Setting Up A Secure Linux Authentication Server Quickly (LDAP + TLS + SAMBA)

Just like Microsoft Active Directory, a centralised authentication server is important in Linux, especially when you have more than one server or service to manage. Imagine each service (ssh, samba, httpd, etc.) having its own user database: sooner or later you will find managing users very difficult, and even a simple task like deleting a user becomes daunting. Ideally, we want a common authentication mechanism for all services and machines in the network. Most importantly, we need to do it securely.

Unfortunately, doing it in Linux is far from easy, which is why the task is usually left to the enterprise experts. Linux traditionally uses NIS, but nowadays there is a strong preference for LDAP over NIS because LDAP has better support for encryption, i.e. an eavesdropper cannot read the data sent over the network.

There are a few LDAP implementations on the market, but I still find good LDAP documentation lacking in general. The steep learning curve and complicated command line syntax scare people away, and sysadmins often have to search high and low to find the right answers. There have been good attempts recently to make everything more user friendly, though: check out the Red Hat Directory Server (thank you, Red Hat). Another integrated solution worth mentioning is FreeIPA. If you are using CentOS, the Directory Server package (centos-ds) is available in the c5-testing repository.

The OpenLDAP project is a stable LDAP implementation that has been around for a while. I have been using it and like it very much. I know how intimidating LDAP can be for beginners, so I wanted to write a tutorial on it, and the recent quiet business period gave me a good chance to come up with something. The objective of this tutorial is to set up an OpenLDAP authentication server as quickly as possible; I will not go into detail about how LDAP works, but will provide the relevant configuration parameters. If you are interested in the details, I have provided some good links at the end of the tutorial. This tutorial assumes that you know a bit of Linux, are comfortable with the command line and have basic networking knowledge. I am using CentOS, but the process should be similar on other Linux distros. If you have the firewall and SELinux turned on, I suggest turning them off during the setup and turning them back on once everything is working. If you follow the instructions correctly, you should have a secure authentication server within a short time. Enough of the story, let us start.

Scenario

Imagine we have two servers, athena.dev and argos.dev. athena.dev is the client and is to authenticate against the LDAP server (argos.dev) via TLS for both ssh and samba (which allows sharing from Windows). Both machines are running CentOS 5.3. We are going to add a new LDAP user, “bernard”, from athena.dev. If everything is successful, we should be able to ssh into athena.dev and access bernard’s home directory from Windows as well.

Before we start, make sure that athena.dev and argos.dev resolve to unique IPs. Ideally, you should have a DNS server sitting somewhere in the network. If you find it too complicated to set one up now, just add the IPs to the /etc/hosts file on both machines, i.e. something like

192.168.1.100 athena.dev
192.168.1.101 argos.dev

Ping both hostnames and make sure they resolve.

1. Setup Server (argos.dev)
* As root, install from the CentOS base repository

yum install openldap-servers openldap-clients nss_ldap

* Edit your /etc/openldap/slapd.conf so that it looks like this

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema

allow bind_v2
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

TLSCACertificateFile /etc/pki/tls/certs/ldap.pem
TLSCertificateFile /etc/pki/tls/certs/ldap.pem
TLSCertificateKeyFile /etc/pki/tls/certs/ldap.pem
# TLSVerifyClient is the directive slapd actually understands (the original line
# read "TLSClientVerify", which slapd does not recognise). "demand" would require
# every client to present its own certificate; the clients in this tutorial only
# hold the CA cert, so leave the default until you issue client certificates.
TLSVerifyClient never
database        bdb
suffix          "dc=argos,dc=dev"
rootdn          "cn=Manager,dc=argos,dc=dev"
rootpw  {SSHA}3+F6jATchWGLKNtxtc7SlnfVa2NetAWJ
directory       /var/lib/ldap/

index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
index sambaSID,sambaPrimaryGroupSID,sambaDomainName    eq
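One thing the slapd.conf above does not contain is any `access to` rule, and OpenLDAP's built-in policy when none is present is `access to * by * read`: anyone who can reach port 389 can anonymously read every attribute, including the userPassword hashes and, once smbldap-populate has run, the sambaNTPassword and sambaLMPassword values, which are password-equivalent for SMB. TLS does nothing about that, because it only protects data in transit. The stanza below is the minimal password-protecting ACL (my addition, not part of the original tutorial); it goes after the `directory` line so it applies to the bdb database, and `access to *` keeps everything else readable because nss_ldap on athena.dev binds anonymously. The Manager rootdn bypasses ACLs, so smbldap-tools and Samba keep working. The shell helper around it audits a slapd.conf for such a rule; the config files in its test are constructed.

```shell
#!/bin/sh
# Added example, not from the original tutorial: the ACL that hides password
# hashes in slapd.conf, plus an audit that reports which password-bearing
# attributes a given slapd.conf still leaves world-readable.

# The stanza to add to /etc/openldap/slapd.conf after the "directory" line of
# the bdb database. "by anonymous auth" still lets users bind (log in).
password_acl() {
    cat <<'EOF'
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read
EOF
}

# slapd.conf treats a line that starts with white space as a continuation of
# the previous one; fold those so each access rule is one logical line.
logical_lines() {
    awk '
        /^[ \t]/ { cur = cur " " $0; next }
        { if (started) print cur; cur = $0; started = 1 }
        END { if (started) print cur }
    ' "$1"
}

# Print one line per password attribute that is readable by everyone in
# slapd.conf $1; return 0 only when all three are protected.
unprotected_password_attrs() {
    rc=0
    for attr in userPassword sambaNTPassword sambaLMPassword; do
        # slapd applies the first rule whose attrs= list names the attribute
        rule=$(logical_lines "$1" | grep -E -i \
            "^[[:space:]]*access[[:space:]]+to[[:space:]]+attrs=([^[:space:]]*,)?${attr}(,|[[:space:]]|$)" \
            | head -n 1)
        if [ -z "$rule" ]; then
            echo "$attr: no access rule, so the built-in default 'by * read' applies"
            rc=1
        elif printf '%s\n' "$rule" | grep -E -i -q 'by[[:space:]]+(\*|users)[[:space:]]+(read|write)'; then
            echo "$attr: its access rule still grants read to everyone"
            rc=1
        fi
    done
    return $rc
}

# Usage on argos.dev: unprotected_password_attrs /etc/openldap/slapd.conf
if [ $# -eq 1 ]; then
    unprotected_password_attrs "$1"
fi
```

After adding the stanza, restart slapd and repeat `ldapsearch -x` as an anonymous user: the entries should still come back, but without userPassword or sambaNTPassword values.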

* If you are using your own domain name, the server's hostname must be a fully qualified domain name (FQDN).
* Update the rootpw field in /etc/openldap/slapd.conf. Paste in the {SSHA} password hash produced by the command below:

slappasswd

* Use the sample DB_CONFIG for the LDAP database

cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/DB_CONFIG

* The next task is to create a quick self-signed certificate.

cd /etc/pki/tls/certs/
make ldap.pem
chown ldap:ldap ldap.pem

(Accept the defaults for all questions except the common name/hostname, which must be the FQDN, i.e. argos.dev in this case.)

* We need to extract the server certificate (the public part only, not the private key) from ldap.pem for the clients

grep -A 100 CERTIFICATE ldap.pem > client.pem
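The grep above works because `make ldap.pem` writes the private key before the certificate and the certificate is shorter than 100 lines; `-A 100` prints 100 lines after every match, so if the key followed the certificate it would be copied into client.pem and shipped to every client. The script below is an added example of mine, not part of the tutorial: it copies exactly the certificate block whatever the order, and refuses to leave a file behind that contains a private key. It assumes the same file names as above; the PEM data in its test is a constructed dummy, not a real key. An equivalent one-liner on a box with OpenSSL is `openssl x509 -in ldap.pem -out client.pem`.

```shell
#!/bin/sh
# Added example, not from the original tutorial: copy only the certificate
# block out of a combined key+cert PEM such as /etc/pki/tls/certs/ldap.pem,
# so that client.pem never carries the private key to the clients.

# Print the first "-----BEGIN CERTIFICATE-----" ... "-----END CERTIFICATE-----"
# block of $1, regardless of whether the key precedes or follows it.
extract_cert() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { inside = 1 }
        inside                          { print }
        /^-----END CERTIFICATE-----$/   { if (inside) exit }
    ' "$1"
}

# Exit status 0 if $1 holds a certificate and no private key, 1 otherwise.
cert_only() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || return 1
    grep -q -- 'PRIVATE KEY' "$1" && return 1
    return 0
}

# Safe replacement for "grep -A 100 CERTIFICATE ldap.pem > client.pem":
# write $2 from $1, or remove it again if it is not a bare certificate.
make_client_pem() {
    extract_cert "$1" > "$2"
    if ! cert_only "$2"; then
        rm -f "$2"
        echo "refusing to write $2: no certificate found or private key present" >&2
        return 1
    fi
    # the certificate is public; the key in $1 stays readable by ldap only
    chmod 644 "$2"
}

# Usage on argos.dev: sh extract_cert.sh /etc/pki/tls/certs/ldap.pem /etc/pki/tls/certs/client.pem
if [ $# -eq 2 ]; then
    make_client_pem "$1" "$2"
fi
```

Whichever way you produce client.pem, `grep -c 'PRIVATE KEY' client.pem` must print 0 before the file is copied to athena.dev.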

2. Setup Client (athena.dev)

* As root, install the required packages. You will need the rpmforge repo for smbldap-tools.

yum install openldap-clients nss_ldap samba smbldap-tools --enablerepo=rpmforge

* On the command line, configure the authentication settings

authconfig-tui
// check "Use LDAP" and "Use LDAP Authentication", then "Next"
// check "Use TLS". Server: "ldap://argos.dev/", Base DN: dc=argos,dc=dev

(The authconfig-tui command actually does a few more things in the background, like configuring nsswitch.conf and the PAM settings, but we will skip them for now to avoid confusion.)

* Copy the client certificate over to athena.dev

scp root@argos.dev:/etc/pki/tls/certs/client.pem /etc/openldap/cacerts

* Edit your /etc/ldap.conf file. Towards the end of the file it should look something like this:

uri ldap://argos.dev/
tls_cacert /etc/openldap/cacerts/client.pem
ssl start_tls

* Edit /etc/openldap/ldap.conf. Your file should look something like this:

URI ldap://argos.dev/
BASE dc=argos,dc=dev
TLS_CACERT /etc/openldap/cacerts/client.pem
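Both client files above say "use TLS", but neither says "verify the server", and verification is the half that stops someone answering as argos.dev with a certificate of their own. nss_ldap's `tls_checkpeer` and libldap's `TLS_REQCERT` decide whether a server certificate that does not chain to client.pem is rejected. libldap defaults TLS_REQCERT to `demand`, so the setup above is fine as long as nobody later relaxes it to `never` or `allow` to silence a certificate error, and adding `tls_checkpeer yes` to /etc/ldap.conf makes the nss_ldap side explicit. The checker below is an added example of mine, not the tutorial's: it reads the two files and flags the settings that would quietly downgrade the connection. The paths in its usage line are the tutorial's; the config files in its test are constructed.

```shell
#!/bin/sh
# Added example, not from the original tutorial: audit the two client-side
# LDAP files for settings that would quietly downgrade TLS. Assumes the
# nss_ldap /etc/ldap.conf layout (lower-case keys) and the OpenLDAP
# /etc/openldap/ldap.conf layout (upper-case keys) used on CentOS 5.

# First value of key $2 in file $1, matched case-insensitively, skipping comments.
conf_value() {
    grep -v '^[[:space:]]*#' "$1" | awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }'
}

# $1 = nss_ldap /etc/ldap.conf, $2 = /etc/openldap/ldap.conf.
# Prints one finding per line and returns 1 if anything was found.
audit_ldap_client() {
    nss="$1"; lib="$2"; bad=0
    for f in "$nss" "$lib"; do
        [ -r "$f" ] || { echo "$f: not readable"; return 1; }
    done

    # 1. Is TLS requested at all? Either "ssl start_tls" / "ssl on" or an ldaps:// URI.
    ssl=$(conf_value "$nss" ssl)
    uri=$(conf_value "$nss" uri)
    case "$ssl:$uri" in
        start_tls:*|on:*|*:ldaps://*) ;;
        *) echo "$nss: no TLS (ssl='${ssl:-unset}', uri='${uri:-unset}'); binds would go in clear text"; bad=1 ;;
    esac

    # 2. Does nss_ldap/pam_ldap verify the server certificate?
    if [ "$(conf_value "$nss" tls_checkpeer)" = "no" ]; then
        echo "$nss: tls_checkpeer no accepts any server certificate (MITM possible)"; bad=1
    fi

    # 3. Does libldap (ldapsearch, smbldap-tools, Samba) verify it? Unset means the default, demand.
    case "$(conf_value "$lib" TLS_REQCERT)" in
        never|allow) echo "$lib: TLS_REQCERT never/allow accepts unverified server certificates"; bad=1 ;;
    esac

    # 4. Is there a CA certificate to verify against?
    if [ -z "$(conf_value "$lib" TLS_CACERT)" ] && [ -z "$(conf_value "$lib" TLS_CACERTDIR)" ]; then
        echo "$lib: no TLS_CACERT/TLS_CACERTDIR, so verification has nothing to trust"; bad=1
    fi
    return $bad
}

# Usage on athena.dev: audit_ldap_client /etc/ldap.conf /etc/openldap/ldap.conf
if [ $# -eq 2 ]; then
    audit_ldap_client "$1" "$2"
fi
```

A complementary live check is `ldapsearch -x -ZZ`: the doubled `-Z` makes ldapsearch fail instead of falling back to clear text when StartTLS or certificate verification does not succeed.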

* We now need to copy the Samba LDAP schema over to argos.dev

scp /usr/share/doc/samba-3.0.33/LDAP/samba.schema root@argos.dev:/etc/openldap/schema

* On argos.dev, start LDAP if not already done and turn it on by default

service ldap start
chkconfig ldap on

* Back on athena.dev, configure /etc/smbldap-tools/smbldap_bind.conf. You can copy and paste this whole lot:

slaveDN="cn=Manager,dc=argos,dc=dev"
slavePw="your_password"
masterDN="cn=Manager,dc=argos,dc=dev"
masterPw="your_password"

* Configure /etc/smbldap-tools/smbldap.conf. You can copy and paste this whole lot:

sambaDomain="PDC-SRV"
slaveLDAP="argos.dev"
slavePort="389"
masterLDAP="argos.dev"
masterPort="389"
ldapTLS="1"
ldapSSL="0"
verify="require"
cafile="/etc/openldap/cacerts/client.pem"
suffix="dc=argos,dc=dev"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="999999"
userSmbHome=""
userProfile=""
userHomeDrive="H:"
userScript="%U.bat"
mailDomain="argos.dev"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

(Tip: I modified these files from the originals; you might want to make a backup first.)

* Do a quick test and check that LDAP is working correctly. If it is not, look at the troubleshooting section near the end of the tutorial.

ldapsearch -x
// You should see an empty database, and it shouldn't throw any error.

* If everything looks OK, let us populate the LDAP database using the magic of smbldap-tools

smbldap-populate
// this command will prompt you to enter the root password.

* Now let us add a user called bernard from athena.dev

// add one test user called bernard
smbldap-useradd -a -m bernard
smbldap-passwd bernard
// This is enough to get things working. If interested, you can add more user details using smbldap-userinfo

* Configure /etc/samba/smb.conf to something like this. I modified the file from /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smb.conf

[global]
   workgroup = IDEALX-NT
   netbios name = PDC-SRV
   security = user
   enable privileges = yes
   server string = Samba Server %v
   encrypt passwords = Yes
   passdb backend = ldapsam:ldap://argos.dev/
   ldap admin dn = cn=Manager,dc=argos,dc=dev
   ldap ssl = start_tls
   ldap suffix = dc=argos,dc=dev
   ldap group suffix = ou=Groups
   ldap user suffix = ou=Users
   ldap machine suffix = ou=Computers

[homes]
   comment = LAM IT Home Directories
   force create mode = 0660 
   force directory mode = 0770
   writable = yes

* Restart samba

service smb restart

Time to check your work

If you have followed everything correctly so far, you should have a secure authentication system in your network. Congratulations! Time to do some checking:

* On athena.dev, try to log in

ssh bernard@localhost

* bernard does not exist in athena.dev's local user database, so the login should be authenticated against argos.dev, the LDAP server. You can check this using tcpdump. Open up a new terminal and run

tcpdump -i eth0 port ldap -v -X

* You should see the packets exchanged between athena.dev and argos.dev. You shouldn't be able to decipher anything because it has been encrypted with TLS.
* In Windows, try mapping the samba share, i.e. \\athena.dev\homes. You should be in bernard’s home directory after logging in.
* On athena.dev, see the user information using

smbldap-usershow bernard

Troubleshooting and Tips

* Use “tcpdump” to check that your password is really encrypted on the wire.
* On argos.dev, you can run the LDAP daemon directly in the foreground to get more debugging information.

service ldap stop
/usr/sbin/slapd -h ldap:/// -u ldap -d9

* “testparm” is good for debugging the samba config.
* To check the samba connection from the command line, on athena.dev:

smbclient -L localhost -U user

* Finally, don’t forget to look at the logs, i.e. /var/log/secure, /var/log/messages and /var/log/samba.

* LDAP uses port 389 and LDAPS uses 636. I used TLS (StartTLS) over port 389. You can choose to use LDAPS instead, in which case you need to add “ssl on” in /etc/ldap.conf. You can also use the firewall to close port 389 or 636. “netstat” is a good command to check whether the correct ports are open.

* Other than smbldap-populate, you can use OpenLDAP's built-in migration scripts to populate the LDAP database quickly, i.e. the scripts in /usr/share/openldap/migration. Personally, I don’t really like them because they bring in a lot of junk (you can configure them, of course).

* TLS encrypts the password in transit over the network. If you like, you can install Kerberos as well; there are other benefits to using Kerberos.

* If you are using a firewall, remember to turn it back on and allow port 389. Port 22 should be allowed by default.

What’s Next

* You might have noticed that smbldap-useradd tries to create a user directory, i.e. /home/bernard, on the local machine. This directory will not be accessible from other machines. If this is not desirable, what we need is a global user directory accessible from any machine. To do that, we can change the userHome directive in /etc/smbldap-tools/smbldap.conf to “/home/data/%U”, then share /home/data over NFS in the network. If you have SELinux or the firewall turned on, you need to make changes to the booleans and ports.

* There are many good LDAP management consoles out there. Something with a GUI is a good start. I tried phpldapadmin before; not bad.

* If you are using a web-based management console, add SSL to Apache so that the console is encrypted as well.

* If you have password protection for certain web directories, try to get Apache to authenticate against LDAP as well. It is not hard; you just need to install the Apache LDAP module.

Good LDAP + Samba Resources:

I might have left out some details in this tutorial. These resources might help.

* http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch31_:_Centralized_Logins_Using_LDAP_and_RADIUS
* http://www.openldap.org/doc/admin24/index.html
* http://download.gna.org/smbldap-tools/docs/samba-ldap-howto/
* http://download.gna.org/smbldap-tools/docs/smbldap-tools/
* http://www.nomis52.net/?section=docs&page=samldap

Conclusion

It is definitely confidence boosting to be able to set up a secure LDAP server. As a caution, the settings I use here are very generic and suit just this tutorial. If you are doing a live deployment, you will have to tweak the parameters for your own needs. I recommend doing more reading even after getting this to work for the first time.

I spent quite a bit of time writing this tutorial. If you do find it useful, please leave a comment and tell the whole world about it!!!

Peace out,

Bernard Peh
18 Sept 2009

Author: bpeh

Bernard Peh is passionate about web technologies and one of the co-founders of Sitecritic.net Website Design and Reviews. He works with experienced web designers and developers every day, developing and designing commercial websites. He specialises mainly in SEO and PHP programming.

11 thoughts on “Setting Up A Secure Linux Authentication Server Quickly (LDAP + TLS + SAMBA)”

  1. Your submit is quite very good, most on the time when I visit blogs they are total crap plus the content articles are written purely for seek engine visitors. But inside your case this is extremely excellent, direct to the point and straightforward.

  2. howdy there, i just found your site via google, and i would like to tell that you write exceptionally good on your website. i am very struck by the mode that you compose, and the message is good. in any case, i would also like to acknowledge whether you would love to exchange links with my website? i will be more than happy to reciprocate and insert your link off in the link section. looking for your answer, i would like to convey my appreciation and gooday!

  3. It was really interesting, I've bookmarked your website and will follow your activity from now. Can I share this on my blog ?

  4. Hi, my english isn't extremely but I feel by regulary visits of the blog it are going to be better within the next time. You have a beneficial writing style that is easy to understand and can assists people like me to learn english. I will be now a regulary visitor of your blog.

  5. I lately read the manga to view if this anime is worth the hype, and in my judgment it is worth watching. For those who do not interpret any manga or acknowledge anything about it, Bakuman presents us a peek at the sweat put into preparing one, and the tension and uncertainness a mangaka goes through. I feel Bakuman establishes a pragmatic view of what goes on behind the scenes to produce a manga, well as real as it can be given it is Shoujo and they need to move the narrative to keep it gripping.

  6. Good weblog. I acquired a lot of good information. We've already been keeping an eye on fraxel treatments with regard to some time. It's interesting how it retains moving, yet a few of the core elements stay exactly the same.

  7. Its like you read my mind! You appear to know a lot about this, like you wrote the book in it or something. I think that you could do with a few pics to drive the message home a little bit, but other than that, this is great blog. A fantastic read. I’ll definitely be back.
