Limit Groups On Clusters With Ldap and quattor

File overview

  • /etc/ldap.conf
  • /etc/pam.d/system-auth
  • /etc/nsswitch.conf
  • Template

/etc/ldap.conf

As far as I understand, there are two ways of limiting a box to a specific group. The first is to add every user to the specific group on the LDAP server and then configure the client to check this. The two values in ldap.conf are
# Group to enforce membership of
# (must be the exact DN of the group entry; note the LDIF example below uses a
# different ou and suffix - the two have to agree)
pam_groupdn cn=c3,ou=group,dc=example,dc=edu

# Group member attribute
# memberUid is matched against the login name; use member/uniqueMember instead
# when the group stores full DNs.
pam_member_attribute memberUid

So the ldap entry would look something like

# dev, posixGroups, priv, root, com
# NOTE(review): this entry sits under ou=posixGroups,dc=example,dc=org while
# pam_groupdn above names cn=c3,ou=group,dc=example,dc=edu - confirm which is real.
dn: cn=c3,ou=posixGroups,dc=example,dc=org
cn: c3
objectClass: posixGroup
objectClass: top
gidNumber: 1016
# memberUid conventionally holds the bare login name (e.g. "memberUid: didi"),
# and pam_ldap is expected to compare the login name against it, so the full
# DNs written here are unlikely to match - verify against the server.
memberUid: cn=didi,ou=People,dc=example,dc=org
memberUid: cn=jan,ou=People,dc=example,dc=org

This is of course a nice way of managing dynamic groups, but if you want to add a member you always have to fiddle with the LDAP server, and if you have a huge number of users you can quickly lose track (try doing this with 21717 users). The second way is to add a filter to the LDAP search that pam_ldap / nss_ldap does.

As explained in my post http://computingfunnyfacts.blogspot.com/2008/01/pamfilter-not-working.html, you have to be very careful about what you specify as a pam filter.

TIP: Look at what the LDAP server is actually processing. Running $ slapd -d 256 gives a useful overview of the queries it receives.

To configure this with quattor you can use the authconfig module:

# ncm-authconfig: pam_ldap / nss_ldap client settings written to /etc/ldap.conf.
"/software/components/authconfig/method/ldap/enable" = true;
"/software/components/authconfig/method/ldap/nssonly" = false;
"/software/components/authconfig/method/ldap/conffile" = "/etc/ldap.conf";
"/software/components/authconfig/method/ldap/servers" = list ( "lolol.cern.ch" );
"/software/components/authconfig/method/ldap/basedn" = "dc=example,dc=edu";
# TLS is off and the port below is plain 389, so binds - the bindpw and the
# user passwords pam_ldap verifies by binding - cross the network in clear text.
"/software/components/authconfig/method/ldap/tls/enable" = false;
# binddn/rootbinddn are cn=Manager (conventionally the slapd rootdn, i.e. full
# write access); bindpw ends up in the client conffile on every host carrying
# this profile. A dedicated read-only bind DN limits what a compromised client
# can do with it.
"/software/components/authconfig/method/ldap/binddn" = "cn=Manager,dc=example,dc=edu";
"/software/components/authconfig/method/ldap/bindpw" = "NFW";
"/software/components/authconfig/method/ldap/rootbinddn" = "cn=Manager,dc=example,dc=edu";
"/software/components/authconfig/method/ldap/port" = 389;
"/software/components/authconfig/method/ldap/timeouts/idle" = 3600;
"/software/components/authconfig/method/ldap/timeouts/bind" = 300;
"/software/components/authconfig/method/ldap/timeouts/search" = 300;
# pam_filter is ANDed into pam_ldap's lookup of the user's own entry, so
# gidNumber=1012 matches on the account's primary gidNumber, not on secondary
# membership via memberUid (contrast the pam_groupdn approach above).
# NOTE(review): the group example above carries gidNumber 1016 - confirm which
# gid is intended.
"/software/components/authconfig/method/ldap/pam_filter" = "gidNumber=1012";

The interesting part here is pam_filter, which is supported from version 1.1.5 onwards.

/etc/pam.d/system-auth

The default entry in system-auth is

# default=bad: any result other than success or "user unknown" fails the stack;
# user_unknown=ignore: a user pam_ldap cannot find (including one excluded by
# pam_filter) leaves the outcome to the other account modules.
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
which does not make the login fail when the user is not in the specified group.

So you have to change this into


# required: every non-success return, including "user unknown", now fails the
# account phase. Accounts that exist only in /etc/passwd get the same "unknown"
# answer from pam_ldap, so they need an earlier line in the stack that already
# accepts them - verify against the generated system-auth before rolling out.
account required /lib/security/$ISA/pam_ldap.so

This is best done through Quattor with the authconfig module again. Just add


# Adds a line to the "account" section of /etc/pam.d/system-auth.
"/software/components/authconfig/pamadditions/system/conffile"="/etc/pam.d/system-auth";
"/software/components/authconfig/pamadditions/system/section"="account";
# NOTE(review): "order","last" reads as appending after the existing pam_ldap
# line rather than replacing it - check the generated file. With "required",
# a user pam_ldap cannot find (not in LDAP, or excluded by pam_filter) fails
# the account phase; this also applies to purely local accounts.
"/software/components/authconfig/pamadditions/system/lines"=list( nlist(
"order","last",
"entry","required /lib/security/$ISA/pam_ldap.so"
));
This replaces the entry with a stricter configuration.

/etc/nsswitch.conf

nsswitch should be configured correctly by default, but to be sure, here is the configuration I have been using:

# cat /etc/nsswitch.conf | egrep -v "(^#|^$)"
# "files ldap": the local /etc file is consulted first, then the directory.
# pam_filter above only restricts PAM login/account checks; these NSS lookups
# still resolve every LDAP user and group (ids, file ownership, getent).
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
bootparams: files
ethers: files
netmasks: files
networks: files
protocols: files ldap
rpc: files
services: files ldap
netgroup: files ldap
publickey: files
automount: files ldap
aliases: files

Template

Here is an example template with some security-sensitive parts removed:

############################################################
#
# object template profile_lolol
#
# Generated automatically with /distribution/remedy/programs/CDBAddHost script.
#
# Created Thu Jun 2 11:52:22 2005 by remedy
#
# Do NOT edit.
#
############################################################

object template profile_lolol;
include stages/prod;

#
# include profile_base for use of typed properties
#
include pro_declaration_profile_base;
# Per-node privilege grants scoped to node lolol: acl_root for user ribalba and
# acl_interactive for user "me". The acl_root entries are the ones to review
# whenever this box changes hands.
"/software/components/access_control/privileges/acl_root/user/ribalba/0/targets"=list("+node::lolol");
"/software/components/access_control/privileges/acl_interactive/user/me/0/targets"=list("+node::lolol");

#
# used resources
#
include pro_hardware_elonex_2800_64;
include netinfo_lolol;
include pro_type_lxdev_slc4;
#include pro_service_java_sun;
"/hardware/contract" = create("pro_hardware_contract_it_3319");

"/system/cluster/subname" = "zuul";
"/system/function" = "Zuul dev machine / Didi, Jan - FIO/FS";

#
# "deregister" this box
#
# Drops the registration client, the sindes passwd/group header items, the
# local-homedir component and the centrally defined /system/accounts.
# NOTE(review): after this, the accounts section below plus LDAP appear to be
# the only sources of users on this node - confirm.
"/software/packages" = pkg_del("CERN-CC-regis_client");
"/software/components/regisclient/active" = false;
"/software/components/sindes/all" = "";
delete "/software/components/sindes/items/group-header";
delete "/software/components/sindes/items/passwd-header";
"/software/packages" = pkg_del("ncm-localhomedir");
delete "/software/components/localhomedir";
delete "/system/accounts";

#
# Sendmail options
#
"/software/components/sendmail/localusers" = push("root");
"/software/components/sendmail/localusers" = push("operator");

#
# ncm-accounts
#
"/software/packages" = pkg_repl("ncm-accounts","3.0.5-1","noarch");

#
# So lets do some dev work
#
"/software/components/accounts/ldap" = true;

"/software/components/accounts/active" = true;
# "$1$" marks an md5-crypt hash (consistent with usemd5 = true in the
# authconfig section); the real value was removed before publishing.
"/software/components/accounts/rootpwd" = "$1$HAHAHAHAHAHHAHA";
"/software/components/accounts/shadowpwd" = true;

#
# /etc/group : works fine!
#
"/software/components/accounts/groups" = nlist("ct",nlist("comment","undef","gid",1023),
"ci",nlist("comment","undef","gid",1016),
);

#
# /etc/passwd:
# - does not create /home/operator
# - quotes (") around the gecos field
#
# These users live only in /etc/passwd, not in LDAP; with "account required
# pam_ldap.so" (pamadditions below) pam_ldap's account check applies to them
# as well - see the note there. Password hashes are redacted placeholders.
"/software/components/accounts/users" =
nlist("operator",nlist(
"comment" , "Computer Operations",
"homeDir" , "/home/operator",
"createHome" , true,
"groups" , list(1023), # group names or gid's?
#"groups" , list("ct"), # group names or gid's?
"password" , "$1$HAHAHAHAHAHAHAHAHAHAHA",
"shell" , "/bin/tcsh",
"uid" , 616,
),
"oracle",nlist(
"comment" , "Oracle Support",
"homeDir" , "/ORA/dbs01/oracle/home",
"createHome" , true,
"groups" , list(1016), # group names or gid's?
"password" , "$1$HAHAHAHAHAHAHAHAHAHAHAH",
"shell" , "/bin/bash",
"uid" , 1286,
),
);

#
# ncm-authconfig
#
"/software/components/authconfig/active" = true;

"/software/components/authconfig/safemode" = false; # When set to true, no actual configuration will change

"/software/components/authconfig/usemd5" = true; # Enable the use of MD5 hashed password
"/software/components/authconfig/useshadow" = true; # Enable the use of shadow password files
"/software/components/authconfig/usecache" = true; # Enable or disable nscd operation
"/software/components/authconfig/startstop" = true; # ??? Undocumented ???

"/software/components/authconfig/method/files/enable" = true;

#"/software/components/authconfig/method/afs/enable" = false;
#"/software/components/authconfig/method/afs/cell" = "cern.ch";

# LDAP client settings written to /etc/ldap.conf (same block as earlier on
# this page, except for the shorter bind/search timeouts).
"/software/components/authconfig/method/ldap/enable" = true;
"/software/components/authconfig/method/ldap/nssonly" = false;
"/software/components/authconfig/method/ldap/conffile" = "/etc/ldap.conf";
"/software/components/authconfig/method/ldap/servers" = list ( "lolol.cern.ch" );
"/software/components/authconfig/method/ldap/basedn" = "dc=example,dc=edu";
# TLS off on plain port 389: bindpw and the user passwords pam_ldap verifies
# by binding travel in clear text.
"/software/components/authconfig/method/ldap/tls/enable" = false;
# cn=Manager (conventionally the slapd rootdn) as binddn/rootbinddn puts
# directory-admin credentials on every client; a read-only bind DN is the
# least-privilege choice.
"/software/components/authconfig/method/ldap/binddn" = "cn=Manager,dc=example,dc=edu";
"/software/components/authconfig/method/ldap/bindpw" = "NFW";
"/software/components/authconfig/method/ldap/rootbinddn" = "cn=Manager,dc=example,dc=edu";
"/software/components/authconfig/method/ldap/port" = 389;
"/software/components/authconfig/method/ldap/timeouts/idle" = 3600;
# NOTE: the snippet earlier on this page uses 300 for bind and search; 30 here.
"/software/components/authconfig/method/ldap/timeouts/bind" = 30;
"/software/components/authconfig/method/ldap/timeouts/search" = 30;

# Matches on the account's primary gidNumber, not on memberUid membership.
"/software/components/authconfig/method/ldap/pam_filter" = "gidNumber=1012";

# NIS and Kerberos are disabled; the nikhef.nl values below are inert while
# enable stays false (presumably template leftovers).
"/software/components/authconfig/method/nis/enable" = false;
"/software/components/authconfig/method/nis/domain" = "nikhef.nl";
"/software/components/authconfig/method/nis/servers" = list ( "ajax.nikhef.nl" );

"/software/components/authconfig/method/krb5/enable" = false;
"/software/components/authconfig/method/krb5/kdcs" = list ( "kdc.nikhef.nl" );
"/software/components/authconfig/method/krb5/adminserver" = list ( "krbadmin.nikhef.nl" );
"/software/components/authconfig/method/krb5/realm" = "NIKHEF.NL";

# Appends "account required pam_ldap.so" to system-auth. Any user pam_ldap
# cannot find - not in LDAP, or excluded by pam_filter - then fails the account
# phase, and that includes the local operator/oracle accounts defined above
# unless an earlier line in the stack already accepts them.
# NOTE(review): verify the generated system-auth before relying on this.
"/software/components/authconfig/pamadditions/system/conffile"="/etc/pam.d/system-auth";
"/software/components/authconfig/pamadditions/system/section"="account";
"/software/components/authconfig/pamadditions/system/lines"=list( nlist(
"order","last",
"entry","required /lib/security/$ISA/pam_ldap.so"
));



# Hardware inventory: serial, monitoring profile, NIC id, serial-console and
# disk maps, rack location.
"/hardware/serialnumber" = "ch445-521-77";
# machine moved on 27.02.07 from = "ri17";

include pro_monitoring_hardware_elonex_2800;



# "xxxxxxxxxxxx" is a placeholder left by redaction, not a real hardware id.
"/hardware/cards/nic/0/hwid" = "xxxxxxxxxxxx";
include serial_map_lxc2ri25;
include diskinfo_lxb5477;

# machine moved on 02.03.07 from = "ri17";

"/hardware/rack/name" = "ri17";

-- Main.GeerdDietgerHoffmann - 04 Feb 2008
