Wiki source for SingleSignOn



<<{{color c="red" text="THIS PAGE IS DEPRECATED"}}
Please visit the current page [[SingleSignOn(FreeIPA)|here]].<<::c::

====Moving towards Single Sign-On====
[[https://help.ubuntu.com/community/SingleSignOn Ubuntu Guide to SingleSignOn]]

>>===See Also===
~- [[AdminEmail E-mail Management]]
~- [[CommonWorkstationIssues Common Issues]]>>

===Kerberos===
The Kerberos protocol, in its MIT Kerberos 5 implementation, handles user authentication. Clients request a TGT (Ticket Granting Ticket) from the Authentication Service component of the Key Distribution Center (KDC); once the symmetric-key verification completes, the client is granted the ticket and uses it to obtain Service Tickets. A TGT can be reused until the ticket lifetime of the Kerberos principal (the user, in this example) runs out, and a Service Ticket can be reused for its respective service until it expires. These reusable tickets provide the SSO functionality. The KDC and realm are configured through DNS to reduce setup on clients (although krb5.conf may contain that information as well). Keytabs are created for machine principals that need to authenticate against the KDC, and they include the service principals that require authentication. For instance, Linux clients have host and service principals; the keytab on a Linux client allows root to mount NFS shares.

Kerberos requires that hostnames make sense (the FQDN of each client must resolve) and that clocks are in sync.

Keytabs must be protected, and so must the credential cache files stored in /tmp.
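An added example (not from the original page) of the permission audit this implies: every keytab and credential cache should be readable only by its owner. The keytab path and the /tmp/krb5cc_<uid> cache naming are assumed MIT defaults.

```shell
# Added example, not from the original page: audit the permissions on a
# keytab and on the credential caches in /tmp. Paths are assumed defaults.

# Octal permission bits and owner of a file (GNU stat, BSD stat fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
file_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

# Succeeds only if the file exists, is owned by the expected user and
# grants no access to group or other; prints the reason otherwise.
check_secret_file() {
    path=$1; expected_owner=$2
    [ -f "$path" ] || { echo "$path: missing"; return 1; }
    perms=$(file_mode "$path" | sed 's/.*\(...\)$/\1/')   # last three digits
    owner=$(file_owner "$path")
    case "$perms" in
        ?00) ;;
        *) echo "$path: mode $perms exposes key material"; return 1 ;;
    esac
    if [ "$owner" != "$expected_owner" ]; then
        echo "$path: owned by $owner, expected $expected_owner"; return 1
    fi
    return 0
}

# The host keytab must be root-only; each krb5cc_<uid> cache must belong to
# the uid encoded in its name (the default MIT cache naming scheme).
audit_kerberos_secrets() {
    rc=0
    check_secret_file /etc/krb5.keytab root || rc=1
    for cc in /tmp/krb5cc_*; do
        [ -e "$cc" ] || continue
        uid=${cc#/tmp/krb5cc_}; uid=${uid%%_*}
        owner=$(id -un "$uid" 2>/dev/null || echo "uid $uid")
        check_secret_file "$cc" "$owner" || rc=1
    done
    return $rc
}
```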

===OpenLDAP===
OpenLDAP, an implementation of the Lightweight Directory Access Protocol, provides the networking component for accessing the directory data stored in its BDB backend. OpenLDAP serves just a simple directory store: no passwords, no sensitive information beyond user names. LDAP authorizes based on Kerberos authentication via the GSSAPI glue layer, trusting that Kerberos has done its job and that the Kerberos-authenticated user is who she says she is. Various network services can hook into the Kerberized LDAP if they have GSSAPI support.

There is no LDAP password stored in slapd.conf. The root DN is determined like all other authenticated DNs, by authenticating through GSSAPI. Kinited usernames are mapped to DNs via authz-regexp in slapd.conf. ACLs defined in slapd.conf allow writes by self (excluding attributes such as uid/gid, homeDirectory and password), and writes by root, defined as the Kerberos principal ldapadmin (which is not in LDAP), and by members of the group ldapadmins.
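The authz-regexp mapping is the hinge of this setup, so it is worth checking after a kinit. The following is an added example, not from the original page: the realm EXAMPLE.COM, the base DN and the exact rewrite rule are assumptions, and the live check uses the real ldapwhoami tool.

```shell
# Added example, not from the original page. Realm, base DN and the exact
# authz-regexp are assumptions; take the real values from slapd.conf.
REALM=EXAMPLE.COM
BASE_DN='dc=example,dc=com'

# Mirrors an assumed slapd.conf rule of the form
#   authz-regexp "uid=([^,]*),cn=example.com,cn=gssapi,cn=auth"
#                "uid=$1,ou=People,dc=example,dc=com"
# so the DN slapd should assign to a kinited user can be computed offline.
# GSSAPI identities reach slapd as uid=<user>,cn=<realm>,cn=gssapi,cn=auth.
map_sasl_identity() {
    realm_re=$(printf '%s' "$REALM" | tr 'A-Z' 'a-z' | sed 's/\./\\./g')
    printf '%s\n' "$1" | sed -E \
        "s/^uid=([^,]+),cn=${realm_re},cn=gssapi,cn=auth\$/uid=\\1,ou=People,${BASE_DN}/"
}

# A DN still ending in cn=auth was never rewritten: no "self" or group
# ACL will ever match it, so self-service writes silently fail.
is_mapped_dn() {
    case "$1" in
        *,cn=auth) return 1 ;;
        *) return 0 ;;
    esac
}

# Live check after kinit: slapd's own answer must equal the computed DN.
# ldapwhoami -Y GSSAPI prints "dn:<DN>"; -Q suppresses SASL chatter.
verify_gssapi_mapping() {
    user=$1
    realm_lc=$(printf '%s' "$REALM" | tr 'A-Z' 'a-z')
    expected=$(map_sasl_identity "uid=${user},cn=${realm_lc},cn=gssapi,cn=auth")
    actual=$(ldapwhoami -Q -Y GSSAPI 2>/dev/null | sed 's/^dn://')
    is_mapped_dn "$actual" || { echo "authz-regexp did not match: $actual" >&2; return 1; }
    [ "$actual" = "$expected" ]
}
```

The realm appears lowercased in the SASL identity as in OpenLDAP's documented examples; adjust the rule to whatever ldapwhoami actually reports.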

===Security layers===
Cyrus SASL (Simple Authentication and Security Layer) provides a basic encryption layer and supports various authentication mechanisms in the form of plugins, standing between authentication services and the services requiring authentication. Plugins include CRAM-MD5, DIGEST-MD5, GSSAPI, PLAIN, SRP, and so on. These mechanisms take care of both the server-side and the client-side parts of the SASL negotiation.

GSSAPI (Generic Security Services API) is a common interface through which services make use of Kerberos. There are some differences between Heimdal and MIT Kerberos, with the former being less actively developed as of late, which breaks GSSAPI support in CUPS on FreeBSD (FreeBSD ships Heimdal in its base distribution).

The PAM authentication stack and nsswitch were changed to make use of krb5. pam_ldap is not used because it does not perform the authentication. libpam-ccreds provides caching of credentials (currently disabled due to client caching issues).

===NFSv4===
NFSv4 is used for file sharing, with basic krb5 authentication (sec=krb5), which requires RPCSEC_GSS. krb5i and krb5p are the stronger security flavors; sys is the weakest. The krb5* flavors mean that NFS is using RPCSEC_GSS: only user/group names and the Kerberos tickets are sent over the wire, unlike sys security, which sends uid/gid numbers and uses no encryption. With sec=krb5, only the authentication is encrypted.

If files are accessed only via NFSv4 (and not via Samba, locally, etc.), then local locks and delegation can be enabled; otherwise they cannot, at least not until the NFSv4 bug is fixed.
NFSv4 makes use of idmapd (nfsuserd on FreeBSD) for mapping users and groups.

Mounts are provided via ou=Mount, the automount maps. Home directories mount automatically on request, using the LDAP homeDirectory as the automountKey, which matches any directory under /export/home/ (an autofs convention where '&' is replaced with the key used for the lookup). Access to user directories should be restricted.

On group changes, the client may need to remount the share to reflect the new group (the RPCSEC_GSS negotiation occurs at the initial authentication request).
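Because the flavor is chosen per mount, a client can silently end up with sec=sys on one share and sec=krb5 on another. The following is an added example, not from the original page, that classifies mounts by flavor; SAMPLE_MOUNTS is constructed in Linux /proc/mounts format and the hostnames in it are invented.

```shell
# Added example, not from the original page: classify NFS mounts by their
# sec= flavor. SAMPLE_MOUNTS is constructed in /proc/mounts format; on a
# real client feed the functions "cat /proc/mounts" instead.
SAMPLE_MOUNTS='fs.example.com:/export/home/pedro /home/pedro nfs4 rw,sec=krb5,vers=4.1 0 0
fs.example.com:/export/research /research nfs4 rw,sec=krb5p,vers=4.1 0 0
legacy.example.com:/srv/old /mnt/old nfs rw,vers=3 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# Reads mount lines on stdin and prints "<flavor> <mountpoint>" for each
# nfs/nfs4 mount. No sec= option means the AUTH_SYS default (uid/gid
# numbers sent in the clear, no RPCSEC_GSS at all).
nfs_mount_flavors() {
    while read -r dev mnt fstype opts rest; do
        case "$fstype" in nfs|nfs4) ;; *) continue ;; esac
        flavor=sys
        oldifs=$IFS; IFS=,
        for opt in $opts; do
            case "$opt" in sec=*) flavor=${opt#sec=} ;; esac
        done
        IFS=$oldifs
        printf '%s %s\n' "$flavor" "$mnt"
    done
}

# Mounts with no GSS protection at all: the ones to fix first.
weak_nfs_mounts() { nfs_mount_flavors | awk '$1 == "sys" { print $2 }'; }

# sec=krb5 authenticates the RPC exchange only; file data still travels
# unsigned and unencrypted. krb5i adds integrity, krb5p adds privacy.
unprotected_payload_mounts() { nfs_mount_flavors | awk '$1 == "krb5" { print $2 }'; }

printf '%s\n' "$SAMPLE_MOUNTS" | nfs_mount_flavors
```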

===Creating New Users===
To create new users, they must be added to LDAP, have their password set in Kerberos, be added to the necessary groups, and ideally be forced to change their password on login. We'll start by adding pedro.

To make any changes to LDAP or Kerberos, first get a ticket (either as ldapadmin or as a member of the LDAP group tech) if you do not already have one:
%%(language-ref)
kinit mike
%%

Add the user to LDAP with the standard users group:
%%(language-ref)
ldapadduser pedro users
%%
This adds the principal pedro to Kerberos with the password pedro and the needchange flag set, adds the user pedro to LDAP in the group users (gid 10100), and creates their home directory with the contents of /etc/ldapscripts/skel.

Since he's a research intern, let's give him access to the research drive:
%%(language-ref)
ldapaddusertogroup pedro research
%%

Now the user should be set up with full access to the research drive and forced to change their password on first login.


To reset his password, in case he cannot log in:
%%(language-ref)
kadmin.local -q 'cpw -pw [password] [username]'
%%

Then, finally, force the user to change their password on next login:
%%(language-ref)
kadmin.local -q 'modprinc +needchange pedro'
%%

The above query commands of cpw and modprinc can also be executed within kadmin.local.
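The whole procedure, wrapped with the checks an admin wants before running it, as an added example that is not part of the original page. The group name users comes from the text; that ldapid exits non-zero for an unknown user is an assumption about the ldapscripts package.

```shell
# Added example, not from the original page: the user-creation steps above
# behind one function with sanity checks. USERS_GROUP comes from the text;
# ldapid exiting non-zero for an unknown user is an assumption.
USERS_GROUP=users

# Portable login names: lowercase letter or underscore first, then lowercase
# letters, digits, underscore or hyphen, 32 characters at most.
valid_username() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# klist -s is silent and exits non-zero when no usable ticket is cached.
have_ticket() { klist -s 2>/dev/null; }

# Usage: create_sso_user <name> [extra-group ...]
# Exit codes: 2 bad name, 3 no ticket, 4 user exists, 1 a step failed.
create_sso_user() {
    user=$1; shift
    valid_username "$user" || { echo "refusing username: $user" >&2; return 2; }
    have_ticket || { echo "no Kerberos ticket, run kinit first" >&2; return 3; }
    if ldapid "$user" >/dev/null 2>&1; then
        echo "$user already exists in LDAP" >&2; return 4
    fi
    ldapadduser "$user" "$USERS_GROUP" || return 1
    for g in "$@"; do
        ldapaddusertogroup "$user" "$g" || return 1
    done
}

# Reset a password without putting it on the command line (cpw without -pw
# prompts on the terminal, so the password never shows up in ps output or
# shell history), then require a change at next login.
reset_sso_password() {
    user=$1
    valid_username "$user" || return 2
    kadmin.local -q "cpw $user" || return 1
    kadmin.local -q "modprinc +needchange $user"
}
```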


===Misc. commands===
Kerberos tools:
~- kinit: obtain a ticket (use me to authenticate).
~- klist: list the tickets in the credential cache.
~- kadmin & kadmin.local: administer principals (kadmin.local works directly on the KDC database).
~- kdestroy: discard the credential cache.
~- kpasswd: change a principal's password.
~- ktutil: keytab utility.
~- kdb5_util: Kerberos database utility.

LDAP tools:
~- ldapsearch: query the directory.
~- ldapmodify: apply changes from LDIF.
~- slapcat: dump the database to LDIF.
~- slaptest: check the slapd configuration.
~- slapadd: load LDIF directly into the database.

ldap scripts:
~- ldapid
~- ldapadduser
~- ldapaddgroup
~- ldapaddusertogroup
~- ldapdeleteuser
~- ldapdeleteuserfromgroup
~- ldapdeletegroup




===TODO===
~- Postfix+LDAP
~- Hook LDAP into other services (wiki, mantis).
~- [[http://www.brennan.id.au/20-Shared_Address_Book_LDAP.html Shared Address Book]]
~- More group software...


----
CategoryITDoc