FreedomTunnel/DeploymentNotes
Latest revision as of 05:57, 14 June 2012
FreedomTunnelDeploymentGuide
Keeping notes on how things were deployed. This allows conversion to a Chef recipe later.
Server setup:
1) http://www.rjsystems.nl/en/2100-d6-openldap-provider.php << Basic server setup.
2) Run dpkg-reconfigure slapd to get the basic functionality set up.
3) Attempting to add the schemas as the config admin:
    ldapadd -x -D cn=admin,cn=config,dc=corp,dc=thefnf,dc=net -W -f openldap/goserver.ldif
will fail. The fix is at:
http://www.saruman.biz/wiki/index.php/OpenLDAP#Adding_or_modifying_the_cn.3Dconfig_admin_password
GOSA Setup
Pretty straightforward LAMP deployment.
GOSA LDAP bits
    ldapadd -QY EXTERNAL -H ldapi:/// -f openldap/goserver.ldif
    ldapadd -QY EXTERNAL -H ldapi:/// -f openldap/goto.ldif
    ldapadd -QY EXTERNAL -H ldapi:/// -f openldap/gofon.ldif
    ldapadd -QY EXTERNAL -H ldapi:/// -f openldap/goto.ldif
    ldapadd -QY EXTERNAL -H ldapi:/// -f openldap/gosystem.ldif
    ldapadd -QY EXTERNAL -H ldapi:/// -f openldap/goto.ldif
    ldapadd -QY EXTERNAL -H ldapi:/// -f openldap/gosa-samba3.ldif
    ldapadd -QY EXTERNAL -H ldapi:/// -f openldap/goserver.ldif
    ldapadd -QY EXTERNAL -H ldapi:/// -f openldap/gosa-samba3.ldif
    ldapadd -QY EXTERNAL -H ldapi:/// -f openldap/gosa-samba3.ldif
    ldapadd -QY EXTERNAL -H ldapi:/// -f openldap/gosa-samba3.ldif
    ldapadd -QY EXTERNAL -H ldapi:/// -f openldap/gosa-samba3.ldif
    ldapadd -QY EXTERNAL -H ldapi:/// -f openldap/gosa-samba3.ldif
    ldapadd -QY EXTERNAL -H ldapi:/// -f openldap/samba3.ldif
    ldapadd -QY EXTERNAL -H ldapi:/// -f openldap/gosa-samba3.ldif
Other Pasted Notes
Centralized authentication
Set up everything on my network that takes a password (workstations/network gear/wpa/www apps etc.) to talk to OpenLDAP/Kerberos/FreeRadius. This way I will have a centralized auth store with policy control etc. One password for everything. In the event I have an application that can't use SSO, I can still have a common password for it.
What do I have that is capable of talking to these back ends?
- All Linux boxes (use Kerberos/OpenLDAP for logins)
- All Windows boxes (use Kerberos/OpenLDAP/FreeRadius for logins)
- Web apps (most support LDAP directly, some I use the kerberos module and pam auth)
- Cisco gear (FreeRadius)
- Nanostation2 based wireless access points running OpenWRT (wpa2 enterprise to FreeRadius backend)
Components
- LDAP (this is the backend to everything else)
- 802.1x system for wired/wireless clients (one needs to be on the network in order to access the auth backend). This would be a whitelist of authorized MAC addresses. Any network access would result in a prompt for credentials.
- Kerberos (this is used for workstation logins)
- FreeRadius (this is used by cisco gear and for wireless user authentication)
- Clients authenticating
All the components below run on a VPS with CentOS 5.5, up in the cloud (at my $dayjob, which is a very large IaaS provider).
LDAP
LDAP is the back end for everything else (FreeRADIUS and Kerberos serve as authentication methods for clients, talking to LDAP as the authorization system). So it is key to have a working LDAP installation before doing anything else.
Followed the HOWTO at http://www.linuxmail.info/openldap-setup-howto/:
    yum install openldap-servers openldap-clients

base.ldif:
    dn: dc=knownelement,dc=com
    dc: knownelement
    objectClass: domain

users.ldif:
    dn: ou=People,dc=knownelement,dc=com
    ou: People
    objectClass: organizationalUnit

    dn: uid=charles,ou=People,dc=knownelement,dc=com
    uid: charles
    cn: Wyble Charles
    displayName: Charles Wyble
    givenName: Charles
    sn: Wyble
    objectClass: inetOrgPerson
    userPassword: password
    mail: charles@knownelement.com

    ldapadd -x -D "cn=Manager,dc=knownelement,dc=com" -w secretstuff -f base.ldif
    ldapadd -x -D "cn=Manager,dc=knownelement,dc=com" -w secretstuff -f users.ldif
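Added example (not from the page or its author): the same user entry as above, but with userPassword written as an OpenLDAP {SSHA} value (the format slappasswd produces, so slapd never stores the cleartext "password" line), plus a verifier so the value can be checked before the LDIF is loaded. The tree and attribute names are the page's; the helper names, the fixed salt used in testing and the placeholder password are assumptions.

```python
import base64
import hashlib
import os

# Constructed values mirroring the page's tree; "password" is the page's placeholder, not a real secret.
BASE_DN = "dc=knownelement,dc=com"
PEOPLE_DN = "ou=People," + BASE_DN


def ssha_hash(password, salt=None):
    """Return an OpenLDAP-style {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # 4 random salt bytes, as slappasswd uses by default
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, candidate):
    """Check a candidate password against a stored {SSHA} value.

    The salt is whatever follows the 20-byte SHA-1 digest, so any salt length verifies.
    """
    if not stored.startswith("{SSHA}"):
        return False  # cleartext or another scheme: not something this checker accepts
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(candidate.encode("utf-8") + salt).digest() == digest


def user_ldif(uid, given_name, sn, mail, password, salt=None):
    """Build the page's inetOrgPerson entry with a hashed userPassword instead of cleartext."""
    lines = [
        "dn: uid=%s,%s" % (uid, PEOPLE_DN),
        "uid: " + uid,
        "cn: %s %s" % (sn, given_name),
        "displayName: %s %s" % (given_name, sn),
        "givenName: " + given_name,
        "sn: " + sn,
        "objectClass: inetOrgPerson",
        "userPassword: " + ssha_hash(password, salt),
        "mail: " + mail,
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(user_ldif("charles", "Charles", "Wyble", "charles@knownelement.com", "password"))
```

Kerberos keeps its own key store, so this only changes what simple-bind clients (the web apps on the list) check against; it does not replace the KDC setup.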
Kerberos
- http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-kerberos.html
- http://www.centos.org/docs/5/html/5.1/Deployment_Guide/s1-kerberos-clients.html
FreeRADIUS
802.1x
Clients
Web applications
- Tattler / Memex (Drupal-based applications)
- Thinkup
- Piwigo
- OpenDocMan
- Status.net
- Wordpress
- Redmine
- Mediawiki
- EyeOS
- Thunderbird
Network gear
- Cisco switches/routers: one howto for FreeRADIUS/LDAP and Cisco gear is at http://jenniferhuber.blogspot.com/2010/07/using-open-source-radius-server-in-your.html
- OpenWRT wireless gear
Workstations
- Windows
- Linux
- Debian
- RedHat
Source material
Here are links to various howtos I referenced to put this wiki page together.
http://blog.harritronics.com/2011/06/primer-authentication-radius-kerberos.html#comment-form
http://techpubs.spinlocksolutions.com/dklar/kerberos.html
http://techpubs.spinlocksolutions.com/dklar/ldap.html
http://www.rjsystems.nl/en/2100-d6-openldap-provider.php#tree
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch31_:_Centralized_Logins_Using_LDAP_and_RADIUS
http://www.eduroamus.org/node/45
http://serverfault.com/questions/206054/how-to-integrate-radius-with-kerberos << highly relevant
Copy/paste of relevant bits
Here's how you make freeradius check a user/password combo against a Kerberos server, and authorize against your LDAP backend---stick this in your radius.conf:
    modules {
        krb5 {
            keytab = ${confdir}/radius.keytab
            service_principal = radius/radius.example.com
        }
        ldap {
            cache = no
            server = "ldap"
            identity = "uid=freeradius,ou=Accounts,dc=example,dc=com"
            password = secret
            basedn = "dc=com"
            filter = "(krbPrincipalName=%{User-Name})"
            base_filter = "(objectClass=radiusprofile)"
            tls {
                start_tls = no
                # tls_cacertfile = /path/to/cacert.pem
                # tls_cacertdir = /path/to/ca/dir/
                # tls_certfile = /path/to/radius.crt
                # tls_keyfile = /path/to/radius.key
                # tls_randfile = /path/to/rnd
                # tls_require_cert = "demand"
            }
            default_profile = "uid=freeradius,ou=Accounts,dc=example,dc=com"
            profile_attribute = "radiusProfileDn"
            access_attr = "dialupAccess"
            dictionary_mapping = ${raddbdir}/ldap.attrmap
            ldap_connections_number = 5
            groupname_attribute = cn
            groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
            #groupmembership_attribute = radiusGroupName
            timeout = 4
            timelimit = 3
            net_timeout = 1
            # compare_check_items = yes
            # do_xlat = yes
            # access_attr_used_for_allow = yes
            # set_auth_type = yes
        }
    }
This assumes you've added the correct radius schema (ships with freeradius, IIRC) into your LDAP directory, and it should point you in the right direction---I don't do 802.1X, but I do use this config to handle other kerberos-via-radius access control scenarios, and it's been running in production for a while now. Obviously, users are logging in with their full kerberos principals (rather than just usernames).
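Added example, not part of the quoted answer or of FreeRADIUS itself: a small Python model of the authorize decision the pasted rlm_ldap block makes (base_filter plus filter lookup by the full Kerberos principal, then the dialupAccess access_attr check with access_attr_used_for_allow left at its default), run over constructed directory entries. The entry DNs, principals and attribute values are made up; the behaviour modelled is that of rlm_ldap in the 2.x series the answer's option names belong to.

```python
# Constructed directory entries (not from the page), shaped for the pasted rlm_ldap config:
#   filter      = "(krbPrincipalName=%{User-Name})"
#   base_filter = "(objectClass=radiusprofile)"
#   access_attr = "dialupAccess"
DIRECTORY = [
    {"dn": "uid=alice,ou=Accounts,dc=example,dc=com",
     "objectClass": ["inetOrgPerson", "radiusprofile"],
     "krbPrincipalName": ["alice@EXAMPLE.COM"], "dialupAccess": ["TRUE"]},
    {"dn": "uid=bob,ou=Accounts,dc=example,dc=com",
     "objectClass": ["inetOrgPerson", "radiusprofile"],
     "krbPrincipalName": ["bob@EXAMPLE.COM"], "dialupAccess": ["FALSE"]},
    {"dn": "uid=carol,ou=Accounts,dc=example,dc=com",
     "objectClass": ["inetOrgPerson", "radiusprofile"],
     "krbPrincipalName": ["carol@EXAMPLE.COM"]},            # no dialupAccess attribute at all
    {"dn": "uid=dave,ou=Accounts,dc=example,dc=com",
     "objectClass": ["inetOrgPerson"],                        # radius schema never applied to this entry
     "krbPrincipalName": ["dave@EXAMPLE.COM"], "dialupAccess": ["TRUE"]},
]


def ldap_search(user_name, directory=DIRECTORY):
    """Stand-in for the module's search: base_filter AND filter, with User-Name matched as a whole value.

    A bare username therefore never matches an entry whose krbPrincipalName carries the realm,
    which is why the answer notes that users log in with their full principal.
    """
    return [e for e in directory
            if "radiusprofile" in e["objectClass"]
            and user_name in e.get("krbPrincipalName", [])]


def authorize(user_name, directory=DIRECTORY, access_attr="dialupAccess"):
    """Model the authorize decision: no entry -> notfound; otherwise the first entry is used,
    the access attribute must be present, and a value starting with FALSE denies access.
    Returns (result, dn)."""
    matches = ldap_search(user_name, directory)
    if not matches:
        return ("notfound", None)       # rlm_ldap returns notfound; the server may still try other modules
    entry = matches[0]
    values = entry.get(access_attr, [])
    if not values:
        return ("reject", entry["dn"])  # attribute absent: access denied by default
    if values[0].startswith("FALSE"):
        return ("reject", entry["dn"])  # explicit dialupAccess: FALSE
    return ("ok", entry["dn"])


if __name__ == "__main__":
    for name in ("alice@EXAMPLE.COM", "alice", "bob@EXAMPLE.COM", "carol@EXAMPLE.COM", "dave@EXAMPLE.COM"):
        print(name, authorize(name))
```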
Radius / krb integration http://wiki.freeradius.org/Rlm_krb5
http://danieljamesscott.org/index.php << various java/apache/ldap/krb resources
802.1x/RADIUS/WiFi Setup
The whole kit and kaboodle from the looks of things:
- http://www.readmespot.com/question/f/47815/setting-up-radius---ldap-for-wpa2-on-ubuntu
- http://vuksan.com/linux/dot1x/802-1x-LDAP.html
- http://vuksan.com/linux/LDAP_authentication_under_Linux.html
- http://www.linuxinsight.com/building-debian-freeradius-package-with-eap-tls-ttls-peap-support.html
- http://tldp.org/HOWTO/html_single/8021X-HOWTO/#confradius