Install LemonLDAP::NG SSO/IAM on Nethserver

Could be a bug:


OK, I applied the fix, and although it's not completely fixed:

Status : [
{
'localhost' => 'OK'
}
];
Saved under number 15
Status : [
{
'localhost' => 'OK'
}
];
Saved under number 16
Status : [
{
'localhost' => 'OK'
}
];
Saved under number 17
Status : [
{
'localhost' => 'OK'
}
];
Odd number of elements in hash assignment at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager/Cli.pm line 71, line 1.
ldapExportedVars seems to be a hash, modification refused at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager/Cli.pm line 78, line 1.
Saved under number 18
Status : [
{
'localhost' => 'OK'
}
];
Saved under number 19
Status : [
{
'localhost' => 'OK'
}
];

A lot better than before.

my ( $self, %pairs ) = @_;
and die "$key seems to be a hash, modification refused";

seem to be the issue.
Not sure what it means, though.

I've had the warnings too, but as far as I can see they were just cosmetic. But this one might not be:

Odd number of elements in hash assignment at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager/Cli.pm line 71, line 1.
ldapExportedVars seems to be a hash, modification refused at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager/Cli.pm line 78, line 1.

Is this using AD or LDAP? I may need to make some edits to the config script templates.

Edit: Looks like I was setting the exported vars incorrectly; update is pushed to the repo.

Edit 2: You can return LLNG to its almost-stock configuration by removing all the lmConf-n.json files in /var/lib/lemonldap-ng/conf/ except the first one.


It does, and it's pretty easy to set up; the instructions above are updated with this.


I'm using AD, but that works now. Thanks.


OK, so I got it to work, sort of. It's not always saving the changes I make in the Manager. Where would the logs be located? Not sure if it's a permissions thing or another error.

Not sure why, but it seems to be doing what it's told now.

On another note, I was looking in the Manager and it does support Kerberos, and so does Cockpit, so it might work for integration.

Also, it might save a bit of time if you're making a lot of changes to the metadata on some applications: instead of downloading the metadata file, use the URL. For Nextcloud it is
https://your.nextcloud.domain.com/index.php/apps/user_saml/saml/metadata
and for WordPress it's
https://your.wordpress.domain.com/wp-login.php?saml_metadata

And while I'm at it: to integrate WordPress I use the OneLogin SAML SSO plugin, as it is free to configure all options, as far as I'm aware.
Step 1.
Install the OneLogin SAML SSO plugin on WordPress and activate it, but don't enable SAML authentication in the plugin yet.
Step 2.
Over in the LemonLDAP Manager, follow the same instructions I gave for EP,
adding https://your.wordpress.domain.com/wp-login.php?saml_metadata as the metadata URL. Save and ignore any errors.

Step 3.
Enter the following info in the plugin in WordPress:

IdP Entity Id = https://auth.yourdomain/saml/metadata
Single Sign On Service Url = https://auth.yourdomain/saml/singleSignOn


ATTRIBUTE MAPPING

Username = uid
E-mail = mail
Nickname = cn
Role = role

NOTE: I created the following groups in Nethserver: wordpressadmin, wordpressedditor, wordpressauthor, wordpresscontributor and wordpresssubscriber. Then I added them in WordPress under ROLE MAPPING in the SSO options:

Administrator = CN=wordpressadmin,CN=Users,DC=ad,DC=domain,DC=com,DC=au
Editor = CN=wordpressedditor,CN=Users,DC=ad,DC=domain,DC=com,DC=au
Author = CN=wordpressauthor,CN=Users,DC=ad,DC=domain,DC=com,DC=au
Contributor = CN=wordpresscontributor,CN=Users,DC=ad,DC=domain,DC=com,DC=au
Subscriber = CN=wordpresssubscriber,CN=Users,DC=ad,DC=domain,DC=com,DC=au
Under Regular expression for multiple role values = /CN=([A-Z0-9\s _-]*);/i

CUSTOMIZE ACTIONS AND LINKS
Enable the following:

Prevent reset password
Prevent change password
Prevent change mail


ADVANCED SETTINGS
Encrypt nameID
Sign AuthnRequest
Sign LogoutRequest
Sign LogoutResponse
Reject Unsigned Messages
Retrieve Parameters From Server
Set NameIDFormat to urn:oasis:names:tc:SAML:1.1:nameid-format:windows
In requestedAuthnContext select the last three, i.e. urn:oasis:names:tc:SAML:2.0:ac:classes:password
Under Service Provider X.509 Certificate and Service Provider Private Key, enter the certs from Signature in the SAML settings in the LemonLDAP Manager

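The role-mapping regex in the WordPress steps above is the one setting in that procedure that silently decides who becomes an administrator, so it is worth dry-running it against the exact value LLNG exports for a test user before SAML login is switched on. The script below is an added example, not code from the OneLogin SAML SSO plugin, LemonLDAP::NG or the post's author. It assumes the exported role attribute arrives as one string whose values are joined with ";" (LLNG's default multi-value separator), uses the five Nethserver groups from the post, picks the most privileged matching role when a user is in several groups, and falls back to subscriber (least privilege) when nothing matches; the second pattern, DN_VALUE_RE, and the sample attribute values are my own constructions.

```python
"""Dry-run the plugin's "Regular expression for multiple role values" before
enabling SAML login.

Added example, not code from the OneLogin SAML SSO plugin or LemonLDAP::NG.
Assumptions: the exported 'role' attribute is a single string with values
joined by ';' (LLNG's default multi-value separator), the group-to-role table
is the one from the post, a user in several groups gets the most privileged
matching role, and anything the regex fails to capture falls back to
'subscriber' (least privilege) rather than to a higher role.
"""
import re

# The pattern exactly as given in the post; the /i modifier becomes re.IGNORECASE.
ROLE_VALUE_RE = re.compile(r"CN=([A-Z0-9\s _-]*);", re.IGNORECASE)

# Alternative (my assumption, not from the post) for values that are whole DNs
# joined with ';': stop the capture at the first ',' or ';' instead.
DN_VALUE_RE = re.compile(r"CN=([^,;]+)", re.IGNORECASE)

# Nethserver groups from the post, most privileged first.
GROUP_TO_ROLE = [
    ("wordpressadmin", "administrator"),
    ("wordpressedditor", "editor"),
    ("wordpressauthor", "author"),
    ("wordpresscontributor", "contributor"),
    ("wordpresssubscriber", "subscriber"),
]

# Constructed attribute values; the DC components are the post's placeholders.
SHORT_VALUE = "CN=wordpressadmin;CN=wordpresssubscriber;"
NO_TRAILING_SEPARATOR = "CN=wordpresssubscriber;CN=wordpressadmin"
DN_JOINED = (
    "CN=wordpressauthor,CN=Users,DC=ad,DC=domain,DC=com,DC=au;"
    "CN=wordpresssubscriber,CN=Users,DC=ad,DC=domain,DC=com,DC=au"
)


def extract_cns(role_attribute, pattern=ROLE_VALUE_RE):
    """Every CN the pattern captures, normalised for comparison."""
    return [m.group(1).strip().lower() for m in pattern.finditer(role_attribute)]


def resolve_role(role_attribute, pattern=ROLE_VALUE_RE, fallback="subscriber"):
    """Single WordPress role: first (most privileged) group hit, else the fallback."""
    captured = set(extract_cns(role_attribute, pattern))
    for group, role in GROUP_TO_ROLE:
        if group in captured:
            return role
    return fallback


def report(role_attribute, pattern=ROLE_VALUE_RE):
    """One-line summary to compare against what you expect for a test user."""
    cns = extract_cns(role_attribute, pattern)
    return f"{role_attribute!r}: captured={cns} -> {resolve_role(role_attribute, pattern)}"


if __name__ == "__main__":
    for value in (SHORT_VALUE, NO_TRAILING_SEPARATOR, DN_JOINED):
        print(report(value))
    # The same DN-joined value, this time with the alternative pattern.
    print(report(DN_JOINED, DN_VALUE_RE))
```

Two things the dry run makes visible: the post's pattern requires a ";" immediately after each CN, so a value that does not end with the separator loses its last group, and a value made of full DNs (CN=...,CN=Users,DC=...) yields no capture at all because the "," is not in the character class. With the fallback used here both cases degrade to subscriber, which is the safe direction, but an admin who unexpectedly lands as a subscriber is the symptom to look for; compare the captured list against the test user's actual groups (a SAML tracer in the browser shows the attribute value) before ticking the SAML-enable box.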

Content now moved to the wiki. @Shane_Treweek, if you like, you can add WordPress and Education Perfect under the SAML2 section.


I'm in the process of setting up GLPI. I've installed the SAML plugin and configured it; I'm just trying to locate the plugin's metadata to finish the setup in the Manager.

Actually, now I think of it, maybe the SAML plugin only authenticates and needs a plugin for service provider.


OK, Zammad: simply click the gear in the bottom left, then go to Security and select Third-party applications. Enable Automatic account link on initial logon.

Then enable SAML.

Settings are:
IDP SSO Target URL = https://auth.domain.com/saml/singleSignOn
IDP Certificate = the public cert under Signature in the LemonLDAP Manager
Leave the next field blank
Name Identifier Format = urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

In the Manager, create the SP.
For the metadata URL, use https://zammad.domain.com/auth/saml/metadata and load.
Under Exported attributes, see below.


Under Authenticated Response choose email,
and make the following changes under LDAP exported attributes:

Obviously some of the attributes don't apply yet to the current config (I'm working on mapping other attributes).
Update:
OK, I've got signing and encryption working, but not checking of the signing; see below.


I was just thinking: does anyone think it would be useful to be able to have Wi-Fi authentication with SAML?


@Shane_Treweek, @danb35

Hi

Been playing around with OpenWRT the last 2 days; the intention is to test it out before I reflash my Netgear WLan AP (or brick it!).

One of my reasons is that the Netgear WLan routers are very common, and they only support router mode, not really AP mode. That means NO remote access or administration for these boxes, a limitation OpenWRT would remove…

To test OpenWRT, I was pleasantly surprised that they support using a Raspberry Pi as a WLan AP… :slight_smile: Version 3B is what I'm testing right now; my RP4 is ready as the next test candidate…
Just use balenaEtcher to flash the MicroSD (16 GB is ample), and it's running!

OpenWRT allows many more options for auth (and other functions) that the original maker does not…
And you can make any supported WLan router into a full WLan AP… Better SNMP reporting is one more option…

This post is a "follow up" to your WLan auth input… :slight_smile:

My 2 cents
Andy


Are you thinking something like a captive portal? It seems a logical application for SSO, but naturally whatever system is handling the captive portal would need to support SAML (or OIDC, which I think would really be my preference if possible; it's much simpler to configure). I have Unifi at home, and it looks like the only external authentication it supports is RADIUS; pfSense (and thus, I expect, OPNsense) supports RADIUS as well as LDAP/AD. Neither appears to support SAML or OIDC.


Also, I found that if (in Nextcloud) you change the URLs under Identity Provider Data so they look like

https://auth.domain/saml/metadata
https://auth.domain/saml/singleSignOn
https://auth.domain/saml/AA/SOAP
https://auth.domain/saml/singleLogout

under Signatures and encryption offered,
enable the first 4 options;

under Signatures and encryption required,
enable the first 3 options;

under General,
enable both options;

and for now (until I can figure out how to pass the certs without giving the private key),
under Service Provider Data
select windows
and enter the public and private key from Encryption in the LLNG Manager;

and in the Manager, under Nextcloud:
set Authentication response to windows,
under Signature enable all,
under Security
set Encryption mode to assertion,
set Enable use of IDP initiated URL to enable,
and Authentication level to 1;
reload the metadata and save.
Signing both logon and logoff works and passes checks, and encryption works.

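Several posts in this thread load a service provider by its metadata URL (WordPress, Nextcloud, Zammad) and then hand-copy the entityID, endpoints, NameID format and certificates into the Manager, and the Nextcloud post above turns on signing and encryption and checks that they pass. The script below is an added example, not code from LemonLDAP::NG, Nextcloud, Zammad or the OneLogin plugin: it parses SP metadata with the standard library, prints the fields you would otherwise type by hand, and audits the SP's own declarations (WantAssertionsSigned, AuthnRequestsSigned, published keys, https endpoints) so you know before clicking "Reject Unsigned Messages" or "Encryption mode = assertion" whether the other side can actually honour them. The embedded metadata document, its hostnames, query strings and truncated certificate are constructed placeholders; load_from_url() is for use against a real metadata URL when you are online.

```python
"""Inspect SAML 2.0 SP metadata before loading it into the LLNG Manager.

Added example, not code from LemonLDAP::NG, Nextcloud, Zammad or the OneLogin
WordPress plugin. Extracts the values the posts type in by hand (entityID,
ACS/SLO endpoints, NameID formats, certificates) and flags an SP that does not
ask for signed assertions or publishes no keys. Stdlib only.
"""
import re
import xml.etree.ElementTree as ET
from urllib.request import urlopen

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample in the shape a php-saml based SP publishes. Hostnames,
# endpoint query strings and the truncated certificate are placeholders.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://your.wordpress.domain.com/wp-login.php?saml_metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIC...TRUNCATED...
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIC...TRUNCATED...
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://your.wordpress.domain.com/wp-login.php?saml_sls"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:windows</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://your.wordpress.domain.com/wp-login.php?saml_acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Return the fields needed for the IdP-side SP definition as a dict."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("expected a single md:EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no md:SPSSODescriptor: not service-provider metadata")

    def flag(name):  # an absent attribute means 'false' in the metadata schema
        return sp.get(name, "false").lower() == "true"

    def endpoints(tag):
        return [(e.get("Binding"), e.get("Location")) for e in sp.findall(tag, NS)]

    certs = {}
    for kd in sp.findall("md:KeyDescriptor", NS):
        body = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        for use in kd.get("use", "signing encryption").split():
            certs.setdefault(use, []).append(re.sub(r"\s+", "", body))

    return {
        "entity_id": root.get("entityID", ""),
        "authn_requests_signed": flag("AuthnRequestsSigned"),
        "want_assertions_signed": flag("WantAssertionsSigned"),
        "name_id_formats": [n.text.strip() for n in sp.findall("md:NameIDFormat", NS)],
        "acs": endpoints("md:AssertionConsumerService"),
        "slo": endpoints("md:SingleLogoutService"),
        "certs": certs,
    }


def audit(info):
    """Warnings to clear before ticking 'Reject Unsigned Messages' or enabling encryption."""
    warnings = []
    if not info["want_assertions_signed"]:
        warnings.append("WantAssertionsSigned=false: the SP will accept unsigned assertions")
    if info["authn_requests_signed"] and not info["certs"].get("signing"):
        warnings.append("AuthnRequestsSigned=true but no signing certificate: IdP cannot verify requests")
    if not info["certs"].get("encryption"):
        warnings.append("no encryption certificate: assertion encryption cannot be enabled on the IdP")
    if not info["acs"]:
        warnings.append("no AssertionConsumerService: nowhere to deliver the response")
    for kind in ("acs", "slo"):
        for _binding, location in info[kind]:
            if not location.startswith("https://"):
                warnings.append(f"{kind} endpoint {location} is not https")
    return warnings


def load_from_url(url, timeout=10):
    """Fetch live metadata (e.g. .../apps/user_saml/saml/metadata); TLS is verified by default."""
    with urlopen(url, timeout=timeout) as resp:
        return parse_sp_metadata(resp.read().decode("utf-8"))


if __name__ == "__main__":
    info = parse_sp_metadata(SAMPLE_SP_METADATA)
    for key, value in info.items():
        print(f"{key}: {value if key != 'certs' else list(value)}")
    print("warnings:", audit(info) or "none")
```

Run it against the real URL (`load_from_url("https://your.nextcloud.domain.com/index.php/apps/user_saml/saml/metadata")`) and compare the printed NameID format and ACS location with what is in the Manager; an empty warning list is the precondition for the "Reject Unsigned Messages" and assertion-encryption settings used in the posts above to work rather than to lock users out.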

Sounds promising

LLNG version 2.0.12 is released:
https://projects.ow2.org/view/lemonldap-ng/lemonldap-ng-2-0-12-is-out/


BTW, nothing serious, but every time this topic bumps up I think of it
(so getting it out of my system now :grinning: )

While (re)building SOGo I noticed there is a lasso package in the CentOS repositories; it is older and seems not to provide Perl bindings.

As said, nothing serious, just something to keep in mind:
the lasso package delivered by lemonldap-ng replaces the distro's package.


I have fired up my test server, and I am in the process of doing multiple deployments, which also include the LemonLDAP software as well as the other software that would need to be authenticated by it.

I also came across your article on SSH certificates, which is a very interesting concept.
You put it out quite well in your documentation: advanced:ssh_certificates [danb35's Wiki] (familybrown.org)

What I am curious about is: did you deploy your own certificate server? Was it deployed on Debian, CentOS or Nethserver?
How well is it working so far on your end?

I want to attempt building and setting it up as a way to learn a few things, but also to try and implement the same in my organization, since we have multiple people who SSH into servers and we make use of freelance system admins; I need to see how well this can resolve the matter.

Let me know your current setup and use case, as it really is interesting.

That worked.
Still errors, but getting closer.

/root/lemon_config.sh

[Sat Jul 24 23:57:33 2021] [LLNG:1605] [error] No configuration available
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/Lib/PSGI.pm line 31.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/Lib/PSGI.pm line 31.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
Can't use string ("") as a subroutine ref while "strict refs" in use at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
[Sat Jul 24 23:57:35 2021] [LLNG:1608] [error] No configuration available
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/Lib/PSGI.pm line 31.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/Lib/PSGI.pm line 31.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
Can't use string ("") as a subroutine ref while "strict refs" in use at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
[Sat Jul 24 23:57:37 2021] [LLNG:1612] [error] No configuration available
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/Lib/PSGI.pm line 31.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/Lib/PSGI.pm line 31.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
Can't use string ("") as a subroutine ref while "strict refs" in use at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
[Sat Jul 24 23:57:38 2021] [LLNG:1615] [error] No configuration available
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/Lib/PSGI.pm line 31.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/Lib/PSGI.pm line 31.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
Can't use string ("") as a subroutine ref while "strict refs" in use at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
[Sat Jul 24 23:57:40 2021] [LLNG:1618] [error] No configuration available
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/Lib/PSGI.pm line 31.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/Lib/PSGI.pm line 31.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
Can't use string ("") as a subroutine ref while "strict refs" in use at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
[Sat Jul 24 23:57:41 2021] [LLNG:1621] [error] No configuration available
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/Lib/PSGI.pm line 31.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/Lib/PSGI.pm line 31.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
Can't use string ("") as a subroutine ref while "strict refs" in use at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
[Sat Jul 24 23:57:43 2021] [LLNG:1625] [error] No configuration available
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/Lib/PSGI.pm line 31.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/Lib/PSGI.pm line 31.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
Can't use string ("") as a subroutine ref while "strict refs" in use at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
[Sat Jul 24 23:57:45 2021] [LLNG:1628] [error] No configuration available
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/Lib/PSGI.pm line 31.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/Lib/PSGI.pm line 31.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
Can't use string ("") as a subroutine ref while "strict refs" in use at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
