Difference between revisions of "TSLAuth"

From Department of Computer Science
Line 1: Line 1:
 
This document is based on information at http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authentication
 
This document is based on information at http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authentication
 +
 +
== Introduction ==
 +
 +
This document describes an alternative authentication configuration for the Shuttleworth Lab (TLS).
  
 
== The Problem ==
 
== The Problem ==

Revision as of 15:47, 22 December 2009

This document is based on information at http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authentication

Introduction

This document describes an alternative authentication configuration for the Shuttleworth Lab (TLS).

The Problem

TSL currently uses an ugly configuration which consists of a combination of NIS/YP domain for Posix account information, and LDAP authentication for the UCT Novell NDS. Ideally we would like to just use the NDS but its users do not contain the unix posix account attributes and numerous requests over years to extend the schema to support these have got nowhere.

Additionally, NIS/YP is insecure and does not support useful stuff like account aging and expiration.

Solution

The ideal solution is to move to a pure LDAP configuration. This is possible using OpenLDAP with pass-through authentication.

I like this solution because all of the work is done on the authentication server keeping the client configuration simpler.

Details

On saco1:

Install slapd, sasl2-bin (for saslauthd)

Slapd Configuration

/etc/ldap/slapd.conf (slapd configuration file): Nothing special required.

To run the maximum debugging:

slapd -g openldap -u openldap -f /etc/ldap/slapd.conf -d 65535

Create a user object and set the userPassword attribute to {SASL}username where username is the username on the remote LDAP system.

SASL2 and Saslauthd Configuration

/usr/lib/sasl2/slapd.conf (libsasl2 configuration file):

mech_list: plain pwcheck_method: saslauthd saslauthd_path: /var/run/saslauthd/mux

Notes: - When userPassword attribute begins with {SASL} slapd passes authentication over the the libsasl2 libraries. - chmod a+rx /var/run/saslauthd and /etc/init.d/apparmor stop so that slapd can read the saslauthd socket - Before starting saslauthd export LDAPTLS_REQCERT=allow (needs to be added to /etc/init.d/saslauthd)

- Note

/etc/saslauthd.conf:

ldap_servers: ldap://callisto.cs.uct.ac.za/ ldap_version: 3 ldap_search_base: ou=people,dc=cs,dc=uct,dc=ac,dc=za ldap_scope: sub ldap_auth_method: bind ldap_filter: (uid=%u)

Testing

saslauthd

testsaslauthd -u 01247611 -p xxx

= slapd pass-through authentication

ldapsearch -x -h saco1.cs.uct.ac.za -b "ou=people,dc=nodomain" -D "cn=Craig Balfour,ou=people,dc=nodomain" -w xxx