Why store accounts in LDAP - PowerPoint PPT Presentation

1
Why store accounts in LDAP?
  • Every piece of data associated with a user is
    stored in their LDAP record
  • Easy maintenance of user accounts
  • Wide variety of tools to analyze and edit the
    data
  • Central database
  • Can be accessed remotely from many systems

2
Software Required
  • An LDAP server (OpenLDAP)
  • Pam_ldap - PAM module that allows PAM to
    authenticate against an LDAP database
  • Nss_ldap - NSS module that allows NSS to pull
    user information from an LDAP database
  • All this software is easily obtainable from every
    major distribution

3
Steps
  • Get the data in LDAP
  • Configure PAM to use the LDAP data for
    authentications
  • Configure NSS to use the LDAP data for
    passwd/group databases

4
Getting the Data in LDAP
  • The posixAccount objectClass stores all the
    information that is normally found in the
    /etc/passwd file

5
Example PosixAccount Entry
  • dn: cn=Brian Alliet,ou=People,dc=brianweb,dc=net
  • objectClass: person
  • objectClass: posixAccount
  • cn: Brian Alliet
  • uid: brian
  • uidNumber: 1000
  • gidNumber: 1000
  • homeDirectory: /home/brian
  • loginShell: /bin/bash
  • gecos: Brian Alliet
  • userPassword: XXXXXX

6
Populating the LDAP database
  • Use GQ
  • Scripts to Automatically convert /etc/passwd to
    LDAP
  • Manually creating new LDIF files (not
    recommended)
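Slides 4 to 6 describe the migration path: take what is in /etc/passwd, express it as posixAccount entries, and load the LDIF. The script below is an added example of such a converter and is not code from the presentation. It assumes the ou=People,dc=brianweb,dc=net tree from the slides, a uid cut-off of 1000 so that system accounts stay local, that the directory server accepts {CRYPT} hashes carried over from /etc/shadow (OpenLDAP does when built with crypt support), and it adds the sn attribute that the person objectClass requires but the slide's sample entry omits. The passwd and shadow fragments are constructed for the demo.

```python
import base64
import hashlib
import os

# Constructed /etc/passwd and /etc/shadow fragments (hypothetical users and
# hashes); a migration run would read the real files on the old system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
brian:x:1000:1000:Brian Alliet:/home/brian:/bin/bash
alice:x:1001:1001:Alice Example,Room 12:/home/alice:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$6$fakehash$fakehash:19000:0:99999:7:::
brian:$6$fakesalt$fakehash:19000:0:99999:7:::
alice:!:19000:0:99999:7:::
"""
BASE_DN = "ou=People,dc=brianweb,dc=net"  # tree used on the slides
MIN_UID = 1000                             # like pam_min_uid: system accounts stay local


def rdn_escape(value):
    """Escape an RDN attribute value as RFC 4514 requires (commas, quotes, ...)."""
    out = "".join("\\" + ch if ch in ',+"\\<>;' else ch for ch in value)
    if out.startswith((" ", "#")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def ssha_hash(password, salt=None):
    """Salted SHA-1 in the {SSHA} form OpenLDAP stores in userPassword (new accounts)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a plaintext password against an {SSHA} value (useful when auditing)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def shadow_hashes(text):
    """Map login name -> crypt(3) hash; locked accounts ('!', '*') map to None."""
    result = {}
    for line in text.splitlines():
        if line:
            name, hash_, _rest = line.split(":", 2)
            result[name] = hash_ if hash_ and hash_[0] not in "!*" else None
    return result


def passwd_to_entries(passwd_text, shadow_text="", base_dn=BASE_DN, min_uid=MIN_UID):
    """Turn passwd lines into posixAccount entries as lists of (attribute, value)."""
    hashes = shadow_hashes(shadow_text)
    entries = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        name, _pw, uid, gid, gecos, home, shell = fields
        if int(uid) < min_uid:
            continue
        full_name = gecos.split(",")[0].strip() or name
        entry = [
            ("dn", "cn=%s,%s" % (rdn_escape(full_name), base_dn)),
            ("objectClass", "person"),
            ("objectClass", "posixAccount"),
            ("cn", full_name),
            ("sn", full_name.split()[-1]),  # 'person' makes sn mandatory
            ("uid", name),
            ("uidNumber", uid),
            ("gidNumber", gid),
            ("homeDirectory", home),
            ("loginShell", shell),
            ("gecos", gecos),
        ]
        if hashes.get(name):  # keep the existing hash; locked accounts get no password
            entry.append(("userPassword", "{CRYPT}" + hashes[name]))
        entries.append(entry)
    return entries


def ldif_value(attr, value):
    """One LDIF line; values LDIF cannot carry verbatim are base64-encoded with '::'."""
    safe = (value.isascii() and "\n" not in value and "\r" not in value
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if safe:
        return "%s: %s" % (attr, value)
    return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))


def entries_to_ldif(entries):
    return "\n\n".join("\n".join(ldif_value(a, v) for a, v in entry) for entry in entries) + "\n"


if __name__ == "__main__":
    print(entries_to_ldif(passwd_to_entries(SAMPLE_PASSWD, SAMPLE_SHADOW)))
```

Feed the output to ldapadd. The two details worth keeping from this example are the RDN and LDIF escaping (a gecos field containing a comma would otherwise silently produce a wrong DN) and the handling of locked shadow entries, which must not be migrated as if they had a usable password.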

7
GQ Screenshot
8
PAM
  • Stands for Pluggable Authentication Modules
  • Used to allow authentication sources to be added
    or modified on the system without rebuilding all
    the programs that require authentication.

9
pam.conf
  • login auth required pam_unix.so
  • login account required pam_unix.so
  • login password required pam_permit.so
  • login session required pam_permit.so

10
pam.conf with LDAP added
  • login auth sufficient pam_unix.so
  • login auth required pam_ldap.so try_first_pass
  • login account required pam_unix.so
  • login password required pam_permit.so
  • login session required pam_permit.so
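The behaviour of the two auth stacks on slides 9 and 10 follows from the PAM control flags. The following is an added example, not code from the presentation, that evaluates a stack under simplified Linux-PAM rules with in-memory stand-ins for pam_unix and pam_ldap; the users and passwords are constructed for the demo.

```python
# Constructed credential stores for the demo (hypothetical users and
# passwords). A real pam_unix checks /etc/shadow; a real pam_ldap binds to
# the directory as the user's entry with the supplied password.
LOCAL_USERS = {"root": "local-root-pw", "brian": "local-brian-pw"}
LDAP_USERS = {"brian": "ldap-brian-pw", "alice": "ldap-alice-pw"}


def pam_unix(user, password):
    return LOCAL_USERS.get(user) == password


def pam_ldap(user, password):
    return LDAP_USERS.get(user) == password


def pam_ldap_down(user, password):
    # Models the LDAP server being unreachable: every bind attempt fails.
    return False


# The two "auth" stacks from the slides as (control flag, module) pairs.
STACK_BEFORE = [("required", pam_unix)]
STACK_WITH_LDAP = [("sufficient", pam_unix), ("required", pam_ldap)]


def run_auth_stack(stack, user, password):
    """Evaluate an auth stack with simplified Linux-PAM control-flag rules.

    required:   failure is remembered but the rest of the stack still runs
    requisite:  failure ends the stack immediately
    sufficient: success ends the stack with PASS unless a required module
                already failed; failure is ignored
    optional:   only counts when it is the only module in the stack

    The same password is handed to every module, which is what
    try_first_pass asks pam_ldap to do instead of prompting again.
    Returns (authenticated, names of the modules that were consulted).
    """
    consulted = []
    required_failed = False
    for control, module in stack:
        consulted.append(module.__name__)
        ok = module(user, password)
        if control == "requisite" and not ok:
            return False, consulted
        if control == "required" and not ok:
            required_failed = True
        elif control == "sufficient" and ok and not required_failed:
            return True, consulted
        elif control == "optional" and len(stack) == 1:
            return ok, consulted
        elif control not in ("required", "requisite", "sufficient", "optional"):
            raise ValueError("unknown control flag %r" % control)
    return not required_failed, consulted


if __name__ == "__main__":
    for user, pw in [("brian", "local-brian-pw"), ("alice", "ldap-alice-pw"), ("mallory", "x")]:
        print(user, run_auth_stack(STACK_WITH_LDAP, user, pw))
```

Two points the trace makes visible: a local user never touches LDAP (pam_unix is sufficient, so pam_ldap is not consulted), which is why local logins survive an LDAP outage; and a user present in both stores can log in with either password. Reversing the order to required pam_ldap followed by sufficient pam_unix locks out local-only accounts such as root whenever their LDAP bind fails.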

11
Pam_ldap config file
  • Contains the hostname of the LDAP server
  • Contains the LDAP tree to look under for accounts
  • Contains the query used to map usernames to LDAP
    records

12
Ldap.conf
  • base dc=brianweb,dc=net
  • uri ldap://myldap_server/
  • pam_filter objectclass=posixAccount
  • pam_min_uid 1000

13
Diagram of PAM w/ pam_ldap
14
One more problem!
  • Pam_ldap allows PAM to authenticate against an
    LDAP database but it doesn't allow apps to do
    UID/GID mapping against LDAP
  • Users still need entries in /etc/passwd

15
Solution - nss_ldap
  • NSS module to allow NSS to look up passwd
    information from LDAP
  • Uses the same client configuration file as
    pam_ldap, so no additional configuration required
  • Needs to be added to /etc/nsswitch.conf

16
Nsswitch.conf
  • Similar to pam.conf
  • Used by the system to find the databases used to
    retrieve user account info (the stuff in passwd)
    as well as several other databases
  • Each line specifies a database
  • List of services (and the order to consult them
    in) appears after the database

17
Nsswitch.conf - before and after
  • Before
  • passwd: files
  • group: files
  • After
  • passwd: files ldap
  • group: files ldap
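Slides 16 and 17 describe nsswitch.conf as an ordered list of services per database. The following added example, not code from the presentation, parses that syntax (including the optional [STATUS=action] lists glibc supports) and resolves a passwd lookup against two constructed in-memory sources so the ordering rules can be seen directly; the users are hypothetical.

```python
import re

# Constructed "passwd" sources (hypothetical users): name -> (uid, gid).
# brian exists in both with different uids to show which answer wins.
FILES_PASSWD = {"root": (0, 0), "brian": (1000, 1000)}
LDAP_PASSWD = {"brian": (2000, 2000), "alice": (1001, 1001)}


class Unavailable(Exception):
    """Raised by a source that cannot be reached (e.g. LDAP server down)."""


def files_source(name):
    return ("success", FILES_PASSWD[name]) if name in FILES_PASSWD else ("notfound", None)


def ldap_source(name):
    return ("success", LDAP_PASSWD[name]) if name in LDAP_PASSWD else ("notfound", None)


def ldap_source_down(name):
    raise Unavailable("ldap server unreachable")


SOURCES = {"files": files_source, "ldap": ldap_source}
SOURCES_LDAP_DOWN = {"files": files_source, "ldap": ldap_source_down}

# glibc defaults: a hit ends the lookup, anything else moves to the next source.
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}


def parse_nsswitch(text):
    """Parse nsswitch.conf lines into {database: [(source, {status: action}), ...]}."""
    config = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        database, _, rest = line.partition(":")
        spec = []
        for token in re.findall(r"\[[^\]]*\]|\S+", rest):
            if token.startswith("["):
                if not spec:
                    raise ValueError("action list before any source: %r" % line)
                for item in token.strip("[]").split():
                    status, _, action = item.lower().partition("=")
                    spec[-1][1][status] = action
            else:
                spec.append((token, {}))
        config[database.strip()] = spec
    return config


def getpwnam(config, sources, name):
    """Resolve a login name through the passwd database in configured order."""
    status, value = "notfound", None
    for source, actions in config["passwd"]:
        try:
            status, value = sources[source](name)
        except Unavailable:
            status, value = "unavail", None
        if actions.get(status, DEFAULT_ACTIONS[status]) == "return":
            return status, value
    return status, value  # status of the last source consulted


if __name__ == "__main__":
    conf = parse_nsswitch("passwd: files ldap\ngroup: files ldap\n")
    for name in ("root", "brian", "alice", "nobody"):
        print(name, getpwnam(conf, SOURCES, name), getpwnam(conf, SOURCES_LDAP_DOWN, name))
```

With "files ldap" the local entry wins when a name exists in both places (brian resolves to uid 1000, not 2000), which is the safe direction for a uid collision, and local accounts keep resolving while the LDAP server is unreachable. Putting ldap first with [NOTFOUND=return] makes a miss in LDAP final, so even root stops resolving through files.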

18
Diagram of NSS w/ nss_ldap
19
Problems with this simple Setup
  • No redundancy
  • If your LDAP server goes down nobody can log in
  • Can be solved by adding additional LDAP servers
    and configuring replication between them

20
Problems with this simple Setup
  • No encryption
  • All data flows over the network in clear text
  • Can be solved by configuring pam_ldap and nss_ldap
    to use TLS (successor to SSL).

21
Other Applications
  • Once this infrastructure is in place it can be
    built on and integrated with more programs
  • Postfix (MTA)
  • Apache (Web Server)
  • Custom Applications
  • Countless others

22
Postfix
  • LDAP can be used for nearly anything in Postfix.
  • Any part of the configuration that involves
    mapping a key to a value can be done with an LDAP
    query

23
LDAP Entry containing Mail Aliases
  • Brian Alliet, People, brianweb.net
  • dn: cn=Brian Alliet,ou=People,dc=brianweb,dc=net
  • cn: Brian Alliet
  • uid: brian
  • mailAcceptingAddress: webmaster@brianweb.net
  • mailAcceptingAddress: webmaster@brian-web.com
  • mailAcceptingAddress: webmaster@alliet.com
  • mailAcceptingAddress: info@brian-web.com
  • mailAcceptingAddress: info@brianweb.net
  • mailAcceptingAddress: info@alliet.com
  • mailAcceptingAddress: hostmaster@brianweb.net
  • mailAcceptingAddress: hostmaster@brian-web.com
  • mailAcceptingAddress: hostmaster@the-glow.net

24
Postfix Configuration
  • ldap_virtual_server_host = ldap_host
  • ldap_virtual_bind
  • ldap_virtual_search_base = dc=myco,dc=net
  • ldap_virtual_query_filter = (&(objectclass=posixAccount)(mailAcceptingAddress=%s))
  • ldap_virtual_result_attribute = uid
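Slides 22 to 24 show the key-to-value mapping: the address being delivered to is substituted for %s in the query filter and the uid of the matching entry comes back. The example below is added here and is not code from the presentation or from Postfix. It implements the RFC 4515 escaping that a lookup key needs before it is placed in a filter (Postfix's own LDAP client applies this quoting to %s), plus a deliberately minimal evaluator for AND and equality filters so the effect can be observed on constructed in-memory entries with hypothetical users.

```python
import re

# Constructed directory entries (hypothetical users); attribute names are
# lower-cased because LDAP attribute types are case-insensitive.
ENTRIES = [
    {"objectclass": ["person", "posixAccount"], "uid": ["brian"],
     "mailacceptingaddress": ["webmaster@brianweb.net", "info@brianweb.net"]},
    {"objectclass": ["person", "posixAccount"], "uid": ["alice"],
     "mailacceptingaddress": ["alice@brianweb.net"]},
]

# The query_filter from the slides, with the %s placeholder for the lookup key.
QUERY_FILTER = "(&(objectclass=posixAccount)(mailAcceptingAddress=%s))"

# RFC 4515 escaping for a value placed inside a search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template, key, escape=True):
    """Substitute the lookup key for %s; escape=False shows the unsafe variant."""
    return template.replace("%s", escape_filter_value(key) if escape else key)


# --- minimal filter evaluator: only (&...) and (attr=value) with * wildcards
def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(filt, pos=0):
    if filt[pos] != "(":
        raise ValueError("expected '(' at %d in %r" % (pos, filt))
    pos += 1
    if filt[pos] == "&":
        pos += 1
        parts = []
        while filt[pos] == "(":
            node, pos = _parse(filt, pos)
            parts.append(node)
        if filt[pos] != ")":
            raise ValueError("unterminated AND filter")
        return ("and", parts), pos + 1
    end = filt.index(")", pos)
    attr, _, pattern = filt[pos:end].partition("=")
    return ("eq", attr.lower(), pattern), end + 1


def _match(node, entry):
    if node[0] == "and":
        return all(_match(child, entry) for child in node[1])
    _, attr, pattern = node
    # Unescaped '*' are wildcards; '\2a' becomes a literal asterisk after unescaping.
    regex = ".*".join(re.escape(_unescape(piece)) for piece in pattern.split("*"))
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in entry.get(attr, []))


def lookup(entries, template, key, result_attribute="uid", escape=True):
    """The virtual-table result for a key: the result_attribute values of matches."""
    filt = expand_filter(template, key, escape)
    node, end = _parse(filt)
    if end != len(filt):
        raise ValueError("trailing text after filter: %r" % filt[end:])
    return sorted(v for e in entries if _match(node, e) for v in e.get(result_attribute, []))


if __name__ == "__main__":
    for key in ("webmaster@brianweb.net", "nobody@brianweb.net", "*"):
        print(key, lookup(ENTRIES, QUERY_FILTER, key), lookup(ENTRIES, QUERY_FILTER, key, escape=False))
```

The last two calls are the point: a key of "*" substituted verbatim turns the equality into a wildcard and matches every account, whereas the escaped form \2a matches only a literal asterisk and returns nothing. Any custom application that builds filters from user-supplied strings (slide 27) needs the same escaping step.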

25
Apache LDAP integration
  • Apache can use LDAP for User authentication
  • Different authentication configurations can be
    used for each directory

26
Apache Configuration Example
  • <Location "/mp3/">
  • AuthName "Brian's MP3s"
  • AuthType Basic
  • AuthLDAPURL ldap://localhost/ou=People,dc=brianweb,dc=net
  • Require valid-user
  • Options Indexes
  • </Location>

27
Custom Applications