Joining Google LDAP?

NethServer Version: 7.9.2009
Module: Accounts Provider/SSSD

Hi

I’m a school network admin, I’ve got a job that Nethserver seems a good fit for (an authenticated proxy for our Chromebooks).

I’m trying to use our google domain as an LDAP provider, basically following the instructions here:
https://support.google.com/a/answer/9089736?hl=en&ref_topic=9173976#zippy=%2Csssd-red-hat-enterprise-and-centos

The problem is I’m then following the Nethserver gui to bind a remote LDAP provider, and it accepts the hostname and port, but then I can’t get any further - I need to be able to import the certificate which google requires for authentication.

I’m happy enough following the instructions that Google have provided in the above link for setting up sssd manually, but my concern is the warning at the top of the SSSD.conf file on my nethserver telling me not to modify it - I also fear that the setup that I accomplish manually might not then be reflected in the Nethserver GUI when I’m coming to continue the setup of the proxy etc.

How should I proceed? Many thanks in advance!

Do you mean the cert for NethServer? If so, it’s usually a Let’s Encrypt cert that is auto-renewed approx. every 35 days, but the update can be auto-scripted. As for the format, what format do they require the cert to be in? That can be scripted and automatically handled with a crontab. Also, using the Google API, the entire process can be scripted so that every time the NethServer cert is renewed it takes the required certs, exports them to the correct format, then uploads them to Google and triggers a refresh on their end to update the cert.

No, I don’t mean that, in fact I’ve already got a letsencrypt cert set up on the server. :grinning_face_with_smiling_eyes:

A certificate is required to authenticate with the Google LDAP server (I’ve already downloaded it). From the instructions linked you can see how it would be used with sssd directly:

Create the file /etc/sssd/sssd.conf with the following contents:
 
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
ldap_tls_cert = /etc/sssd/ldap/Google.crt
ldap_tls_key = /etc/sssd/ldap/Google.key
ldap_tls_reqcert = never
ldap_uri = ldaps://ldap.google.com
ldap_search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_user_uuid = entryUUID

My question is what is the ‘correct’ way to do this on NethServer - do I just ignore the warning on the conf file and go for it (making sure not to reconfigure LDAP via the GUI)? Is there any chance the certificate auth could be added to the GUI?

So do you mean you’re trying to use Google as the DC and set NethServer up with LDAP as a replica (i.e. slave)? Because if that’s the case it’s all handled through the GUI.

Or do you mean Google requires the NethServer to respond to a “handshake like request” from Google to authorize the link to pull down the LDAP data?

The reason I’m asking is I haven’t used Google for LDAP myself, but as you mentioned

I agree and am trying to understand a bit more about why this is necessary (i.e. the cert), as this integration would be useful to make into a how-to.

So after properly reading your first post, I’m guessing you’re trying to set up LDAPS. If that’s the case, that should be able to be handled through the NethServer GUI: when you try to set up users and groups you first have the option between AD and LDAP; select LDAP, then it asks something along the lines of “do you want to join an existing domain or make this the main DC?”; select “join” and follow the prompts.

Also (and I could be wrong) I think sssd is mainly used for Samba AD DC.

Yes, I am trying to setup LDAPS - I want accounts on the Google Domain to pull down to my nethserver.

My hope is that by doing this the chromebooks (which are logged in with accounts from our google domain) will be able to seamlessly authenticate against the nethserver based proxy server for internet access - basically in the same way that our Windows network authenticates with our proxy server using kerberos without any user interaction.

I’ve tried using the nethserver GUI to set up the connection, but the google instructions seem quite clear that I must use the certificate to authenticate with their LDAP server, but the GUI offers no way to add the certificate as part of the setup of the remote LDAP server - it does offer the opportunity to put in some other authentication, but this is not sufficient.

In short I have clicked join, followed the prompts, and got stuck as there is no way to input the required certificate.

@ruklaw have a read of this https://www.reddit.com/r/linuxadmin/comments/o7wsq5/anyone_authenticating_samba_standalone_against/

especially these parts

'It looks like Google more or less pivoted to offering AD as a service instead of developing all the individual components needed. Which is a shame, because while AD has pretty much eaten the corporate identity management world, it does have its weak points.'

'Google has no incentive to work with Samba and ldap, it relies on SMBv1 and that is going away, so you might just get it working and then have the rug pulled from under you. There is also the problem that you shouldn't run sssd with Samba >= 4.8.0'

OK, I think the way to go about this is to use Google Cloud Directory Sync.

'GCDS doesn't migrate any content (such as email messages, calendar events, or files) to your Google Account. You use GCDS to synchronize your Google users, groups, and shared contacts to match the information in your LDAP server.'

Also, this works with both AD and OpenLDAP, so it gives you both options. From my understanding you set NethServer up as the main LDAP or AD and this service syncs the data into it.

It’s a bit convoluted, but Google want you to use their add-ons. For example, I originally wanted the option to whitelist certain YouTube videos and block the rest; you used to be able to do that, but now I think you need the Education or Enterprise licence and pay for a filter add-on.

It is possible to modify configuration files with a template-custom:

That is possible, because setting up SSSD correctly is not enough for the UI. It needs to retrieve user & group listings, through direct LDAP queries. In this case the LDAP clients are implemented as Perl scripts here:

  • /usr/libexec/nethserver/list-users
  • /usr/libexec/nethserver/list-groups

As they don’t rely on OpenLDAP libraries, you can’t customize /etc/openldap/ldap.conf either to set up TLS :frowning:

Instead, some code changes to /usr/share/perl5/vendor_perl/NethServer/LdapClient.pm are probably needed to implement the custom client certificate setup (the Net::LDAP module seems to have custom certificate handling with clientcert/clientkey options).

If you have any question feel free to ask!

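As an added illustration (not NethServer’s own code, nor part of the post above) of what a Net::LDAP client with the clientcert/clientkey options looks like, here is a stand-alone script that connects to Google’s LDAPS endpoint with the certificate and key paths from the quoted sssd.conf and lists users via the rfc2307bis attributes; the CA bundle path, the search base and the posixAccount filter are assumptions to adjust for your domain.

```perl
#!/usr/bin/perl
# Added example: Google Secure LDAP over LDAPS with a client certificate,
# using Net::LDAP (the module NethServer/LdapClient.pm is built on).
use strict;
use warnings;
use Net::LDAP;

# Certificate paths follow the sssd.conf quoted earlier in the thread.
my $cert   = '/etc/sssd/ldap/Google.crt';
my $key    = '/etc/sssd/ldap/Google.key';
my $cafile = '/etc/pki/tls/certs/ca-bundle.crt';   # assumed CentOS 7 CA bundle
my $base   = 'dc=example,dc=com';                    # assumed; use your domain

sub connect_google_ldap {
    # verify => 'require' validates the server certificate against $cafile,
    # which is stricter than the "ldap_tls_reqcert = never" in the sssd.conf.
    my $ldap = Net::LDAP->new(
        'ldap.google.com',
        port       => 636,
        scheme     => 'ldaps',
        verify     => 'require',
        cafile     => $cafile,
        clientcert => $cert,     # client certificate authenticates this host
        clientkey  => $key,
        timeout    => 10,
    ) or die "LDAPS connection failed: $@";

    # Google identifies the client by its certificate, so an anonymous bind
    # is sufficient; a simple bind with access credentials would also work.
    my $mesg = $ldap->bind;
    die 'bind failed: ' . $mesg->error if $mesg->code;
    return $ldap;
}

sub list_users {
    my ($ldap) = @_;
    # rfc2307bis user objects carry uid/uidNumber/gidNumber and entryUUID,
    # matching ldap_schema and ldap_user_uuid in the quoted sssd.conf.
    my $mesg = $ldap->search(
        base   => $base,
        scope  => 'sub',
        filter => '(objectClass=posixAccount)',
        attrs  => [qw(uid uidNumber gidNumber cn entryUUID)],
    );
    die 'search failed: ' . $mesg->error if $mesg->code;
    return map { [ $_->get_value('uid'), $_->get_value('cn') ] } $mesg->entries;
}

my $ldap = connect_google_ldap();
printf "%s\t%s\n", @$_ for list_users($ldap);
$ldap->unbind;
```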

Many thanks to both, you’ve given me something I can work with.

It is interesting reading those threads on reddit about Google LDAP, it sounds like it perhaps isn’t the robust system I was hoping!

I’ll give GCDS a go and see how I get on.

In my opinion, I don’t think it’s a matter of being robust or not as much as it’s about Google trying to get you to use their products rather than a mix. Kind of like when a company makes software that plays nice with others, then after a few years changes things just enough so you need to buy something else to make it work.