LDAP and Kerberos: An Overview Leveraging services provided by Active Directory for Unix/Linux...

Post on 17-Dec-2015


LDAP and Kerberos: An Overview

Leveraging services provided by Active Directory for Unix/Linux authentication, authorization and name services

Jason Testart
Computer Science Computing Facility
University of Waterloo

March 2007

Summary

Kerberos is for authentication only and provides Single Sign-on (SSO)

LDAP can be used for authentication, authorization, and name services (no SSO)

Active Directory is a kerberized directory service with an LDAP interface

Use Kerberos for authentication, LDAP for authorization and name services

What do these technologies give us?

Eliminate password synchronization

Speed-up system deployment

Reduce development time when a new platform is introduced

Improve the end-user experience

LDAP

Name services using the Lightweight Directory Access Protocol

What is LDAP?

A protocol for accessing a directory service

What’s a directory service? Think DNS.

Database backend – do we care?

Schema: attributes with OIDs (à la SNMP)

Objects organized in a tree structure (DIT)

Operations: bind, search, modify

LDIF: text file format for describing directory contents

Schema

Attribute – like a variable in a programming language, it holds a value

ObjectClass – a special attribute that all directory entries must have, as it acts as a template for the data (enforces a kind of internal consistency)

AD Schema:http://msdn.microsoft.com/library/en-us/ad/ad/active_directory_schema.asp

Unix Schema: http://www.ietf.org/rfc/rfc2307.txt

Types of Object Classes

Structural – only one per entry!

Auxiliary – supplements structural

Abstract – can’t be used directly; only as an ancestor of another class (eg. “top”)

Schema Examples

Snippets of OpenLDAP’s RFC 2307 schema implementation:

objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount'
    DESC 'Abstraction of an account with POSIX attributes'
    SUP top AUXILIARY
    MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
    MAY ( userPassword $ loginShell $ gecos $ description ) )

attributetype ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory'
    DESC 'The absolute path to the home directory'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

Directory Information Tree (DIT)

dc=ldap,dc=student,dc=cs,dc=student,dc=uwaterloo,dc=ca
  |
  +-- ou=People
  |     +-- uid=jatestar
  |     +-- uid=jattest
  |     +-- uid=wcwince
  +-- ou=Groups
  +-- ou=Hosts

DN and RDN of a directory entry

RDN – a unique attribute among all siblings of a single parent in the DIT (eg. “uid=jatestar”)

DN – concatenation of RDNs when following the path from the entry (node) to the root of the DIT (eg. “uid=jatestar, ou=people, dc=ldap, dc=student, dc=cs, dc=uwaterloo, dc=ca”)

Directory Entry Example

Entry in /etc/passwd:

jatestar:x:1449:1449:Jason Testart [CSCF],DC2555B,x37174,,:/u4/jatestart:/xhbin/tcsh

Becomes the following LDIF:

dn: uid=jatestar, ou=ldap, ou=people, dc=student, dc=cs, dc=uwaterloo, dc=ca
objectClass: top
objectClass: person
objectClass: posixAccount
cn: Jason Testart
sn: Testart
uid: jatestar
uidNumber: 1449
gidNumber: 1449
homeDirectory: /u4/jatestart
loginShell: /xhbin/tcsh
gecos: Jason Testart [CSCF],DC2555B,x37174,,

Some LDAP Interfaces

LDIF - ldapsearch, ldapmodify, ldp.exe (see “man ldif”, “man ldapsearch”, etc…)

Perl - Net::LDAP(see http://ldap.perl.org/)

C/C++ - OpenLDAP API (likely others…)(see “man 3 ldap”)

ADSI - Windows specific(see http://www.microsoft.com/windows2000/techinfo/howitworks/activedirectory/adsilinks.asp)

When interfacing, you need…

Server hostname

Bind DN

Base DN (if searching)

SSL?

Note: An Active Directory domain controller will accept the value of the userPrincipalName attribute as the bind DN.

(eg. “jatestar@nexus.uwaterloo.ca” is friendlier than “CN=Jason J Testart (jatestar),OU=CSCF,OU=Staff,OU=Accounts,OU=Computer Science,OU=Faculties,DC=NEXUS,DC=UWATERLOO,DC=CA”)

What object classes does AD use for users?

Query:

ldapsearch -x -W -H "ldaps://canadenis.student.cs.uwaterloo.ca" \
    -D "jatestar@student.cs.uwaterloo.ca" \
    -b "dc=student,dc=cs,dc=uwaterloo,dc=ca" \
    "(cn=jatestar)" objectClass

Yields:

dn: CN=jatestar,OU=Users,OU=CS,DC=student,DC=cs,DC=uwaterloo,DC=ca
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user

Need Unix attributes in AD

The user objectClass is missing needed attributes that RFC 2307 provides

So, extend the schema in AD, but be careful! There are differences between MS-SFU-2.0, MS-SFU-3.5 and the schema provided by Windows Server 2003 R2

Maximize use of client attribute mappings!

Attribute Mappings

Example: “When I ask for the gecos attribute value, fetch the value of cn from the directory instead”

Minimize duplication of data in the directory (ie. redundant attributes)

In some cases, doing this allows you to avoid extending the schema of a directory

Groups

posixGroup uses memberUid, which is the uid of the member

groupofUniqueNames uses the member attribute, which is the DN of the member

Attribute mappings may be inappropriate, redundancy may be unavoidable

Netgroups may give additional functionality, with additional complexity

Applying the knowledge (client-side)

Make sure you know what directory attributes you are using!

Tell /etc/nsswitch.conf to use the nss_ldap library from padl.com

Edit the ldap.conf appropriately to point to AD and define the attribute maps

No need to add users/groups in /etc/passwd or /etc/group!
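The attribute maps from the preceding slides, worked through in Python as an added example (not part of the deck and not nss_ldap's own code): a constructed ldap.conf fragment in nss_ldap's nss_map_* syntax is parsed and applied to a constructed AD user entry, giving the posixAccount view and the /etc/passwd line a client would see. The AD attribute names uidNumber, gidNumber, unixHomeDirectory and loginShell are assumed to come from the Windows Server 2003 R2 schema extension; a plain user object without them yields no account, which is the failure case the slides warn about.

```python
# Constructed ldap.conf fragment in nss_ldap's nss_map_* syntax: requesting the
# RFC 2307 name on the left fetches the AD attribute on the right (gecos -> cn).
LDAP_CONF = """
nss_map_objectclass posixAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
"""
# posixAccount MUST attributes, from the RFC 2307 schema snippet above.
POSIX_MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")

# Constructed AD entry: attribute names as AD exposes them, values made up.
AD_ENTRY = {"objectClass": ["top", "person", "organizationalPerson", "user"],
            "cn": "Jason Testart", "sAMAccountName": "jatestar",
            "uidNumber": "1449", "gidNumber": "1449",
            "unixHomeDirectory": "/u4/jatestar", "loginShell": "/bin/tcsh"}

def parse_maps(conf):
    """Return ({rfc2307_attr: ad_attr}, {rfc2307_class: ad_class})."""
    attrs, classes = {}, {}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "nss_map_attribute":
            attrs[parts[1]] = parts[2]
        elif len(parts) == 3 and parts[0] == "nss_map_objectclass":
            classes[parts[1]] = parts[2]
    return attrs, classes

def posix_view(entry, attr_map, class_map):
    """Apply the maps to one AD entry; None if it cannot be a posixAccount."""
    if class_map.get("posixAccount", "posixAccount") not in entry.get("objectClass", []):
        return None
    view = {}
    for name in POSIX_MUST + ("gecos", "loginShell"):
        source = attr_map.get(name, name)   # unmapped names are fetched as-is
        if source in entry:
            view[name] = entry[source]
    # A plain AD 'user' carries no uidNumber/gidNumber: without the schema
    # extension (or a mapping) the entry is not a usable Unix account.
    if any(name not in view for name in POSIX_MUST):
        return None
    return view

def passwd_line(view):
    """Render the mapped view as an /etc/passwd line (password field is 'x')."""
    return ":".join([view["uid"], "x", view["uidNumber"], view["gidNumber"],
                     view.get("gecos", ""), view["homeDirectory"],
                     view.get("loginShell", "")])
```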

Kerberos

Using Active Directory Kerberos for Unix/Linux authentication

What is Kerberos?

Authentication protocol

Secure SSO

Trusted 3rd party

Mutual Authentication

Some Kerberos Terminology

User Principal

Host/Service Principal

Instance

Realm

KDC

TGT

Credential cache

Principals

username[/instance]@REALM
servicename/FQDN@REALM

Examples:

jatestar@NEXUS.UWATERLOO.CA
nfs/gl01.student.cs.uwaterloo.ca@STUDENT.CS.UWATERLOO.CA
host/cpu14.student.cs.uwaterloo.ca@STUDENT.CS.UWATERLOO.CA
imap/services02.student.cs.uwaterloo.ca@STUDENT.CS.UWATERLOO.CA

Credential Cache (on a Mac)

$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jatestar@STUDENT.CS.UWATERLOO.CA

Valid starting     Expires            Service principal
12/13/06 01:06:50  12/13/06 11:05:03  krbtgt/STUDENT.CS.UWATERLOO.CA@STUDENT.CS.UWATERLOO.CA
        renew until 12/14/06 01:06:50
12/13/06 01:06:38  12/13/06 11:05:03  fs02$@STUDENT.CS.UWATERLOO.CA
        renew until 12/14/06 01:06:50
12/13/06 01:10:23  12/13/06 11:05:03  host/cpu20.student.cs.uwaterloo.ca@STUDENT.CS.UWATERLOO.CA
        renew until 12/14/06 01:06:50

AD Domain == Kerberos v5 Realm

Domain controllers provide KDC functionality

A “domain” is synonymous with “realm”

Joining a Windows computer to a domain means you are creating a host principal in the realm

No multipart principal names in AD, so mappings are needed for instances

Adding a Unix host to AD

Create a user account for the host/service (eg. cpu04-host)

Map the account to a service principal: host/cpu04.student.cs.uwaterloo.ca@STUDENT.CS.UWATERLOO.CA

Set the account password

Generate a krb5.keytab file

Stick the keytab file in /etc/krb5 on cpu04

Done on all student.cs CPU servers

Adding a Unix host to AD (sans GUI)

Create the account using LDIF (from a Linux box):

% ldapmodify -x -W -H ldaps://canadenis -D "Administrator@student.cs.uwaterloo.ca"
dn: cn=cpu04-host,OU=Service Principals,DC=student,DC=cs,DC=uwaterloo,DC=ca
changetype: add
cn: cpu04-host
objectClass: user
sAMAccountName: cpu04-host
displayName: cpu04-host
description: Kerberos host service principal for cpu04
userAccountControl: 2097664

Do the mapping and generate a keytab file (on the domain controller):

ktpass -princ host/cpu04.student.cs.uwaterloo.ca@STUDENT.CS.UWATERLOO.CA -mapuser cpu04-host -password S0m3Rand0mPaZZw0rd -out cpu04-host.keytab
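The same host-principal setup as an added Python example, not code from the deck: it derives the account name, the LDIF and the ktpass command line from a service principal, following the deck's cpu04-host naming and its OU=Service Principals container, and decodes the userAccountControl value so the flags being set are visible. The base DN and the password placeholder are assumptions; the flag bit values are the documented AD ones.

```python
# Well-known userAccountControl bits (subset), enough to read the deck's value.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
}

def decode_uac(value):
    """Return the names of the flags set in a userAccountControl integer."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def parse_principal(principal):
    """Split 'primary[/instance]@REALM' into (primary, instance, realm)."""
    name, _, realm = principal.rpartition("@")
    if not name or not realm:
        raise ValueError("principal must look like primary[/instance]@REALM")
    primary, _, instance = name.partition("/")
    return primary, instance, realm

def host_account_ldif(principal, base_dn, uac=0x200):
    """Account name, LDIF and ktpass line for a service principal's AD account."""
    # AD has no multipart principal names, so the principal is mapped onto a
    # plain 'user' object named <shorthost>-<service> (the deck's convention).
    service, fqdn, realm = parse_principal(principal)
    if not fqdn:
        raise ValueError("a service principal needs a host instance")
    short = fqdn.split(".")[0]
    account = f"{short}-{service}"                         # e.g. cpu04-host
    dn = f"cn={account},OU=Service Principals,{base_dn}"   # OU as on the deck
    ldif = "\n".join([
        f"dn: {dn}", "changetype: add", f"cn: {account}", "objectClass: user",
        f"sAMAccountName: {account}", f"displayName: {account}",
        f"description: Kerberos {service} service principal for {short}",
        f"userAccountControl: {uac}", ""])
    # Password is a placeholder: it is set on the domain controller, never here.
    ktpass = (f"ktpass -princ {principal} -mapuser {account} "
              f"-password <SET-ON-DC> -out {account}.keytab")
    return account, ldif, ktpass
```

The deck's 2097664 decodes to NORMAL_ACCOUNT plus USE_DES_KEY_ONLY, so the keytab it produces holds single-DES keys only; on anything built today leave that bit out and pick an AES type with ktpass's -crypto option.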

Tell Unix login to authenticate against AD

Set-up an appropriate /etc/krb5.conf

Modify the PAM authentication stack to use the pam_krb5 module

Lots of work for simple authentication!

Could have used ldap, or radius, etc…

Kerberos gives us Single Sign-On

Can take advantage of domain trusts!

Most apps use SASL and GSSAPI to support Kerberos 5

SSH and SSO

Configure SSH clients and servers to use GSSAPI for authentication

Mac Lab user can ssh to a CPU server without a password (no ssh keys or .shosts required)

Honours .k5login file (handy for course accounts)

Possibilities with NFS (v3+), IMAP, SMTP AUTH, HTTP, etc…

SSO Demo (Linux client to AD)

Show krb5.conf

Login to realm (kinit)

Show file shares on NetApp

Query our entry on domain controller

Show resulting credential cache (klist)

Logout of realm (kdestroy)

Using slapd (OpenLDAP) with AD

OpenLDAP supports Kerberos via SASL/GSSAPI

Can map entities in a realm with entries in the directory

Use authz-regexp directive in slapd.conf

See: http://www.openldap.org/doc/admin23/sasl.html
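How an authz-regexp rule turns a GSSAPI identity into a directory entry, as an added Python example (not OpenLDAP's code): the rule is constructed for the deck's realm and DIT, and the SASL identity form uid=<principal>,cn=<realm>,cn=gssapi,cn=auth is the one slapd builds for GSSAPI binds. Keeping instanced principals such as user/admin out of the match is an assumed policy choice of this rule, not slapd behaviour.

```python
import re

# Constructed slapd.conf rule in authz-regexp form: the first token is the
# pattern matched against the SASL identity, the second the DN or LDAP URL it
# becomes. Realm and DIT are the deck's; [^,/] keeps user/instance principals out.
AUTHZ_REGEXP = (
    r"uid=([^,/]*),cn=STUDENT\.CS\.UWATERLOO\.CA,cn=gssapi,cn=auth",
    "ldap:///ou=people,dc=student,dc=cs,dc=uwaterloo,dc=ca??one?(uid=$1)",
)

def sasl_identity(principal):
    """The SASL identity slapd forms for a GSSAPI-authenticated principal."""
    name, _, realm = principal.rpartition("@")
    return f"uid={name},cn={realm},cn=gssapi,cn=auth"

def map_identity(identity, rule=AUTHZ_REGEXP):
    """Apply one authz-regexp rule to a SASL identity.

    Returns ("dn", dn) when the replacement is a literal DN, ("url", url)
    when slapd would have to run the search the URL describes, or None
    when the rule does not match (the bind then has no authorization DN)."""
    pattern, replacement = rule
    m = re.fullmatch(pattern, identity)
    if m is None:
        return None
    # slapd's $1..$9 in the replacement are the pattern's capture groups
    result = re.sub(r"\$([1-9])", lambda d: m.group(int(d.group(1))), replacement)
    return ("url" if result.startswith("ldap:///") else "dn"), result
```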

References

LDAP System Administration by Gerald Carter (O’Reilly)

Kerberos The Definitive Guide by Jason Garman (O’Reilly)

Unified Windows® and UNIX® Authorization Using Microsoft® Active Directory LDAP as a Directory Store by Ellie Berriman (Network Appliance Inc.)

Unified Windows® and UNIX® Authentication Using Microsoft® Active Directory Kerberos by Ellie Berriman (Network Appliance Inc.)