New LDAP server 2013
Feb 26th, 2013 by Tim Watts

Requirements and history

I’m replacing the department’s old LDAP server with a new one. The old one had a number of problems:

  • No password policy – had to enforce elsewhere. Related issues.
  • Was a multi branched tree which is overcomplicated for one department with 700 users.
  • On old hardware and not on the VMWare cluster.
  • DN form was random, some used cn=, some uid=

The new LDAP server seeks to implement the following features:

  • Flat tree;
  • A temporary and separate proxy to emulate the old multi branched tree (basically put every account in every tree – works for apache configs that test specific DNs);
  • Uniform DN form of uid=USERNAME,ou=people,dc=dighum,dc=kcl,dc=ac,dc=uk
  • Changing a password will trigger creation or update of the MIT Kerberos principal on the new Kerberos server (on the same host as LDAP);
  • MIT Kerberos will enforce the password policy (10 or more characters, 3 or more character classes out of upper, lower, digit, punctuation and space/unprintable);
  • Allow smooth transition to having LDAP use kerberos as a backend auth service via saslauthd;
  • Local root user on LDAP server will be able to run ldap* commands without password for scripting – like we can use kadmin.local;

Basic test setup

This assumes Debian 6. Unless a section says otherwise, commands are run as root on the master LDAP/Kerberos server (tokaimura.cch.kcl.ac.uk); the commands under “Tests run from ldaptest1.cch.kcl.ac.uk” are run on the test server. Every TestTestNN password and every hash derived from one is test data and must be replaced with something more suitable for production deployment.

Note: we are changing DNS domains from the historical cch.kcl.ac.uk to dighum.kcl.ac.uk which is why there is disparity.

Install and setup MIT Kerberos

aptitude install krb5-admin-server krb5-config krb5-doc krb5-kdc krb5-user libpam-krb5

kdb5_util create -s

Set Master Key to TestTest10

Config:

/etc/krb5.conf

[libdefaults]
 default_realm = DIGHUM.KCL.AC.UK
 kdc_timesync = 1
 ccache_type = 4
 forwardable = true
 proxiable = true
 # These two lines pin tickets to 3DES even though kdc.conf advertises
 # aes256-cts; remove them to let the library default (which includes AES) apply.
 default_tgs_enctypes = des3-hmac-sha1
 default_tkt_enctypes = des3-hmac-sha1
[realms]
 DIGHUM.KCL.AC.UK = {
 kdc = kdc1.cch.kcl.ac.uk
 admin_server = kerberos.cch.kcl.ac.uk
 default_domain = cch.kcl.ac.uk
 }
[domain_realm]
 .cch.kcl.ac.uk = DIGHUM.KCL.AC.UK
 cch.kcl.ac.uk = DIGHUM.KCL.AC.UK
 .dighum.kcl.ac.uk = DIGHUM.KCL.AC.UK
 dighum.kcl.ac.uk = DIGHUM.KCL.AC.UK
[login]
 krb4_convert = false
 krb4_get_tickets = false
[appdefaults]
 forwardable = true
 pam = {
 DIGHUM.KCL.AC.UK = {
 forwardable = true
 ccache = /tmp/krb5cc_%u
 }
 }
[logging]
 kdc = SYSLOG:INFO:DAEMON
 admin_server = SYSLOG:INFO:DAEMON
 default = SYSLOG:INFO:DAEMON

/etc/krb5kdc/kadm5.acl

*/admin@DIGHUM.KCL.AC.UK *
smbkrb5pwd/tokaimura.cch.kcl.ac.uk *

/etc/krb5kdc/kdc.conf

[kdcdefaults]
 kdc_ports = 750,88
 kdc_tcp_ports = 750,88
[realms]
 DIGHUM.KCL.AC.UK = {
 database_name = /var/lib/krb5kdc/principal
 admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
 acl_file = /etc/krb5kdc/kadm5.acl
 key_stash_file = /etc/krb5kdc/stash
 kdc_ports = 750,88
 max_life = 10h 0m 0s
 max_renewable_life = 7d 0h 0m 0s
 master_key_type = des3-hmac-sha1
 # des-cbc-crc and the des:* entries are single DES (56-bit) and arcfour-hmac
 # is RC4; they are only here for legacy clients and should be dropped once
 # nothing needs them.
 supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
 default_principal_flags = +preauth
 }

Setup some working principals

mkdir /etc/ldap
kadmin.local  
  add_policy -minlength 10 -maxlife "380 days" -minclasses 3 -history 10 -maxfailure 5 -failurecountinterval 3600 -lockoutduration 3600 default
  add_principal -clearpolicy -randkey host/tokaimura.cch.kcl.ac.uk
  add_principal -clearpolicy -randkey smbkrb5pwd/tokaimura.cch.kcl.ac.uk
  add_principal -pw TestTest20 test1
  ktadd host/tokaimura.cch.kcl.ac.uk
  ktadd -k /etc/ldap/smbkrb5pwd.keytab smbkrb5pwd/tokaimura.cch.kcl.ac.uk
  exit
chown openldap.openldap /etc/ldap/smbkrb5pwd.keytab
chmod 600 /etc/ldap/smbkrb5pwd.keytab
/etc/init.d/krb5-kdc restart
/etc/init.d/krb5-admin-server restart

That’s kerberos done…

kinit test1

will verify (use password TestTest20)

Install and configure slapd (OpenLDAP server)

apt-get install slapd ldap-utils libnss-ldap libpam-ldap
rm -rf /etc/ldap/slapd.d     # We hate cn=config
cp -v /vol/source/smbkrb5pwd/1.0.0/smbkrb5pwd/.libs/smbkrb5pwd.so* /usr/lib/ldap/

The last step is a local custom step to provide the smbkrb5pwd module that communicates password changes to the kerberos server.

Config

/etc/ldap/slapd.conf

# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.
#######################################################################
# Global Directives:
# Features to permit
# bind_anon_dn turns a simple bind with a DN and an empty password into an
# anonymous session instead of an error, and update_anon lets anonymous
# updates through to the ACLs. Nothing in the tests below needs either;
# keep them only if some application is known to rely on them.
allow bind_anon_cred bind_anon_dn update_anon
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
#include /etc/ldap/schema/ppolicy.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel sync stats
# The maximum number of entries that is returned for a search operation
sizelimit 5000
tool-threads 1
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_hdb
moduleload back_relay
moduleload rwm
#moduleload ppolicy
moduleload smbkrb5pwd
# TLS
TLSCipherSuite SECURE256:!AES-128-CBC
TLSCACertificateFile /etc/ssl/certs/CA-cch.kcl.ac.uk.pem
TLSCertificateFile /etc/ldap/ssl/ldapmaster.cch.kcl.ac.uk.crt
TLSCertificateKeyFile /etc/ldap/ssl/ldapmaster.cch.kcl.ac.uk.key
# Overlays
overlay rwm
rwm-rewriteEngine on
# Default password hash. {SASL} is the bodge described under
# "Bug – setting passwords" below; use {SSHA} until every account has a
# Kerberos principal.
password-hash {SASL}
backend hdb
#######################################################################
# Global ACLs
#
# Ensure read access to the base for things like
# supportedSASLMechanisms.
access to dn.base="" by * read
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# This ACL must be first or password leakage will happen!!!
access to attrs=userPassword 
 by peername.path="/var/run/slapd/ldapi" manage
 by dn="cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk" manage
 by self write
 by * auth
#by set="user/uid & [cn=sysadmin,ou=groups,dc=dighum,dc=kcl,dc=ac,dc=uk]/memberUid" write
access to attrs=shadowLastChange 
 by peername.path="/var/run/slapd/ldapi" manage
 by dn="cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk" manage
 by self read
#by set="user/uid & [cn=sysadmin,ou=groups,dc=dighum,dc=kcl,dc=ac,dc=uk]/memberUid" write
# The admin dn has full write access, everyone else
# can read everything. Local unix domain socket (root only)
# Can do everything
access to * 
 by peername.path="/var/run/slapd/ldapi" manage
 by dn="cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk" manage
 by * read 
#by set="user/uid & [cn=sysadmin,ou=groups,dc=dighum,dc=kcl,dc=ac,dc=uk]/memberUid" write
#######################################################################
# Main dighum.kcl.ac.uk authoritative database
#
database hdb
suffix dc=dighum,dc=kcl,dc=ac,dc=uk
# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn "cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk"
rootpw "{SSHA}YgC58XfZEiVuRLxS0oS6aM4txuY5mXFE"
# Password is TestTest30
# Where the database file are physically stored for database #1
directory "/var/lib/ldap"
# The dbconfig settings are used to generate a DB_CONFIG file the first
# time slapd starts. They do NOT override existing an existing DB_CONFIG
# file. You should therefore change these settings in DB_CONFIG directly
# or remove DB_CONFIG and restart slapd for changes to take effect.
# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 134217728 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq
lastmod on
checkpoint 512 30
#######################################################################
#
# Policies for main backend database
# Warning - these are called in REVERSE order listed
#
#
# Kerberos password synchronise - this runs via smbkrb5pwd.so compiled from
# /vol/source/smbkrb5pwd/1.0.0/smbkrb5pwd/smbkrb5pwd.c
#
overlay smbkrb5pwd
smbkrb5pwd-enable krb5
smbkrb5pwd-krb5realm DIGHUM.KCL.AC.UK
smbkrb5pwd-requiredclass posixAccount

/etc/ldap/initialsetup/killnreload.sh

#!/bin/sh
# Throw away the database and reload it from the LDIF files below.
/etc/init.d/slapd stop
rm -f /var/lib/ldap/*
slapadd -l /etc/ldap/initialsetup/core.ldif
slapadd -l /etc/ldap/initialsetup/test.ldif
chown -R openldap.openldap /var/lib/ldap/
/etc/init.d/slapd start

/etc/ldap/initialsetup/core.ldif

dn: dc=dighum,dc=kcl,dc=ac,dc=uk
objectClass: top
objectClass: dcObject
objectClass: organization
o: dighum.kcl.ac.uk
dc: dighum

dn: cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: {SSHA}BMWNIXzpUwNHj8P7hSdP1iAJMgEz03k6
# Password is TestTest31

dn: ou=people,dc=dighum,dc=kcl,dc=ac,dc=uk
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=dighum,dc=kcl,dc=ac,dc=uk
objectClass: organizationalUnit
ou: groups

/etc/ldap/initialsetup/test.ldif

dn: uid=lumpy,ou=people,dc=dighum,dc=kcl,dc=ac,dc=uk
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Uncle Lumpy
employeeType: Staff
gecos: Uncle Lumpy
gidNumber: 1000
givenName: Uncle
homeDirectory: /homes/lumpy
loginShell: /bin/bash
mail: tw_spam@dionic.net
sn: Lumpy
uid: lumpy
uidNumber: 1000
userPassword: {SSHA}DaRP8agJqStzQyThfzVFAKO80BIQmUk/
# Password is TestTest40

dn: cn=lumpygroup,ou=groups,dc=dighum,dc=kcl,dc=ac,dc=uk
objectClass: top
objectClass: posixGroup
cn: lumpygroup
description: Lumpy Group
gidNumber: 1000
memberUid: lumpy

dn: cn=coffee-admin,ou=groups,dc=dighum,dc=kcl,dc=ac,dc=uk
objectClass: top
objectClass: posixGroup
cn: coffee-admin
description: System: Coffee Machine Guru
gidNumber: 1001
memberUid: lumpy

dn: cn=whisky,ou=groups,dc=dighum,dc=kcl,dc=ac,dc=uk
objectClass: top
objectClass: posixGroup
cn: whisky
description: People who like to get mashed on whisky
gidNumber: 1002
memberUid: lumpy

saslauthd config

/etc/default/saslauthd

# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="kerberos5"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-m /var/run/saslauthd"

/etc/ldap/sasl2/slapd.conf

pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

Load slapd with a fresh test database

cd /etc/ldap/
sh initialsetup/killnreload.sh

Test server

Hostname: ldaptest1.cch.kcl.ac.uk. All other host names in the following section (ldapmaster, kdc1, kerberos) are aliases for tokaimura.cch.kcl.ac.uk, the LDAP and Kerberos master server.

Other configs for ldaptest1

/etc/pam_ldap.conf

base dc=dighum,dc=kcl,dc=ac,dc=uk
uri ldap://ldapmaster.cch.kcl.ac.uk.
ldap_version 3
timelimit 10
pam_filter objectclass=posixAccount
pam_member_attribute memberUid
pam_password exop
nss_map_attribute uniqueMember member
nss_base_passwd dc=dighum,dc=kcl,dc=ac,dc=uk
nss_base_shadow dc=dighum,dc=kcl,dc=ac,dc=uk
nss_base_group dc=dighum,dc=kcl,dc=ac,dc=uk
tls_checkpeer no
pam_min_uid 500
pam_max_uid 65000

/etc/libnss-ldap.conf

base dc=dighum,dc=kcl,dc=ac,dc=uk
uri ldap://ldapmaster.cch.kcl.ac.uk.
ldap_version 3

Tests run from ldaptest1.cch.kcl.ac.uk

(Each command is followed by its response)

ldapwhoami -x -w TestTest40 -D uid=lumpy,ou=People,dc=dighum,dc=kcl,dc=ac,dc=uk
dn:uid=lumpy,ou=people,dc=dighum,dc=kcl,dc=ac,dc=uk
ldappasswd -x -w TestTest40 -s test -D uid=lumpy,ou=People,dc=dighum,dc=kcl,dc=ac,dc=uk
 Result: Local error (-2)
The last command fails because the password is too weak for the kerberos server. In /var/log/syslog on tokaimura you should see
2013-02-26 17:12:46 +00:00 [notice:daemon] kadmind[16409]: Request: kadm5_create_principal, lumpy@DIGHUM.KCL.AC.UK, Password is too short, client=smbkrb5pwd/tokaimura.cch.kcl.ac.uk@DIGHUM.KCL.AC.UK, service=kadmin/admin@DIGHUM.KCL.AC.UK, addr=137.73.123.90
2013-02-26 17:12:46 +00:00 [err:local4] slapd[16486]: smbkrb5pwd conn=1002 op=1 : Problem creating principal for user lumpy@DIGHUM.KCL.AC.UK: Password is too short

listprincs in kadmin.local should NOT show a principal called lumpy@DIGHUM.KCL.AC.UK. The principal did not exist, so smbkrb5pwd tried to create it with the password “test” and the policy “default”. The policy “default” (which kadmin applies automatically to new principals when a policy of that name exists) rejects this because “test” is too short (fewer than 10 characters) and does not contain 3 or more character classes.

However, the command:

ldappasswd -x -w TestTest40 -s TestTest41 -D uid=lumpy,ou=People,dc=dighum,dc=kcl,dc=ac,dc=uk

should work, with no error. This will have created a kerberos principal lumpy@DIGHUM.KCL.AC.UK with the same password. Verify this on tokaimura:

kinit lumpy

and supply  TestTest41 as the password.
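Added example (not from the original post): a client-side mirror of the kadmin “default” policy defined earlier (minlength 10, minclasses 3), so that provisioning scripts can reject a weak password before ldappasswd hands it to smbkrb5pwd and gets back the unhelpful “Local error (-2)”. The five character classes are the ones listed in the requirements (upper, lower, digit, punctuation, space/unprintable); the POLICY_* names and the set_ldap_password wrapper are mine, not part of the post.

```shell
#!/bin/sh
# Added example, not from the original post. Checks a candidate password
# against the same limits as the kadmin "default" policy above, so a script
# gets a readable reason instead of "Local error (-2)" from ldappasswd.

POLICY_MINLENGTH=10      # matches: add_policy -minlength 10
POLICY_MINCLASSES=3      # matches: add_policy -minclasses 3

# count_classes PASSWORD -> prints how many of the five MIT krb5 character
# classes (upper, lower, digit, punctuation, other) the password uses.
count_classes() {
    n=0
    for class in '[[:upper:]]' '[[:lower:]]' '[[:digit:]]' '[[:punct:]]' \
                 '[^[:upper:][:lower:][:digit:][:punct:]]'; do
        # the password goes to grep on stdin, never as an argument
        if printf '%s' "$1" | grep -q "$class"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# krb5_policy_check PASSWORD -> returns 0 if the policy would accept it,
# 1 otherwise, with the reason on stderr in the wording kadmind logs.
krb5_policy_check() {
    pw=$1
    if [ "${#pw}" -lt "$POLICY_MINLENGTH" ]; then
        echo "Password is too short" >&2
        return 1
    fi
    if [ "$(count_classes "$pw")" -lt "$POLICY_MINCLASSES" ]; then
        echo "Password does not contain enough character classes" >&2
        return 1
    fi
    return 0
}

# set_ldap_password DN OLDPW NEWPW: the ldappasswd call from the tests above,
# run only after the local check passes. Needs ldap-utils and a reachable
# master, so it is not exercised offline.
set_ldap_password() {
    krb5_policy_check "$3" || return 1
    ldappasswd -x -D "$1" -w "$2" -s "$3"
}
```

The check is a pre-filter only: the KDC still applies the policy (and the password history, which cannot be checked client-side), so a rejection from kadmind must still be handled.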

Now to prove that ldap is still using its internal hash in userPassword to authenticate binds

kadmin.local
  change_password -pw TestTest39 lumpy
  exit

Now, on ldaptest1, try

ldapwhoami -x -w TestTest41 -D uid=lumpy,ou=People,dc=dighum,dc=kcl,dc=ac,dc=uk
dn:uid=lumpy,ou=people,dc=dighum,dc=kcl,dc=ac,dc=uk

OK, good. It works. Let’s reset the kerberos password:

ldappasswd -x -w TestTest41 -s TestTest42 -D uid=lumpy,ou=People,dc=dighum,dc=kcl,dc=ac,dc=uk

Now, we have to update the userPassword entry to tell slapd to use kerberos (via SASL via saslauthd) for this DN. Put this in a file:

setuserpwsasl.ldif

dn: uid=lumpy,ou=people,dc=dighum,dc=kcl,dc=ac,dc=uk
changetype: modify
replace: userPassword
userPassword: {SASL}lumpy@DIGHUM.KCL.AC.UK

and run:

ldapmodify -H ldapi:/// -x < initialsetup/setuserpwsasl.ldif
modifying entry "uid=lumpy,ou=people,dc=dighum,dc=kcl,dc=ac,dc=uk"

(The slapd.conf allows admin access if connected via the slapd unix domain socket – and we fixed that to be accessible to root users only.)

Let’s test it on ldaptest1

ldapwhoami -x -w TestTest42 -D uid=lumpy,ou=People,dc=dighum,dc=kcl,dc=ac,dc=uk
dn:uid=lumpy,ou=people,dc=dighum,dc=kcl,dc=ac,dc=uk

And tokaimura’s syslog should show:

slapd[16918]: conn=1014 fd=21 ACCEPT from IP=137.73.123.228:36747 (IP=0.0.0.0:389)
2013-02-26 18:52:36 +00:00 [debug:local4] slapd[16918]: conn=1014 op=0 BIND dn="uid=lumpy,ou=People,dc=dighum,dc=kcl,dc=ac,dc=uk" method=128
2013-02-26 18:52:36 +00:00 [info:daemon] krb5kdc[16375]: AS_REQ (1 etypes {16}) 137.73.123.90: NEEDED_PREAUTH: lumpy@DIGHUM.KCL.AC.UK for krbtgt/DIGHUM.KCL.AC.UK@DIGHUM.KCL.AC.UK, Additional pre-authentication required 
2013-02-26 18:52:36 +00:00 [info:daemon] krb5kdc[16375]: AS_REQ (1 etypes {16}) 137.73.123.90: ISSUE: authtime 1361904756, etypes {rep=16 tkt=18 ses=16}, lumpy@DIGHUM.KCL.AC.UK for krbtgt/DIGHUM.KCL.AC.UK@DIGHUM.KCL.AC.UK
2013-02-26 18:52:36 +00:00 [info:daemon] krb5kdc[16375]: TGS_REQ (1 etypes {16}) 137.73.123.90: ISSUE: authtime 1361904756, etypes {rep=16 tkt=18 ses=16}, lumpy@DIGHUM.KCL.AC.UK for host/tokaimura.cch.kcl.ac.uk@DIGHUM.KCL.AC.UK
2013-02-26 18:52:36 +00:00 [debug:local4] slapd[16918]: conn=1014 op=0 BIND dn="uid=lumpy,ou=people,dc=dighum,dc=kcl,dc=ac,dc=uk" mech=SIMPLE ssf=0
2013-02-26 18:52:36 +00:00 [debug:local4] slapd[16918]: conn=1014 op=0 RESULT tag=97 err=0 text=
2013-02-26 18:52:36 +00:00 [debug:local4] slapd[16918]: conn=1014 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.3 
2013-02-26 18:52:36 +00:00 [debug:local4] slapd[16918]: conn=1014 op=1 WHOAMI
2013-02-26 18:52:36 +00:00 [debug:local4] slapd[16918]: conn=1014 op=1 RESULT oid= err=0 text= 
2013-02-26 18:52:36 +00:00 [debug:local4] slapd[16918]: conn=1014 op=2 UNBIND
2013-02-26 18:52:36 +00:00 [debug:local4] slapd[16918]: conn=1014 fd=21 closed

The AS_REQ/ISSUE lines show the KDC issuing a TGT for lumpy, which means Kerberos is being called for authentication. The TGS_REQ for host/tokaimura.cch.kcl.ac.uk that follows is saslauthd verifying that TGT against the host keytab created with ktadd earlier, which is what stops a spoofed KDC from making any password look valid. Not only that, but on tokaimura:

kadmin.local
  getprinc lumpy
Principal: lumpy@DIGHUM.KCL.AC.UK
Expiration date: [never]
Last password change: Tue Feb 26 18:34:48 GMT 2013
Password expiration date: Thu Mar 13 18:34:48 GMT 2014
Maximum ticket life: 0 days 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Feb 26 18:34:48 GMT 2013 (smbkrb5pwd/tokaimura.cch.kcl.ac.uk@DIGHUM.KCL.AC.UK)
Last successful authentication: Tue Feb 26 18:52:36 GMT 2013
Last failed authentication: Tue Feb 26 18:52:24 GMT 2013
Failed password attempts: 0
<Boring stuff snipped>
Policy: default
  exit

Excellent. Now we have last auth times, password failure control (try it – it works), password expiration and password policy control. Granted, it will not be pretty when an account gets locked out for any reason – we must write some cron scripts to run over the kerberos database and send emails: one to the sysadmin if an account gets locked and one to the user if the account gets locked or the password is about to expire.
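Added example (not from the original post): a skeleton for the cron check described above. principal_status parses getprinc output and classifies a principal as locked, expired, expiring or ok; report_principals walks listprincs on the master and prints one line per principal that needs a mail. It assumes GNU date for the timestamps kadmin prints, treats a failure counter at the policy’s maxfailure of 5 as “locked” (getprinc prints no lock flag, so this is an approximation), and the WARN_DAYS value and both function names are mine. The sample output is constructed from the getprinc listing shown above; sending the mail is left to the caller.

```shell
#!/bin/sh
# Added example, not from the original post: skeleton of the cron check that
# walks the Kerberos database and flags locked or expiring principals.
# Assumes GNU date (date -d) to parse the timestamps kadmin prints.

MAXFAILURE=5     # from: add_policy ... -maxfailure 5 ... default
WARN_DAYS=14     # hypothetical: warn the user this many days before expiry

# principal_status NOW_EPOCH  < getprinc-output
# Prints one of: locked | expired | expiring:<days-left> | ok
# "locked" is an approximation: getprinc has no lock flag, so a failure
# counter at or above maxfailure is reported as locked (kadmind resets it
# on the next successful login once lockoutduration has passed).
principal_status() {
    now=$1
    out=$(cat)
    failed=$(printf '%s\n' "$out" | sed -n 's/^Failed password attempts: //p')
    expires=$(printf '%s\n' "$out" | sed -n 's/^Password expiration date: //p')

    if [ "${failed:-0}" -ge "$MAXFAILURE" ]; then
        echo locked
        return 0
    fi
    case $expires in
        ''|'[never]') echo ok; return 0 ;;
    esac
    exp_epoch=$(date -d "$expires" +%s) || { echo unknown; return 1; }
    days=$(( (exp_epoch - now) / 86400 ))
    if [ "$days" -lt 0 ]; then
        echo expired
    elif [ "$days" -le "$WARN_DAYS" ]; then
        echo "expiring:$days"
    else
        echo ok
    fi
}

# report_principals: cron entry point on the master (needs kadmin.local, so
# it is not exercised offline). Selects user principals (no "/" component,
# which also skips the "Authenticating as principal root/admin" header) and
# prints "principal status" for every one that is not ok.
report_principals() {
    now=$(date +%s)
    kadmin.local -q listprincs | grep '^[^/]*@' | while read -r princ; do
        status=$(kadmin.local -q "getprinc $princ" | principal_status "$now")
        case $status in
            ok) ;;
            *) echo "$princ $status" ;;
        esac
    done
}

# Constructed sample, modelled on the getprinc output shown above; not a
# live capture.
SAMPLE_GETPRINC='Principal: lumpy@DIGHUM.KCL.AC.UK
Expiration date: [never]
Last password change: Tue Feb 26 18:34:48 GMT 2013
Password expiration date: Thu Mar 13 18:34:48 GMT 2014
Maximum ticket life: 0 days 00:00:00
Maximum renewable life: 7 days 00:00:00
Last successful authentication: Tue Feb 26 18:52:36 GMT 2013
Last failed authentication: Tue Feb 26 18:52:24 GMT 2013
Failed password attempts: 0
Policy: default'
```

Run as root from cron on tokaimura, the non-ok lines are what the two emails need; a small wrapper can split them by status and address the sysadmin for “locked” and the user for “expiring”.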

Bug – setting passwords

The only problem is, if the user tries to use ldappasswd, passwd via pam-ldap or any ldap password change operation, the userPassword LDAP entry will get smashed back to a {SSHA} hash. The bodge for this is when everyone has kerberos passwords, in slapd.conf, change:

password-hash {SSHA}

to

password-hash {SASL}

This is a bodge because the Extended Operation Password Modify code does not know about {SASL} so it simply errors and does not change userPassword. smbkrb5pwd has run already though so the kerberos principal is now updated. The user does get a nasty and erroneous error message though. Perhaps an rwm rewrite rule might fix this?
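Added example (not from the original post): the bulk form of setuserpwsasl.ldif for the point where everyone has a Kerberos principal. sasl_migration_ldif turns an LDIF export of the people branch into one modify record per user that points userPassword at the principal; the embedded export is a constructed sample (lumpy from test.ldif plus a made-up second user), and the function name and the REALM variable are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Bulk version of
# setuserpwsasl.ldif: read an LDIF export of the people branch and emit a
# modify record per entry that replaces userPassword with {SASL}uid@REALM.

REALM=DIGHUM.KCL.AC.UK   # the realm from krb5.conf above

# sasl_migration_ldif < export.ldif
# Expects records like the output of:
#   ldapsearch -LLL -H ldapi:/// -x -b ou=people,dc=dighum,dc=kcl,dc=ac,dc=uk \
#       '(objectClass=posixAccount)' uid
# Entries without a uid (the OUs, cn=admin) are skipped. Base64 ("dn::") and
# wrapped DNs are not handled; the flat uid=...,ou=people tree keeps DNs short.
sasl_migration_ldif() {
    awk -v realm="$REALM" '
        function emit() {
            if (dn != "" && uid != "")
                printf "dn: %s\nchangetype: modify\nreplace: userPassword\nuserPassword: {SASL}%s@%s\n\n", dn, uid, realm
            dn = ""; uid = ""
        }
        /^dn: /  { dn = substr($0, 5); next }
        /^uid: / { uid = substr($0, 6); next }
        /^$/     { emit() }
        END      { emit() }
    '
}

# Constructed sample export (lumpy from test.ldif plus a made-up user), not
# real ldapsearch output.
SAMPLE_EXPORT='dn: uid=lumpy,ou=people,dc=dighum,dc=kcl,dc=ac,dc=uk
uid: lumpy

dn: uid=wombat,ou=people,dc=dighum,dc=kcl,dc=ac,dc=uk
uid: wombat
'

# Usage on the master, as root over the unix socket like the single-entry case:
#   ldapsearch -LLL -H ldapi:/// -x -b ou=people,dc=dighum,dc=kcl,dc=ac,dc=uk \
#       '(objectClass=posixAccount)' uid | sasl_migration_ldif | ldapmodify -H ldapi:/// -x
```

Keep the generated LDIF and the previous {SSHA} values (an ldapsearch of userPassword over ldapi before the change) so the switch can be reverted for any user whose principal turns out to be missing: once userPassword is {SASL}, a bind for that user succeeds only if saslauthd can get a ticket for uid@REALM.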

Disk failure in VMWare’s disk array
Feb 11th, 2013 by Tim Watts

Nothing to panic about. A disk failed this weekend and the RAID array immediately took one of the two spares and used it.

I am expecting a new disk this morning from Dell, so assuming that arrives, I will be replacing the failed disk:

LUNCHTIME TODAY, Monday 11th Feb 2013

I expect no problems nor interruptions to any services, but as always, there is a slight risk of bad things happening.

UPDATE

The disk has been replaced and accepted by the system. Everything back to 100% normal 🙂

ssh access to ssh.cch.kcl.ac.uk now works from Eduroam WIFI
Feb 11th, 2013 by Tim Watts

It was previously blocked (by default, not by design).

It’s now open giving local users and visitors another option.

VMWare Backups stuck
Feb 8th, 2013 by Tim Watts

A few jobs have run into snapshots getting stuck.

Fixing now.

Now fixed and verified. Might have to space the backups out slightly. Seem to be occasional problems with snapshots getting stuck – possibly because jobs are running into each other and overloading VMWare.

poms.cch.kcl.ac.uk rebooted
Feb 4th, 2013 by Tim Watts

It is failing to backup due to snapshots failing.  I’m hoping a reboot will clear this and it will be back by the time you read this message.

Confirmed – the problem has been cleared and backups are now 100%.
