From 04b048dd474e6cfc77002ed8b74199b7158058dc Mon Sep 17 00:00:00 2001 From: Valentin Tolmer Date: Mon, 19 Aug 2024 22:37:34 +0200 Subject: [PATCH] example_configs: add PAM configuration guide --- README.md | 10 +++- example_configs/pam/README.md | 89 ++++++++++++++++++++++++++++++++++ example_configs/pam/nslcd.conf | 59 ++++++++++++++++++++++ 3 files changed, 157 insertions(+), 1 deletion(-) create mode 100644 example_configs/pam/README.md create mode 100644 example_configs/pam/nslcd.conf diff --git a/README.md b/README.md index e87fbbd..4129550 100644 --- a/README.md +++ b/README.md @@ -48,6 +48,7 @@ - [Client configuration](#client-configuration) - [Compatible services](#compatible-services) - [General configuration guide](#general-configuration-guide) + - [Integration with OS's](#integration-with-os-s) - [Sample client configurations](#sample-client-configurations) - [Incompatible services](#incompatible-services) - [Migrating from SQLite](#migrating-from-sqlite) @@ -401,7 +402,7 @@ LLDPA configuration file: /etc/lldap/lldap_config.toml
You can also install it as a rc.d service in FreeBSD, see [FreeBSD-install.md](example_configs/freebsd/freebsd-install.md). -The rc.d script file +The rc.d script file [rc.d_lldap](example_configs/freebsd/rc.d_lldap). ### From source @@ -538,6 +539,13 @@ admin rights in the Web UI. Most LDAP integrations should instead use a user in the `lldap_strict_readonly` or `lldap_password_manager` group, to avoid granting full administration access to many services. +### Integration with OS's + +Integration with Linux accounts is possible, through PAM and nslcd. See [PAM +configuration guide](example_configs/pam/README.md). + +Integration with Windows (e.g. Samba) is WIP. + ### Sample client configurations Some specific clients have been tested to work and come with sample diff --git a/example_configs/pam/README.md b/example_configs/pam/README.md new file mode 100644 index 0000000..f9eabb2 --- /dev/null +++ b/example_configs/pam/README.md 
@@ -0,0 +1,89 @@
+# Configure lldap
+
+You MUST use LDAPS. You MUST NOT use plain ldap. Even over a private network
+this costs you nearly nothing, and passwords will be sent in PLAIN TEXT without
+it.
+
+```toml
+[ldaps_options]
+enabled=true
+port=6360
+cert_file="cert.pem"
+key_file="key.pem"
+```
+
+You can generate an SSL certificate for it with the following command. The
+`subjectAltName` is REQUIRED. Make sure all domains are listed there, even your
+`CN`.
+
+```sh
+openssl req -x509 -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 36500 -nodes -subj "/CN=lldap.example.net" -addext "subjectAltName = DNS:lldap.example.net"
+```
+
+# Install the client packages.
+
+This guide used `libnss-ldapd` (which is different from `libnss-ldap`).
+
+PURGE the following ubuntu packages: `libnss-ldap`, `libpam-ldap`
+
+Install the following ubuntu packages: `libnss-ldapd`, `nslcd`, `nscd`, `libpam-ldapd`
+
+# Configure the client's `nslcd` settings.
+
+Edit `/etc/nslcd.conf`. Use the [provided template](./nslcd.conf).
+
+You will need to set `tls_cacertfile` to a copy of the public portion of your
+LDAPS certificate, which must be available on the client. This is used to
+verify the LDAPS server identity.
+
+You will need to add the `binddn` and `bindpw` settings.
+
+The provided implementation uses custom attributes to mark users and groups
+that should be included in the system (for instance, you don't want LDAP
+accounts of other services to have a matching unix user).
+
+For users, you need to add an (integer) `is-unix-user` attribute, set manually
+to 1 for the users you want to enable. This could also be implemented as a
+group membership.
+
+For groups, you need an (integer) `is-unix-group` attribute, similarly set to 1
+(this cannot be replaced by group membership until LLDAP supports nested group
+memberships).
+
+If you want to change this representation, update the `filter passwd` and
+`filter group` accordingly.
+
+You should check whether you need to edit the `pam_authz_search` setting. This
+is used after authentication, at the PAM `account` stage, to determine whether
+the user should be allowed to log in. If someone is an LDAP user, even if they
+use an SSH key to log in, they must still pass this check. The provided example
+will check for membership of a group named `YOUR_LOGIN_GROUP_FOR_THIS_MACHINE`.
+
+You should review the `map` settings. These contain custom attributes that you
+will need to add to lldap and set on your users.
+
+# Configure the client OS.
+
+Ensure the `nslcd` and `nscd` services are installed and running. `nslcd`
+provides LDAP NSS service. `nscd` provides caching for NSS databased. You want
+the caching.
+
+```
+systemctl enable --now nslcd nscd
+```
+
+Configure PAM to create the home directory for LDAP users automatically at
+first login.
+
+```
+pam-auth-update --enable mkhomedir
+```
+
+Edit /etc/nsswitch.conf and add "ldap" to the END of the "passwd" and "group"
+lines.
+
+You're done!
+
+## Clearing nscd caches.
+
+If you want to manually clear nscd's caches, run `nscd -i passwd; nscd -i group`.
diff --git a/example_configs/pam/nslcd.conf b/example_configs/pam/nslcd.conf
new file mode 100644
index 0000000..0e674d6
--- /dev/null
+++ b/example_configs/pam/nslcd.conf
@@ -0,0 +1,59 @@
+# /etc/nslcd.conf
+# nslcd configuration file. See nslcd.conf(5)
+# for details.
+
+# The user and group nslcd should run as.
+uid nslcd
+gid nslcd
+
+# The location at which the LDAP server(s) should be reachable.
+uri ldaps://lldap.example.net:6360/
+
+# The search base that will be used for all queries.
+base dc=example,dc=net
+
+# The LDAP protocol version to use.
+#ldap_version 3
+
+# The DN to bind with for normal lookups.
+#binddn cn=...,ou=people,dc=example,dc=com
+#bindpw ...
+
+# The DN used for password modifications by root.
+#rootpwmoddn cn=admin,dc=example,dc=com
+
+# SSL options
+#ssl off
+tls_reqcert demand
+tls_cacertfile /etc/cert-lldap.example.com.pem
+
+# The search scope.
+#scope sub
+
+reconnect_invalidate passwd group
+nss_initgroups_ignoreusers ALLLOCAL
+
+# Do you have users/groups that aren't for linux? These filters determine which user/group objects are used.
+filter passwd (&(objectClass=posixAccount)(is-unix-user=1))
+filter group (&(objectClass=groupOfUniqueNames)(is-unix-group=1))
+
+# This check is done AFTER authentication, in the pam "account" stage.
+# Regardless of if they used a LDAP password, or an SSH key, if they're an LDAP user, they have to pass this check.
+pam_authz_search (&(objectClass=posixAccount)(is-unix-user=1)(unix-username=$username)(memberOf=cn=YOUR_LOGIN_GROUP_FOR_THIS_MACHINE,ou=groups,dc=example,dc=com))
+
+
+map passwd uid unix-username
+map passwd uidNumber unix-uid
+map passwd gidNumber unix-uid
+map passwd gecos unix-username
+map passwd homeDirectory "/home/${unix-username}"
+map passwd loginShell unix-shell
+
+map group gidNumber unix-gid
+map group memberUid member
+
+nss_min_uid 1000
+
+pam_password_prohibit_message "Please use the forgot password link on https://lldap.example.com/ to change your password."
+
+
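Review bot: `map passwd gidNumber unix-uid` sets every LDAP user's primary group ID to their own UID, and because `filter group` only returns objects with `is-unix-group=1` nothing guarantees a group with that number exists, so at login the kernel hands the user the permissions of whatever group — including a local one from `/etc/group` — happens to carry that gid. Either state in a comment that `unix-uid` values must not collide with any local or LDAP gid, or map the primary group to a dedicated attribute (e.g. `map passwd gidNumber unix-gid`) backed by a real `is-unix-group=1` object. The template also mixes example domains: `base dc=example,dc=net` and `uri ldaps://lldap.example.net` against `dc=example,dc=com` in `pam_authz_search`, the `binddn`/`rootpwmoddn` comments, `tls_cacertfile` and the prohibit message, so someone who only edits `base` ends up with an authorization filter that can never match (it fails closed, but is painful to debug). Since `rootpwmoddn` stays commented out and password changes are refused via `pam_password_prohibit_message`, the `binddn` account only needs lookup rights — nslcd authenticates users by binding as their own DN — so a comment such as `# use a member of lldap_strict_readonly here; never an admin account` next to `#binddn` would match the guidance in the top-level README. Once `bindpw` is filled in this file holds a credential and should be noted as root-owned, mode 0600.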