Difference between revisions of "TSLAuth"
| Line 1: | Line 1: | ||
| This document is based on information at http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authentication | This document is based on information at http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authentication | ||
| + | |||
| + | == The Problem == | ||
| + | |||
| + | TSL currently uses an ugly configuration which consists of a combination of NIS/YP domain for Posix account information, and LDAP authentication for the UCT Novell NDS. Ideally we would like to just use the NDS but its users do not contain the unix posix account attributes and numerous requests over years to extend the schema to support these have got nowhere.  | ||
| + | |||
| + | Additionally, NIS/YP is insecure and does not support useful stuff like account aging and expiration.  | ||
| + | |||
| + | == Solution ==  | ||
| + | |||
| + | The ideal solution is to move to a pure LDAP configuration. This is possible using OpenLDAP with pass-through authentication.  | ||
| + | |||
| + | I like this solution because all of the work is done on the authentication server keeping the client configuration simpler.  | ||
| + | |||
| + | == Details == | ||
| On saco1: | On saco1: | ||
Revision as of 15:44, 22 December 2009
This document is based on information at http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authentication
Contents
The Problem
TSL currently uses an ugly configuration which consists of a combination of NIS/YP domain for Posix account information, and LDAP authentication for the UCT Novell NDS. Ideally we would like to just use the NDS but its users do not contain the unix posix account attributes and numerous requests over years to extend the schema to support these have got nowhere.
Additionally, NIS/YP is insecure and does not support useful stuff like account aging and expiration.
Solution
The ideal solution is to move to a pure LDAP configuration. This is possible using OpenLDAP with pass-through authentication.
I like this solution because all of the work is done on the authentication server keeping the client configuration simpler.
Details
On saco1:
Install slapd, sasl2-bin (for saslauthd)
Slapd Configuration
/etc/ldap/slapd.conf (slapd configuration file): Nothing special required.
To run the maximum debugging:
slapd -g openldap -u openldap -f /etc/ldap/slapd.conf -d 65535
Create a user object and set the userPassword attribute to {SASL}username where username is the username on the remote LDAP system.
SASL2 and Saslauthd Configuration
/usr/lib/sasl2/slapd.conf (libsasl2 configuration file):
mech_list: plain pwcheck_method: saslauthd saslauthd_path: /var/run/saslauthd/mux
Notes: - When userPassword attribute begins with {SASL} slapd passes authentication over the the libsasl2 libraries. - chmod a+rx /var/run/saslauthd and /etc/init.d/apparmor stop so that slapd can read the saslauthd socket - Before starting saslauthd export LDAPTLS_REQCERT=allow (needs to be added to /etc/init.d/saslauthd)
- Note
/etc/saslauthd.conf:
ldap_servers: ldap://callisto.cs.uct.ac.za/ ldap_version: 3 ldap_search_base: ou=people,dc=cs,dc=uct,dc=ac,dc=za ldap_scope: sub ldap_auth_method: bind ldap_filter: (uid=%u)
Testing
saslauthd
testsaslauthd -u 01247611 -p xxx
= slapd pass-through authentication
ldapsearch -x -h saco1.cs.uct.ac.za -b "ou=people,dc=nodomain" -D "cn=Craig Balfour,ou=people,dc=nodomain" -w xxx
