Central user management with OpenLDAP and SSS (complete): difference between revisions

From Xinux Wiki
(Page newly created: „= Fetch certificate = ;We are on the LDAP server * apt update * wget https://web.samogo.de/certs/itXX.int.tgz * tar -C /tmp -xvzf itXX.int.tgz * mv /…“)

Change compared with the previous revision: every occurrence of itXX in domain names, DNs and host names was replaced by it2XX (in the certificate download, the slapd debconf preseeding, ldap.conf, struktur.ldif, sudo_rule.ldif, ldapscripts.conf, the DNS SRV record and both sssd.conf files).

Revision as of 19 May 2026, 16:55

Fetching the certificate

We are on the LDAP server
  • apt update
  • wget https://web.samogo.de/certs/it2XX.int.tgz
  • tar -C /tmp -xvzf it2XX.int.tgz
  • mv /tmp/fullchain.pem /etc/ssl/own.crt
  • mv /tmp/privkey.pem /etc/ssl/own.key

Installation

The admin password is preseeded with debconf, so the package installation runs without an interactive dialog
  • debconf-set-selections <<< "slapd slapd/password1 password 123Start$"
  • debconf-set-selections <<< "slapd slapd/password2 password 123Start$"
  • debconf-set-selections <<< "slapd slapd/domain string it2XX.int"
  • debconf-set-selections <<< "slapd shared/organization string it2XX.int"
  • debconf-set-selections <<< "slapd slapd/backend select MDB"
  • debconf-set-selections <<< "slapd slapd/purge_database boolean false"
  • debconf-set-selections <<< "slapd slapd/move_old_database boolean true"
  • debconf-set-selections <<< "slapd slapd/allow_ldap_v2 boolean false"
  • DEBIAN_FRONTEND=noninteractive apt install -y slapd ldap-utils ldapscripts sssd libnss-sss libpam-sss libsss-sudo sssd-tools oddjob-mkhomedir

Check the port

  • ss -4lntp | grep slapd
LISTEN 0      2048         0.0.0.0:389       0.0.0.0:*    users:(("slapd",pid=1365,fd=7))

Configure TLS

Set permissions

The openldap user must be able to read the certificate and the key
  • chown openldap:openldap /etc/ssl/own.crt /etc/ssl/own.key
  • chmod 640 /etc/ssl/own.crt /etc/ssl/own.key

Enter the TLS settings in cn=config

  • cat <<EOF > /tmp/tls.ldif
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/own.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/own.key
EOF
  • ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/tls.ldif

Enable LDAPS

  • vim /etc/default/slapd
SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"
  • systemctl restart slapd

Check the ports

  • ss -4lntp | grep slapd
LISTEN 0      2048         0.0.0.0:389       0.0.0.0:*    users:(("slapd",pid=788,fd=7))
LISTEN 0      2048         0.0.0.0:636       0.0.0.0:*    users:(("slapd",pid=788,fd=10))

Functional test

  • openssl s_client -connect ldap.it2XX.int:636 -showcerts

Set up ldap.conf

  • vim /etc/ldap/ldap.conf
BASE    dc=it2XX,dc=int
URI     ldaps://ldap.it2XX.int
TLS_CACERT /etc/ssl/certs/ca-certificates.crt

Base structure

Create

  • cat <<EOF > /root/struktur.ldif
dn: ou=users,dc=it2XX,dc=int
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=it2XX,dc=int
objectClass: organizationalUnit
ou: groups

dn: ou=hosts,dc=it2XX,dc=int
objectClass: organizationalUnit
ou: hosts

dn: ou=sudo,dc=it2XX,dc=int
objectClass: organizationalUnit
ou: sudo
EOF

Add

  • ldapadd -xD cn=admin,dc=it2XX,dc=int -w 123Start$ -H ldap://localhost -f /root/struktur.ldif

Verification

  • ldapsearch -x -LLL

Load the sudo schema

The sudo schema is not included in the default slapd installation and is imported manually
  • cat <<EOF > /tmp/sudo.ldif
dn: cn=sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudo
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoOption' DESC 'Options passed to sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoNotBefore' DESC 'Start of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotAfter' DESC 'End of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.9 NAME 'sudoOrder' DESC 'an integer to order the sudoRole entries' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
olcObjectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer Entries' SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoOption $ sudoRunAsUser $ sudoRunAsGroup $ sudoNotBefore $ sudoNotAfter $ sudoOrder $ description ) )
EOF
  • ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/sudo.ldif

Create sudo rules

  • cat <<EOF > /root/sudo_rule.ldif
dn: cn=defaults,ou=sudo,dc=it2XX,dc=int
objectClass: sudoRole
cn: defaults
sudoOption: env_keep+=SSH_AUTH_SOCK

dn: cn=admin_role,ou=sudo,dc=it2XX,dc=int
objectClass: sudoRole
cn: admin_role
sudoUser: %sudo
sudoHost: ALL
sudoCommand: ALL
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
EOF
  • ldapadd -xD cn=admin,dc=it2XX,dc=int -w 123Start$ -H ldap://localhost -f /root/sudo_rule.ldif

Users and groups

ldapscripts configuration

  • vim /etc/ldapscripts/ldapscripts.conf
SERVER="ldap://localhost"
SUFFIX="dc=it2XX,dc=int"
GSUFFIX="ou=groups"
USUFFIX="ou=users"
MSUFFIX="ou=hosts"
BINDDN="cn=admin,dc=it2XX,dc=int"
USHELL="/bin/bash"
UHOMES="/home/%u"
CREATEHOMES="yes"
HOMESKEL="/etc/skel"
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
GIDSTART="10000" # Group ID
UIDSTART="10000" # User ID
MIDSTART="20000" # Machine ID
GCLASS="posixGroup"
PASSWORDGEN="pwgen"
RECORDPASSWORDS="no"
PASSWORDFILE="/var/log/ldapscripts_passwd.log"
LOGTOFILE="yes"
LOGFILE="/var/log/ldapscripts.log"
LOGTOSYSLOG="no"
SYSLOGFACILITY="local4"
SYSLOGLEVEL="info"
LDAPSEARCHBIN="/usr/bin/ldapsearch"
LDAPADDBIN="/usr/bin/ldapadd"
LDAPDELETEBIN="/usr/bin/ldapdelete"
LDAPMODIFYBIN="/usr/bin/ldapmodify"
LDAPMODRDNBIN="/usr/bin/ldapmodrdn"
LDAPPASSWDBIN="/usr/bin/ldappasswd"
LDAPSEARCHOPTS="-o ldif-wrap=no"
GETENTPWCMD=""
GETENTGRCMD=""
GTEMPLATE=""
UTEMPLATE=""
MTEMPLATE=""
  • echo -n "123Start$" > /etc/ldapscripts/ldapscripts.passwd
  • chmod 600 /etc/ldapscripts/ldapscripts.passwd

Groups

  • ldapaddgroup it
  • ldapaddgroup sudo

Users

  • ldapadduser thomas it
  • ldapadduser tina it

Password

  • ldapsetpasswd thomas
  • ldapsetpasswd tina

Assign group

  • ldapaddusertogroup thomas sudo
  • ldapaddusertogroup tina sudo

Check

  • ldapsearch -xLLL cn=sudo
dn: cn=sudo,ou=groups,dc=it2XX,dc=int
objectClass: posixGroup
cn: sudo
gidNumber: 10001
description: Group account
memberUid: thomas
memberUid: tina

SSSD integration

Configuration

  • vim /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = it2XX.int

[domain/it2XX.int]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = permit
sudo_provider = ldap
ldap_uri = ldaps://ldap.it2XX.int
ldap_search_base = dc=it2XX,dc=int
ldap_sudo_search_base = ou=sudo,dc=it2XX,dc=int
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_tls_reqcert = hard
cache_credentials = True

[nss]
filter_users = root,daemon,bin,sys,sync,games,man,lp,mail,news,uucp,proxy,www-data,backup,list,irc,gnats,nobody,systemd-network,systemd-resolve,messagebus,_apt,uuidd,nslcd
filter_groups = root,daemon,bin,sys,adm,tty,disk,lp,mail,news,uucp,man,proxy,kmem,dialout,fax,voice,cdrom,floppy,tape,sudo,audio,dip,www-data,backup,operator,list,irc,src,gnats,shadow,utmp,video,sasl,plugdev,staff,games,users,nogroup,systemd-journal,systemd-network,systemd-resolve,input,kvm,render,crontab,netdev,messagebus,_apt,uuidd,ssh,nslcd

[pam]
offline_credentials_expiration = 2
  • chmod 600 /etc/sssd/sssd.conf
  • pam-auth-update --enable sss mkhomedir
  • systemctl restart sssd

NSS

Verification only
  • cat /etc/nsswitch.conf
passwd:         files systemd sss
group:          files systemd sss
shadow:         files systemd sss
gshadow:        files systemd
hosts:          files dns
networks:       files
protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files
netgroup:       nis sss
sudoers:        files sss
automount:      sss

PAM

  • grep "^[^#]" /etc/pam.d/common-auth
auth    [success=2 default=ignore]  pam_unix.so nullok
auth    [success=1 default=ignore]  pam_sss.so use_first_pass
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so

Tests

Does nsswitch work?
  • getent passwd thomas
thomas:*:10000:10000:thomas:/home/thomas:/bin/bash
  • getent passwd tina
tina:*:10001:10000:tina:/home/tina:/bin/bash
  • getent group it
it:*:10000:
Can I switch identity with su -?
  • su - thomas
thomas@ldap:~$ exit
  • su - tina
tina@ldap:~$ exit

Client integration

DNS prerequisites

The DNS server must provide an SRV record for LDAP
_ldap._tcp.it2XX.int.    IN  SRV  10 70 389  ldap.it2XX.int.
Verification from the client
  • host -t SRV _ldap._tcp.it2XX.int

Installation

  • apt update
  • apt install -y sssd libnss-sss libpam-sss libsss-sudo sssd-tools oddjob-mkhomedir
Package            Function
sssd               Main service for central identity management
libnss-sss         NSS interface: supplies user and group IDs to the system
libpam-sss         PAM module for authentication at login
libsss-sudo        Reads central sudo rules from LDAP
sssd-tools         Helper tools for troubleshooting (e.g. sssctl)
oddjob-mkhomedir   Creates the home directory automatically on first login

SSSD configuration

  • vim /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = it2XX.int

[domain/it2XX.int]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = permit
sudo_provider = ldap
ldap_uri = ldaps://ldap.it2XX.int
ldap_search_base = dc=it2XX,dc=int
ldap_sudo_search_base = ou=sudo,dc=it2XX,dc=int
ldap_default_bind_dn = cn=admin,dc=it2XX,dc=int
ldap_default_authtok = 123Start$
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_tls_reqcert = hard
cache_credentials = True

[nss]
filter_users = root,daemon,bin,sys,sync,games,man,lp,mail,news,uucp,proxy,www-data,backup,list,irc,gnats,nobody,systemd-network,systemd-resolve,messagebus,_apt,uuidd,nslcd
filter_groups = root,daemon,bin,sys,adm,tty,disk,lp,mail,news,uucp,man,proxy,kmem,dialout,fax,voice,cdrom,floppy,tape,sudo,audio,dip,www-data,backup,operator,list,irc,src,gnats,shadow,utmp,video,sasl,plugdev,staff,games,users,nogroup,systemd-journal,systemd-network,systemd-resolve,input,kvm,render,crontab,netdev,messagebus,_apt,uuidd,ssh,nslcd

[pam]
offline_credentials_expiration = 2
  • chmod 600 /etc/sssd/sssd.conf
  • pam-auth-update --enable sss mkhomedir
  • systemctl restart sssd
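Added example, not part of the wiki page: a POSIX shell lint for the two sssd.conf variants above (server and client). It checks the settings that decide the client's transport and credential exposure, namely ldaps:// in ldap_uri, ldap_tls_reqcert = hard, and whether the file stores a bind password (ldap_default_authtok) for the directory admin DN, as the client configuration here does; the function names audit_sssd_conf and conf_get are this example's own.

```shell
#!/bin/sh
# Example added to this page (not from the wiki): lint an sssd.conf for
# the settings that matter in the setup described above.
# Usage: audit_sssd_conf /etc/sssd/sssd.conf
# Prints one line per finding; exit status = number of findings.

# Read one key from an sssd.conf style file (first match, spaces stripped).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

audit_sssd_conf() {
    f=$1
    findings=0

    # Transport: anything other than ldaps:// sends identity data in clear.
    uri=$(conf_get "$f" ldap_uri)
    case "$uri" in
        ldaps://*) ;;
        *) echo "ldap_uri is '$uri': not ldaps://, directory traffic may leave the host unencrypted"
           findings=$((findings + 1)) ;;
    esac

    # Only 'hard' rejects an unverifiable server certificate.
    if [ "$(conf_get "$f" ldap_tls_reqcert)" != "hard" ]; then
        echo "ldap_tls_reqcert is not 'hard': server certificate is not strictly verified"
        findings=$((findings + 1))
    fi

    # A stored bind password turns the file into a credential store.
    if [ -n "$(conf_get "$f" ldap_default_authtok)" ]; then
        binddn=$(conf_get "$f" ldap_default_bind_dn)
        case "$binddn" in
            cn=admin,*) echo "ldap_default_authtok present for $binddn: directory admin password stored on this client"
                        findings=$((findings + 1)) ;;
        esac
        # The file holds a secret, so it must be mode 600 (as the page's chmod does).
        mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
        if [ "$mode" != "600" ]; then
            echo "$f has mode $mode but contains ldap_default_authtok; expected 600"
            findings=$((findings + 1))
        fi
    fi
    return "$findings"
}
```

The client sssd.conf shown above yields one finding, because it stores the cn=admin password; a dedicated read-only bind account keeps the directory administrator's password off every client.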

Tests

  • getent passwd thomas
  • id tina
  • sudo -l -U thomas

Check network traffic

Verify that the communication on port 636 is encrypted
  • tcpdump -i any -nn port 636
14:29:33.586737 IP 172.26.213.99.52646 > 10.213.1.3.636: Flags [P.], seq 1:759, ack 3951, win 501, length 758
14:29:33.586816 IP 10.213.1.3.636 > 172.26.213.99.52646: Flags [P.], seq 4795:4831, ack 759, win 504, length 36
Port 636: the packets go specifically to the LDAPS port
Flags [P.]: exchange of encrypted application data after the TLS handshake
No cleartext data: unlike port 389, no usernames or passwords are readable in the dump