FreedomTunnel/DeploymentNotes

From My Wiki
Revision as of 05:57, 14 June 2012 by imported>Bnewbold (copy paste from FreedomTunnel (originally charles))
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

FreedomTunnelDeploymentGuide

Keeping notes on how things were deployed. This allows conversion to chef recipe later.

Server setup:

1) http://www.rjsystems.nl/en/2100-d6-openldap-provider.php << Basic server setup.


2)run dpkg-reconfigure slapd) to get the basic functionality setup.

3) Attempt to add schemas: 

 581  ldapadd -x -D cn=admin,cn=config,dc=corp,dc=thefnf,dc=net -W -f openldap/goserver.ldif

will fail.

Fix is at:

http://www.saruman.biz/wiki/index.php/OpenLDAP#Adding_or_modifying_the_cn.3Dconfig_admin_password

GOSA Setup

Pretty straight forward LAMP deployment.

GOSA LDAP bits

  464  ldapadd  -QY EXTERNAL -H ldapi:/// -f openldap/goserver.ldif 
  466  ldapadd  -QY EXTERNAL -H ldapi:/// -f openldap/goto.ldif 
  467  ldapadd  -QY EXTERNAL -H ldapi:/// -f openldap/gofon.ldif 
  468  ldapadd  -QY EXTERNAL -H ldapi:/// -f openldap/goto.ldif 
  469  ldapadd  -QY EXTERNAL -H ldapi:/// -f openldap/gosystem.ldif 
  470  ldapadd  -QY EXTERNAL -H ldapi:/// -f openldap/goto.ldif 
  475  ldapadd  -QY EXTERNAL -H ldapi:/// -f openldap/gosa-samba3.ldif 
  476  ldapadd  -QY EXTERNAL -H ldapi:/// -f openldap/goserver.ldif 
  480  ldapadd  -QY EXTERNAL -H ldapi:/// -f openldap/gosa-samba3.ldif 
  482  ldapadd  -QY EXTERNAL -H ldapi:/// -f openldap/gosa-samba3.ldif 
  484  ldapadd  -QY EXTERNAL -H ldapi:/// -f openldap/gosa-samba3.ldif 
  487  ldapadd  -QY EXTERNAL -H ldapi:/// -f openldap/gosa-samba3.ldif 
  494  ldapadd  -QY EXTERNAL -H ldapi:/// -f openldap/gosa-samba3.ldif 
  497  ldapadd  -QY EXTERNAL -H ldapi:/// -f openldap/samba3.ldif 
  498  ldapadd  -QY EXTERNAL -H ldapi:/// -f openldap/gosa-samba3.ldif

Other Pasted Notes

Centralized authentication

Setup everything on my network that takes a password (workstations/network gear/wpa/www apps etc) to talk to OpenLDAP/Kerberos/FreeRadius. This way I will have a centralized auth store with policy control etc. One password for everything. In the event I have an application that can't use SSO, I can still have a common password for it.

What do I have that is capable of talking to these back ends?

  • All Linux boxes (use Kerberos/OpenLDAP for logins)
  • All Windows boxes (use Kereros/OpenLDAP/FreeRadius for logins)
  • Web apps (most support LDAP directly, some I use the kerberos module and pam auth)
  • Cisco gear (FreeRadius)
  • Nanostation2 based wireless access points running OpenWRT (wpa2 enterprise to FreeRadius backend)

Components

  • LDAP (this is the backend to everything else)
  • 802.1x system for wired/wireless clients (one needs to be on the network in order to access auth backend). This would be a white list of authorized mac addresses. Any network access would result in prompt for credentials
  • Kerberos (this is used for workstation logins)
  • FreeRadius (this is used by cisco gear and for wireless user authentication)
  • Clients authenticating

All the below components run on a VPS with Centos5.5. Up in the cloud (at my $dayjob which is a very large IAAS provider).

LDAP

LDAP is the back end for everything else (freeradius/kerberos serves as authentication methods for clients, talking to LDAP as authorization system). So it is key to have a working LDAP installation before doing anything else.

Followed HOWTO here: 

yum install openldap-servers openldap-clients

base.ldif: 
   dn: dc=knownelement,dc=com
   dc: knownelement
   objectClass: domain

users.ldif
   dn: ou=People,dc=knownelement,dc=com
   ou: People
   objectClass: organizationalUnit

   dn: uid=charles,ou=People,dc=knownelement,dc=com
   uid: charles
   cn: Wyble Charles
   displayName: Charles Wyble
   givenName: Charles
   sn: Wyble
   objectClass: inetOrgPerson
   userPassword: password
   mail: charles@knownelement.com

ldapadd -x -D "cn=Manager,dc=knownelement,dc=com" -w secretstuff -f base.ldif 
ldapadd -x -D "cn=Manager,dc=knownelement,dc=com" -w secretstuff -f users.ldif

Kerberos

FreeRADIUS

802.1x

Clients

Web applications

  • Tattler / Memex (drupal based applications)
  • Thinkup
  • Piwigo
  • OpenDocMan
  • Status.net
  • Wordpress
  • Redmine
  • Mediawiki
  • EyeOS
  • Thunderbird

Network gear

  • Cisco switches/routers: one howto for FreeRADIUS/LDAP and cisco gear is here
  • OpenWRT wireless gear

Workstations

  • Windows
  • Linux
    • Debian
    • RedHat

Source material

Here are links to various howtos I referenced to put this wiki page together.

http://blog.harritronics.com/2011/06/primer-authentication-radius-kerberos.html#comment-form

http://techpubs.spinlocksolutions.com/dklar/kerberos.html

http://techpubs.spinlocksolutions.com/dklar/ldap.html

http://www.rjsystems.nl/en/2100-d6-openldap-provider.php#tree

http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch31_:_Centralized_Logins_Using_LDAP_and_RADIUS

http://www.eduroamus.org/node/45

http://serverfault.com/questions/206054/how-to-integrate-radius-with-kerberos << highly relevant

Copy/paste of relevant bits


Here's how you make freeradius check a user/password combo against a Kerberos server, and authorize against your LDAP backend---stick this in your radius.conf: 

 modules {
   krb5 {
           keytab = ${confdir}/radius.keytab
           service_principal = radius/radius.example.com
   }

   ldap {
           cache = no
           server = "ldap"
           identity = "uid=freeradius,ou=Accounts,dc=example,dc=com"
           password = secret
           basedn = "dc=com"
           filter = "(krbPrincipalName=%{User-Name})"
           base_filter = "(objectClass=radiusprofile)"

           tls {
                   start_tls = no
                   # tls_cacertfile        = /path/to/cacert.pem
                   # tls_cacertdir         = /path/to/ca/dir/
                   # tls_certfile          = /path/to/radius.crt
                   # tls_keyfile           = /path/to/radius.key
                   # tls_randfile          = /path/to/rnd
                   # tls_require_cert      = "demand"
           }

           default_profile = "uid=freeradius,ou=Accounts,dc=example,dc=com"
           profile_attribute = "radiusProfileDn"
           access_attr = "dialupAccess"

           dictionary_mapping = ${raddbdir}/ldap.attrmap

           ldap_connections_number = 5

           groupname_attribute = cn
           groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
           #groupmembership_attribute = radiusGroupName
           timeout = 4
           timelimit = 3
           net_timeout = 1
           # compare_check_items = yes
           # do_xlat = yes
           # access_attr_used_for_allow = yes

           # set_auth_type = yes
   }
 }

This assumes you've added the correct radius schema (ships with freeradius, IIRC) into your LDAP directory, and it should point you in the right direction---I don't do 802.1X, but I do use this config to handle other kerberos-via-radius access control scenarios, and it's been running in production for a while now. Obviously, users are logging in with their full kerberos principals (rather than just usernames).

Radius / krb integration http://wiki.freeradius.org/Rlm_krb5

http://danieljamesscott.org/index.php << various java/apache/ldap/krb resources


802.1x/RADIUS/WiFi Setup

The whole kit and kaboodle from the looks of things:

Retrieved from "https://commons.thefnf.net/index.php?title=FreedomTunnel/DeploymentNotes&oldid=1755"