User-level and website authentication under CentOS 7.x

Naturally we want to rely on our central OpenLDAP directory service when authenticating our clients. Below we look at a few examples.

  1. local users
    On the clients concerned we no longer want each user to be authenticated against the local /etc/shadow, because that would mean maintaining the users manually on every host. After all, users should be able to use the same password no matter which host they log in to. Not least for this reason we opted for a central OpenLDAP server.
  2. remote users
    When our users log in to our websites that require authentication before pages can be retrieved, they should do so with the user name and password they already know from the central OpenLDAP directory service. For this we look at the configuration steps required on the two web servers Apache and NGiNX.

We now have the necessary root certificates in the file /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem and only have to tell our openldap client to use them. To do so we edit the configuration file of the openldap client.

 # vim /etc/openldap/ldap.conf
# LDAP Defaults
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE           dc=example,dc=com
#URI            ldap://ldap.example.com ldap://ldap-master.example.com:666
# Django: 2015-07-17
# default: unset
#         Definition of the subtree / search base queried by default
#         Queries are executed below dc=nausch, dc=org
BASE            dc=nausch, dc=org
#         Definition of the LDAP server
URI             ldap://openldap.dmz.nausch.org
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
# Django : 2015-07-17
# default:      TLS_CACERTDIR   /etc/openldap/certs
# Django : 2015-07-16
#          Path and file containing the trusted root certificates
# default: unset
TLS_CACERT      /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
# Turning this off breaks GSSAPI used with krb5 when rdns = false

To test, we once again send a query to our OpenLDAP server.

 # ldapsearch -W -x -b "dc=nausch,dc=org" "uid=django" \
              -D "cn=Technischeruser,dc=nausch,dc=org" -LLL \
              -H ldaps://openldap.dmz.nausch.org
Enter LDAP Password: 
dn: uid=django,ou=People,dc=nausch,dc=org
uid: django
cn: django
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 16617
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/django
gecos: django
userPassword:: RGQ0bWRkMyE=
 # yum install nscd nss-pam-ldapd -y
 # rpm -qil nscd
Name        : nscd
Version     : 2.17
Release     : 78.el7
Architecture: x86_64
Install Date: Mo 20 Jul 2015 16:30:11 CEST
Group       : System Environment/Daemons
Size        : 183104
License     : LGPLv2+ and LGPLv2+ with exceptions and GPLv2+
Signature   : RSA/SHA256, Sa 14 Mär 2015 09:20:11 CET, Key ID 24c6a8a7f4a80eb5
Source RPM  : glibc-2.17-78.el7.src.rpm
Build Date  : Do 05 Mär 2015 22:50:19 CET
Build Host  : worker1.bsys.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem <http://bugs.centos.org>
Vendor      : CentOS
URL         : http://www.gnu.org/software/glibc/
Summary     : A Name Service Caching Daemon (nscd).
Description :
Nscd caches name service lookups and can dramatically improve
performance with NIS+, and may help with DNS as well.
 # rpm -qil nss-pam-ldapd
Name        : nss-pam-ldapd
Version     : 0.8.13
Release     : 8.el7
Architecture: x86_64
Install Date: Mo 20 Jul 2015 16:30:14 CEST
Group       : System Environment/Base
Size        : 416576
License     : LGPLv2+
Signature   : RSA/SHA256, Fr 04 Jul 2014 05:58:15 CEST, Key ID 24c6a8a7f4a80eb5
Source RPM  : nss-pam-ldapd-0.8.13-8.el7.src.rpm
Build Date  : Di 10 Jun 2014 08:03:46 CEST
Build Host  : worker1.bsys.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem <http://bugs.centos.org>
Vendor      : CentOS
URL         : http://arthurdejong.org/nss-pam-ldapd/
Summary     : An nsswitch module which uses directory servers
Description :
The nss-pam-ldapd daemon, nslcd, uses a directory server to look up name
service information (users, groups, etc.) on behalf of a lightweight
nsswitch module.
 # man authconfig
AUTHCONFIG(8)                      System Manager's Manual                      AUTHCONFIG(8)

       authconfig,  authconfig-tui  -  an  interface  for  configuring  system authentication

              [options]  {--update|--updateall|--test|--probe|--restorebackup  <name>|--save‐
              backup <name>|--restorelastbackup}

       authconfig  provides  a  simple method of configuring /etc/sysconfig/network to handle
       NIS, as well as /etc/passwd and /etc/shadow, the files used for shadow  password  sup‐
       port.  Basic LDAP, Kerberos 5, and Winbind client configuration is also provided.

       If --test action is specified, the authconfig just reads the current settings from the
       various configuration files and prints their values.  If --update action is specified,
       authconfig  must be run by root (or through console helper), and configuration changes
       are saved. Only the files affected by the configuration changes are  overwritten.   If
       --updateall  action  is  specified, authconfig must be run by root (or through console
       helper), and all configuration files are written.  The --probe action instructs  auth‐
       config  to  use DNS and other means to guess at configuration information for the cur‐
       rent host, print its guesses if it finds them, to standard output, and exit.

       The --restorebackup, --savebackup, and --restorelastbackup actions provide a possibil‐
       ity  to  save and later restore a backup of configuration files which authconfig modi‐
       fies. Authconfig also saves an automatic backup of configuration  files  before  every
       configuration  change.  This special backup can be restored by the --restorelastbackup

       If --nostart is specified (which is what the install program does),  ypbind  or  other
       daemons  will  not  be started or stopped immediately following program execution, but
       only enabled to start or stop at boot time.

       The --enablenis, --enableldap, --enablewinbind, and --enablehesiod options are used to
       configure user information services in /etc/nsswitch.conf, the --enablecache option is
       used to configure naming services caching, and the  --enableshadow,  --enableldapauth,
       --enablekrb5,  and  --enablewinbindauth  options  are used to configure authentication
       functions via /etc/pam.d/system-auth.  Each --enable has a matching  --disable  option
       that  disables  the  service  if  it  is already enabled. The respective services have
       parameters which configure their server names etc.

       The algorithm used for storing new password hashes can be specified by the  --passalgo
       option  which  takes  one  of  the following possible values as a parameter: descrypt,
       bigcrypt, md5, sha256, and sha512.

       The --enablelocauthorize option allows to bypass checking network authentication  ser‐
       vices  for  authorization  and  the --enablesysnetauth allows authentication of system
       accounts (with uid < 500) by these services.

       When the configuration settings allow use of SSSD for user  information  services  and
       authentication, SSSD will be automatically used instead of the legacy services and the
       SSSD configuration will be set up so there is a default domain populated with the set‐
       tings  required to connect the services. The --enablesssd and --enablesssdauth options
       force adding SSSD to /etc/nsswitch.conf and /etc/pam.d/system-auth, but  they  do  not
       set  up  the  domain in the SSSD configuration files. The SSSD configuration has to be
       set up manually. The allowed configuration of services for SSSD  are:  LDAP  for  user
       information   (--enableldap)   and   either   LDAP   (--enableldapauth),  or  Kerberos
       (--enablekrb5) for authentication.

       In case SSSD does not support some feature of the legacy services  that  are  required
       for  the  site  configuration, the use of the legacy services can be forced by setting
       FORCELEGACY=yes in /etc/sysconfig/authconfig.

       The list of options mentioned here in the manual page is not exhaustive, please  refer
       to authconfig --help for the complete list of the options.

       The  authconfig-tui  supports all options of authconfig but it implies --update as the
       default action. Its window contains a Cancel button by default. If  --back  option  is
       specified  at  run  time, a Back button is presented instead. If --kickstart is speci‐
       fied, no interactive screens will be seen. The values the program  will  use  will  be
       those specified by the other options (--passalgo, --enableshadow, etc.).

       For  namelist  you  may  substitute  either a single name or a comma-separated list of

       The authconfig-tui is deprecated. No new configuration settings will be  supported  by
       its  text user interface. Use system-config-authentication GUI application or the com‐
       mand line options instead.

       The /usr/bin/authconfig uses the consolehelper to  authenticate  as  the  system  user
       before  it starts up. If you want to run it directly without the authentication as the
       system user, run the /usr/sbin/authconfig command.

       The SSSD service is enabled and possibly started by authconfig when at  least  two  of
       the following three conditions are met:
       1) /etc/sssd/sssd.conf file exists (or is configured via the implicit SSSD support)
       2) SSSD authentication is enabled (pam_sss.so is used in PAM configuration)
       3) SSSD is enabled for user identity (nsswitch.conf contains sss)

       When  --update  action  is  used the enablement or disablement and possible restart of
       services happens only in case the changed configuration options affect the service  to
       be  restarted. This means that if for example the ypbind service is enabled with auth‐
       config --update --nostart --enablenis but not started and you  run  the  same  command
       without the --nostart later the ypbind service will not be started because no configu‐
       ration change affecting ypbind happened.

       authconfig returns 0 on success, 1 on backup operation errors, 2 if not  running  with
       sufficient  privileges, 3 if unknown password hash algorithm is specified or incorrect
       values are set for password strength checking (this error is non fatal), 4 if download
       of CA certificate fails, 5 if writing configuration files fails on --updateall action,
       6 if writing fails on --update action, 7 if Winbind or IPA domain join fails.

       authconfig-tui returns 0 on success, 2 on error, and 1 if the user cancelled the  pro‐
       gram (by using either the Cancel or Back button). It can also return the same codes as

              Used to track whether or not particular  authentication  mechanisms  are
              enabled.   Currently includes variables named USESHADOW, USEMD5, USEKER‐
              USENIS, USELDAP, and others.
              Used for shadow password support.
              Configuration file for NIS support.
              Another configuration file for NIS support.
              Used  to  configure nss_ldap, pam_ldap, nslcd, and the OpenLDAP library.
              Only the files already existing on the system are modified.
              Used to configure Kerberos 5.
              Used to configure Hesiod.
              Used to configure winbind authentication.
              Used to configure user information services.
              Used to configure parameters of user accounts (minimum UID of a  regular
              user, password hashing algorithm).
              Common  PAM configuration for system services which include it using the
              include directive. It is created as  symlink  and  not  relinked  if  it
              points to another file.
              Contains  the  actual  PAM  configuration for system services and is the
              default target of the /etc/pam.d/system-auth symlink. If a local config‐
              uration  of  PAM  is  created (and symlinked from system-auth file) this
              file can be included there.

       authconfig-gtk(8), system-auth-ac(5), passwd(5), shadow(5), pwconv(1),  domain‐
       name(1), ypbind(8), nsswitch.conf(5), smb.conf(5), sssd(8)

       Nalin Dahyabhai <nalin@redhat.com>, Preston Brown <pbrown@redhat.com>,
       Matt Wilson <msw@redhat.com>, Tomas Mraz <tmraz@redhat.com>

Red Hat, Inc.                            22 July 2011                           AUTHCONFIG(8)
 # authconfig --enableldap \
     --enableldapauth \
     --ldapserver=dlp.nausch.org \
     --ldapbasedn="dc=nausch,dc=org" \
     --enablemkhomedir \
     --update
 # vim /etc/nslcd.conf
# This is the configuration file for the LDAP nameservice
# switch library's nslcd daemon. It configures the mapping
# between NSS names (see /etc/nsswitch.conf) and LDAP
# information in the directory.
# See the manual page nslcd.conf(5) for more information.
# The user and group nslcd should run as.
uid nslcd
gid ldap
# The uri pointing to the LDAP server to use for name lookups.
# Multiple entries may be specified. The address that is used
# here should be resolvable without using LDAP (obviously).
#uri ldap://
#uri ldaps://
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# Django : 2015-07-20
# default: uri ldap://
uri ldaps://openldap.dmz.nausch.org
# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3
# The distinguished name of the search base.
# Django : 2015-07-20
# default: base dc=example,dc=com
base dc=nausch,dc=org
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=example,dc=com
# Django : 2015-07-20
# default: unset
binddn cn=Technischeruser,dc=nausch,dc=org
# The credentials to bind with.
# Optional: default is no credentials.
# Note that if you set a bindpw you should check the permissions of this file.
#bindpw secret
# Django : 2015-07-20
# default: unset
bindpw e1n531f!D4xIi57n393I1354u!
# The distinguished name to perform password modifications by root by.
#rootpwmoddn cn=admin,dc=example,dc=com
# The default search scope.
#scope sub
#scope one
#scope base
# Customize certain database lookups.
#base   group  ou=Groups,dc=example,dc=com
#base   passwd ou=People,dc=example,dc=com
#base   shadow ou=People,dc=example,dc=com
#scope  group  onelevel
#scope  hosts  sub
# Bind/connect timelimit.
#bind_timelimit 30
# Search timelimit.
#timelimit 30
# Idle timelimit. nslcd will close connections if the
# server has not been contacted for the number of seconds.
#idle_timelimit 3600
# Use StartTLS without verifying the server certificate.
#ssl start_tls
#tls_reqcert never
# CA certificates for server certificate verification
#tls_cacertdir /etc/ssl/certs
#tls_cacertfile /etc/ssl/ca.cert
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
# Mappings for Services for UNIX 3.5
#filter passwd (objectClass=User)
#map    passwd uid              msSFU30Name
#map    passwd userPassword     msSFU30Password
#map    passwd homeDirectory    msSFU30HomeDirectory
#map    passwd homeDirectory    msSFUHomeDirectory
#filter shadow (objectClass=User)
#map    shadow uid              msSFU30Name
#map    shadow userPassword     msSFU30Password
#filter group  (objectClass=Group)
#map    group  member           msSFU30PosixMember
# Mappings for Services for UNIX 2.0
#filter passwd (objectClass=User)
#map    passwd uid              msSFUName
#map    passwd userPassword     msSFUPassword
#map    passwd homeDirectory    msSFUHomeDirectory
#map    passwd gecos            msSFUName
#filter shadow (objectClass=User)
#map    shadow uid              msSFUName
#map    shadow userPassword     msSFUPassword
#map    shadow shadowLastChange pwdLastSet
#filter group  (objectClass=Group)
#map    group  member           posixMember
# Mappings for Active Directory
#pagesize 1000
#referrals off
#idle_timelimit 800
#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map    passwd uid              sAMAccountName
#map    passwd homeDirectory    unixHomeDirectory
#map    passwd gecos            displayName
#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map    shadow uid              sAMAccountName
#map    shadow shadowLastChange pwdLastSet
#filter group  (objectClass=group)
# Alternative mappings for Active Directory
# (replace the SIDs in the objectSid mappings with the value for your domain)
#pagesize 1000
#referrals off
#idle_timelimit 800
#filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
#map    passwd uid           cn
#map    passwd uidNumber     objectSid:S-1-5-21-3623811015-3361044348-30300820
#map    passwd gidNumber     objectSid:S-1-5-21-3623811015-3361044348-30300820
#map    passwd homeDirectory "/home/$cn"
#map    passwd gecos         displayName
#map    passwd loginShell    "/bin/bash"
#filter group (|(objectClass=group)(objectClass=person))
#map    group gidNumber      objectSid:S-1-5-21-3623811015-3361044348-30300820
# Mappings for AIX SecureWay
#filter passwd (objectClass=aixAccount)
#map    passwd uid              userName
#map    passwd userPassword     passwordChar
#map    passwd uidNumber        uid
#map    passwd gidNumber        gid
#filter group  (objectClass=aixAccessGroup)
#map    group  cn               groupName
#map    group  gidNumber        gid
# This comment prevents repeated auto-migration of settings.
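As an added example (not from the original page or the nss-pam-ldapd project), a POSIX sh audit of the two client files configured above, /etc/openldap/ldap.conf and /etc/nslcd.conf: it checks that a CA bundle is configured and readable, that certificate verification is not switched off, that nslcd talks ldaps:// or StartTLS, and that a file holding a bindpw is not readable by group or others. Paths are passed as arguments; the /etc paths named here are only the ones this page uses.

```shell
#!/bin/sh
# Added example (not from the original page): audit the two client files set up
# above, /etc/openldap/ldap.conf and /etc/nslcd.conf, for the settings that decide
# whether lookups and binds are really protected. Checks return 0 only if clean.
# "key value" pairs with comment and blank lines removed; keys are lower-cased
# so ldap.conf (TLS_CACERT) and nslcd.conf (tls_cacertfile) share the helper.
conf_kv() {
    sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' "$1" |
        awk '{ k = tolower($1); $1 = ""; sub(/^[ \t]+/, ""); print k, $0 }'
}
# Value of the first occurrence of a key (empty if unset).
conf_get() {
    conf_kv "$1" | awk -v k="$2" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }'
}
# Same, lower-cased, for keyword options such as never/allow/demand.
opt() { conf_get "$1" "$2" | tr '[:upper:]' '[:lower:]'; }

# ldap.conf: a CA to trust must be configured and readable, and TLS_REQCERT
# must not switch server certificate verification off.
check_ldap_conf() {
    rc=0
    ca=$(conf_get "$1" tls_cacert)
    if [ -z "$ca" ] && [ -z "$(conf_get "$1" tls_cacertdir)" ]; then
        echo "$1: neither TLS_CACERT nor TLS_CACERTDIR is set" >&2; rc=1
    elif [ -n "$ca" ] && [ ! -r "$ca" ]; then
        echo "$1: TLS_CACERT $ca is not readable" >&2; rc=1
    fi
    case $(opt "$1" tls_reqcert) in
        never|allow) echo "$1: TLS_REQCERT disables certificate checks" >&2; rc=1 ;;
    esac
    return $rc
}

# nslcd.conf: lookups must go over ldaps://, StartTLS or the local ldapi://
# socket, tls_reqcert must stay strict, and a bindpw makes the file a secret
# that only root may read (mode 600).
check_nslcd_conf() {
    rc=0
    uri=$(conf_get "$1" uri)
    case $uri in
        ldaps://*|ldapi://*) ;;
        ldap://*) case $(opt "$1" ssl) in
                      start_tls|on) ;;
                      *) echo "$1: $uri is cleartext and ssl is not start_tls" >&2; rc=1 ;;
                  esac ;;
        *) echo "$1: no usable uri set" >&2; rc=1 ;;
    esac
    case $(opt "$1" tls_reqcert) in
        never|allow|try) echo "$1: tls_reqcert weakens certificate checks" >&2; rc=1 ;;
    esac
    if [ -n "$(conf_get "$1" bindpw)" ]; then
        mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
        case $mode in
            *00) ;;
            *) echo "$1: holds a bindpw but mode is $mode, expected 600" >&2; rc=1 ;;
        esac
    fi
    return $rc
}
```

After sourcing the script, `check_ldap_conf /etc/openldap/ldap.conf && check_nslcd_conf /etc/nslcd.conf` exits non-zero and lists every finding on stderr if anything is off.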
 # systemctl start nslcd.service
 # systemctl status nslcd.service -l

nslcd.service - Naming services LDAP client daemon.
   Loaded: loaded (/usr/lib/systemd/system/nslcd.service; disabled)
   Active: active (running) since Mo 2015-07-20 17:06:44 CEST; 34s ago
  Process: 8771 ExecStart=/usr/sbin/nslcd (code=exited, status=0/SUCCESS)
 Main PID: 8774 (nslcd)
   CGroup: /system.slice/nslcd.service
           └─8774 /usr/sbin/nslcd

Jul 20 17:06:44 vml010052.intra.nausch.org systemd[1]: Starting Naming services LDAP client daemon....
Jul 20 17:06:44 vml010052.intra.nausch.org systemd[1]: PID file /var/run/nslcd/nslcd.pid not readable (yet?) after start.
Jul 20 17:06:44 vml010052.intra.nausch.org nslcd[8774]: version 0.8.13 starting
Jul 20 17:06:44 vml010052.intra.nausch.org systemd[1]: Started Naming services LDAP client daemon..
Jul 20 17:06:44 vml010052.intra.nausch.org nslcd[8774]: accepting connections

# systemctl enable nslcd.service
ln -s '/usr/lib/systemd/system/nslcd.service' '/etc/systemd/system/multi-user.target.wants/nslcd.service'
# systemctl is-enabled nslcd.service


