Difference between revisions of "Configuring authentication with openLDAP server"
Revision as of 04:08, 27 March 2014
Configuring authentication with openLDAP server
LDAP server configuration
Necessary schema
The schema file nis.schema must be included in slapd.conf before posixAccount or shadowAccount entries can be added.
User accounts
First, user accounts and groups must be created on the LDAP server. A sample LDIF file that can be used to create a user is:
    dn: uid=saurabh,ou=people,dc=sbarjatiya,dc=com
    objectClass: top
    objectClass: account
    objectClass: posixAccount
    objectClass: shadowAccount
    cn: Saurabh Barjatiya
    uid: saurabh
    uidNumber: 3000
    gidNumber: 3000
    homeDirectory: /home/saurabh
    loginShell: /bin/bash
    gecos: OFQ F2, IIIT Hyderabad
    userPassword: iiit123
    shadowLastChange: 0
    shadowMax: 99999
    shadowWarning: 99999
Here userPassword is given in clear text and slapd stores it exactly as written; in practice generate a hashed value with 'slappasswd' (which prints a {SSHA} string by default) and use that instead. shadowLastChange: 0 marks the password as expired, so the user is forced to change it at first login (see 'Password change' below).
Group accounts
To create a group account, a sample LDIF file is:
    dn: cn=group1,ou=groups,dc=sbarjatiya,dc=com
    objectClass: top
    objectClass: posixGroup
    cn: group1
    userPassword: iiit123
    gidNumber: 3000
    memberUid: saurabh
To add a member to the group, a sample LDIF file (applied with ldapmodify) is:
    dn: cn=group1,ou=groups,dc=sbarjatiya,dc=com
    changetype: modify
    add: memberUid
    memberUid: saurabh.barjatiya
To delete a member from the group, a sample LDIF file is:
    dn: cn=group1,ou=groups,dc=sbarjatiya,dc=com
    changetype: modify
    delete: memberUid
    memberUid: saurabh.barjatiya
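The following is an added example and not part of the original page: it generates the same posixAccount and posixGroup LDIF as above, but with a salted {SSHA} userPassword (the format slappasswd emits) instead of the clear-text value, and base64-encodes any attribute value that is not LDIF-safe per RFC 2849. The base DN and sample values follow the page; the fixed salt in the demo block is constructed for reproducibility, a real entry should use the random salt the function picks by default.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional

# Added example, not from the original page. DN suffix follows the page's entries.
OPENLDAP_BASE = "dc=sbarjatiya,dc=com"


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} as slapd/slappasswd produce it: base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(8)            # random per-password salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password the way slapd does on a simple bind."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes; the salt follows it
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_attr(name: str, value: str) -> str:
    """One attribute line; base64-encode (::) when the value is not LDIF-safe (RFC 2849)."""
    bad_start = value[:1] in (" ", ":", "<")
    bad_char = any(ord(c) > 127 or c in "\0\r\n" for c in value)
    if value and not bad_start and not bad_char:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def user_ldif(uid: str, cn: str, uid_number: int, gid_number: int,
              password_hash: str, gecos: str = "", force_change: bool = True) -> str:
    """LDIF for a posixAccount/shadowAccount entry under ou=people."""
    # shadowLastChange: 0 marks the password expired, forcing a change at first login;
    # otherwise record today as days since the epoch, the shadow convention.
    last_change = 0 if force_change else int(time.time() // 86400)
    attrs = [
        ("dn", f"uid={uid},ou=people,{OPENLDAP_BASE}"),
        ("objectClass", "top"),
        ("objectClass", "account"),
        ("objectClass", "posixAccount"),
        ("objectClass", "shadowAccount"),
        ("cn", cn),
        ("uid", uid),
        ("uidNumber", str(uid_number)),
        ("gidNumber", str(gid_number)),
        ("homeDirectory", f"/home/{uid}"),
        ("loginShell", "/bin/bash"),
        ("userPassword", password_hash),
        ("shadowLastChange", str(last_change)),
        ("shadowMax", "99999"),
        ("shadowWarning", "7"),
    ]
    if gecos:
        attrs.insert(11, ("gecos", gecos))   # place gecos after loginShell, before userPassword
    return "\n".join(ldif_attr(n, v) for n, v in attrs) + "\n"


def group_member_ldif(group: str, uid: str, op: str = "add") -> str:
    """ldapmodify LDIF that adds or deletes one memberUid of a posixGroup."""
    if op not in ("add", "delete"):
        raise ValueError("op must be 'add' or 'delete'")
    return "\n".join([
        f"dn: cn={group},ou=groups,{OPENLDAP_BASE}",
        "changetype: modify",
        f"{op}: memberUid",
        f"memberUid: {uid}",
    ]) + "\n"


if __name__ == "__main__":
    # Constructed demo values; the fixed salt is only for a reproducible printout.
    pw_hash = ssha_hash("iiit123", salt=b"\x01\x02\x03\x04\x05\x06\x07\x08")
    print(user_ldif("saurabh", "Saurabh Barjatiya", 3000, 3000, pw_hash,
                    gecos="OFQ F2, IIIT Hyderabad"))
    print(group_member_ldif("group1", "saurabh.barjatiya"))
    print("verify ok:", ssha_verify("iiit123", pw_hash), "wrong:", ssha_verify("x", pw_hash))
```

The generated file can be fed to ldapadd (the user entry) or ldapmodify (the memberUid change) exactly like the hand-written LDIF above; ssha_verify exists only to show what slapd computes on bind, it is not something the client needs.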
Linux host authentication
To configure a Linux host to authenticate against the LDAP server, use the following steps:
- yum install openldap-clients openldap nss-pam-ldapd
- Check whether the sssd package is installed using 'rpm -qa | grep sssd'. If it is installed, remove it using 'yum remove sssd'; it is fine if some ipa-* packages are removed along with it.
- Start the 'setup' program and use the following steps:
    - Choose 'Authentication configuration'
    - Select 'Use ldap'
    - Select 'Use ldap authentication'
    - Go to the next screen with the Next button
    - Do not check 'Use TLS' (the ldaps settings are added by hand in the steps below)
    - Enter the server name, for example ldap://ldap.virtual-labs.ac.in/
    - Enter the server base DN, for example dc=virtual-labs,dc=ac,dc=in
    - Complete the configuration with the OK button
    - Close the setup program with the Quit button
- Edit '/etc/hosts' and add a static entry for the LDAP server, for example '12.4.12.152 ldap.virtual-labs.ac.in'. This is needed because 'hosts' in nsswitch.conf is switched to 'files ldap dns' below, and the LDAP server's own name must resolve without an LDAP lookup.
- Edit '/etc/pam_ldap.conf' and replace the lines at the end that start with uri with the following:
    uri ldaps://ldap.virtual-labs.ac.in/
    ssl on
    tls_cacertfile /etc/openldap/certs/ca.crt
    pam_password md5
- Put the CA certificate that issued the LDAP server's certificate in '/etc/openldap/certs' under the name ca.crt
- Edit '/etc/nslcd.conf' and replace the lines at the end that start with uri with the following:
    uri ldaps://ldap.virtual-labs.ac.in/
    base dc=virtual-labs,dc=ac,dc=in
    ssl on
    timelimit 10
    idle_timelimit 30
    reconnect_sleeptime 30
    reconnect_retrytime 90
    tls_reqcert hard
    tls_cacertfile /etc/openldap/certs/ca.crt
  'tls_reqcert hard' makes nslcd refuse the connection unless the server presents a certificate that validates against ca.crt. Do not weaken it to 'allow' or 'never': that leaves the password bind open to a man-in-the-middle even though ldaps:// is used.
- Edit '/etc/pam.d/sshd' and add the following line after the last 'session required' line:
    session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
- Edit '/etc/nsswitch.conf' and for 'hosts' use the value 'files ldap dns'
    - You should not see sss anywhere in this file. If you see sss instead of ldap, sssd was not removed as described earlier in these steps.
- Run 'service nslcd restart'
- Run 'chkconfig nslcd on'
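As an added example (not part of the original page), the check below audits the three client files edited in the steps above for the points that matter to security: an ldaps:// URI, 'ssl on', a CA file, 'tls_reqcert hard' in nslcd.conf, and no leftover sss sources in nsswitch.conf. File contents are passed in as strings so it runs offline; the WEAK_* samples are constructed, and the HARDENED_* samples copy the values the page recommends.

```python
from typing import Dict, List

# Added example, not part of the original page.


def parse_kv(text: str) -> Dict[str, List[str]]:
    """Parse 'key value' lines (nslcd.conf / pam_ldap.conf style), skipping comments."""
    out: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        out.setdefault(parts[0].lower(), []).append(parts[1].strip() if len(parts) > 1 else "")
    return out


def audit_client(nslcd_conf: str, pam_ldap_conf: str, nsswitch_conf: str) -> List[str]:
    """Return findings; an empty list means the files match the hardened setup above."""
    findings: List[str] = []
    for name, text in (("nslcd.conf", nslcd_conf), ("pam_ldap.conf", pam_ldap_conf)):
        s = parse_kv(text)
        for uri in s.get("uri") or ["<missing>"]:
            if not uri.lower().startswith("ldaps://"):
                findings.append(f"{name}: uri '{uri}' is not ldaps://, so binds (passwords) cross the network in clear")
        if (s.get("ssl") or [""])[-1].lower() != "on":
            findings.append(f"{name}: 'ssl on' is not set")
        if not s.get("tls_cacertfile"):
            findings.append(f"{name}: tls_cacertfile is not set, so the server certificate cannot be validated")
    # Only 'demand' and 'hard' make the client reject a server whose certificate does not verify.
    reqcert = (parse_kv(nslcd_conf).get("tls_reqcert") or ["never"])[-1].lower()
    if reqcert not in ("demand", "hard"):
        findings.append(f"nslcd.conf: tls_reqcert is '{reqcert}', must be 'hard' to reject unverifiable server certificates")
    for raw in nsswitch_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        db, _, sources = line.partition(":")
        db, srcs = db.strip(), sources.split()
        if "sss" in srcs:
            findings.append(f"nsswitch.conf: '{db}' still lists sss, so sssd was not removed")
        if db in ("passwd", "group", "shadow") and "ldap" not in srcs:
            findings.append(f"nsswitch.conf: '{db}' does not consult ldap")
    return findings


# Constructed samples: what a half-finished setup tends to look like ...
WEAK_NSLCD = "uri ldap://ldap.virtual-labs.ac.in/\nbase dc=virtual-labs,dc=ac,dc=in\ntls_reqcert never\n"
WEAK_PAM_LDAP = "uri ldap://ldap.virtual-labs.ac.in/\npam_password md5\n"
WEAK_NSSWITCH = "passwd: files sss\nshadow: files sss\ngroup: files sss\nhosts: files dns\n"

# ... and the values from the steps above.
HARDENED_NSLCD = """uri ldaps://ldap.virtual-labs.ac.in/
base dc=virtual-labs,dc=ac,dc=in
ssl on
timelimit 10
idle_timelimit 30
reconnect_sleeptime 30
reconnect_retrytime 90
tls_reqcert hard
tls_cacertfile /etc/openldap/certs/ca.crt
"""
HARDENED_PAM_LDAP = """uri ldaps://ldap.virtual-labs.ac.in/
ssl on
tls_cacertfile /etc/openldap/certs/ca.crt
pam_password md5
"""
HARDENED_NSSWITCH = "passwd: files ldap\nshadow: files ldap\ngroup: files ldap\nhosts: files ldap dns\n"

if __name__ == "__main__":
    for label, args in (("weak", (WEAK_NSLCD, WEAK_PAM_LDAP, WEAK_NSSWITCH)),
                        ("hardened", (HARDENED_NSLCD, HARDENED_PAM_LDAP, HARDENED_NSSWITCH))):
        print(f"== {label} ==")
        for f in audit_client(*args) or ["no findings"]:
            print(" -", f)
```

On a real host, read the three files from /etc and pass their contents to audit_client; it only inspects text, so it can be run before nslcd is restarted.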
Verifying setup
To verify whether the authentication setup is working, try the commands:
    getent hosts
    getent passwd
    getent group
    getent shadow
LDAP users and groups should be listed along with the local ones. If the configuration does not seem to work, read '/var/log/messages' and '/var/log/secure' while attempting to log in as an LDAP user.
Restricting logins to specific users and posixGroups
To restrict logins on a machine to specific users or posixGroups use:
- Edit '/etc/pam.d/sshd' and add the following line:
    auth required pam_access.so
- Edit '/etc/security/access.conf' and add a line similar to:
    - : ALL EXCEPT root (admin) : ALL
An access.conf line has three fields separated by ':'
- The first is '+' or '-', indicating whether to allow or deny.
- The second is a list of users and groups. Group names can be enclosed in round brackets () to state explicitly that the name is a group. The word ALL matches everyone, and EXCEPT carves exceptions out of ALL for specific users and groups.
- The third is the origin (terminal, host name or address) the login comes from, for which the rule applies.
The first line that matches both the user and the origin decides the outcome; if no line matches, access is granted. In the example above everyone except root and the members of the admin group is denied, from every origin. Read the comments in '/etc/security/access.conf' for a fuller description.
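The evaluator below is an added example, not part of the original page or of pam_access itself. It applies the three-field access.conf syntax described above to a (user, groups, origin) triple using pam_access's first-match semantics, so a rule can be tested before it locks anyone out. It supports '+'/'-', ALL, EXCEPT and '(group)' tokens; netgroups (@name), LOCAL and CIDR or netmask origins are deliberately not implemented, so origins are assumed to be exact host names or addresses, or ALL. PAGE_RULE is the line from the page; HOST_RULES is a constructed second policy.

```python
from typing import Callable, Iterable, Optional, Tuple

# Added example, not part of the original page.


def _field_matches(field: str, match: Callable[[str], bool]) -> bool:
    """A field matches when some token before EXCEPT matches and none after it does."""
    tokens = field.split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        base, exceptions = tokens[:i], tokens[i + 1:]
    else:
        base, exceptions = tokens, []
    return any(match(t) for t in base) and not any(match(t) for t in exceptions)


def evaluate_access(rules: str, user: str, groups: Iterable[str],
                    origin: str) -> Tuple[bool, Optional[str]]:
    """First rule matching both user and origin decides; no match means access is granted.

    Returns (allowed, matching_line); matching_line is None when no rule matched.
    """
    group_set = set(groups)

    def user_match(tok: str) -> bool:
        if tok == "ALL":
            return True
        if tok.startswith("(") and tok.endswith(")"):   # explicitly a group name
            return tok[1:-1] in group_set
        return tok == user or tok in group_set           # bare name: user first, then group

    def origin_match(tok: str) -> bool:
        return tok == "ALL" or tok == origin

    for raw in rules.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":", 2)      # maxsplit keeps ':' inside IPv6 origins intact
        if len(parts) != 3 or parts[0].strip() not in ("+", "-"):
            raise ValueError(f"malformed access.conf line: {raw!r}")
        perm, users_field, origins_field = (p.strip() for p in parts)
        if _field_matches(users_field, user_match) and _field_matches(origins_field, origin_match):
            return perm == "+", line
    return True, None


# The rule from the page: deny everyone except root and members of admin.
PAGE_RULE = "- : ALL EXCEPT root (admin) : ALL\n"
# Constructed policy: group1 may log in only from one host, everyone else is denied.
HOST_RULES = "+ : (group1) : 192.168.1.10\n- : ALL : ALL\n"

if __name__ == "__main__":
    cases = (("root", [], "10.0.0.5"), ("saurabh", ["admin"], "10.0.0.5"),
             ("saurabh", ["group1"], "10.0.0.5"))
    for who, grps, frm in cases:
        print(f"{who} {grps} from {frm}: {evaluate_access(PAGE_RULE, who, grps, frm)}")
```

Note the order sensitivity the second policy shows: swapping its two lines would make the trailing '- : ALL : ALL' match first and deny group1 too, which is the usual mistake when editing access.conf.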
Password change
Because the sample user entry above sets shadowLastChange: 0, a user who logs in over ssh with LDAP credentials is forced to change the password at first login. During the change the user is asked for the existing LDAP password again (the one just used to log in), then for the new password twice. Once the password is set the user is logged off automatically and can log in again over ssh with the new password.
Mediawiki Authentication
MediaWiki supports LDAP-based authentication through the 'LdapAuthentication' extension. To configure MediaWiki authentication against LDAP, use the steps below. Note that LDAP authentication may not work with an SQLite database back-end.
- yum -y install php-ldap
- service httpd restart
- Download the latest LdapAuthentication plugin for the installed MediaWiki version from http://www.mediawiki.org/wiki/Special:ExtensionDistributor/LdapAuthentication
- Extract the downloaded file in the extensions folder
- Add the following lines to 'LocalSettings.php' for a non-SSL, non-TLS LDAP server with anonymous read enabled:
    require_once("$IP/extensions/LdapAuthentication/LdapAuthentication.php");
    $wgAuth = new LdapAuthenticationPlugin();

    $wgLDAPDomainNames = array('Domain_name',);
    $wgLDAPServerNames = array('Domain_name' => 'LDAP_server_IP_or_FQDN',);

    #Avoid using local groups. This is recommended by the plugin author
    #$wgLDAPUseLocal = false;

    #This can be uncommented on test machines to debug LDAP issues; not meant for production.
    #$wgLDAPDebug = 3;
    #$wgDebugLogGroups['ldap'] = '/tmp/debug.log';

    $wgLDAPEncryptionType = array('Domain_name' => 'clear',);
    $wgLDAPSearchAttributes = array('Domain_name' => 'uid',);
    $wgLDAPBaseDNs = array('Domain_name' => 'Base_dn',);
    $wgLDAPPreferences = array('Domain_name' => array('email' => 'mail', 'realname' => 'displayName', 'nickname' => 'cn',),);
    $wgLDAPLowerCaseUsername = array('Domain_name' => true, );
    $wgLDAPGroupUseFullDN = array('Domain_name' => false, );
    $wgLDAPGroupObjectclass = array('Domain_name' => 'posixGroup',);
    $wgLDAPGroupAttribute = array('Domain_name' => 'memberUid',);
    $wgLDAPGroupNameAttribute = array('Domain_name' => 'cn',);

    #This should be avoided on really large setups as per the plugin author's documentation
    $wgLDAPGroupsPrevail = array('Domain_name' => true,);
- Here Domain_name should be replaced with a recognizable name, which is also shown to the user on the login page, and Base_dn with the LDAP base DN. The key of every per-domain array must be exactly the name listed in $wgLDAPDomainNames, otherwise that setting does not apply to the domain. 'clear' means the user's password is sent to the LDAP server unencrypted on every wiki login; the extension's other values are 'ssl' (ldaps) and 'tls' (StartTLS), and one of them should be used for any server reachable over an untrusted network. A few settings such as the user and group search DNs have been omitted for simplicity. Note that all of the arrays can take multiple key-value pairs, but only one is used in this example; in large setups one can put multiple values in the necessary arrays.
- To force users to be members of a specific LDAP group, also append:
    $wgLDAPRequiredGroups = array('Domain_name' => array('Required_Group',),);
- Here Required_Group is the DN of the group the user must be a member of.
- To ensure that users belonging to a particular group can never log in, use:
    $wgLDAPExcludedGroups = array('Domain_name' => array('Exclude_Group',),);
- Here Exclude_Group is the DN of the group whose members are denied access.
ldap_domains table does not exists error
It is possible that an 'ldap_domains table does not exist' error is shown. To solve that, log into the MySQL database used by MediaWiki and run:
    CREATE TABLE ldap_domains(domain_id int not null primary key auto_increment, domain varchar(255) binary not null, user_id int not null);
    CREATE INDEX user_id on ldap_domains(user_id);
The queries were taken from the schema/ldap-mysql.sql file in the LdapAuthentication plugin source.
Refer http://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Configuration_Options for more details
Squid proxy authentication
To enable LDAP-based authentication for Squid use:
- First find the location of the program named 'squid_ldap_auth' and run it as follows:
    /usr/lib64/squid/squid_ldap_auth -b "<base-dn>" -f "uid=%s" <ldap-server>
- The command gives no prompt and expects '<username> <password>' on one input line.
- If, after supplying the username and password, the response is OK, then LDAP authentication from the proxy server is working; if it is ERR, debug the LDAP issues first.
- Edit squid.conf and add the following lines:
    acl login-users src <IP-range>
    auth_param basic program /usr/lib64/squid/squid_ldap_auth -b "<base-dn>" -f "uid=%s" -h <ldap-server>
    acl ldapauth proxy_auth REQUIRED
    http_access allow login-users ldapauth
- This causes all users connecting from the given IP-range to be authenticated. What happens to everyone else depends on the http_access rules that follow, for example 'http_access allow all' or 'http_access deny all' as the situation requires.
- As written, the helper binds to the LDAP server without encryption, so each user's password crosses the network from the proxy to the directory in clear; squid_ldap_auth's -Z option (StartTLS) avoids that. Basic proxy authentication itself only base64-encodes the credentials between browser and proxy, so it should be confined to the trusted network the IP-range describes.