1
LDAP and Kerberos: An Overview
  • Leveraging services provided by Active Directory
    for Unix/Linux authentication, authorization and
    name services

Jason Testart
Computer Science Computing Facility, University of Waterloo
March 2007
2
Summary
  • Kerberos is for authentication only and provides
    Single Sign-on (SSO)
  • LDAP can be used for authentication,
    authorization, and name services (no SSO)
  • Active Directory is a kerberized directory
    service with an LDAP interface
  • Use Kerberos for authentication, LDAP for
    authorization and name services

3
What do these technologies give us?
  • Eliminate password synchronization
  • Speed up system deployment
  • Reduce development time when a new platform is
    introduced
  • Improve the end-user experience

4
LDAP
  • Name services using the Lightweight Directory
    Access Protocol

5
What is LDAP?
  • A protocol for accessing a directory service
  • What's a directory service? Think DNS.
  • Database backend: do we care?
  • Schema: attributes with OIDs (à la SNMP)
  • Objects organized in a tree structure (DIT)
  • Operations: bind, search, modify
  • LDIF: text file format for describing directory
    contents

6
Schema
  • Attribute: like a variable in a programming
    language, it holds a value
  • ObjectClass: a special attribute that all
    directory entries must have, as it acts as a
    template for the data (enforces a kind of
    internal consistency)
  • AD Schema: http://msdn.microsoft.com/library/en-us/ad/ad/active_directory_schema.asp
  • Unix Schema: http://www.ietf.org/rfc/rfc2307.txt

7
Types of Object Classes
  • Structural: only one per entry!
  • Auxiliary: supplements structural
  • Abstract: can't be used directly, only as an
    ancestor of another class (e.g. top)

8
Schema Examples
Snippets of OpenLDAP's RFC 2307 schema implementation:

    objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount'
        DESC 'Abstraction of an account with POSIX attributes'
        SUP top AUXILIARY
        MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
        MAY ( userPassword $ loginShell $ gecos $ description ) )

    attributetype ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory'
        DESC 'The absolute path to the home directory'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
9
Directory Information Tree (DIT)
10
DN and RDN of a directory entry
  • RDN: an attribute value that is unique among all
    siblings of a single parent in the DIT
    (e.g. uid=jatestar)
  • DN: concatenation of RDNs when following the
    path from the entry (node) to the root of the
    DIT (e.g. uid=jatestar, ou=people, dc=ldap,
    dc=student, dc=cs, dc=uwaterloo, dc=ca)

11
Directory Entry Example
Entry in /etc/passwd:

    jatestar:x:1449:1449:Jason Testart CSCF,DC2555B,x37174,,:/u4/jatestart:/xhbin/tcsh

Becomes the following LDIF:

    dn: uid=jatestar, ou=ldap, ou=people, dc=student, dc=cs, dc=uwaterloo, dc=ca
    objectClass: top
    objectClass: person
    objectClass: posixAccount
    cn: Jason Testart
    sn: Testart
    uid: jatestar
    uidNumber: 1449
    gidNumber: 1449
    homeDirectory: /u4/jatestart
    loginShell: /xhbin/tcsh
    gecos: Jason Testart CSCF,DC2555B,x37174,,
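The passwd-to-LDIF conversion shown above, generalised to any /etc/passwd line and checked against the MUST lists from the schema snippet on slide 8, as an added example that is not part of the presentation. The sample passwd line and the base DN are the slides'; the `cn` override (gecos often carries more than the real name), the MUST table transcribed from RFC 2256/2307, and the RFC 2849 base64 rule for unsafe values are my additions.

```python
import base64

# MUST attributes per object class, transcribed from RFC 2256 (top, person)
# and RFC 2307 (posixAccount); extend this table for other classes you use.
MUST = {
    "top": {"objectClass"},
    "person": {"sn", "cn"},
    "posixAccount": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
}
STRUCTURAL = {"person"}   # slide 7: exactly one structural class per entry

# Sample input (constructed from the /etc/passwd line on slide 11)
PASSWD_LINE = ("jatestar:x:1449:1449:Jason Testart CSCF,DC2555B,x37174,,"
               ":/u4/jatestart:/xhbin/tcsh")
BASE_DN = "ou=people,dc=student,dc=cs,dc=uwaterloo,dc=ca"


def passwd_to_entry(line, base_dn, cn=None):
    """Map one /etc/passwd line onto a person + posixAccount entry.

    gecos often carries more than the real name (office, phone), so the caller
    may pass cn explicitly; by default the text before the first comma is used.
    """
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("expected 7 colon-separated fields: %r" % line)
    login, _pw, uid_num, gid_num, gecos, home, shell = fields
    cn = cn or gecos.split(",")[0].strip() or login
    return {
        "dn": "uid=%s,%s" % (login, base_dn),   # RDN = uid, unique among siblings
        "objectClass": ["top", "person", "posixAccount"],
        "cn": cn,
        "sn": cn.split()[-1],                   # person MUST carry sn
        "uid": login,
        "uidNumber": uid_num,
        "gidNumber": gid_num,
        "homeDirectory": home,
        "loginShell": shell,
        "gecos": gecos,
    }


def check_entry(entry):
    """Schema violations: structural-class count, unknown class, missing MUST attr."""
    problems = []
    classes = entry["objectClass"]
    structural = [c for c in classes if c in STRUCTURAL]
    if len(structural) != 1:
        problems.append("exactly one structural class required, got %r" % structural)
    for cls in classes:
        if cls not in MUST:
            problems.append("unknown objectClass %s" % cls)
            continue
        for attr in sorted(MUST[cls]):
            if not entry.get(attr):
                problems.append("%s requires %s" % (cls, attr))
    return problems


def ldif_line(attr, value):
    """One LDIF attribute line.  RFC 2849: a value that is not SAFE (non-ASCII,
    control characters, or a leading space, ':' or '<') is base64-encoded and
    written after a double colon."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")))
    if safe:
        return "%s: %s" % (attr, value)
    return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))


def to_ldif(entry):
    """Serialise an entry: dn first, then one line per attribute value."""
    lines = [ldif_line("dn", entry["dn"])]
    for attr, value in entry.items():
        if attr == "dn":
            continue
        values = value if isinstance(value, list) else [value]
        lines.extend(ldif_line(attr, v) for v in values)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    entry = passwd_to_entry(PASSWD_LINE, BASE_DN, cn="Jason Testart")
    problems = check_entry(entry)
    print(to_ldif(entry) if not problems else "\n".join(problems))
```

Run `check_entry()` before feeding the output to `ldapadd`; a server that enforces schema will reject an entry missing `homeDirectory` or carrying two structural classes, and it is cheaper to catch that here than to decode an LDAP object-class-violation result.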
12
Some LDAP Interfaces
  • LDIF - ldapsearch, ldapmodify, ldp.exe (see man
    ldif, man ldapsearch, etc.)
  • Perl - Net::LDAP (see http://ldap.perl.org/)
  • C/C++ - OpenLDAP API (likely others) (see man 3
    ldap)
  • ADSI - Windows specific (see http://www.microsoft.com/windows2000/techinfo/howitworks/activedirectory/adsilinks.asp)

13
When interfacing, you need
  • Server hostname
  • Bind DN
  • Base DN (if searching)
  • SSL? (a simple bind sends the password in the
    clear, so use ldaps:// or StartTLS and have the
    client verify the server certificate)

Note: An Active Directory domain controller will
accept the value of the userPrincipalName
attribute as the bind DN (e.g. jatestar@nexus.uwaterloo.ca
is friendlier than CN=Jason J Testart (jatestar),OU=CSCF,
OU=Staff,OU=Accounts,OU=Computer Science,OU=Faculties,
DC=NEXUS,DC=UWATERLOO,DC=CA)
14
What object classes does AD use for users?
Query:

    ldapsearch -x -W -H "ldaps://canadenis.student.cs.uwaterloo.ca" \
      -D "jatestar@student.cs.uwaterloo.ca" \
      -b "dc=student,dc=cs,dc=uwaterloo,dc=ca" \
      "(cn=jatestar)" objectClass

Yields:

    dn: CN=jatestar,OU=Users,OU=CS,DC=student,DC=cs,DC=uwaterloo,DC=ca
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
15
Need Unix attributes in AD
  • The user objectClass is missing needed attributes
    that RFC 2307 provides
  • So, extend the schema in AD, but be careful!
  • Differences between MS-SFU 2.0, MS-SFU 3.5 and
    the schema shipped with Windows Server 2003 R2
  • Maximize use of client attribute mappings!

16
Attribute Mappings
  • Example: when I ask for the gecos attribute
    value, fetch the value of cn from the directory
    instead
  • Minimize duplication of data in the directory
    (i.e. redundant attributes)
  • In some cases, doing this allows you to avoid
    extending the schema of a directory

17
Groups
  • posixGroup uses memberUid, which is the uid of
    the member
  • groupOfNames (and AD's group class) uses the
    member attribute, which is the DN of the member;
    groupOfUniqueNames uses uniqueMember, also a DN
  • Attribute mappings may be inappropriate here (a
    uid is not a DN), so redundancy may be unavoidable
  • Netgroups may give additional functionality, with
    additional complexity

18
Applying the knowledge (client-side)
  • Make sure you know which directory attributes
    you are using!
  • Tell /etc/nsswitch.conf to use the nss_ldap
    library from padl.com
  • Edit ldap.conf appropriately to point to AD
    and define the attribute maps
  • No need to add users/groups in /etc/passwd or
    /etc/group!
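What the three client-side steps above look like in files, as an added example and not the presenter's configuration: the domain controller name and base DN are taken from slide 14; the proxy account, the OUs under nss_base_passwd/nss_base_group, the CA file path and the Windows Server 2003 R2 attribute names (uidNumber, gidNumber, unixHomeDirectory) are assumptions, and with MS-SFU 3.5 the right-hand names would be the msSFU30* ones instead.

```text
# /etc/nsswitch.conf: consult local files first, then the directory
passwd:  files ldap
group:   files ldap
shadow:  files ldap

# /etc/ldap.conf (PADL nss_ldap)
uri ldaps://canadenis.student.cs.uwaterloo.ca/
base dc=student,dc=cs,dc=uwaterloo,dc=ca
ssl on
# verify the DC's certificate; without this ldaps:// only hides traffic from
# passive eavesdroppers, and a spoofed DC could feed the client fake uid/gid data
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/student-cs-ca.pem

# AD refuses anonymous reads, so bind as a read-only proxy account.  This file
# is world-readable (every process doing a name lookup reads it), so the account
# must have no rights beyond reading user and group attributes.
binddn cn=nss-proxy,OU=Service Principals,DC=student,DC=cs,DC=uwaterloo,DC=ca
bindpw ChangeMe

# AD returns referrals for its other naming contexts; chasing them only costs timeouts
referrals no
timelimit 10
bind_timelimit 5

# where passwd and group entries live
nss_base_passwd OU=Users,OU=CS,DC=student,DC=cs,DC=uwaterloo,DC=ca?sub
nss_base_group  OU=Groups,OU=CS,DC=student,DC=cs,DC=uwaterloo,DC=ca?sub

# object class mappings: AD's user/group stand in for posixAccount/posixGroup
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group

# attribute mappings (slide 16): the RFC 2307 name on the left is served from
# the AD attribute on the right, so these need no schema extension at all
nss_map_attribute uid sAMAccountName
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
# AD group membership is a list of member DNs, not memberUid values (slide 17);
# nss_ldap resolves each DN to a uid when the mapping is declared this way
nss_map_attribute uniqueMember member
```

After installing it, `getent passwd jatestar` should return the AD entry with the mapped attributes, and `getent group` should list members by login name. If lookups hang for seconds rather than failing fast, the usual culprits are `referrals` left on or a bind_timelimit that is too generous.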

19
Kerberos
  • Using Active Directory Kerberos for Unix/Linux
    authentication

20
What is Kerberos?
  • Authentication protocol
  • Secure
  • SSO
  • Trusted 3rd party
  • Mutual Authentication

21
Some Kerberos Terminology
  • User Principal
  • Host/Service Principal
  • Instance
  • Realm
  • KDC
  • TGT
  • Credential cache

22
Principals
  • username/instance@REALM
  • servicename/FQDN@REALM

Examples
  • jatestar@NEXUS.UWATERLOO.CA
  • nfs/gl01.student.cs.uwaterloo.ca@STUDENT.CS.UWATERLOO.CA
  • host/cpu14.student.cs.uwaterloo.ca@STUDENT.CS.UWATERLOO.CA
  • imap/services02.student.cs.uwaterloo.ca@STUDENT.CS.UWATERLOO.CA

23
Credential Cache (on a Mac)

    $ klist
    Ticket cache: FILE:/tmp/krb5cc_1000
    Default principal: jatestar@STUDENT.CS.UWATERLOO.CA

    Valid starting     Expires            Service principal
    12/13/06 01:06:50  12/13/06 11:05:03  krbtgt/STUDENT.CS.UWATERLOO.CA@STUDENT.CS.UWATERLOO.CA
            renew until 12/14/06 01:06:50
    12/13/06 01:06:38  12/13/06 11:05:03  fs02@STUDENT.CS.UWATERLOO.CA
            renew until 12/14/06 01:06:50
    12/13/06 01:10:23  12/13/06 11:05:03  host/cpu20.student.cs.uwaterloo.ca@STUDENT.CS.UWATERLOO.CA
            renew until 12/14/06 01:06:50
24
AD Domain = Kerberos v5 Realm
  • Domain controllers provide KDC functionality
  • A domain is synonymous with realm
  • Joining a Windows computer to a domain means you
    are creating a host principal in the realm
  • No multipart principal names in AD, so mappings
    are needed for instances

25
Adding a Unix host to AD
  • Create a user account for the host/service (e.g.
    cpu04-host)
  • Map the account to a service principal:
    host/cpu04.student.cs.uwaterloo.ca@STUDENT.CS.UWATERLOO.CA
  • Set the account password
  • Generate a krb5.keytab file
  • Stick the keytab file in /etc/krb5 on cpu04
    (root-only, mode 0600: the keytab holds the host's
    long-term key, so anyone who can read it can
    impersonate the host and decrypt its service tickets)
  • Done on all student.cs CPU servers

26
Adding a Unix host to AD (sans GUI)
Create the account using LDIF (from a Linux box):

    ldapmodify -x -W -H ldaps://canadenis -D Administrator@student.cs.uwaterloo.ca
    dn: cn=cpu04-host,OU=Service Principals,DC=student,DC=cs,DC=uwaterloo,DC=ca
    changetype: add
    cn: cpu04-host
    objectClass: user
    sAMAccountName: cpu04-host
    displayName: cpu04-host
    description: Kerberos host service principal for cpu04
    userAccountControl: 2097664

(userAccountControl 2097664 = 0x200200 = NORMAL_ACCOUNT | USE_DES_KEY_ONLY.
DES-only keys were what 2007-era Unix Kerberos clients could use against AD,
but DES is a 56-bit cipher and current Windows releases disable it by default;
where the clients support it, leave that bit clear and issue AES keys instead.)

Do the mapping and generate a keytab file (on the domain controller):

    ktpass -princ host/cpu04.student.cs.uwaterloo.ca@STUDENT.CS.UWATERLOO.CA \
      -mapuser cpu04-host -pass S0m3Rand0mPaZZw0rd -out cpu04-host.keytab
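The naming rules behind slides 22 and 24-26 in code, as an added example that is not part of the presentation: splitting a principal into its parts, deriving the slide's `<host>-host` account name (needed because AD has no multi-part principal names), emitting the LDIF and the ktpass line for a host, and decoding a userAccountControl value such as the 2097664 above. The realm, OU and hostnames are the slides'; the default flag set, the `-pass *`, `-ptype` and `-crypto` ktpass options, and all function names are my assumptions.

```python
import re

# userAccountControl bit names (subset of the values documented in the AD schema)
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
}

# Names taken from the slides; the OU is the one slide 26 creates the account in
REALM = "STUDENT.CS.UWATERLOO.CA"
SERVICE_OU = "OU=Service Principals,DC=student,DC=cs,DC=uwaterloo,DC=ca"


def parse_principal(name):
    """'primary[/instance]@REALM' -> (primary, instance, realm); instance is ''
    for a user principal.  Backslash escapes are not handled (AD never needs them)."""
    m = re.fullmatch(r"([^/@]+)(?:/([^@]+))?@([^@]+)", name)
    if not m:
        raise ValueError("not a Kerberos V5 principal: %r" % name)
    primary, instance, realm = m.groups()
    return primary, instance or "", realm


def host_account_name(principal):
    """Slide 25's convention: host/cpu04.<domain>@REALM is carried by AD account
    'cpu04-host'.  Needed because AD has no multi-part principal names (slide 24)."""
    service, instance, _realm = parse_principal(principal)
    if not instance:
        raise ValueError("a service principal needs an instance (the FQDN)")
    return "%s-%s" % (instance.split(".")[0], service)


def decode_uac(value):
    """Flag names set in a userAccountControl value, lowest bit first."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)
    if unknown:
        names.append("UNKNOWN(0x%x)" % unknown)
    return names


def host_account_ldif(principal, ou_dn=SERVICE_OU, uac=0x0200 | 0x10000):
    """LDIF for the AD user object that ktpass will map the principal onto.
    Default flags (assumed): NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD = 66048, so the
    domain password policy cannot silently expire the key sitting in the host keytab."""
    name = host_account_name(principal)
    lines = [
        "dn: cn=%s,%s" % (name, ou_dn),
        "changetype: add",
        "cn: " + name,
        "objectClass: user",
        "sAMAccountName: " + name,
        "displayName: " + name,
        "description: Kerberos service principal " + principal,
        "userAccountControl: %d" % uac,
    ]
    return "\n".join(lines) + "\n"


def ktpass_command(principal, keytab, crypto="AES256-SHA1"):
    """ktpass line for the domain controller.  '-pass *' makes ktpass prompt, so the
    key's password never lands in the shell history or a process listing; -ptype and
    -crypto are assumed options of current ktpass (the 2007 default key type was DES)."""
    return ("ktpass -princ %s -mapuser %s -pass * -ptype KRB5_NT_PRINCIPAL "
            "-crypto %s -out %s" % (principal, host_account_name(principal), crypto, keytab))


if __name__ == "__main__":
    p = "host/cpu04.student.cs.uwaterloo.ca@" + REALM
    print(host_account_ldif(p))
    print(ktpass_command(p, "cpu04-host.keytab"))
    print("slide 26's userAccountControl 2097664 =", " | ".join(decode_uac(2097664)))
```

Once the keytab is on the host, `klist -kt /etc/krb5/krb5.keytab` shows the principal and key version, and `kinit -kt /etc/krb5/krb5.keytab host/cpu04.student.cs.uwaterloo.ca` proves the mapping works end to end; if ktpass is run twice the kvno in AD moves on and the older keytab stops decrypting tickets.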
27
Tell Unix login to authenticate against AD
  • Set up an appropriate /etc/krb5.conf
  • Modify the PAM authentication stack to use the
    pam_krb5 module (and give the host a keytab, so
    pam_krb5 can verify the TGT it receives against
    the host key; without one a spoofed KDC could
    answer the login's AS exchange)

28
Lots of work for simple authentication!
  • Could have used LDAP, RADIUS, etc.
  • Kerberos gives us Single Sign-On
  • Can take advantage of domain trusts!
  • Most apps use SASL and GSSAPI to support Kerberos
    5

29
SSH and SSO
  • Configure SSH clients and servers to use GSSAPI
    for authentication
  • Mac Lab user can ssh to a CPU server without a
    password (no ssh keys or .shosts required)
  • Honours .k5login file (handy for course accounts)
  • Possibilities with NFS (v3), IMAP, SMTP AUTH,
    HTTP, etc
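The files behind slides 27 and 29, written out as an added example rather than the presenter's own configuration: a krb5.conf for the STUDENT.CS.UWATERLOO.CA realm (KDC name from slide 14, the remaining settings assumed), a Red Hat-style PAM stack (pam_krb5 option names differ between the Red Hat and the pam-krb5 implementations), the GSSAPI lines for sshd and ssh, and a .k5login.

```text
# /etc/krb5.conf
[libdefaults]
    default_realm = STUDENT.CS.UWATERLOO.CA
    dns_lookup_kdc = true
    forwardable = true
    # with a host keytab present, refuse a login whose TGT cannot be verified
    # against the host key: this is what defeats a spoofed KDC
    verify_ap_req_nofail = true

[realms]
    STUDENT.CS.UWATERLOO.CA = {
        kdc = canadenis.student.cs.uwaterloo.ca
        admin_server = canadenis.student.cs.uwaterloo.ca
    }

[domain_realm]
    .student.cs.uwaterloo.ca = STUDENT.CS.UWATERLOO.CA
    student.cs.uwaterloo.ca = STUDENT.CS.UWATERLOO.CA

# /etc/pam.d/system-auth (auth and account lines only)
auth        sufficient    pam_krb5.so try_first_pass
auth        required      pam_unix.so
account     required      pam_krb5.so
account     required      pam_unix.so
session     optional      pam_krb5.so

# /etc/ssh/sshd_config on the CPU servers
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

# /etc/ssh/ssh_config on the Mac Lab clients
Host *.student.cs.uwaterloo.ca
    GSSAPIAuthentication yes
    # delegation forwards the user's TGT to the server; leave it off except for
    # hosts you trust with the user's whole identity
    GSSAPIDelegateCredentials no

# ~/.k5login for a course account: one principal per line that may log in as
# this user; the file must be owned by the user and not group/world writable
jatestar@STUDENT.CS.UWATERLOO.CA
```

Test it in the order the SSO demo on the next slide uses: `kinit` on the client, `ssh cpu04.student.cs.uwaterloo.ca` with `-v` to watch the `gssapi-with-mic` method succeed, then `klist` on the client to see the host/cpu04 service ticket that the exchange fetched.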

30
SSO Demo (Linux client to AD)
  • Show krb5.conf
  • Login to realm (kinit)
  • Show file shares on NetApp
  • Query our entry on domain controller
  • Show resulting credential cache (klist)
  • Logout of realm (kdestroy)

31
Using slapd (OpenLDAP) with AD
  • OpenLDAP supports Kerberos via SASL/GSSAPI
  • Can map entities in a realm with entries in the
    directory
  • Use authz-regexp directive in slapd.conf
  • See http://www.openldap.org/doc/admin23/sasl.html
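The authz-regexp mapping the slide refers to, as an added example and not the presenter's slapd.conf: the realm is the slides'; the slapd hostname, the ou=people/ou=hosts layout and the decision to map host principals at all are assumptions.

```text
# slapd.conf fragment
# A client that binds with SASL/GSSAPI as jatestar@STUDENT.CS.UWATERLOO.CA is
# known to slapd by the authentication DN
#     uid=jatestar,cn=STUDENT.CS.UWATERLOO.CA,cn=gssapi,cn=auth
# authz-regexp rewrites that into the directory entry that access control and
# the "dn" in ldapwhoami refer to.  The regexp is matched case-insensitively.
sasl-realm      STUDENT.CS.UWATERLOO.CA
sasl-host       ldap.student.cs.uwaterloo.ca

# user principals -> people entries
authz-regexp
    "uid=([^,/]+),cn=student\.cs\.uwaterloo\.ca,cn=gssapi,cn=auth"
    "uid=$1,ou=people,dc=student,dc=cs,dc=uwaterloo,dc=ca"

# host principals have no people entry; give them their own, so that a
# host-keyed process cannot be mistaken for a user (the first rule's [^,/]+
# deliberately refuses the '/' in host/cpu04...)
authz-regexp
    "uid=host/([^,]+),cn=student\.cs\.uwaterloo\.ca,cn=gssapi,cn=auth"
    "cn=$1,ou=hosts,dc=student,dc=cs,dc=uwaterloo,dc=ca"
```

Verify with `kinit` followed by `ldapwhoami -Y GSSAPI -H ldap://ldap.student.cs.uwaterloo.ca`: the answer should be the mapped `uid=...,ou=people,...` DN, not the raw `cn=gssapi,cn=auth` form. A principal that matches no rule keeps the raw form, which is the safe failure because no access-control rule written against the DIT will apply to it.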

32
References
  • LDAP System Administration by Gerald Carter
    (O'Reilly)
  • Kerberos: The Definitive Guide by Jason Garman
    (O'Reilly)
  • Unified Windows and UNIX Authorization Using
    Microsoft Active Directory LDAP as a Directory
    Store by Ellie Berriman (Network Appliance Inc.)
  • Unified Windows and UNIX Authentication Using
    Microsoft Active Directory Kerberos by Ellie
    Berriman (Network Appliance Inc.)