25 February 2009 08:14 -
This is the sequel to my post on setting up openldap on FreeBSD 7.1. This time it covers the configuration of the clients.
If you want to read the short introduction to setting up the server, you can find it here.
The first thing we need to do is install the necessary packages. For the configuration
described here we need at least the following (or newer versions of course):
nss_ldap-1.264_1
openldap-client-2.4.13
pam_ldap-1.8.4_1
pam_mkhomedir-0.1
sudo-1.6.9.20
After installation of these packages we can start to configure everything. First we have to make a
/usr/local/etc/ldap.conf. Mine contains the following lines:
host hildr.jeroen.se
base dc=jeroen,dc=se
uri ldaps://hildr.jeroen.se/
binddn uid=nss,dc=jeroen,dc=se
bindpw xxxxxxxxxx
rootbinddn cn=Manager,dc=jeroen,dc=se
port 389
pam_check_host_attr yes
nss_base_passwd ou=People,dc=jeroen,dc=se
nss_base_shadow ou=People,dc=jeroen,dc=se
nss_base_group ou=Group,dc=jeroen,dc=se
ssl on
tls_checkpeer no
tls_reqcert allow
tls_ciphers HIGH:MEDIUM:-SSLv2
sudoers_base ou=SUDOers,dc=jeroen,dc=se
In the configuration above, nss is the user that will be used for connecting to the ldap server. This
user should of course exist in LDAP, and its password is set with the bindpw option.
Do not forget to change the other options to fit your situation as well.
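The client above encrypts the connection (ssl on, a ldaps:// uri), but tls_checkpeer no and tls_reqcert allow mean it accepts whatever certificate the server presents, so the channel is encrypted but the server is not authenticated. As an added example, not part of the original post, here is a small Python checker that parses an ldap.conf of this form and reports such settings. The sample file mirrors the options used in this post, the "hardened" variant and its ca.pem path are constructed, and the trust-anchor check assumes the tls_cacertfile / tls_cacertdir options of nss_ldap and pam_ldap.

```python
"""Lint a pam_ldap/nss_ldap style ldap.conf for settings that weaken transport security.
Added example for this page, not code from the original post."""


# Constructed sample mirroring the options used on this page (password redacted as in the post).
SAMPLE_LDAP_CONF = """\
host hildr.jeroen.se
base dc=jeroen,dc=se
uri ldaps://hildr.jeroen.se/
binddn uid=nss,dc=jeroen,dc=se
bindpw xxxxxxxxxx
port 389
pam_check_host_attr yes
ssl on
tls_checkpeer no
tls_reqcert allow
tls_ciphers HIGH:MEDIUM:-SSLv2
"""

# Constructed alternative with verification switched on; ca.pem is an assumed path.
HARDENED_LDAP_CONF = """\
uri ldaps://hildr.jeroen.se/
base dc=jeroen,dc=se
binddn uid=nss,dc=jeroen,dc=se
bindpw xxxxxxxxxx
ssl on
tls_checkpeer yes
tls_reqcert demand
tls_cacertfile /usr/local/etc/openldap/ssl/ca.pem
"""


def parse_ldap_conf(text: str) -> dict:
    """Parse 'key value' lines into a dict with lower-cased keys.
    Lines starting with '#' are comments; a later line overrides an earlier one
    (a simplification of how the client libraries read the file)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def check_ldap_conf(settings: dict) -> list:
    """Return findings (strings) for settings that trade security for convenience."""
    findings = []
    first_uri = settings["uri"].split()[0] if settings.get("uri") else ""
    ssl = settings.get("ssl", "off").lower()

    # 1. Transport: without ldaps:// or ssl on/start_tls, bindpw and the
    #    passwords users type at login cross the network in clear text.
    if not first_uri.startswith("ldaps://") and ssl not in ("on", "start_tls"):
        findings.append("no TLS: uri is not ldaps:// and ssl is not on/start_tls")

    # 2. Server authentication: an encrypted channel to an unverified peer
    #    protects against passive sniffing only, not against an impersonated server.
    checkpeer = settings.get("tls_checkpeer")
    reqcert = settings.get("tls_reqcert")
    if checkpeer is not None and checkpeer.lower() == "no":
        findings.append("tls_checkpeer no: server certificate is not verified")
    if reqcert is not None and reqcert.lower() in ("never", "allow"):
        findings.append("tls_reqcert %s: a missing or bad certificate is accepted" % reqcert)
    if checkpeer is None and reqcert is None:
        findings.append("certificate verification not configured: libldap defaults apply")

    # 3. Verification that is switched on needs a trust anchor to verify against.
    verifying = (checkpeer or "").lower() == "yes" or (reqcert or "").lower() == "demand"
    if verifying and not (settings.get("tls_cacertfile") or settings.get("tls_cacertdir")):
        findings.append("verification enabled but no tls_cacertfile/tls_cacertdir given")

    # 4. ldap.conf is read by every process that resolves users, so it must be
    #    readable on the host; the bind account therefore has to stay low-privilege.
    if settings.get("bindpw"):
        findings.append("bindpw stored in ldap.conf: keep the bind account read-only")
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_LDAP_CONF), ("hardened", HARDENED_LDAP_CONF)):
        print(name)
        for finding in check_ldap_conf(parse_ldap_conf(text)):
            print("  -", finding)
```

Run against the post's settings it reports the two certificate findings plus the bindpw note; with tls_checkpeer yes, tls_reqcert demand and a CA file configured only the bindpw note remains, which is why the read-only nss account in the post is the right choice for that password.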
Now that we have created the ldap.conf file, we link /usr/local/etc/nss_ldap.conf to /usr/local/etc/ldap.conf:
rm /usr/local/etc/nss_ldap.conf
ln -s /usr/local/etc/ldap.conf /usr/local/etc/nss_ldap.conf
We also have to create a /usr/local/etc/ldap.secret file, which normally contains the password of the
root user for connecting to ldap. Because we will not be connecting to our ldap server as the root user
from the clients, it is enough to run the following commands:
touch /usr/local/etc/ldap.secret
chmod 600 /usr/local/etc/ldap.secret
Believe it or not, we are almost done configuring already. We just have to make sure
that the directory where the user home directories are placed exists. After that we have
to edit 3 files. First /etc/nsswitch.conf, which should look like this:
group: files ldap
group_compat: nis
hosts: files dns
networks: files
passwd: files ldap
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
Then /etc/pam.d/sshd, which should look like this:
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass ignore_unknown_user
auth required pam_unix.so no_warn try_first_pass
# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required /usr/local/lib/pam_ldap.so ignore_unknown_user
account required pam_unix.so
# session
#session optional pam_ssh.so
session required /usr/local/lib/pam_mkhomedir.so debug umask=0077 skel=/usr/local/share/skel
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
And finally /etc/pam.d/system:
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
# account
#account required pam_krb5.so
account required pam_login_access.so
account required /usr/local/lib/pam_ldap.so ignore_unknown_user
account required pam_unix.so
# session
#session optional pam_ssh.so
session required pam_lastlog.so no_fail
session required /usr/local/lib/pam_mkhomedir.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
After all this we should be able to log in with the ldap user accounts on the client, assuming of
course that the user is correctly configured in the OpenLDAP server.
17 February 2009 19:46 -
Most of the time when I am underway I have GPS logging of my location enabled on my
n810. So I thought it would be nice to make a map of where I have been in 2009.
This is work in progress of course, but since 1 January 2009 I have been
here:
To be continued.
17 February 2009 08:37 -
Today a small blog post to explain how I have set up my openldap server at home for authentication.
It is not an in-depth explanation, but it should give a good start if you can do some
thinking yourself.
For this setup I had the following requirements:
- The data between the ldap server and the client should be encrypted.
- Access should be restricted to given hosts. That is, a user who has access on machine A
may not have access on machine B by default.
- Sudo rights should also be managed by openldap.
First I had to install the openldap-server port with:
cd /usr/ports/net/openldap23-server
make install clean
And of course I had to enable it in /etc/rc.conf by adding the lines:
slapd_enable="YES"
slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldaps://192.168.0.80/ ldap://127.0.0.1/"'
slapd_sockets="/var/run/openldap/ldapi"
Then I had to edit my /usr/local/etc/openldap/slapd.conf configuration file:
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/ldapns.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/sudo.schema
The lines above include all the necessary ldap schemas. Note that sudo.schema
should be taken from the installation of the sudo port and copied to the openldap/schema directory.
The ldapns.schema is needed for limiting users to hosts. This schema can be found here.
The next settings we need in slapd.conf are the access rights. I use two users to
do more than authenticate against the ldap server: Manager and nss. This gives me the
following access settings:
access to attrs=userPassword
by dn="cn=Manager,dc=jeroen,dc=se" write
by anonymous auth
by * none
access to *
by dn="cn=Manager,dc=jeroen,dc=se" write
by dn="uid=nss,dc=jeroen,dc=se" read
by anonymous auth
And the last settings I had to make in the slapd.conf file were the rootdn and the
initial password for the root user (Manager):
rootdn "cn=Manager,dc=jeroen,dc=se"
rootpw {SSHA}9cyD+AfBLx0jvSSL7iJ7tMMB4hl2mN0P
And the settings for SSL, which assumes your keys are in /usr/local/etc/openldap/ssl/server.pem:
#TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSCACertificateFile /usr/local/etc/openldap/ssl/server.pem
TLSCertificateFile /usr/local/etc/openldap/ssl/server.pem
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/server.pem
TLSVerifyClient never
The rest of the settings in slapd.conf were left at their default values. I then started slapd with:
/usr/local/etc/rc.d/slapd start
That is basically all you have to do to get slapd running. I used the following ldif file
to get the initial data into the ldap server:
dn: dc=jeroen,dc=se
objectclass: dcObject
objectclass: organization
o: jeroen dot se
dc: jeroen

dn: cn=Manager,dc=jeroen,dc=se
objectclass: organizationalRole
cn: Manager
After this I used phpldapadmin to fill my ldap server with more data. I will
post the configuration I use on the clients in the coming days.
11 February 2009 18:46 -
If you are like me, administrating lots of unix servers where you have to do
different tasks on different servers simultaneously, then you can easily lose track of which
screen window is doing what on your laptop. My solution for this in the zsh
shell is the following in my .zshrc:
# Runs just before each command: name the screen window after the command line.
preexec()
{
    if echo "${TERMCAP}" | grep screen > /dev/null
    then
        screen -X title "${1}"
    fi
}

# Runs before each prompt, i.e. when no command is running: show the working
# directory, with $HOME abbreviated to ~.
precmd()
{
    if echo "${TERMCAP}" | grep screen > /dev/null
    then
        screen -X title "$(echo "$PWD" | sed "s#$HOME#~#")"
    fi
}
This sets the title of a window where a command is running to the name of the
command being run. When no command is running it sets the title to the current
working directory. The advantage is that I no longer have to set the titles manually.
The disadvantage is that the titles can get very long. Therefore I have the
following line in my .screenrc:
bind l windowlist
This allows me to quickly bring up the window list with ^A l.
09 February 2009 18:48 -
Just thinking of it: the average Dutch person commutes 2 x 39 minutes a day, which totals
78 minutes. The average Dutch person watches 182 minutes of TV per day. The total amount
of time spent watching TV and commuting is 260 minutes per day (aka 4 hours 20 minutes).
So let's take into account the time I commute (4 hours 45 minutes) and watch
TV (none, or I watch TV while commuting). Also, part of my commute time is work
time (1 hour 15 minutes).
The funny thing is that the average person says I have a long commute. So let's calculate
the time left per day when removing commute time, TV time and work time (based on 8 hours a day).
Average Dutch person: 24 * 60 - 78 - 182 - 480 = 700 minutes per work day
Me: 24 * 60 - 285 - 0 - 405 = 750 minutes per work day.
06 February 2009 08:11 -
This week I learned a nice trick with brace expansion in the bash or
zsh shell from a colleague of mine. I already used brace expansion in simple
for loops like:
for i in {1..5}
do
    echo $i
done
But as he demonstrated, you can also use it in constructs like:
cp file{,.20090206}
which expands to:
cp file file.20090206
04 February 2009 08:09 -
Last week I thought a little about naming volume groups on SANs, logical volumes,
hosts and (micro)SD cards. They all have one thing in common: if you have a lot
of them you can hardly avoid numbering them. The problem with this is of course
that small typos can lead to disasters. Fortunately there are solutions for this.
After some thinking I settled on using checksums in the numbering, which makes
it harder to create a disaster with just one typo. The best scheme I could find
for this was the ISBN numbering scheme.
So, for example, I now number my (micro)SD cards as follows:
- jni-60001
- jni-10002
- ...
- jni-12761
- jni-72762
- jni-22763
- etc.
As you can probably see, the first digit is the checksum digit. A number is
valid if and only if the checksum digit + 2 times the second digit + 3 times
the third digit + 4 times the fourth digit ... modulo 11 = 0. Note that the checksum digit
can also be X to indicate a value of 10.
Look at the jni-60001 number: the checksum is 6, and the 1 is multiplied by 5. Summed
this makes 11, which modulo 11 is of course 0. So this is a correct number. But what if we make
a typo, e.g.:
- jni-60010, this becomes (6+4) modulo 11 = 10, which is not valid.
- jni-60002, this becomes (6+10) modulo 11 = 5, which is not valid.
- jni-60019, this becomes (6+4+45) modulo 11 = 0, which is valid. But then you have already made 2 typos.
Of course I created a script for this that does all the hard work. It can be found here.
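The author's script is not reproduced on this page, so the following Python is an added example written for this post: it computes the check digit for a payload, validates a label with the rule given above (checksum digit weight 1, second digit weight 2, and so on, modulo 11, with X standing for 10), and enumerates which single-character typos of a label would slip through. The prefix-dash-digits label format and the function names are assumptions; the labels used are the ones from the post.

```python
"""Mod-11 weighted check digit for labels like jni-60001.
Added example for this page; the label format and function names are assumed."""
import re

# Assumed label format: letters, a dash, a check digit (0-9 or X), then the payload digits.
_LABEL_RE = re.compile(r"^(?P<prefix>[A-Za-z]+)-(?P<check>[0-9X])(?P<payload>[0-9]+)$")


def digit_value(ch: str) -> int:
    """Value of a check-digit character; X stands for 10."""
    return 10 if ch == "X" else int(ch)


def weighted_sum(check: str, payload: str) -> int:
    """check * 1 + second digit * 2 + third digit * 3 + ... as the post describes."""
    total = digit_value(check)
    for weight, ch in enumerate(payload, start=2):
        total += weight * int(ch)
    return total


def is_valid(label: str) -> bool:
    """A label is valid when its weighted sum is a multiple of 11."""
    m = _LABEL_RE.match(label)
    if not m:
        return False
    return weighted_sum(m["check"], m["payload"]) % 11 == 0


def make_label(prefix: str, payload: str) -> str:
    """Prepend the check digit that makes the weighted sum a multiple of 11."""
    if not payload.isdigit():
        raise ValueError("payload must consist of decimal digits")
    rest = sum(weight * int(ch) for weight, ch in enumerate(payload, start=2))
    check = (-rest) % 11          # the unique value in 0..10 that completes the sum
    return "%s-%s%s" % (prefix, "X" if check == 10 else check, payload)


def undetected_single_typos(label: str) -> list:
    """All labels that differ from `label` in exactly one character and still validate.
    Because 11 is prime, this list is empty for payloads of up to 9 digits (weights 1..10);
    a 10th payload digit would get weight 11 and be ignored by the check entirely."""
    prefix, _, body = label.partition("-")
    found = []
    for i, original in enumerate(body):
        for ch in "0123456789X":
            if ch == original:
                continue
            candidate = "%s-%s%s%s" % (prefix, body[:i], ch, body[i + 1:])
            if is_valid(candidate):
                found.append(candidate)
    return found


if __name__ == "__main__":
    for payload in ("0001", "0002", "2761", "2762", "2763", "0009"):
        print(make_label("jni", payload))
    for label in ("jni-60001", "jni-60010", "jni-60002", "jni-60019"):
        print(label, "valid" if is_valid(label) else "invalid")
    print("single typos of jni-60001 that pass:", undetected_single_typos("jni-60001"))
```

make_label reproduces the labels in the list above from their last four digits, and undetected_single_typos shows the property the post relies on: a single wrong digit is always caught, while jni-60019 passes only because it is two edits away from jni-60001.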