Authenticate Linux Clients against LDAP


(Wolfgang Höfer) #1

Scenario

Nethserver + nfsserver + linuxclient

I didn’t manage to get the NFS server running on Nethserver,
so I use a dedicated machine for the NFS service.
As a consequence, the home directories for the Linux machines reside on the NFS server
and are not the same as those on the Nethserver!
At the moment there is no synchronisation between the folders on Nethserver
and the NFS server. That means that your Windows clients will not see
the files created by Linux machines!

Modify Nethserver


yum install nethserver-directory

Common part for NFS-Server and Linuxclient


The first part of the installation is the same for the NFS server and the client.
I made a script (see end of the page) that does all the steps automatically.
This here is just the detailed description.

Step 1: Installing the software

aptitude install libnss-ldap libpam-ldap nscd ldap-utils nfs-kernel-server -y

For the client, nfs-common should be enough, but nfs-kernel-server works too.
The following dialogs just set parameters in text files. We will modify them later
by hand, so fill in whatever you want :slight_smile:

Step 2: Hosts - File /etc/hosts

If you have a working DNS server, this step might be obsolete.
If not, fill in the IPs of your Nethserver, NFS server and client:

aaa.bbb.ccc.ddd    nethserver.example.com  nethserver
kkk.lll.mmm.nnn    nfsserver.example.com   nfsserver
rrr.sss.ttt.uuu    thisclient.example.com  thisclient

For me, I comment out the 127.0.1.1 line.

Step 3: pam

Delete use_authtok in /etc/pam.d/common-password

Step 4: nsswitch

Add ldap to /etc/nsswitch.conf

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

Step 5: Create new /etc/ldap.conf

base dc=directory,dc=nh
uri ldap://${NETHSERVER_IP}/
ldap_version 3
binddn cn=libuser,dc=directory,dc=nh
rootbinddn cn=libuser,dc=directory,dc=nh
pam_password md5
ssl start_tls
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,dnsmasq,games,gnats,hplip,irc,kernoops,libuuid,list,lp,mail,man,mdm,messagebus,news,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,statd,sync,sys,syslog,tftp,usbmux,uucp,www-data

Step 6: Create new /etc/ldap/ldap.conf
Fill in your IP !

BASE    dc=directory,dc=nh
URI     ldap://${NETHSERVER_IP}:389  
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT never

Step 7: Secret

Get the secret of libuser from the Nethserver. You find it like so (on the server):

cat /var/lib/nethserver/secrets/libuser

Paste it in /etc/ldap.secret


This is ONLY for the Linux client!!!

Step 8: Create homes

mkdir -p /var/lib/nethserver/home
chmod -R 777 /var/lib/nethserver

Step 9: /etc/fstab

Add the following line and fill in your IP:

${NFS_IP}:/home /var/lib/nethserver/home nfs auto,bg 0 0

Step 10: Reboot

Be careful! If you do not yet have the NFS server, you will get a timeout mounting the homes!


This is only for the NFS-Server

Step 10: Create Export directories

# create exportdirectories
mkdir -p /nfsexports/home
mkdir -p /nfsexports/data
chmod -R 777 /nfsexports

# create a local data-directory
mkdir -p /opt/data
chmod -R 777 /opt/data

Step 11: Create bindmounts in /etc/fstab

Add the following lines

/home      /nfsexports/home  none  bind  0  0
/opt/data  /nfsexports/data  none  bind  0  0

Step 12: Create /etc/exports

Add the following lines

/nfsexports       172.16.0.0/16(rw,fsid=0,insecure,no_subtree_check,async)
/nfsexports/home 172.16.0.0/16(rw,nohide,insecure,no_subtree_check,async)
/nfsexports/data 172.16.0.0/16(rw,nohide,insecure,no_subtree_check,async)

Step 13: Usermanagement
Unfortunately I didn’t manage to get the pam modules working that create user homes at login across NFS mounts. So you have to create the home directories for the users and set the ownership.
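As an added example (not part of the original post or script), this does Step 13 in bulk on the NFS server: it reads passwd-format lines, normally from `getent passwd` once nsswitch.conf has `ldap`, and creates a missing home for every directory user. It assumes the homes live under /home (the directory bind-mounted to /nfsexports/home) and uses a constructed UID_MIN=1000 to separate directory users from system accounts.

```bash
#!/bin/bash
# Added example, not part of the original post: create the home directories
# that Step 13 leaves to the admin, one per LDAP user, on the NFS server.
# Input is passwd-format lines, normally "getent passwd" (which lists the
# LDAP users once nsswitch.conf has "ldap"). Assumptions: homes live under
# /home (the directory bind-mounted to /nfsexports/home); UID_MIN=1000 is a
# constructed threshold separating directory users from system accounts.

UID_MIN=1000

# plan_homes BASE  (passwd lines on stdin)
# Prints one "uid:gid:dir" line for every directory user whose home is
# missing under BASE. Existing homes are never listed, so re-running is safe.
plan_homes() {
    base=$1
    while IFS=: read -r user _pw uid gid _rest; do
        case $uid in ''|*[!0-9]*) continue ;; esac   # comment or malformed line
        [ "$uid" -ge "$UID_MIN" ] || continue         # skip system accounts
        [ -d "$base/$user" ] && continue
        printf '%s:%s:%s\n' "$uid" "$gid" "$base/$user"
    done
}

# create_homes BASE  (passwd lines on stdin)
# Creates each planned directory mode 0700 and hands it to the user, so the
# client's /var/lib/nethserver/home/<user> mount shows a writable home.
create_homes() {
    plan_homes "$1" | while IFS=: read -r uid gid dir; do
        mkdir -m 0700 "$dir" && chown "$uid:$gid" "$dir"
    done
}

# Constructed sample in getent format: a system account and two directory users.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:*:5001:5001:Alice:/var/lib/nethserver/home/alice:/bin/bash
bob:*:5002:5001:Bob:/var/lib/nethserver/home/bob:/bin/bash'

# Real run on the NFS server (as root):  ./make_homes.sh --run
if [ "${1:-}" = "--run" ]; then
    getent passwd | create_homes /home
fi
```

Run `plan_homes /home < <(getent passwd)` first to see which homes would be created before letting `create_homes` touch the export.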

EXTRA

If you import users from a CSV file, they get the wrong login shell. To change that, follow these steps:

Step A: Create a file with the "dn"s:

ldapsearch -Y EXTERNAL dn|grep People|grep -v "^#" > dn.csv

Step B: Modify the file

Delete all users, you don’t want to change

Step C: Create a script to produce a LDIF-File

while IFS= read -r dn; do
   {
      echo "$dn"
      echo "changetype: modify"
      echo "replace: loginshell"
      echo "loginshell: /bin/bash"
      echo ""
   } >> bashing.ldif
done < dn.csv

Step D: Import the LDIF-File

ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f bashing.ldif

SCRIPT

I hope the pasting didn’t ruin the script :slight_smile: I tested it with some machines, and it worked.
It can be used to install an NFS server AND an LDAP client.
There might be a timeout when the client machine boots, because of a timing problem:
the mounting of the home dirs could happen before the network is ready.
(The NFS server install part is not yet tested (function at the bottom of the script)!)

#!/bin/bash

DLG_TITLE="Ldap_client_config"

# Some dialogs for the settings 
NETHSERVER_FQDN=$(whiptail --title "$DLG_TITLE" --inputbox "Full Nethservername?" 10 60 nethy.niedernburg.intranet 3>&1 1>&2 2>&3)
NETHSERVER_IP=$(whiptail --title "$DLG_TITLE"  --inputbox "IP of Nethserver?" 10 60 172.16.253.3 3>&1 1>&2 2>&3)

NFS_IP=$(whiptail --title "$DLG_TITLE" --inputbox "IP of NFS Server?" 10 60 172.16.253.5 3>&1 1>&2 2>&3)
NFS_HOSTNAME=$(whiptail --title "$DLG_TITLE" --inputbox "HOSTNAME of NFS Server?" 10 60 nfsserver 3>&1 1>&2 2>&3)

MYSECRET=$(whiptail --title "$DLG_TITLE" --inputbox "Ldap secret of libuser" 10 60 secretsescret 3>&1 1>&2 2>&3)

# if we dont get the IP, we can enter it here
MY_IP=`ip addr show eth0|grep inet|head -n1|cut -d" " -f6|cut -d"/" -f1`
CLIENT_IP=$(whiptail --title "$DLG_TITLE" --inputbox "IP of this machine" 10 60 $MY_IP 3>&1 1>&2 2>&3)

# split the FQDN in hostname and domain parts
OLD_IFS="$IFS"
IFS="."
eval 'arr=($NETHSERVER_FQDN)'
NETHSERVER_HOSTNAME=${arr[0]}
dc1=${arr[1]}
dc2=${arr[2]}
IFS="$OLD_IFS"


################## changing files ...

# /etc/pam.d/common-password: delete use_authtok
sed -i s/use_authtok// /etc/pam.d/common-password

# /etc/nsswitch : add ldap as search location
sed -i s/compat/compat\ ldap/ /etc/nsswitch.conf

# /etc/hosts 
sed -i s/127.0.1.1/#127.0.1.1/ /etc/hosts
echo $CLIENT_IP  ${HOSTNAME}.$dc1.$dc2  $HOSTNAME >> /etc/hosts
echo $NETHSERVER_IP $NETHSERVER_FQDN   $NETHSERVER_HOSTNAME >> /etc/hosts
echo $NFS_IP $NFS_HOSTNAME.$dc1.$dc2 $NFS_HOSTNAME >> /etc/hosts

# create content of /etc/ldap.conf
ldap1_conf=$(cat <<EOF
base dc=directory,dc=nh
uri ldap://${NETHSERVER_IP}/
ldap_version 3
binddn cn=libuser,dc=directory,dc=nh
bindpw $MYSECRET
rootbinddn cn=libuser,dc=directory,dc=nh
pam_password md5
ssl start_tls
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,dnsmasq,games,gnats,hplip,irc,kernoops,libuuid,list,lp,mail,man,mdm,messagebus,news,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,statd,sync,sys,syslog,tftp,usbmux,uucp,www-data
EOF
)

# /etc/ldap.conf: make backup and write new file
cp /etc/ldap.conf /etc/ldap.conf.sik
echo "$ldap1_conf" > /etc/ldap.conf


# create content of /etc/ldap/ldap.conf
ldap2_conf=$(cat <<EOF
BASE    dc=directory,dc=nh
URI     ldap://${NETHSERVER_IP}:389  
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT never
EOF
)


# /etc/ldap/ldap.conf: make backup and write new file
cp /etc/ldap/ldap.conf /etc/ldap/ldap.conf.sik
echo "$ldap2_conf" > /etc/ldap/ldap.conf

# save password in file, readable by root only
echo "$MYSECRET" > /etc/ldap.secret
chmod 600 /etc/ldap.secret


############### Splitting up between client and nfs-server

function client(){
        #update fstab
        mkdir -p /var/lib/nethserver/home
        chmod -R 777 /var/lib/nethserver
        echo "${NFS_IP}:/home /var/lib/nethserver/home nfs auto,bg 0 0" >> /etc/fstab

        echo "Please reboot the machine now!"
}

function nfs(){
        # create exportdirectories
        mkdir -p /nfsexports/home
        mkdir -p /nfsexports/data
        chmod -R 777 /nfsexports

        # create a local data-directory
        mkdir -p /opt/data
        chmod -R 777 /opt/data

        # entries for the bindmounts in the /etc/fstab
        # (/home feeds the home export, the local /opt/data feeds the data export)
        bindmounts=$(cat <<EOF
/home      /nfsexports/home  none  bind  0  0
/opt/data  /nfsexports/data  none  bind  0  0
EOF
)

        # entries in /etc/exports
        exports=$(cat <<EOF
/nfsexports       172.16.0.0/16(rw,fsid=0,insecure,no_subtree_check,async)
/nfsexports/home 172.16.0.0/16(rw,nohide,insecure,no_subtree_check,async)
/nfsexports/data 172.16.0.0/16(rw,nohide,insecure,no_subtree_check,async)
EOF
)

        echo "$exports" >> /etc/exports
        echo "$bindmounts" >> /etc/fstab

}


OPTION=$(whiptail --title "Inst. Type" --menu "Choose your option" 15 60 4 \
"1" "Normal Ldapclient" \
"2" "NFS-Server"  3>&1 1>&2 2>&3)
 
exitstatus=$?

if [ $exitstatus = 0 ]; then
    case "$OPTION" in
        1) client ;;
        2) nfs;;
        *)  echo "should not happen";;
    esac
else
   echo "can that happen?"
fi

(Alessio Fattorini) #2

Good howto! Thanks for your time, really appreciated!
Is there anyone who wants to test it? Howto team:
@AbsyntH, @sitz, @etino, @nrauso


(Wolfgang Höfer) #3

Hi,

I am still testing my script. If it works, the client is installed in about
a minute :slight_smile:
There are still small problems with the nfs4 mounting, but I hope to have
it fixed this evening.
… if not, perhaps someone can solve the remaining problems …

