LDAP and Kerberos: An Overview
Leveraging services provided by Active Directory for Unix/Linux authentication, authorization and name services
March 2007
Jason Testart, Computer Science Computing Facility, University of Waterloo

Summary
- Kerberos is for authentication only and provides Single Sign-on (SSO)
- LDAP can be used for authentication, authorization, and name services (no SSO)
- Active Directory is a kerberized directory service with an LDAP interface
- Use Kerberos for authentication, LDAP for authorization and name services

What do these technologies give us?
- Eliminate password synchronization
- Speed up system deployment
- Reduce development time when a new platform is introduced
- Improve the end-user experience

LDAP
Name services using the Lightweight Directory Access Protocol

What is LDAP?
- A protocol for accessing a directory service
- What's a directory service? Think DNS.
- Database backend: do we care?
- Schema: attributes with OIDs (à la SNMP)
- Objects organized in a tree structure (DIT)
- Operations: bind, search, modify
- LDIF: text file format for describing directory contents

Schema
- Attribute – like a variable in a programming language, it holds a value
- ObjectClass – a special attribute that all directory entries must have, as it acts as a template for the data (enforces a kind of internal consistency)
- AD Schema: http://msdn.microsoft.com/library/enus/ad/ad/active_directory_schema.asp
- Unix Schema: http://www.ietf.org/rfc/rfc2307.txt

Types of Object Classes
- Structural – only one per entry!
- Auxiliary – supplements structural
- Abstract – can't be used directly; only as an ancestor of another class (e.g.
“top”)

Schema Examples
Snippets of OpenLDAP's RFC 2307 schema implementation:

objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount'
    DESC 'Abstraction of an account with POSIX attributes'
    SUP top AUXILIARY
    MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
    MAY ( userPassword $ loginShell $ gecos $ description ) )

attributetype ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory'
    DESC 'The absolute path to the home directory'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

Directory Information Tree (DIT)
DN and RDN of a directory entry:
- RDN – a unique attribute among all siblings of a single parent in the DIT (e.g. “uid=jatestar”)
- DN – concatenation of RDNs when following the path from the entry (node) to the root of the DIT (e.g. “uid=jatestar, ou=people, dc=ldap, dc=student, dc=cs, dc=uwaterloo, dc=ca”)

Directory Entry Example
Entry in /etc/passwd:

jatestar:x:1449:1449:Jason Testart [CSCF],DC2555B,x37174,,:/u4/jatestart:/xhbin/tcsh

Becomes the following LDIF:

dn: uid=jatestar, ou=ldap, ou=people, dc=student, dc=cs, dc=uwaterloo, dc=ca
objectClass: top
objectClass: person
objectClass: posixAccount
cn: Jason Testart
sn: Testart
uid: jatestar
uidNumber: 1449
gidNumber: 1449
homeDirectory: /u4/jatestart
loginShell: /xhbin/tcsh
gecos: Jason Testart [CSCF],DC2555B,x37174,,

Some LDAP Interfaces
- LDIF – ldapsearch, ldapmodify, ldp.exe (see “man ldif”, “man ldapsearch”, etc.)
- Perl – Net::LDAP (see http://ldap.perl.org/)
- C/C++ – OpenLDAP API, likely others (see “man 3 ldap”)
- ADSI – Windows specific (see http://www.microsoft.com/windows2000/techinfo/howitworks/activedirectory/adsilinks.asp)

When interfacing, you need…
- Server hostname
- Bind DN
- Base DN (if searching)
- SSL?

Note: An Active Directory domain controller will accept the value of the userPrincipalName attribute as the binddn (e.g.
“jatestar@nexus.uwaterloo.ca” is friendlier than “CN=Jason J Testart (jatestar),OU=CSCF,OU=Staff,OU=Accounts,OU=Computer Science,OU=Faculties,DC=NEXUS,DC=UWATERLOO,DC=CA”)

What object classes does AD use for users?
Query:

ldapsearch -x -W -H "ldaps://canadenis.student.cs.uwaterloo.ca" \
    -D "jatestar@student.cs.uwaterloo.ca" \
    -b "dc=student,dc=cs,dc=uwaterloo,dc=ca" \
    "(cn=jatestar)" objectClass

Yields:

dn: CN=jatestar,OU=Users,OU=CS,DC=student,DC=cs,DC=uwaterloo,DC=ca
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user

Need Unix attributes in AD
- The user objectClass is missing needed attributes that RFC 2307 provides
- So, extend the schema in AD, but be careful!
- Differences between MS-SFU 2.0, MS-SFU 3.5 and the schema provided by Windows Server 2003 R2
- Maximize use of client attribute mappings!

Attribute Mappings
- Example: “When I ask for the gecos attribute value, fetch the value of cn from the directory instead”
- Minimize duplication of data in the directory (i.e. redundant attributes)
- In some cases, doing this allows you to avoid extending the schema of a directory

Groups
- posixGroup uses memberUid, which is the uid of the member
- groupOfUniqueNames uses the member attribute, which is the DN of the member
- Attribute mappings may be inappropriate, redundancy may be unavoidable
- Netgroups may give additional functionality, with additional complexity

Applying the knowledge (client-side)
- Make sure you know what directory attributes you are using!
- Tell /etc/nsswitch.conf to use the nss_ldap library from padl.com
- Edit ldap.conf appropriately to point to AD and define the attribute maps
- No need to add users/groups in /etc/passwd or /etc/group!

Kerberos
Using Active Directory Kerberos for Unix/Linux authentication

What is Kerberos?
- Authentication protocol
- Secure SSO
- Trusted 3rd party
- Mutual authentication

Some Kerberos Terminology
- User principal
- Host/service principal
- Instance
- Realm
- KDC
- TGT
- Credential cache

Principals
username[/instance]@REALM
servicename/FQDN@REALM

Examples:
jatestar@NEXUS.UWATERLOO.CA
nfs/gl01.student.cs.uwaterloo.ca@STUDENT.CS.UWATERLOO.CA
host/cpu14.student.cs.uwaterloo.ca@STUDENT.CS.UWATERLOO.CA
imap/services02.student.cs.uwaterloo.ca@STUDENT.CS.UWATERLOO.CA

Credential Cache (on a Mac)

$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jatestar@STUDENT.CS.UWATERLOO.CA
Valid starting     Expires            Service principal
12/13/06 01:06:50  12/13/06 11:05:03  krbtgt/STUDENT.CS.UWATERLOO.CA@STUDENT.CS.UWATERLOO.CA
        renew until 12/14/06 01:06:50
12/13/06 01:06:38  12/13/06 11:05:03  fs02$@STUDENT.CS.UWATERLOO.CA
        renew until 12/14/06 01:06:50
12/13/06 01:10:23  12/13/06 11:05:03  host/cpu20.student.cs.uwaterloo.ca@STUDENT.CS.UWATERLOO.CA
        renew until 12/14/06 01:06:50

AD Domain == Kerberos v5 Realm
- Domain controllers provide KDC functionality
- A “domain” is synonymous with “realm”
- Joining a Windows computer to a domain means you are creating a host principal in the realm
- No multipart principal names in AD, so mappings are needed for instances

Adding a Unix host to AD
- Create a user account for the host/service (e.g.
cpu04-host)
- Map the account to a service principal: host/cpu04.student.cs.uwaterloo.ca@STUDENT.CS.UWATERLOO.CA
- Set the account password
- Generate a krb5.keytab file
- Stick the keytab file in /etc/krb5 on cpu04
- Done on all student.cs CPU servers

Adding a Unix host to AD (sans GUI)
Create the account using LDIF (from a Linux box):

% ldapmodify -x -W -H ldaps://canadenis -D "Administrator@student.cs.uwaterloo.ca"
dn: cn=cpu04-host,OU=Service Principals,DC=student,DC=cs,DC=uwaterloo,DC=ca
changetype: add
cn: cpu04-host
objectClass: user
sAMAccountName: cpu04-host
displayName: cpu04-host
description: Kerberos host service principal for cpu04
userAccountControl: 2097664

Do the mapping and generate a keytab file (on the domain controller; ktpass takes the password with -pass):

ktpass -princ host/cpu04.student.cs.uwaterloo.ca@STUDENT.CS.UWATERLOO.CA -mapuser cpu04-host -pass S0m3Rand0mPaZZw0rd -out cpu04-host.keytab

Tell Unix login to authenticate against AD
- Set up an appropriate /etc/krb5.conf
- Modify the PAM authentication stack to use the pam_krb5 module
- Lots of work for simple authentication! Could have used LDAP, or RADIUS, etc.

Kerberos gives us
- Single Sign-On
- Can take advantage of domain trusts!
- Most apps use SASL and GSSAPI to support Kerberos 5

SSH and SSO
- Configure SSH clients and servers to use GSSAPI for authentication
- Mac Lab user can ssh to a CPU server without a password (no ssh keys or .shosts required)
- Honours .k5login file (handy for course accounts)
- Possibilities with NFS (v3+), IMAP, SMTP AUTH, HTTP, etc.

SSO Demo (Linux client to AD)
- Show krb5.conf
- Login to realm (kinit)
- Show file shares on NetApp
- Query our entry on domain controller
- Show resulting credential cache (klist)
- Logout of realm (kdestroy)

Using slapd (OpenLDAP) with AD
- OpenLDAP supports Kerberos via SASL/GSSAPI
- Can map entities in a realm with entries in the directory
- Use authz-regexp directive in slapd.conf
- See: http://www.openldap.org/doc/admin23/sasl.html

References
- LDAP System Administration by Gerald Carter (O'Reilly)
- Kerberos: The Definitive Guide by Jason Garman (O'Reilly)
- Unified Windows® and UNIX® Authorization Using Microsoft® Active Directory LDAP as a Directory Store by Ellie Berriman (Network Appliance Inc.)
- Unified Windows® and UNIX® Authentication Using Microsoft® Active Directory Kerberos by Ellie Berriman (Network Appliance Inc.)
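Worked example, added here at the end of the deck and not code from the talk or from the University of Waterloo: the deck's thesis (Kerberos identifies the user, LDAP supplies authorization and name-service data) carried through the Principals, Attribute Mappings and authz-regexp slides in one script. A Kerberos principal is parsed, turned into the uid=...,cn=<realm>,cn=gssapi,cn=auth identity slapd assigns to a GSSAPI bind, rewritten by an authz-regexp-style rule to a directory DN, and the entry found there is projected through nss_ldap-style attribute maps onto posixAccount, reporting which RFC 2307 MUST attributes a bare AD user lacks before the schema is extended. The regexp and its ou=people target, the attribute map, the directory entries and the "<host>-<service>" account naming generalised from the cpu04-host example are all assumptions or constructed data, not anything the deck or AD prescribes.

```python
"""Kerberos identity -> directory entry -> POSIX account.

Added example (not from the deck). Directory contents, the authz-regexp rule,
the attribute map and the host-account naming are constructed/assumed.
"""
import re

# Kerberos v5 principal: primary[/instance]@REALM (the Principals slide)
PRINCIPAL_RE = re.compile(
    r"^(?P<primary>[^/@]+)(?:/(?P<instance>[^@]+))?@(?P<realm>[^@]+)$")


def parse_principal(principal):
    """Split a principal into (primary, instance or None, realm)."""
    m = PRINCIPAL_RE.match(principal)
    if not m:
        raise ValueError(f"not a Kerberos principal: {principal!r}")
    return m.group("primary"), m.group("instance"), m.group("realm")


def ad_account_for(service_principal):
    """AD has no multipart principal names, so host/<fqdn> must be backed by a
    plain account. The '<host>-<service>' name (cpu04-host) generalises the
    deck's example; it is a site convention (assumed), not an AD rule."""
    service, fqdn, _realm = parse_principal(service_principal)
    if fqdn is None:
        raise ValueError("a service principal needs a host instance")
    return f"{fqdn.split('.')[0]}-{service}"


# slapd names a GSSAPI-authenticated client uid=<primary>,cn=<realm>,cn=gssapi,cn=auth
# and authz-regexp rewrites that to a real entry. The pattern/replacement below
# stand in for an assumed authz-regexp line in slapd.conf (case-insensitive so the
# upper-case realm matches either way).
AUTHZ_PATTERN = re.compile(
    r"^uid=([^,]+),cn=student\.cs\.uwaterloo\.ca,cn=gssapi,cn=auth$", re.IGNORECASE)
AUTHZ_REPLACEMENT = r"uid=\1,ou=people,dc=student,dc=cs,dc=uwaterloo,dc=ca"


def sasl_authz_dn(principal):
    """The authorization identity slapd derives from a Kerberos principal."""
    primary, instance, realm = parse_principal(principal)
    uid = primary if instance is None else f"{primary}/{instance}"
    return f"uid={uid},cn={realm},cn=gssapi,cn=auth"


def map_authz_dn(authz_dn):
    """Apply the authz-regexp rule; None means no rule matched (bind stays unmapped)."""
    if not AUTHZ_PATTERN.match(authz_dn):
        return None
    return AUTHZ_PATTERN.sub(AUTHZ_REPLACEMENT, authz_dn)


# posixAccount MUST/MAY attributes, from the RFC 2307 schema snippet on the deck.
POSIX_MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")
POSIX_MAY = ("loginShell", "gecos")

# nss_ldap-style attribute map: POSIX attribute -> attribute actually read from AD.
# Identifiers can be remapped (the deck's "gecos <- cn" example); uidNumber,
# gidNumber and homeDirectory have no counterpart in the AD 'user' class, so they
# only exist once the schema is extended (SFU or Windows Server 2003 R2).
ATTRIBUTE_MAP = {"uid": "sAMAccountName", "gecos": "cn"}  # assumed mapping


def posix_view(entry, attribute_map=ATTRIBUTE_MAP):
    """Project one entry (attr -> value) onto posixAccount.
    Returns (attrs, missing MUST attrs)."""
    view = {}
    for name in POSIX_MUST + POSIX_MAY:
        source = attribute_map.get(name, name)
        if source in entry:
            view[name] = entry[source]
    return view, [a for a in POSIX_MUST if a not in view]


def passwd_line(view):
    """Render the view the way nss_ldap hands it to getpwnam(3)."""
    return ":".join([view["uid"], "x", view["uidNumber"], view["gidNumber"],
                     view.get("gecos", ""), view["homeDirectory"],
                     view.get("loginShell", "")])


def resolve(principal, directory):
    """Whole flow: principal -> authz DN -> entry -> POSIX view, or None if unmapped."""
    dn = map_authz_dn(sasl_authz_dn(principal))
    if dn is None or dn not in directory:
        return None
    return posix_view(directory[dn])


# Constructed entries: the first is shaped like the deck's ldapsearch result for a
# bare AD user, the second has the RFC 2307 attributes a schema extension adds.
BARE_AD_USER = {"cn": "jatestar", "sAMAccountName": "jatestar",
                "objectClass": ("top", "person", "organizationalPerson", "user")}
EXTENDED_AD_USER = dict(BARE_AD_USER, uidNumber="1449", gidNumber="1449",
                        homeDirectory="/u4/jatestart", loginShell="/xhbin/tcsh")
DIRECTORY = {"uid=jatestar,ou=people,dc=student,dc=cs,dc=uwaterloo,dc=ca": EXTENDED_AD_USER}

if __name__ == "__main__":
    print(ad_account_for("host/cpu04.student.cs.uwaterloo.ca@STUDENT.CS.UWATERLOO.CA"))
    print("bare AD user lacks:", posix_view(BARE_AD_USER)[1])
    view, missing = resolve("jatestar@STUDENT.CS.UWATERLOO.CA", DIRECTORY)
    print(passwd_line(view) if not missing else missing)
    print(resolve("jatestar@NEXUS.UWATERLOO.CA", DIRECTORY))  # no rule for that realm
```

Run it as a script to see the three stages: the bare AD user comes back with uidNumber, gidNumber and homeDirectory missing (the "Need Unix attributes in AD" point), the extended entry yields a complete passwd line, and a principal from a realm no authz-regexp rule covers resolves to nothing, which is where a cross-realm mapping would have to be added before a trusted domain's users get a POSIX identity.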