TSLAuth

This document is based on information at http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authentication

Introduction

This document describes an alternative authentication configuration for the Shuttleworth Lab (TSL).

The Problem

TSL is a UCT computing facility available to all UCT staff and students. All staff and students are issued with a UCT username and password which they expect to be able to use to access all computing facilities on campus, including TSL. To reduce the administrative load involved in creating accounts and managing passwords it makes sense for TSL to make use of this username and password, rather than provisioning separate authentication credentials.

The UCT credentials are provided through the Novell E-Directory infrastructure and available for use through an LDAP API. Unfortunately, these accounts do not have the unix posix account attributes and therefore cannot be used on their own in a unix environment. Various attempts have been made over the last few years to get ICTS to extend the schema to support the posix account attributes but to no avail.

As a result, TSL uses a hybrid client configuration which uses the UCT credentials for authentication and a YP/NIS domain for the rest of the account information.

While this works, it is less than ideal for the following reasons:

• This complex client-side configuration needs to be implemented on every workstation
• YP/NIS is ugly and insecure
• YP/NIS does not support password aging, account expiry, etc.
• Account creation / management is cumbersome and contributes to the instability of the TSL server

The ideal solution is a pure LDAP one, where any complexity to managed on the authentication server and transparent to the TSL clients and file server.

Solution

The ideal solution is a pure LDAP one, where any complexity to managed on the authentication server and transparent to the TSL clients and file server.

This is possible using OpenLDAP with pass-through authentication as described in the rest of this document.

This solution still requires the provisioning of separate posix accounts in a TSL LDAP server. This can perhaps be automated by a daemon process which monitors the Novell E-Directory and provisions TSL accounts for any new organizationalPerson objects which appear. This service will automatically allocate uids and gids to the accounts and setup the pass-through authentication mapping.

This TSL authentication server can (should!) be a separate logical server, ideally with redundancy at least for the LDAP service.

Details

Authentication Server Configuration

This section describes the configuration of a basic TSL authentication server, auth1.tsl.uct.ac.za. This configuration can be implemented on a physical server or on a virtual machine.

Currently, no attempt is made to describe redundancy.

Software

The following software is required:

• slapd
• sasl2-bin (for saslauthd)
• ldap-utils

Slapd Configuration

No special slapd configuration is required. Slapd hands have authentication to the sasl2 libraries in it finds a password beginning with {SASL}. It uses the bit after the {SASL} as the username and realm. In our case we will not use realms so the username.

Setup a normal LDAP domain with a base of dc=tsl,dc=uct,dc=ac,dc=za. Use GQ or phpldapadmin for simplify management.

The LDAP userPassword attribute will look like this:

userPassword: {SASL}01247611

Here is a sample of a full user:

dn: cn=Craig Balfour,ou=people,dc=tsl,dc=uct,dc=ac,dc=za
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
givenName: Craig
sn: Balfour
cn: Craig Balfour
uid: craig
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/craig
loginShell: /bin/bash
structuralObjectClass: inetOrgPerson
userPassword: {SASL}01247611

Use the following command for debugging:

slapd -g openldap -u openldap -f /etc/ldap/slapd.conf -d 65535

SASL Configuration

This configuration includes the configuration of saslauthd and the libsasl2.

Configure /usr/lib/sasl2/slapd.conf (libsasl2 configuration file) as follows:

mech_list: plain
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

Notes:

• When userPassword attribute begins with {SASL} slapd passes authentication over the the libsasl2 libraries. Local only accounts with have {MD5} passwords.
• Add openldap user to sasl group (and chmod a+rx /var/run/saslauthd?) and /etc/init.d/apparmor stop so that slapd can read the /var/run/saslauthd/mux socket.
• Before starting saslauthd export LDAPTLS_REQCERT=allow (needs to be added to /etc/init.d/saslauthd). Might be able to add this to the global LDAP client configuration on the authentication server.

Configure /etc/saslauthd.conf as follows:

ldap_servers: ldaps://srvslsidm001.uct.ac.za/ ldaps://srvslsidm002.uct.ac.za/
ldap_version: 3
ldap_search_base: ou=users,o=uct
ldap_scope: sub
ldap_auth_method: bind
ldap_filter: (cn=%u)
tls_cert_file: /etc/saslauthd/saco1.crt
tls_key_file: /etc/saslauthd/saco1.key
tls_ca_file: /etc/saslauthd/cs-ca.crt
tls_reqcert: allow

Testing

Test against the Novell E-Directory:

ldapsearch -x -H ldaps://srvslsidm001.uct.ac.za/ -b ou=users,o=uct -D "cn=01247611,ou=users,o=uct" -W 

Test the saslauthd configuration:

testsaslauthd -u 01247611 -p xxx

These the slapd pass-through authentication:

ldapsearch -x -h saco1.cs.uct.ac.za -b "ou=people,dc=nodomain" -D "cn=Craig Balfour,ou=people,dc=nodomain" -w xxx