Talk:Centralized authentication using OpenLDAP

From Gentoo Wiki
This is a talk page. Please add newer comments below older ones, and sign your comments using four tildes (~~~~). When adding a new section (at the bottom of the page), please mark it as "open for discussion" by using {{talk|open}} so it will show up in the list of open discussions.

Client notes

Talk status
This discussion is done.

LAM (LDAP Account Manager) is a free (GPL-licensed) web client similar to net-nds/phpldapadmin.

But it is still not in portage (gentoo overlay).

I'm not familiar enough with web-utils ebuilding. So, if anybody is interested in this tool, add it into the tree first.

looks like not bug #149081 and bug #214841 --Cronolio (talk) 18:17, 2 June 2017 (UTC)

Online Configuration

Talk status
This discussion is done.

SwifT, why have you dropped the note about the limitations of the LDIF backend?

One of the features of the LDIF backend commonly used by OLC is that it doesn't allow file removal (and, possibly, file operations at all, including renaming). You can, for example, add an overlay, but you cannot remove it.

When using OLC-style configuration this may produce some unpleasant surprises.

This guide should be converted to make use of OpenLDAP's online configuration instead of using a slapd.conf. Upstream has recommended against using the slapd.conf file for several years.

--Eliasp (talk) 00:10, 11 January 2014 (UTC)

Made the initial description of OLC (aka cn=config). Description will be enhanced. Please, review it, my English is… not well enough. To my mind, we should NOT try to make the guide shorter or easier, but first of all divide it into two (or even up to four, since OpenLDAP is not the only directory implementation in portage tree) parts:
  1. General Overview,
  2. Server setup and _maintenance_ (!) (separate articles for OpenLDAP, 389 etc),
  3. Server's usage for authentication purposes.
  4. Followed with descriptions of usage for certification distribution and so on

--Anarchist Oct 27 10:02:47 UTC 2014

I am willing to write a guide. OpenLDAP is a mountain of config that potentially could have pitfalls. I need someone to review my method.

To start a guide that uses the following.

  1. Latest stable version of openldap.
  2. Using StartTLS on port 389.
  3. Include an authentication example using sssd (as this seems like the nice way).
  4. Use LAM Ldap Account Manager in the guide. This seems sane and I believe will make any guide ten times shorter.

Let me know what you think. --James.cordell (talk) 10:39, 16 April 2014 (UTC)

Anything that might make the guide shorter or easier to follow is greatly welcomed. I have no experience with LAM AM so by all means, go ahead. I was considering splitting things up in separate pages (the guide currently uses a multi-stage approach to end where it is, but that approach does make it less easy to follow). --SwifT (talk) 20:08, 16 April 2014 (UTC)

I have added lots of bits, including the slaptest. The guide would be better with the simpler sssd for client authentication. This would be an alternative to pam_ldap, nss_ldap etc. What do you think? Maybe there should be separate guides. Also should hdb be used instead of ldbm, hdb is the recommended one?

--James.cordell (talk) 15:58, 25 April 2014 (UTC)

I'm a lot happier with that. It needs normal people to test it now :)

--James.cordell (talk) 01:09, 28 April 2014 (UTC)

Test help needed

Talk status
This discussion is done.

Gentoo users of rsyslog and systemd — please contact me to verify some app-specific questions in article.


LDAP in 2021

Talk status
This discussion is still ongoing.
  • slapd.ldif does not work out of the box, incomplete beyond the red warnings of the text, e.g. modules are named .so and not .la, also schemas end with ldif and are not correctly migrated from slapd.conf
  • there will be no basic structure, e.g. an object of type organization, phpldapadmin cannot deal with this situation
  • schemas in use are a little bit off, e.g. memberuid of type PosixGroup is supported by phpldapadmin after it was created once for a user but is not part of for example phpldapadmin-UI, it is not trivial to have secondary groups for PosixAccount
  • slapd.ldif contains sample blocks (ACLs) indented with tabs, slapadd sees this as syntax error, must be spaces instead
  • TLS configuration is not present in slapd.ldif and it is a bit tedious (with blank lines and order) to get it in there
  • the overall structure of the article does not yield a working and reliable/ secure configuration in finite time without deeper knowledge of the tools (not only LDAP itself)
  • security implications are not clearly outlined, server cert, CA, optional client certs (simply disabled in a side note), password algorithms, management role(s)
  • according to the guide USE sasl must be enabled, if not the ACL for root to modify frontend,config does not work and no account is allowed to modify this templating config at all
  • on client side the default options are read from /etc/ldap.conf and not /etc/openldap/ldap.conf, also copying it from server to client is not necessary
  • the guide does not explain the ldapread-user, certain sections illustrate its use but it seems to have slipped through
  • the ACLs of the guide seem to prohibit anonymous binds (to the LDAP server)/ no ACLs exist to read *, this might be related to ldapread-user being used instead, PAM will not be able to map the username (from login input) to a uid (from LDAP server)
Unauthorized (anonymous) network access to userbase looks like a VERY bad idea -- Anarchist (talk) 20:17, 25 December 2021 (UTC + 3)
The best solution would be describing the proper (more secure than simple user/password method) configuration of SASL.

!! It seems pointless to have a user object in the LDAP allowed to read * and put this into client's /etc/ldap.conf. This file must be world readable, also for PAM. Thus any binddn's credentials leak out in cleartext. Seems as if PAM with LDAP requires anonymous binds with the ACL revoking access to all for password attribute. !!

I suggest to clearly state a goal with a target structure and at least the role manager and a single user with multiple groups and a few additional elements like E-Mail and maybe one or two services.

Next section would work through the various stages: installation, configuration with TLS and basic structure, start of service, ldapadd a few basic things (posix groups, a user, secondary groups). Finally link to phpldapadmin (to be created) to have it basically working for what it was meant for: centralized authentication.

Current status: hard to get up and running at all. --Onkobu (talk) 21:12, 11 December 2021 (UTC)
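Several items in the list above (tab-indented ACL blocks, `.la` module names, schema includes that are not `.ldif`, missing TLS settings, a bind password in a world-readable client file) can be checked mechanically before running slapadd. The following is an added example, not part of this talk page or of the Gentoo guide; the sample LDIF, the function names and the bind DN are constructed for illustration.

```python
import re
import stat

# Constructed sample (not the file shipped by the package); "\t" is a real tab.
SAMPLE_LDIF = """\
dn: cn=module,cn=config
objectClass: olcModuleList
olcModuleLoad: back_mdb.la

include: file:///etc/openldap/schema/core.schema

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
olcAccess: to *
\tby * read
"""

def lint_slapd_ldif(text):
    """Return (line_number, message) findings; line 0 means file-wide."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.startswith("\t"):
            # LDIF folds a value onto the next line with one leading space.
            findings.append((no, "tab-indented continuation; use a single space"))
        m = re.match(r"olcModuleLoad:\s*(\S+)", line, re.I)
        if m and m.group(1).endswith(".la"):
            findings.append((no, "module named .la; the list above says .so"))
        m = re.match(r"include:\s*(\S+)", line, re.I)
        if m and not m.group(1).endswith(".ldif"):
            findings.append((no, "schema include is not an .ldif file"))
    if not re.search(r"^olcTLS\w+:", text, re.I | re.M):
        findings.append((0, "no olcTLS* attributes; TLS is not configured"))
    return findings

def bindpw_exposed(conf_text, mode):
    """True if a client config readable by 'other' carries a bindpw line."""
    has_pw = re.search(r"^\s*bindpw\s+\S", conf_text, re.M) is not None
    return has_pw and bool(mode & stat.S_IROTH)

if __name__ == "__main__":
    for no, msg in lint_slapd_ldif(SAMPLE_LDIF):
        print(f"line {no}: {msg}")
    # Constructed client config with a read-only bind user, mode 0644.
    conf = "binddn cn=ldapread,dc=example,dc=org\nbindpw secret\n"
    print("bindpw exposed:", bindpw_exposed(conf, 0o644))
```
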

Thanks for the nicely detailed heads up! Feel free to change anything yourself, if you like ;).
I don't use LDAP, and I don't know if many editors do either, so this may not get high priority because of everything else that needs doing... but your comments could point someone here who is looking for something to do! I'm sure many users could really benefit from anything that could be fixed.
If you ever feel like having a go, remember that no matter if changes aren't perfect, or if the formatting is a bit off, as long as edits make things a bit better, it's a step in the right direction ;). The contributor's guide gives a few tips on how to easily make contributions ;).
-- Kyoreln (talk) 22:02, 11 December 2021 (UTC)
Thanks for the fast reply. My intention was to use it as a starting point for others digging through this after all these years. Sure there is also an alternative missing to have centralized authentication. If I have it up and running/ completed the list here, I'll rewrite it. --Onkobu (talk) 22:14, 12 December 2021 (UTC)
Great :). Thanks for the additions to the list already!!
-- Kyoreln (talk) 23:02, 12 December 2021 (UTC)
A first batch of changes is done. I moved advanced configuration topics (logging, replication, performance tuning) to sub pages. Sorry for the mail spam with the multiple changes. I also started to pull the TLS-CA-things into a sub page of Certificates. The client side is now in a working condition. I switched to nss-pam-ldapd in favor of sys-auth/pam_ldap/ sys-auth/nss_ldap since seems not to be responsible anymore and a maintainer is needed. I'll add this later again with a proper paragraph for the dirty details/ differences, e.g. /etc/ldap.conf on client side but not by copying the server's.
Next will be the LDIF chunks to get O, OUs, migrate groups and have at least one user that logs in. Tools like phpldapadmin require even more work. --Onkobu (talk) 21:08, 19 December 2021 (UTC)
Wow, that's amazing :) Seems really good! Don't worry about multiple edits, it's actually better for seeing what has changed, bit by bit. I think it may even send just one change notification mail, and only reset once the changes have been viewed.
There are a couple of things we do in a particular way, just stylistically, on the wiki - but I'd just not worry about it and carry on like that, and I'll touch up the wiki specificities when you are done, if that's OK?
Thanks for these big edits! -- Ris (talk) 01:01, 20 December 2021 (UTC)
Changes reverted for heavily breaking translations. If I could have, I would have reverted to Special:Diff/1039131, but this was too difficult. I could put some info back, but unsure what is what at this point. --Grknight (talk) 15:42, 20 December 2021 (UTC)
Reinstated the most important edit from what I could tell. --Grknight (talk) 16:15, 20 December 2021 (UTC)
I will put anything else back if I can figure out how to do it properly, if that will work? An edit conflict just seems to have eaten my previous reply, does that happen, Brian Evans (Grknight)?
Don't worry Onkobu, I think that the issue is just source formatting or something along those lines, I'll see if I can put things back with proper formatting as soon as I can ;) -- Ris (talk) 16:22, 20 December 2021 (UTC)
Hi Onkobu, I hope everything is restored up to where you left it now, except the sub page split outs, which are hopefully reintegrated into the main article. There wasn't anything extra on those pages, was there?
I gather that the "translate tags", that look like "<!--T:102-->" should remain in place. As I understand it, splitting out to new pages or touching the tags impacts preexisting translations... so the translation system limitations force this to be one big page, for now. This all should probably be explained up front in the wiki help pages, but I'm not even sure if it's mentioned - I'll see about adding warnings about them. -- Ris (talk) 00:12, 22 December 2021 (UTC)