openssh-lpk clients
3/30/2012 05:22:00 PM
Posted by johnhomer
Since OpenLDAP version 2.3, configuration through cn=config is supported. It is also known as run-time configuration (RTC) or zero downtime configuration.
In accomplishing this task, we will use a cn=config type of configuration since by default, Amazon's Official Linux Ami (ALAMI 2012.03) uses this type.
OS: Alami 2012.03 / CentOS 6.2
In accomplishing this task, we will use a cn=config type of configuration since by default, Amazon's Official Linux Ami (ALAMI 2012.03) uses this type.
OS: Alami 2012.03 / CentOS 6.2
Objectives
- Centralize the administration of linux accounts
- Centralize the administration of sudo access
- Use public keys
OpenLDAP Config
- Update the system. Fix timezone
yum -y update echo -e "ZONE=Asia/Singapore\nUTC=false" > /etc/sysconfig/clock ln -sf /usr/share/zoneinfo/Asia/Singapore /etc/localtime
- Install LDAP packages
yum install openldap-servers openldap-clients -y
- Generate the admin password
$ slappasswd -s mysecret {SSHA}IwmKUosglAO6RpcjGDYm04HUu0VgWP0Y
Note: mysecret will now be your Manager password. You will use this password to execute administrative commands. Displayed after is the corresponding hash. Use the hash in succeeding steps. - TLS settings
sed -i 's/dc=my-domain,dc=com/dc=johnalvero,dc=com/g' /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif # Also, add the password and TLS settings in the file cat <<'EOF'>> /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif olcRootPW: {SSHA}IwmKUosglAO6RpcjGDYm04HUu0VgWP0Y olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem EOF
- Also add a password for “cn=admin,cn=config” user
cat <<'EOF'>> /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif olcRootPW: {SSHA}IwmKUosglAO6RpcjGDYm04HUu0VgWP0Y EOF
- Monitor configuration
sed -i 's/cn=manager,dc=my-domain,dc=com/cn=Manager,dc=johnalvero,dc=com/g' /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif
- DB config
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG chown -R ldap:ldap /var/lib/ldap/
- Generate SSL keys
openssl req -new -x509 -nodes -out /etc/pki/tls/certs/slapdcert.pem -keyout /etc/pki/tls/certs/slapdkey.pem -days 365 chown -Rf root.ldap /etc/pki/tls/certs/slapdcert.pem chown -Rf root.ldap /etc/pki/tls/certs/slapdkey.pem
Schemas
- Add openssh-lpk shema
cat <<'EOF'> /etc/openldap/slapd.d/cn=config/cn=schema/cn={21}openssh-lpk.ldif dn: cn={21}openssh-lpk objectClass: olcSchemaConfig cn: {21}openssh-lpk olcAttributeTypes: {0}( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' DES C 'MANDATORY: OpenSSH Public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4. 1.1466.115.121.1.40 ) olcObjectClasses: {0}( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' DESC 'MANDATORY: OpenSSH LPK objectclass' SUP top AUXILIARY MAY ( sshPublicKey $ uid ) ) structuralObjectClass: olcSchemaConfig entryUUID: 135574f4-bda0-102f-9362-0b01757f31d8 creatorsName: cn=config createTimestamp: 20110126135819Z entryCSN: 20110126135819.712350Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20110126135819Z EOF
- Add the sudoers schema
cat<<'EOF'> /etc/openldap/slapd.d/cn=config/cn=schema/cn={23}sudo.ldif dn: cn={23}sudo objectClass: olcSchemaConfig cn: {23}sudo olcAttributeTypes: {0}( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMa tch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {1}( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMat ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {2}( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Comma nd(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1 466.115.121.1.26 ) olcAttributeTypes: {3}( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115 .121.1.26 ) olcAttributeTypes: {4}( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Option s(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115 .121.1.26 ) olcObjectClasses: {0}( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer En tries' SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ s udoRunAs $ sudoOption $ description ) ) structuralObjectClass: olcSchemaConfig entryUUID: 13557a62-bda0-102f-9364-0b01757f31d8 creatorsName: cn=config createTimestamp: 20110126135819Z entryCSN: 20110126135819.712350Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20110126135819Z EOF
- Make initial files for base, group, people and sudoers
- base.ldif
dn: dc=johnalvero,dc=com dc: johnalvero objectClass: top objectClass: domain dn: ou=People,dc=johnalvero,dc=com ou: People objectClass: top objectClass: organizationalUnit dn: ou=Group,dc=johnalvero,dc=com ou: Group objectClass: top objectClass: organizationalUnit
- newgroup.ldif
dn: cn=phstaff,ou=Group,dc=johnalvero,dc=com objectClass: posixGroup objectClass: top cn: phstaff userPassword: {crypt}x gidNumber: 1000
- newpeople.ldif
dn: uid=john,ou=People,dc=johnalvero,dc=com uid: john cn: John Alvero objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount objectClass: ldapPublicKey userPassword: {CRYPT}cr5y5J6F67Ci2 shadowLastChange: 15140 shadowMin: 0 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash uidNumber: 1000 gidNumber: 1000 homeDirectory: /home/john sshPublicKey: myrsakeyhere_changeme
- newsudoers.ldif
dn: ou=sudoers,dc=johnalvero,dc=com objectclass: organizationalUnit ou: sudoers dn: cn=defaults,ou=sudoers,dc=johnalvero,dc=com objectClass: top objectClass: sudoRole cn: defaults description: Default sudoOption's go here sudoOption: logfile=/var/log/sudolog dn: cn=root,ou=sudoers,dc=johnalvero,dc=com objectClass: top objectClass: sudoRole cn: root sudoUser: root sudoHost: ALL sudoCommand: ALL # Sample sudo user dn: cn=john,ou=sudoers,dc=johnalvero,dc=com objectClass: top objectClass: sudoRole cn: john sudoUser: john sudoHost: ALL sudoCommand: ALL sudoOption: !authenticate
- We can now start the services and add the entries:
chkconfig slapd on service slapd start ldapadd -x -W -D "cn=Manager,dc=johnalvero,dc=com" -f base.ldif ldapadd -x -W -D "cn=Manager,dc=johnalvero,dc=com" -f newgroup.ldif ldapadd -x -W -D "cn=Manager,dc=johnalvero,dc=com" -f newpeople.ldif ldapadd -x -W -D "cn=Manager,dc=johnalvero,dc=com" -f newsudoers.ldif
- And try searching
ldapsearch -x -b "dc=johnalvero,dc=com" ldapsearch -H "ldap://johnalvero.com:389" -x -b "dc=johnalvero,dc=com"
Configuring ssh-lpk Clients
- Install the packages
yum install openssh-ldap nss-pam-ldapd
- Setup LDAP config. This will modify various LDAP files including that of PAM
authconfig --disablenis --enablemkhomedir --enableshadow --enablelocauthorize --enableldap --ldapserver=johnalvero.com --enablemd5 --ldapbasedn=dc=johnalvero,dc=com --updateall # Or, you can use a curses-based application. Enable necessary options based on the above command but --enablemkhomedir is not available in authconfig-tui authconfig-tui
- Allow SSH public-key login
cat <<'EOF'> /etc/ssh/ldap.conf uri ldap://johnalvero.com/ base dc=johnalvero,dc=com ssl no EOF cat <<'EOF'>> /etc/ssh/sshd_config AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper AuthorizedKeysCommandRunAs nobody EOF
- Tell system to lookup sudoers info from ldap or files respectively
echo 'sudoers: ldap files' >> /etc/nsswitch.conf cat <<'EOF'>> /etc/nslcd.conf ou=sudoers,dc=johnalvero,dc=com sudoers_base ou=sudoers,dc=johnalvero,dc=com EOF
- Restart sshd
service sshd restart
nslcd start/restart hack
Since, Alami's nss-pam-ldapd suffers from the same bug described in https://bugzilla.redhat.com/show_bug.cgi?id=760843.
I have made a patch for /etc/init.d/nslcd. This will make nss-pam-ldapd
play nicely with sudo. Essentially, what is does is comment out
“sudo-ldap”-related config in /etc/nslcd.conf just before starting the
daemon and uncommenting these configs right after.
If you dont apply this patch, you will get errors in restarting/starting nslcd.
There's another option though, instead of installing nss-pam-ldapd from the default amzn-main repo, you can install the one in http://danielhall.me/shared/rpms/nss-pam-ldapd/ and forget about this patch.
If you dont apply this patch, you will get errors in restarting/starting nslcd.
There's another option though, instead of installing nss-pam-ldapd from the default amzn-main repo, you can install the one in http://danielhall.me/shared/rpms/nss-pam-ldapd/ and forget about this patch.
*** /etc/init.d/nslcd 2012-03-30 13:42:53.859493505 +0800 --- /root/nslcd 2012-03-30 13:28:08.120237533 +0800 *************** *** 29,35 **** --- 29,39 ---- start() { echo -n $"Starting $prog: " + sed -i 's/^ou/#ou/' /etc/nslcd.conf + sed -i 's/^sudoers_base/#sudoers_base/' /etc/nslcd.conf daemon $program + sed -i 's/^#ou/ou/' /etc/nslcd.conf + sed -i 's/#sudoers_base/sudoers_base/' /etc/nslcd.conf RETVAL=$? echo [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$progand then, patch by:
cd /etc/init.d/ patch -i /path/to/patch/nslcd.patch
This entry was posted on October 4, 2009 at 12:14 pm, and is filed under
AWS,
linux
. Follow any responses to this post through RSS. You can leave a response, or trackback from your own site.
Subscribe to:
Post Comments (Atom)
June 12, 2012 at 2:37 AM
Hello,
this subject is quite interesting. however, installed a laboratory to perform tests and fails. I think the documentation is incomplete or failed to explain the scenario a little better.