2,306
edits
Changes
Jump to navigation
Jump to search
mLine 1:
Line 1: − + − + − + − + + + Line 18:
Line 20: − + Line 57:
Line 59: − https://www.youtube.com/watch?v=kSCx3tzC0cA+ + + + − + − https://www.youtube.com/watch?v=LVY3WbakcOE&list=PL8B125D10F99838F7+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + − + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
→Troubleshooting
== TODO ==
==TODO==
Check: https://www.digitalocean.com/community/tutorials/how-to-authenticate-client-computers-using-ldap-on-an-ubuntu-12-04-vps<br />
Check: https://www.digitalocean.com/community/tutorials/how-to-authenticate-client-computers-using-ldap-on-an-ubuntu-12-04-vps<br />
ADD: TO_WIKI
ADD: TO_WIKI<br />
== LDAP: Lightweight Directory Access Protocol ==
https://wiki.debian.org/LDAP
=== Server setup ===
==LDAP: Lightweight Directory Access Protocol==
===Server setup===
sudo apt-get install sldap
sudo apt-get install sldap
sudo apt-get install ldap-utils
sudo apt-get install ldap-utils
https://www.youtube.com/watch?v=DM_UQVVVtoY
https://www.youtube.com/watch?v=DM_UQVVVtoY
=== Client setup (PAM: Pluggable Authentication Modules ===
===Client setup (PAM: Pluggable Authentication Modules===
sudo apt-get install libpam-ldap
sudo apt-get install libpam-ldap
sudo apt-get install nscd
sudo apt-get install nscd
/etc/init.d/nscd restart
/etc/init.d/nscd restart
==/etc/ldap.secret==
echo -n ldapsearchpassword > ldap.secret
sudo mv ldap.secret /etc/ldap.secret
chmod 600 /etc/ldap.secret
== More Info ==
==/etc/ldap.conf==
<nowiki>###DEBCONF###
##
## Configuration of this file will be managed by debconf as long as the
## first line of the file says '###DEBCONF###'
##
## You should use dpkg-reconfigure to configure this file via debconf
##
#
# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#
# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
# Uno de los 2 sobra
host rtldap01.rra.lan
uri ldaps://rtldap01.rra.lan
# The distinguished name of the search base.
base dc=rtLDAP01,dc=igrupobbva
ldap_version 3
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn cn=admin,dc=rtLDAP01,dc=igrupobbva
# The port.
# Optional: default is 389.
#port 389
port 636
# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
bind_policy soft
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
pam_password md5
# Netscape SDK LDAPS
ssl on
# Netscape SDK SSL options
#sslpath /etc/ssl/certs
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
#tls_checkpeer yes
#tls_checkpeer no
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertfile /etc/ldap/ca_server.pem
#tls_cacertdir /etc/ssl/certs
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0
# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache
# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5
nss_initgroups_ignoreusers _apt,backup,bin,daemon,games,gnats,irc,list,lp,mail,man,messagebus,mysql,news,proxy,root,sshd,sync,sys,syslog,systemd-bus-proxy,systemd-network,systemd-resolve,systemd-timesync,uucp,uuidd,vboxadd,www-data,rra</nowiki>
== TLS1.2 ==
==/etc/ldap/ldap.conf==
<nowiki>#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE cn=admin,dc=rtLDAP01,dc=igrupobbva
URI ldaps://rtldap01.rra.lan
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ldap/ca_server.pem
TLS_REQCERT never</nowiki>
==/etc/ldap/ca_server.pem==
<nowiki>-----BEGIN CERTIFICATE-----
MIIDAzCCAeugAwIBAgIMWMfFMzfYZ9ruHdHrMA0GCSqGSIb3DQEBCwUAMBsxGTAX
BgNVBAMTEHJ0TERBUCBTZXJ2ZXIgRVMwIhgPMjAxNzAzMTQxMDI1NTVaGA8yMDI3
MDMxMjEwMjU1NVowGzEZMBcGA1UEAxMQcnRMREFQIFNlcnZlciBFUzCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMcM49P9hq7IzJFb6OT+ffutrkI2V23D
EIC9e8MKAV5McPYebbm/RCTFb12vlVAX9OjlyYCatZewr7j94bDXjGpWb3v2oDll
yt9PhtrwvUX1tpmq66ANRSF4oQpqfJjzRpV85f0bokGgsSRWWEf4elskA+pZCSzh
/H2RTGbqRwfubS6qFNaI+1Jg0z2D69vMmo25fawi7oQ2sEY7zxJEOaXYfeLmNXm1
PNXDpzyexOQVK6u0z+e4zpHJN14z4JAyqDNPY4v0mx6H//l3M1ZZfe5l7kM7YKuZ
AUOsqkgCGMTJ8lfN4xyR+7NmPM104qFaeS3jOMr1D1uKGd+KPvfK9CcCAwEAAaND
MEEwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBRr
OqqVkZ3F8rUDjB2e94oid3PLJTANBgkqhkiG9w0BAQsFAAOCAQEAtOA92GJ1ZbfL
Lr5t9MADd4RiqLl36VjCdChHlTvLmXWqbu7962TA730ZmsouiUeFxVCGdLKqmEbH
r7mPfAFjWTfDMUV5YGKeZrtYrQqnLsewyHjsl3DHR536vIOabj7wHiukc8ecy6Mg
p7tMUHExmOYPmgn3u9gFosFGd38aKvFfPJjep+DOKkYZCICdM5a9p6b5lLy9pbGN
lUvj0WAGp6KFr2LlKHVC6YU/JiyPnnC/wOeQaZuG3SWyhS0VO3QHghk/bHYVZLIx
wUBQLiqETyOj08Mq3fFJRM8dQcEdfjMxpeFiDo/7sIvLwEfpLuzDsxuflIR0RTs1
Qwlshp1/+Q==
-----END CERTIFICATE-----</nowiki>
==More Info==
https://www.youtube.com/watch?v=LVY3WbakcOE&list=PL8B125D10F99838F7<br />
http://www.server-world.info/en/note?os=Debian_8&p=openldap&f=4
==TLS1.2==
TODO: Desarrollar
TODO: Desarrollar
Examples olcTLSCipherSuite (cn=config??)<br />
Examples olcTLSCipherSuite (cn=config??)<br />
olcTLSCipherSuite: HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:+SSLv3:-SSLv2<br />
olcTLSCipherSuite: HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:+SSLv3:-SSLv2<br />
olcTLSCipherSuite: HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:-SSLv3:-SSLv2<br />
olcTLSCipherSuite: HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:-SSLv3:-SSLv2<br />
==Troubleshooting==
ldapsearch -x -d 1 -ZZ
ldapsearch -x -LLL uid=xe50582
ldapsearch -h rtLDAP01.igrupobbva -b dc=rtLDAP01,dc=igrupobbva -x uid=xe50582
ldapsearch -x -h freeipa.rra.lan -b dc=rra,dc=lan "(&(objectclass=posixaccount)(objectClass=person)(uid=xe50582))"
getent passwd
getent group
==LDAP SSH Keys==
*Modify LDAP to enable SSH keys storage (google)
*/etc/ssh/sshd_config --> AuthorizedKeysCommand /bin/ldapkeyfile
*/etc/ssh/sshd_config --> AuthorizedKeysCommandUser nobody
/bin/ldapkeyfile
<source lang="bash">#!/usr/bin/env bash
ldapsearch -h rtLDAP01.igrupobbva -b dc=rtLDAP01,dc=igrupobbva -x '(&(objectClass=posixAccount)(uid='"$1"'))' 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'
</source>