Red SWL (V): Debian Wheezy and ClearOS. SSSD authentication against native LDAP.

Hello friends!. Please, I repeat, read before «Introduction to a Network with Free Software (I): Presentation of ClearOS»And download the ClearOS Step-by-Step installation images package (1,1 mega), to be aware of what we are talking about. Without that reading it will be difficult to follow us.

System Security Service Daemon

The program SSSD o Daemon for the System Security Service, is a project of Fedora, which was born from another project -also from Fedora- called FreeIPA. According to its own creators, a short and freely translated definition would be:

SSSD is a service that provides access to different Identity and Authentication providers. It can be configured for a native LDAP domain (LDAP-based identity provider with LDAP authentication), or for an LDAP identity provider with Kerberos authentication. SSSD provides the interface to the system through NSS y PAM, and an insertable Back End to connect to multiple and different account origins.

We believe that we are facing a more comprehensive and robust solution for the identification and authentication of registered users in an OpenLDAP, than those addressed in the preceding articles, an aspect that is left to the discretion of everyone and their own experiences.

The solution proposed in this article is the most recommended for mobile computers and laptops, since it allows us to work disconnected, since the SSSD stores the credentials on the local computer.

Example network

• Domain Controller, DNS, DHCP: ClearOS Enterprise 5.2sp1.
• Controller Name: centos
• Domain Name: friends.cu
• Controller IP: 10.10.10.60
• ---------------
• Debian version: wheezy.
• Name of the team: debian7
• IP adress: Using DHCP

We check that the LDAP server is working

We modify the file /etc/ldap/ldap.conf and install the package ldap-utils:

: ~ # nano /etc/ldap/ldap.conf
[----] BASE dc = friends, dc = cu URI ldap: //centos.amigos.cu [----]

: ~ # aptitude install ldap-utils: ~ $ ldapsearch -x -b 'dc = friends, dc = cu' '(objectclass = *)': ~ $ ldapsearch -x -b dc = friends, dc = cu 'uid = strides'
: ~ $ ldapsearch -x -b dc = friends, dc = cu 'uid = legolas' cn gidNumber

With the last two commands, we check the availability of the OpenLDAP server of our ClearOS. Let's take a good look at the outputs of the previous commands.

Important: we have also verified that the Identification Service in our OpenLDAP server works correctly.

We install the sssd package

It is also recommended to install the package finger to make checks more drinkable than the ldapsearch:

: ~ # aptitude install sssd finger

Upon completion of the installation, the service ssd does not start due to missing file /etc/sssd/sssd.conf. The output of the installation reflects this. Therefore, we must create that file and leave it with the next minimum content:

: ~ # nano /etc/sssd/sssd.conf
[sssd] config_file_version = 2 services = nss, pam # SSSD will not start if you do not configure any domains. # Add new domain configurations as [domain / ] sections, and # then add the list of domains (in the order you want them to be # queried) to the "domains" attribute below and uncomment it. domains = amigos.cu [nss] filter_groups = root filter_users = root reconnection_retries = 3 [pam] reconnection_retries = 3 # LDAP domain [domain / amigos.cu] id_provider = ldap
auth_provider = ldap
chpass_provider = ldap # ldap_schema can be set to "rfc2307", which stores group member names in the # "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in # the "member" attribute. If you do not know this value, ask your LDAP # administrator. # works with ClearOS ldap_schema = rfc2307
ldap_uri = ldap: //centos.amigos.cu
ldap_search_base = dc = friends, dc = cu # Note that enabling enumeration will have a moderate performance impact. # Consequently, the default value for enumeration is FALSE. # Refer to the sssd.conf man page for full details. enumerate = false # Allow offline logins by locally storing password hashes (default: false). cache_credentials = true
ldap_tls_reqcert = allow
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt

Once the file has been created, we assign the corresponding permissions and restart the service:

: ~ # chmod 0600 /etc/sssd/sssd.conf
: ~ # service sssd restart

If we want to enrich the content of the previous file, we recommend executing man sssd.conf and / or consult the existing documentation on the Internet, starting with the links at the beginning of the post. Also consult man sssd-ldap. The package ssd includes an example in /usr/share/doc/sssd/examples/sssd-example.conf, which can be used to authenticate against a Microsoft Active Directory.

Now we can use the most drinkable commands finger y getent:

: ~ $ finger strides
Login: strides Name: Strides El Rey Directory: / home / strides Shell: / bin / bash Never logged in. No mail. No Plan.

: ~ $ sudo getent passwd legolas
legolas: *: 1004: 63000: Legolas The Elf: / home / legolas: / bin / bash

We still cannot authenticate as a user of the LDAP server. Before we must modify the file /etc/pam.d/common-session, so that the user's folder is automatically created when they start their session, if it does not exist, and then reboot the system:

[----]
session required pam_mkhomedir.so skel = / etc / skel / umask = 0022

### The above line must be included BEFORE
# here are the per-package modules (the "Primary" block) [----]

We restart our Wheezy:

: ~ # reboot

After logging in, disconnect the network using the Connection Manager and log out and back in. Faster nothing. Run in a terminal ifconfig and they will see that the eth0 it is not configured at all.

Activate the network. Please log out and log in again. Check again with ifconfig.

Of course, to work offline, it is necessary to log in at least once while OpenLDAP is online, so that the credentials are saved on our computer.

Let's not forget to make the external user registered in OpenLDAP a member of the necessary groups, always paying attention to the user created during the installation.

Note:

Declare option ldap_tls_reqcert = never, in the File /etc/sssd/sssd.conf, constitutes a security risk as stated on the page SSSD - FAQ. The default value is «demand«. See man sssd-ldap. However, in the chapter 8.2.5 Configuring Domains From the Fedora documentation, the following is stated:

SSSD does not support authentication over an unencrypted channel. Consequently, if you want to authenticate against an LDAP server, either TLS/SSL or LDAPS is required.

SSSD it does not support authentication over an unencrypted channel. Therefore, if you want to authenticate against an LDAP server, it will be necessary TLS / SLL o LDAP.

We personally think that the solution addressed it is sufficient for an Enterprise LAN, from a security point of view. Through the WWW Village, we recommend implementing an encrypted channel using TLS or «Transport Security Layer », between the client computer and the server.

We try to achieve this from the correct generation of Self Signed certificates or «self-signed “On the ClearOS server, but we couldn't. It is in fact a pending issue. If any reader knows how to do it, welcome to explain it!