Difference between revisions of "Client Authentication:Ubuntu via sssd/ldap"

From SME Server
Jump to navigationJump to search
m
Line 13: Line 13:
 
These lines are a translation of the method given by Daniel: https://wikit.firewall-services.com/doku.php/tuto/ipasserelle/authentification/ubuntu_sssd_on_sme. Many thanks to him for it.
 
These lines are a translation of the method given by Daniel: https://wikit.firewall-services.com/doku.php/tuto/ipasserelle/authentification/ubuntu_sssd_on_sme. Many thanks to him for it.
  
 +
==Backup==
 +
{{Warning box|This process may lock you out of the client machine. Make sure that on the client machine you have a local only user account with a name that is different to any users on the server e.g. 'localadminuser'
 +
It is worth taking a backup of the following files
 +
/etc/pam.d/common-account
 +
/etc/pam.d/common-auth
 +
/etc/pam.d/common-password
 +
/etc/pam.d/common-session
 +
/etc/pam.d/common-session-noninteractive
 +
}}
 +
 +
cp /etc/pam.d/common* /home/myhome/backup
 +
 +
==Assumptions==
 
In this how-to we assume that:
 
In this how-to we assume that:
 
  the host name of the SME is "sme-server" and the domain is "domain.tld".
 
  the host name of the SME is "sme-server" and the domain is "domain.tld".
Line 18: Line 31:
 
==Configuration of the SME-server==
 
==Configuration of the SME-server==
 
There is little configuration required in SME server.  
 
There is little configuration required in SME server.  
*The only thing to do is to create a user (named "auth" in this how-to) via the server-manager and to give him a valid password ("something_very_secret" in the how-to).
+
*The only thing to do is to create a user (named "auth" in this how-to) via the server-manager and to give them a valid password ("something_very_secret" in the how-to).
 
It is not required to make "auth" member of any group.
 
It is not required to make "auth" member of any group.
  
 
*In addition, it is recommended to install and configure [[PHPki]] in order to make the managing of the self-created certificates easier.
 
*In addition, it is recommended to install and configure [[PHPki]] in order to make the managing of the self-created certificates easier.
  
==Configuration of the client Ubuntu==
+
==Configuration of the Ubuntu client==
 
===Installation of the required packages===
 
===Installation of the required packages===
 
  sudo apt-get install sssd libnss-sss libpam-sss auth-client-config
 
  sudo apt-get install sssd libnss-sss libpam-sss auth-client-config
 
===Create a symbolic link===
 
===Create a symbolic link===
There seems to be a bug in the version of sssd from Ubuntu and therefore following links must be created:
+
There seems to be a bug in the version of sssd from Ubuntu and therefore the following links must be created:
 
  ln -s /usr/lib /usr/modules
 
  ln -s /usr/lib /usr/modules
 
Without it, sssd can't manage membership to the groups in LDAP (source http://us.generation-nt.com/bug-599644-sssd-unable-resolve-ldap-group-memberships-help-200739341.html)
 
Without it, sssd can't manage membership to the groups in LDAP (source http://us.generation-nt.com/bug-599644-sssd-unable-resolve-ldap-group-memberships-help-200739341.html)
  
===Manage the CA of the SME===
+
===Managing the CA on SME===
after having installed PHPki, go to https://www.domain.tld/phpki and download on the client machine the certificate of authority (ca-certificates.crt).
+
after having installed PHPki, go to https://www.domain.tld/phpki and download the certificate of authority (ca-certificates.crt) to the client machine .
  
 
Place a copy of it or of another CA into /etc/ssl/certs/ and give the 644 permissions:
 
Place a copy of it or of another CA into /etc/ssl/certs/ and give the 644 permissions:
  cp ~/download/ca-certificates.crt /etc/ssl/certs/
+
  cp ~/Downloads/ca-certificates.crt /etc/ssl/certs/
 
  chmod 644 /etc/ssl/certs/ca-certificates.crt
 
  chmod 644 /etc/ssl/certs/ca-certificates.crt
  
 
===Configure SSSD===
 
===Configure SSSD===
The configuration of sssd is achieved in a classical way (as for Ubuntu or Fedora for exemple) and is made by the file /ets/sssd/sssd.conf.
+
The configuration of sssd is achieved in a standard way (as per Ubuntu or Fedora for example) and is made by the file /ets/sssd/sssd.conf.
  
* At the beginning of this file, the used domain has to be set. In sssd, a domain can be taken as a source of content. it is possible to set several domains in order of priority.  
+
* At the beginning of this file, the used domain has to be set. In sssd, a domain can be taken as a source of content. It is possible to set several domains in order of priority.  
 
* And deeper in the file, we will add the configuration of the domain  
 
* And deeper in the file, we will add the configuration of the domain  
  
If the file doesn't exist by default it has to be created and it needs to get the permissions 600 to allow the daemon to start:
+
If the file doesn't exist by default it has to be created and it needs to get the permissions 600 to allow the daemon to start.
 +
On Ubuntu clients using sudo you may need to get a root shell first:
 +
 
 +
sudo -i
  
 +
Now we can copy and paste this into the terminal:
 
  cat <<'_EOF' > /etc/sssd/sssd.conf
 
  cat <<'_EOF' > /etc/sssd/sssd.conf
 
  [sssd]
 
  [sssd]
Line 86: Line 103:
 
  #ldap_access_filter = (|(posixMemberOf=admins)(uid=backup))
 
  #ldap_access_filter = (|(posixMemberOf=admins)(uid=backup))
 
  _EOF
 
  _EOF
+
 
 +
Now we need to set the correct permissions on the file:
 
  chmod 600 /etc/sssd/sssd.conf
 
  chmod 600 /etc/sssd/sssd.conf
  
{{Tip box|Make sure that the file /etc/ssl/certs/ca-certificates.crt contains the CA that has sign the certificate of the SME (if  PHPki is used, a version > 0,82-13 is required).}}
+
{{Tip box|Make sure that the file /etc/ssl/certs/ca-certificates.crt contains the CA that has signed the certificate of the SME (if  PHPki is used, a version > 0,82-13 is required).}}
  
 
===Configure the system to use SSSD as a source of authentication:===
 
===Configure the system to use SSSD as a source of authentication:===
Line 126: Line 144:
 
And enable this:
 
And enable this:
 
  sudo auth-client-config -a -p sss
 
  sudo auth-client-config -a -p sss
 +
 +
Now you should be able to reboot and login as a LDAP member
  
 
[[Category:Howto]]
 
[[Category:Howto]]

Revision as of 16:00, 10 May 2016

Warning.png Warning:
This how-to should be validated by Daniel before you use it!!.



Warning.png Warning:
This is based upon limited testing and a small number of users.


Introduction

This how-to shows how to configure a SME-server (>=8b6) and a client Ubuntu for a LDAP based SSSD authentication of the client machine on the configured user accounts of the SME.

The main advantage in comparaison to nss_ldap is that the authentication information stays in the cache and the authentication can therefore still work even in offline mode (when the server not available).

Nevertheless, the creation of a local user with the admin rights is recommended for the emergency case.

These lines are a translation of the method given by Daniel: https://wikit.firewall-services.com/doku.php/tuto/ipasserelle/authentification/ubuntu_sssd_on_sme. Many thanks to him for it.

Backup

Warning.png Warning:
This process may lock you out of the client machine. Make sure that on the client machine you have a local only user account with a name that is different to any users on the server e.g. 'localadminuser'

It is worth taking a backup of the following files /etc/pam.d/common-account /etc/pam.d/common-auth /etc/pam.d/common-password /etc/pam.d/common-session /etc/pam.d/common-session-noninteractive 


cp /etc/pam.d/common* /home/myhome/backup

Assumptions

In this how-to we assume that: 

the host name of the SME is "sme-server" and the domain is "domain.tld".

Configuration of the SME-server

There is little configuration required in SME server.

  • The only thing to do is to create a user (named "auth" in this how-to) via the server-manager and to give them a valid password ("something_very_secret" in the how-to).

It is not required to make "auth" member of any group.

  • In addition, it is recommended to install and configure PHPki in order to make the managing of the self-created certificates easier.

Configuration of the Ubuntu client

Installation of the required packages

sudo apt-get install sssd libnss-sss libpam-sss auth-client-config

Create a symbolic link

There seems to be a bug in the version of sssd from Ubuntu and therefore the following links must be created: 

ln -s /usr/lib /usr/modules

Without it, sssd can't manage membership to the groups in LDAP (source http://us.generation-nt.com/bug-599644-sssd-unable-resolve-ldap-group-memberships-help-200739341.html)

Managing the CA on SME

after having installed PHPki, go to https://www.domain.tld/phpki and download the certificate of authority (ca-certificates.crt) to the client machine .

Place a copy of it or of another CA into /etc/ssl/certs/ and give the 644 permissions: 

cp ~/Downloads/ca-certificates.crt /etc/ssl/certs/
chmod 644 /etc/ssl/certs/ca-certificates.crt

Configure SSSD

The configuration of sssd is achieved in a standard way (as per Ubuntu or Fedora for example) and is made by the file /ets/sssd/sssd.conf.

  • At the beginning of this file, the used domain has to be set. In sssd, a domain can be taken as a source of content. It is possible to set several domains in order of priority.
  • And deeper in the file, we will add the configuration of the domain

If the file doesn't exist by default it has to be created and it needs to get the permissions 600 to allow the daemon to start. On Ubuntu clients using sudo you may need to get a root shell first: 

sudo -i

Now we can copy and paste this into the terminal: 

cat <<'_EOF' > /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[nss]

[pam]

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://sme-server.domain.tld
ldap_default_bind_dn = uid=auth,ou=Users,dc=domain,dc=tld
ldap_default_authtok = something_very_secret
ldap_default_authtok_type = password
ldap_search_base = dc=domain,dc=tld
ldap_user_search_base = ou=Users,dc=domain,dc=tld
ldap_group_search_base = ou=Groups,dc=domain,dc=tld
ldap_user_object_class = inetOrgPerson
ldap_user_gecos = cn
ldap_tls_reqcert = hard
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_id_use_start_tls = true
# uncomment below if the SME is a “iPasserelle”
#ldap_user_shell = desktopLoginShell
# comment below if the SME is a “iPasserelle”
override_shell = /bin/bash
cache_credentials = true
enumerate = true
# It is possible to filter the logins via a LDAP-filer
# by commenting the both lines below.
# In this exemple, only the users member of the group netusers
# will be valid on this host.
# posixMemberOF is a parameter only for a iPasserelle
#access_provider = ldap
#ldap_access_filter = (|(posixMemberOf=admins)(uid=backup))
_EOF

Now we need to set the correct permissions on the file: 

chmod 600 /etc/sssd/sssd.conf


Information.png Tip:
Make sure that the file /etc/ssl/certs/ca-certificates.crt contains the CA that has signed the certificate of the SME (if PHPki is used, a version > 0,82-13 is required).


Configure the system to use SSSD as a source of authentication:

Use the tool auth-client-config: 

vim /etc/auth-client-config/profile.d/sss

and add following lines: 

[sss]
nss_passwd=     passwd:         compat sss
nss_group=      group:          compat sss
nss_shadow=     shadow:         compat
nss_netgroup=   netgroup:       nis
 
pam_auth=       auth           [success=3 default=ignore]      pam_unix.so nullok_secure try_first_pass
                auth           requisite                       pam_succeed_if.so uid >= 500 quiet
                auth           [success=1 default=ignore]      pam_sss.so use_first_pass
                auth           requisite                       pam_deny.so
                auth           required                        pam_permit.so
 
pam_account=   account         required                        pam_unix.so
               account         sufficient                      pam_localuser.so
               account         sufficient                      pam_succeed_if.so uid < 500 quiet
               account         [default=bad success=ok user_unknown=ignore]    pam_sss.so
               account         required                        pam_permit.so
 
pam_password=  password        sufficient                      pam_unix.so obscure sha512
               password        sufficient                      pam_sss.so use_authtok
               password        required                        pam_deny.so

pam_session=   session         required                        pam_mkhomedir.so skel=/etc/skel/ umask=0077
               session         optional                        pam_keyinit.so  revoke
               session         required                        pam_limits.so
               session         [success=1 default=ignore]      pam_sss.so
               session         required                        pam_unix.so

And enable this: 

sudo auth-client-config -a -p sss

Now you should be able to reboot and login as a LDAP member

Retrieved from "https://wiki.koozali.org/index.php?title=Client_Authentication:Ubuntu_via_sssd/ldap&oldid=31275"