Projekt SSO: Difference between revisions

From JoBaPedia
Jump to navigation Jump to search
Line 29: Line 29:
For secure communication between LDAP server and client, an SSL connection can be used. This means we also need a key/certificate management. The same can be used for other services that use SSL, like HTTPS for webservers, remote mysql connections or openvpn.
For secure communication between LDAP server and client, an SSL connection can be used. This means we also need a key/certificate management. The same can be used for other services that use SSL, like HTTPS for webservers, remote mysql connections or openvpn.


OpenLDAP can be run on the same host as samba or on a different host. I want to use the QNAP NAS since I expect it to have more uptime and I want to run the samba AD there too as soon as it is available. OpenLDAP is available as a QPKG on the NAS. But as a first step it is running on job4 now.
OpenLDAP can be run on the same host as samba or on a different host. I want to use the QNAP NAS since I expect it to have more uptime and I want to run the samba AD there too as soon as it is available. OpenLDAP is available as a QPKG on the NAS. Suse usermanagement did not work with that. I had to copy the schemas from opensuse ldap to qnap and configure ldap to use them.


Configuration with yast ldap client was easy once I discovered I had to use enumerate option in /etc/sssd/sssd.conf to enable getent for ldap users
Configuration with yast ldap client then was easy once I discovered I had to use enumerate option in /etc/sssd/sssd.conf to enable getent for ldap users. The uri domain name needs to be the cn or an alternate subject of the openldap certificate on the qnap device.
 
Being able to change passwords and honor disabled users some changes were needed. For background see here:
 
http://forum.qnap.com/viewtopic.php?f=50&t=70028


==== /etc/sssd/sssd.conf ====
==== /etc/sssd/sssd.conf ====
Line 42: Line 46:
  [nss]
  [nss]
  filter_groups = root
  filter_groups = root
  filter_users = root
  filter_users = root  
   
   
  [pam]
  [pam]  
   
   
# Section created by YaST
  [domain/default]
  [domain/default]
  ldap_uri = ldap://ldap.banzhaf.chickenkiller.com
  ldap_uri = ldap://qnap.job.de
  ldap_search_base = dc=job2
  ldap_search_base = dc=job,dc=de
  ldap_schema = rfc2307bis
  ldap_schema = rfc2307bis
  id_provider = ldap
  id_provider = ldap
Line 56: Line 61:
  enumerate = True
  enumerate = True
  cache_credentials = True
  cache_credentials = True
ldap_tls_cacert = /etc/ssl/certs/jba-pki-v2-ca.crt
ldap_user_search_base = ou=people,dc=job2
ldap_group_search_base = ou=group,dc=job2
  chpass_provider = ldap
  chpass_provider = ldap
  auth_provider = ldap
  auth_provider = ldap
ldap_tls_cacert = /etc/ssl/certs/jba-pki-v2-ca.crt
ldap_user_search_base = ou=people,dc=job,dc=de
ldap_group_search_base = ou=group,dc=job,dc=de
# following lines added for using user disabled flag
ldap_pwd_policy = none
access_provider = ldap
ldap_account_expire_policy = shadow
ldap_access_order = expire
ldap_chpass_update_last_change = true
ldap_default_bind_dn = cn=admin,dc=job,dc=de
ldap_default_authtok = {pwd of bind dn}


==== /etc/nsswitch.conf ====
==== /etc/nsswitch.conf ====
Line 67: Line 84:
  group:  compat sss
  group:  compat sss
  ...
  ...
==== LDAP Schemas ====
The qnap device and openSUSE need different (incompatible?) schemas.
Since I could not manage users with yast with the qnap schemas, I copied the suse schemas over and used them.


==== phpLdapAdmin ====
==== phpLdapAdmin ====
Line 87: Line 99:
  smbclient -c ls -W job -U ldaptest //qnap/Download
  smbclient -c ls -W job -U ldaptest //qnap/Download
The homedirectory is not created this way. Try yast?
The homedirectory is not created this way. Try yast?
==== Useful commands ====
show publicly accessible ldap database content without using ssl
# configure /etc/openldap/ldap.conf
uri    ldap://qnap.job.de
base    dc=job,dc=de
TLS_CACERT      /etc/ssl/certs/jba-pki-v2-ca.crt
# execute search
ldapsearch -x
show ldap content with ssl (needs password of root cn and valid cert on qnap slapd.conf)
ldapsearch -ZZ -D "cn=admin,dc=job,dc=de" -W
show base dn of ldap database
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
add a key value pair to an ldap object (here homeDirectory)
# create file test.ldap
dn: cn=jo,dc=job,dc=de
changetype: modify
add: homeDirectory
homeDirectory: /home/jo
# execute modify
ldapmodify -ZZ -D "cn=admin,dc=job,dc=de" -W -f test.ldap


=== Certificate Management (PKI) ===
=== Certificate Management (PKI) ===

Revision as of 16:11, 8 April 2014

SSO

Goal is to have single signon (SSO) with open source software for as much services as possible. Since SSO for windows services needs a windows domain controller and Samba provides one, this seems to be the only way to go.

In the end, I want all services to be run on the low power QNAP NAS. This is not possible yet, because QNAP as PDC will only be available on the next QNAP OS 4.1. In the meantime I'll implement this part on the opensuse server.

SSO Services

  • login on all linux and windows devices, including servers, NAS and notebooks
  • windows shares
  • samba shares on linux servers and qnap NAS
  • wiki
  • bugtracker (trac)
  • databases (mysql, db2)
  • more webservices

Subprojects

Samba needs some backend technology to work. Right now, I know of user management and domain name service. User management could be handled by samba internally, but not all sso services support samba users as identity provider. A common user id management that is supported by many services directly or indirectly is LDAP. Samba, openSUSE linux and e.g. DB2 support it natively, others via PAM or other services.

Open LDAP

Open ldap provides user management, but can also be used for many other things, like certificate store or address management. For secure communication between LDAP server and client, an SSL connection can be used. This means we also need a key/certificate management. The same can be used for other services that use SSL, like HTTPS for webservers, remote mysql connections or openvpn.

OpenLDAP can be run on the same host as samba or on a different host. I want to use the QNAP NAS since I expect it to have more uptime and I want to run the samba AD there too as soon as it is available. OpenLDAP is available as a QPKG on the NAS. Suse usermanagement did not work with that. I had to copy the schemas from opensuse ldap to qnap and configure ldap to use them.

Configuration with yast ldap client then was easy once I discovered I had to use enumerate option in /etc/sssd/sssd.conf to enable getent for ldap users. The uri domain name needs to be the cn or an alternate subject of the openldap certificate on the qnap device.

Being able to change passwords and honor disabled users some changes were needed. For background see here:

http://forum.qnap.com/viewtopic.php?f=50&t=70028

/etc/sssd/sssd.conf

[sssd]
config_file_version = 2
services = nss,pam
domains = default

[nss]
filter_groups = root
filter_users = root 

[pam] 

# Section created by YaST
[domain/default]
ldap_uri = ldap://qnap.job.de
ldap_search_base = dc=job,dc=de
ldap_schema = rfc2307bis
id_provider = ldap
ldap_user_uuid = entryuuid
ldap_group_uuid = entryuuid
ldap_id_use_start_tls = True
enumerate = True
cache_credentials = True
chpass_provider = ldap
auth_provider = ldap
ldap_tls_cacert = /etc/ssl/certs/jba-pki-v2-ca.crt
ldap_user_search_base = ou=people,dc=job,dc=de
ldap_group_search_base = ou=group,dc=job,dc=de

# following lines added for using user disabled flag
ldap_pwd_policy = none

access_provider = ldap
ldap_account_expire_policy = shadow
ldap_access_order = expire
ldap_chpass_update_last_change = true

ldap_default_bind_dn = cn=admin,dc=job,dc=de
ldap_default_authtok = {pwd of bind dn}


/etc/nsswitch.conf

passwd:  compat sss
group:   compat sss
...

phpLdapAdmin

Config in

/share/MD0_DATA/.qpkg/OpenLDAP/phpldapadmin/config/config.php

Can create samba user with samba3 schema. The user needs to change pwd before use:

job4:~ # smbpasswd -r qnap -U ldaptest

It may be required to add the user to share sections in /etc/smb.conf. @"everyone" only includes local users, not ldap

read list = @"everyone"
write list = "admin","joachim","julian","caro"
valid users = "root",@"everyone","admin","joachim","julian","caro","ldaptest"

Then this works

smbclient -c ls -W job -U ldaptest //qnap/Download

The homedirectory is not created this way. Try yast?

Useful commands

show publicly accessible ldap database content without using ssl

  1. configure /etc/openldap/ldap.conf
uri     ldap://qnap.job.de
base    dc=job,dc=de
TLS_CACERT      /etc/ssl/certs/jba-pki-v2-ca.crt
  1. execute search
ldapsearch -x

show ldap content with ssl (needs password of root cn and valid cert on qnap slapd.conf)

ldapsearch -ZZ -D "cn=admin,dc=job,dc=de" -W

show base dn of ldap database

ldapsearch -x -b  -s base '(objectclass=*)' namingContexts

add a key value pair to an ldap object (here homeDirectory)

  1. create file test.ldap
dn: cn=jo,dc=job,dc=de
changetype: modify
add: homeDirectory
homeDirectory: /home/jo
  1. execute modify
ldapmodify -ZZ -D "cn=admin,dc=job,dc=de" -W -f test.ldap

Certificate Management (PKI)

see Projekt_PKI

DNS

Samba 4 needs a domain name service. I have no idea why, but it has an internal dns activated by default, so I'll use that. Implication: change used dns at least on the windows pc's from my router to the samba server. The samba server then forwards to the router, if necessary.

How will the dhcp/dns handshake work?