
LDAP and Kerberos: An Overview

LDAP and Kerberos: An Overview. Leveraging services provided by Active Directory for Unix/Linux authentication, authorization and name services. Jason Testart, Computer Science Computing Facility, University of Waterloo. March 2007.



Presentation Transcript

  1. LDAP and Kerberos: An Overview
  Leveraging services provided by Active Directory for Unix/Linux authentication, authorization and name services
  Jason Testart, Computer Science Computing Facility, University of Waterloo
  March 2007

  2. Summary
  • Kerberos is for authentication only and provides Single Sign-on (SSO)
  • LDAP can be used for authentication, authorization, and name services (no SSO)
  • Active Directory is a kerberized directory service with an LDAP interface
  • Use Kerberos for authentication, LDAP for authorization and name services

  3. What do these technologies give us?
  • Eliminate password synchronization
  • Speed-up system deployment
  • Reduce development time when a new platform is introduced
  • Improve the end-user experience

  4. LDAP
  Name services using the Lightweight Directory Access Protocol

  5. What is LDAP?
  • A protocol for accessing a directory service
  • What's a directory service? Think DNS.
  • Database backend – do we care?
  • Schema: attributes with OIDs (à la SNMP)
  • Objects organized in a tree structure (DIT)
  • Operations: bind, search, modify
  • LDIF: text file format for describing directory contents

  6. Schema
  • Attribute – like a variable in a programming language, it holds a value
  • ObjectClass – a special attribute that all directory entries must have, as it acts as a template for the data (enforces a kind of internal consistency)
  • AD Schema: http://msdn.microsoft.com/library/en-us/ad/ad/active_directory_schema.asp
  • Unix Schema: http://www.ietf.org/rfc/rfc2307.txt

  7. Types of Object Classes
  • Structural – only one per entry!
  • Auxiliary – supplements structural
  • Abstract – can't be used directly; only as an ancestor of another class (eg. "top")

  8. Schema Examples
  Snippets of OpenLDAP's RFC 2307 schema implementation (nis.schema; the OIDs, dropped in the transcript, are RFC 2307's):

      objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount'
          DESC 'Abstraction of an account with POSIX attributes'
          SUP top
          AUXILIARY
          MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
          MAY ( userPassword $ loginShell $ gecos $ description ) )

      attributetype ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory'
          DESC 'The absolute path to the home directory'
          EQUALITY caseExactIA5Match
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
          SINGLE-VALUE )

  9. Directory Information Tree (DIT)

  10. DN and RDN of a directory entry
  • RDN – a unique attribute among all siblings of a single parent in the DIT (eg. "uid=jatestar")
  • DN – concatenation of RDNs when following the path from the entry (node) to the root of the DIT (eg. "uid=jatestar, ou=people, dc=ldap, dc=student, dc=cs, dc=uwaterloo, dc=ca")

  11. Directory Entry Example
  Entry in /etc/passwd:

      jatestar:x:1449:1449:Jason Testart [CSCF],DC2555B,x37174,,:/u4/jatestart:/xhbin/tcsh

  Becomes the following LDIF:

      dn: uid=jatestar, ou=ldap, ou=people, dc=student, dc=cs, dc=uwaterloo, dc=ca
      objectClass: top
      objectClass: person
      objectClass: posixAccount
      cn: Jason Testart
      sn: Testart
      uid: jatestar
      uidNumber: 1449
      gidNumber: 1449
      homeDirectory: /u4/jatestart
      loginShell: /xhbin/tcsh
      gecos: Jason Testart [CSCF],DC2555B,x37174,,

  12. Some LDAP Interfaces
  • LDIF – ldapsearch, ldapmodify, ldp.exe (see "man ldif", "man ldapsearch", etc.)
  • Perl – Net::LDAP (see http://ldap.perl.org/)
  • C/C++ – OpenLDAP API (likely others…) (see "man 3 ldap")
  • ADSI – Windows specific (see http://www.microsoft.com/windows2000/techinfo/howitworks/activedirectory/adsilinks.asp)

  13. When interfacing, you need…
  • Server hostname
  • Bind DN
  • Base DN (if searching)
  • SSL?
  Note: An Active Directory domain controller will accept the value of the userPrincipalName attribute as the bind DN. (eg. "jatestar@nexus.uwaterloo.ca" is friendlier than "CN=Jason J Testart (jatestar),OU=CSCF,OU=Staff,OU=Accounts,OU=Computer Science,OU=Faculties,DC=NEXUS,DC=UWATERLOO,DC=CA")

  14. What object classes does AD use for users?
  Query:

      ldapsearch -x -W -H "ldaps://canadenis.student.cs.uwaterloo.ca" \
          -D "jatestar@student.cs.uwaterloo.ca" \
          -b "dc=student,dc=cs,dc=uwaterloo,dc=ca" \
          "(cn=jatestar)" objectClass

  Yields:

      dn: CN=jatestar,OU=Users,OU=CS,DC=student,DC=cs,DC=uwaterloo,DC=ca
      objectClass: top
      objectClass: person
      objectClass: organizationalPerson
      objectClass: user

  15. Need Unix attributes in AD
  • The user objectClass is missing needed attributes that RFC 2307 provides
  • So, extend the schema in AD, but be careful!
  • Differences between MS-SFU-2.0, MS-SFU-3.5 and schema provided by Windows Server 2003 R2
  • Maximize use of client attribute mappings!

  16. Attribute Mappings
  • Example: "When I ask for the gecos attribute value, fetch the value of cn from the directory instead"
  • Minimize duplication of data in the directory (ie. redundant attributes)
  • In some cases, doing this allows you to avoid extending the schema of a directory

  17. Groups
  • posixGroup uses memberUid, which is the uid of the member
  • groupOfUniqueNames uses the member attribute, which is the DN of the member
  • Attribute mappings may be inappropriate, redundancy may be unavoidable
  • Netgroups may give additional functionality, with additional complexity
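
  The two group representations of slide 17 differ in what they store per member (a login name versus a DN), which is why no attribute mapping bridges them. The added Python example below (not part of the presentation) splits a DN into its RDNs as defined on slide 10, handling the "uid=x, ou=y" spacing used there and backslash-escaped commas, and derives a posixGroup's memberUid list from member DNs. The "ou=group" container in posix_group_ldif is an assumption; the slides do not name one.

```python
def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs from leaf to root.
    'uid=jatestar, ou=people, dc=cs' -> [('uid','jatestar'), ('ou','people'), ('dc','cs')]
    Backslash-escaped characters (e.g. 'Smith\\, John') are taken literally;
    RFC 4514 hex escapes (\\XX) are not decoded."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":          # an unescaped comma ends the RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def member_uids(member_dns: list[str], uid_attr: str = "uid") -> list[str]:
    """Derive posixGroup memberUid values from member DNs: the leaf RDN must
    be the login name (uid in an RFC 2307 tree; AD users have CN=<login>,
    as slide 14 shows, so pass uid_attr='cn' there)."""
    uids = []
    for dn in member_dns:
        attr, value = split_dn(dn)[0]
        if attr != uid_attr.lower():
            raise ValueError(f"leaf RDN of {dn!r} is {attr}, expected {uid_attr}")
        uids.append(value)
    return uids

def posix_group_ldif(cn: str, gid: int, member_dns: list[str], base_dn: str) -> str:
    """LDIF for a posixGroup carrying the same membership as a groupOfUniqueNames."""
    lines = [f"dn: cn={cn}, ou=group, {base_dn}", "objectClass: top",   # ou=group assumed
             "objectClass: posixGroup", f"cn: {cn}", f"gidNumber: {gid}"]
    lines += [f"memberUid: {u}" for u in member_uids(member_dns)]
    return "\n".join(lines) + "\n"

# Constructed sample members, in the DN form of slide 10.
SAMPLE_MEMBERS = [
    "uid=jatestar, ou=people, dc=ldap, dc=student, dc=cs, dc=uwaterloo, dc=ca",
    "uid=alice, ou=people, dc=ldap, dc=student, dc=cs, dc=uwaterloo, dc=ca",
]
```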

  18. Applying the knowledge (client-side)
  • Make sure you know what directory attributes you are using!
  • Tell /etc/nsswitch.conf to use the nss_ldap library from padl.com
  • Edit the ldap.conf appropriately to point to AD and define the attribute maps
  • No need to add users/groups in /etc/passwd or /etc/group!

  19. Kerberos
  Using Active Directory Kerberos for Unix/Linux authentication

  20. What is Kerberos?
  • Authentication protocol
  • Secure
  • SSO
  • Trusted 3rd party
  • Mutual Authentication

  21. Some Kerberos Terminology
  • User Principal
  • Host/Service Principal
  • Instance
  • Realm
  • KDC
  • TGT
  • Credential cache

  22. Principals
  • username[/instance]@REALM
  • servicename/FQDN@REALM
  Examples:
  • jatestar@NEXUS.UWATERLOO.CA
  • nfs/gl01.student.cs.uwaterloo.ca@STUDENT.CS.UWATERLOO.CA
  • host/cpu14.student.cs.uwaterloo.ca@STUDENT.CS.UWATERLOO.CA
  • imap/services02.student.cs.uwaterloo.ca@STUDENT.CS.UWATERLOO.CA

  23. Credential Cache (on a Mac)

      $ klist
      Ticket cache: FILE:/tmp/krb5cc_1000
      Default principal: jatestar@STUDENT.CS.UWATERLOO.CA

      Valid starting     Expires            Service principal
      12/13/06 01:06:50  12/13/06 11:05:03  krbtgt/STUDENT.CS.UWATERLOO.CA@STUDENT.CS.UWATERLOO.CA
              renew until 12/14/06 01:06:50
      12/13/06 01:06:38  12/13/06 11:05:03  fs02$@STUDENT.CS.UWATERLOO.CA
              renew until 12/14/06 01:06:50
      12/13/06 01:10:23  12/13/06 11:05:03  host/cpu20.student.cs.uwaterloo.ca@STUDENT.CS.UWATERLOO.CA
              renew until 12/14/06 01:06:50
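
  A credential cache like the one on slide 23 has two clocks per ticket: the expiry, after which the ticket no longer authenticates, and the renew-until time, within which an expired TGT can still be renewed (kinit -R) without a password. The added Python example below (not part of the presentation) parses MIT klist output in the slide's layout and classifies each ticket at a given time; the sample is constructed from the slide's own tickets.

```python
import re
from datetime import datetime

# Constructed sample: the credential cache shown on slide 23, in MIT klist layout.
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jatestar@STUDENT.CS.UWATERLOO.CA

Valid starting     Expires            Service principal
12/13/06 01:06:50  12/13/06 11:05:03  krbtgt/STUDENT.CS.UWATERLOO.CA@STUDENT.CS.UWATERLOO.CA
        renew until 12/14/06 01:06:50
12/13/06 01:06:38  12/13/06 11:05:03  fs02$@STUDENT.CS.UWATERLOO.CA
        renew until 12/14/06 01:06:50
12/13/06 01:10:23  12/13/06 11:05:03  host/cpu20.student.cs.uwaterloo.ca@STUDENT.CS.UWATERLOO.CA
        renew until 12/14/06 01:06:50
"""

FMT = "%m/%d/%y %H:%M:%S"                       # klist's default timestamp format
TS = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({TS})\s+({TS})\s+(\S+)\s*$")
RENEW_RE = re.compile(rf"^\s+renew until ({TS})\s*$")

def parse_klist(text: str) -> list[dict]:
    """Return one dict per ticket: start, expires, renew_until (or None), service."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({"start": datetime.strptime(m[1], FMT),
                            "expires": datetime.strptime(m[2], FMT),
                            "renew_until": None, "service": m[3]})
            continue
        m = RENEW_RE.match(line)
        if m and tickets:                       # belongs to the preceding ticket
            tickets[-1]["renew_until"] = datetime.strptime(m[1], FMT)
    return tickets

def ticket_state(ticket: dict, now: datetime) -> str:
    """'valid', 'expired-renewable' (kinit -R would still work) or 'expired'."""
    if now < ticket["expires"]:
        return "valid"
    if ticket["renew_until"] and now < ticket["renew_until"]:
        return "expired-renewable"
    return "expired"

def report(text: str, now_str: str) -> dict:
    """Map each service principal in a klist dump to its state at now_str."""
    now = datetime.strptime(now_str, FMT)
    return {t["service"]: ticket_state(t, now) for t in parse_klist(text)}

if __name__ == "__main__":
    for service, state in report(KLIST_OUTPUT, "12/13/06 12:00:00").items():
        print(f"{state:18} {service}")
```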

  24. AD Domain == Kerberos v5 Realm
  • Domain controllers provide KDC functionality
  • A "domain" is synonymous with "realm"
  • Joining a Windows computer to a domain means you are creating a host principal in the realm
  • No multipart principal names in AD, so mappings are needed for instances

  25. Adding a Unix host to AD
  • Create a user account for the host/service (eg. cpu04-host)
  • Map the account to a service principal: host/cpu04.student.cs.uwaterloo.ca@STUDENT.CS.UWATERLOO.CA
  • Set the account password
  • Generate a krb5.keytab file
  • Stick the keytab file in /etc/krb5 on cpu04
  • Done on all student.cs CPU servers

  26. Adding a Unix host to AD (sans GUI)
  Create the account using LDIF (from a Linux box):

      % ldapmodify -x -W -H ldaps://canadenis -D "Administrator@student.cs.uwaterloo.ca"
      dn: cn=cpu04-host,OU=Service Principals,DC=student,DC=cs,DC=uwaterloo,DC=ca
      changetype: add
      cn: cpu04-host
      objectClass: user
      sAMAccountName: cpu04-host
      displayName: cpu04-host
      description: Kerberos host service principal for cpu04
      userAccountControl: 2097664

  Do the mapping and generate a keytab file (on the domain controller):

      ktpass -princ host/cpu04.student.cs.uwaterloo.ca@STUDENT.CS.UWATERLOO.CA -mapuser cpu04-host -password S0m3Rand0mPaZZw0rd -out cpu04-host.keytab
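
  The account LDIF and the ktpass line on slide 26 must agree with each other (same account name, a host/FQDN@REALM principal, an upper-case realm), and the userAccountControl value 2097664 decodes to NORMAL_ACCOUNT plus USE_DES_KEY_ONLY, a DES-only key restriction that was common in 2007 and is weak by today's standards. The added Python example below (not part of the presentation) decodes that value and checks an LDIF/ktpass pair for consistency; the sample is the slide's own text with a placeholder password.

```python
import re

# Subset of userAccountControl bits (Microsoft ADS_USER_FLAG_ENUM values).
UAC_FLAGS = {0x0002: "ACCOUNTDISABLE", 0x0200: "NORMAL_ACCOUNT",
             0x10000: "DONT_EXPIRE_PASSWORD", 0x200000: "USE_DES_KEY_ONLY",
             0x400000: "DONT_REQ_PREAUTH"}

def decode_uac(value: int) -> list[str]:
    """Names of the set bits; 2097664 -> ['NORMAL_ACCOUNT', 'USE_DES_KEY_ONLY']."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)
    return names + ([f"UNKNOWN(0x{unknown:x})"] if unknown else [])

KTPASS_RE = re.compile(r"[-/]princ\s+(\S+).*?[-/]mapuser\s+(\S+)")

def check_host_mapping(ldif_text: str, ktpass_cmd: str) -> list[str]:
    """Findings for an account LDIF plus its ktpass line; empty means they agree."""
    # Single-valued view of the LDIF (enough for the attributes checked here).
    attrs = {k.strip(): v.strip() for k, v in
             (line.split(":", 1) for line in ldif_text.splitlines() if ":" in line)}
    m = KTPASS_RE.search(ktpass_cmd)
    if not m:
        return ["ktpass command lacks -princ/-mapuser"]
    princ, mapuser = m.groups()
    findings = []
    sam = attrs.get("sAMAccountName", "")
    if mapuser.lower() != sam.lower():
        findings.append(f"ktpass -mapuser {mapuser} != sAMAccountName {sam}")
    service, _, rest = princ.partition("/")
    fqdn, _, realm = rest.partition("@")
    if service != "host" or not fqdn or not realm:
        findings.append(f"principal {princ} is not host/<fqdn>@<REALM>")
    elif realm != realm.upper():
        findings.append(f"realm {realm} should be upper-case")
    flags = decode_uac(int(attrs.get("userAccountControl", "0")))
    if "USE_DES_KEY_ONLY" in flags:
        findings.append("USE_DES_KEY_ONLY set: DES-only keys are weak, prefer AES")
    return findings

# Constructed sample: the slide-26 account LDIF and ktpass line (placeholder password).
SAMPLE_LDIF = """\
dn: cn=cpu04-host,OU=Service Principals,DC=student,DC=cs,DC=uwaterloo,DC=ca
changetype: add
cn: cpu04-host
objectClass: user
sAMAccountName: cpu04-host
userAccountControl: 2097664
"""
SAMPLE_KTPASS = ("ktpass -princ host/cpu04.student.cs.uwaterloo.ca@STUDENT.CS.UWATERLOO.CA "
                 "-mapuser cpu04-host -password PLACEHOLDER_PASSWORD -out cpu04-host.keytab")
```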

  27. Tell Unix login to authenticate against AD
  • Set-up an appropriate /etc/krb5.conf
  • Modify the PAM authentication stack to use the pam_krb5 module

  28. Lots of work for simple authentication!
  • Could have used ldap, or radius, etc…
  • Kerberos gives us Single Sign-On
  • Can take advantage of domain trusts!
  • Most apps use SASL and GSSAPI to support Kerberos 5

  29. SSH and SSO
  • Configure SSH clients and servers to use GSSAPI for authentication
  • Mac Lab user can ssh to a CPU server without a password (no ssh keys or .shosts required)
  • Honours .k5login file (handy for course accounts)
  • Possibilities with NFS (v3+), IMAP, SMTP AUTH, HTTP, etc…

  30. SSO Demo (Linux client to AD)
  • Show krb5.conf
  • Login to realm (kinit)
  • Show file shares on NetApp
  • Query our entry on domain controller
  • Show resulting credential cache (klist)
  • Logout of realm (kdestroy)

  31. Using slapd (OpenLDAP) with AD
  • OpenLDAP supports Kerberos via SASL/GSSAPI
  • Can map entities in a realm with entries in the directory
  • Use authz-regexp directive in slapd.conf
  • See: http://www.openldap.org/doc/admin23/sasl.html

  32. References
  • LDAP System Administration by Gerald Carter (O'Reilly)
  • Kerberos: The Definitive Guide by Jason Garman (O'Reilly)
  • Unified Windows® and UNIX® Authorization Using Microsoft® Active Directory LDAP as a Directory Store by Ellie Berriman (Network Appliance Inc.)
  • Unified Windows® and UNIX® Authentication Using Microsoft® Active Directory Kerberos by Ellie Berriman (Network Appliance Inc.)
