Alwina's open source efforts

|

Specialized in FreeBSD and CentOS

Posts Tagged ‘LDAP’

VPN server with LDAP support

Friday, May 28th, 2010

1. Start with a standard FreeBSD installation.
2. Update the ports

# portsnap fetch
# portsnap extract

3. Install ldap client software

Install the ldap client software with pam and nss support on the OpenVPN server.

# cd /usr/ports/net/openldap24-client
# make install clean -DBATCH
# cd /usr/ports/security/pam_ldap
# make install clean -DBATCH
# ln -s /usr/local/lib/pam_ldap.so /usr/lib
# cd /usr/ports/net/nss_ldap
# make install clean -DBATCH

4. One configuration file for ldap

Combine the three ldap configuration file in one with symbolic links.
One configuration file for ldap is easier and less error-prone.

# cd /usr/local/etc
# ln -s /usr/local/etc/openldap/ldap.conf .
# ln -s /usr/local/etc/openldap/ldap.conf nss_ldap.conf

4. Edit configuration file for ldap

# vi /usr/local/etc/ldap.conf

Change the file like this:

The uppercase items correspond with openldap settings. You should adapt the parameters BASE, URI and TLS-CACERT to your situation. TLS_CACERT refers to the Certifcatie Authority certificate of your LDAP server.

The lowercase items correspond to nss_ldap and pam_ldap settings. You should adapt the parameters suffix binddn, bindpw, nss_base_passwd, and nss_base_shadows to your situation.

5. Edit configuration files for pam and nss

Change the confituration files to enable ldap.

# cd /etc/pam.d
# vi system

Change the file like this:

# vi /etc/nsswitch.com

Change the file like this:

6. Build openvpn from the ports

# cd /usr/prots/security/openvpn
# make install clean -DBATCH

7. Create certificate and key for openVPN

See the section “Creating openVPN certificates in the article Creating Certificates.

8. Configuration of openvpn

# mkdir -p /usr/local/etc/openvpn
# vi /usr/local/etc/openvpn/openvpn.conf

The content of the file:

The files ca.crt, server.crt, server.key and dh1024.pem correspond to the several files you need for supporting certificate based encryption within OpenVPN.
In the publication Creating certificates you can read how to generate these files.

# cd /usr/local/etc/openvpn
# mkdir ccs
# cd ccs
# vi testuser

Create the following file:

# vi /etc/rc.conf

Add the lines regarding openvpn, so the file should look like this:

9. Install openvpn on a client
Build and configure openvpn on a client (similar to step 6 and 7 described above).

10. Configure and test from the client

# vi /usr/local/etc/openvpn/openvpn.conf

Replace 87.253.140.80 with the remote ip of your openvpn server.
11194 is the portnumber you choose.

11. Enable ipfilter and ipnat on the openvpn server

First of all we need to enable ipfilter and ipnat.

# vi /etc/rc.conf

The file should look like this:

12. Configure ipfilter and ipnat
The providing setting in this example, supports the definities of rules on a per user basis.
In the following example we have a user with the following ip’s: local ip: 10.8.1.1, remote ip: 10.8.1.2.
We permit only the access of port 50050 of the ip: 172.16.0.1 on the remote network (seen from the client)/
Furthermore we map port 3389 of 10.8.1.2 to the port 50050 of 172.16.0.1.

# vi /etc/ipf.rules

The file should look like this:

# vi /etc/ipnat.rules

The file should look like this:

13. Start ipfilter and ipnat

# /etc/rc.d/ipfilter start
# /etc/rc.d/ipnat start

14. Test from the client

Is the openvpn server reachable?

Can I reach the network?

In the example I try to access the server with rdesktop on the default port number 3389.

# rdesktop 10.8.1.2

The result:

It works!!

Secure fileserver with LDAP

Saturday, May 15th, 2010

Introduction
This article describes how to setup a secure file server on a server running FreeBSD. This version is based on FreeBSD 7.3. It is likely to work on newer version without too much difficulty.

This walkthrough will setup a very secure file server that will root your users to their home directories. This will prevent users browsing all over your server. The file server handles the well supported and secure sftp service. Other services are not provided. We will show how to use an LDAP directory service for authentication.

Before you begin

1. Standard installation of FreeBSD
This articles asumes you have a working install of FreeBSD 7.3 for i386 logged in as root with the ports collection installed. You can use sysinstall, portsnap or similar to install the ports collections. A standard installation of FreeBSD is described in this article.

2. This article is based on an LDAP authentication. If you do not have an LDAP server up and running you could use this article to setup a standard openLDAP server.

3. Update /usr/ports

# portsnap fetch
# portsnap extract

Procedure

1. Install ssh2 from the ports

For improved security we take advantage of new functionality offered in this software.

# cd /usr/ports/security/ssh2
# make install clean -DBATCH

2. Adapt current sshd server (optional)

The file server we install will use the standard port 22. If this port is already active with an sshd-instance for remote login. We need to adapt the settings.

# vi /etc/ssh/sshd_config

Change the line:

#Port 22

so the line reads

Port 5022

So the “old” sshd server will listen to port 5022 for remote logins and will not interfere with the secure file server.

3. Restart sshd

# /etc/rc.d/sshd restart

4. Configure sshd2

# cd /usr/local/etc/ssh2
# cp sshd2_config.example sshd2_config
# vi sshd2_config

Remove the # from the line

#AllowedAuthentications hostbased, publickey,keyboard-interactive

so the line reads

AllowedAuthentications hostbased, publickey,keyboard-interactive

Add the lines:

AuthKbdInt.Optional        pam
ChRootGroups                .*

5. Edit /etc/rc.conf

Enable the sshd2 server.

# vi /etc/rc.conf

Add the line:

sshd2_enable=”YES”

6. Start the sshd2-server

# /usr/local/etc/rc.d/sshd2 start

Now your sftp server should be up and running.
You should be able to connect to this machine with

# sftp <user>@<ipnumber of your fileserver>

You are not yet able to connect, but it should prompt for a user name and a password.

7. Install openldap24-client, pam_ldap and nss_ldap

Now we proceed with getting the LDAP authentication in place. The software will be installed from the ports.

# cd /usr/ports/net/openldap24-client
# make install clean -DBATCH
# cd /usr/ports/security/pam_ldap
# make install clean -DBATCH
# ln -s /usr/local/lib/pam_ldap.so /usr/lib
# cd /usr/ports/net/nss_ldap
# make install clean -DBATCH

8. Create one ldap.conf file

The software requires several vesions of ldap-configuration files. To make life easier we simulate with symbolic links just one big configuration files. This is a lot easier to maintain and debug.

# cd /usr/local/etc
# ln -s /usr/local/etc/openldap/ldap.conf .
# ln -s /usr/local/etc/openldap/ldap.conf nss_ldap.conf

9. Edit the configuration file

# vi /usr/local/etc/ldap.conf

Change the file to create a file as shown:

Make sure you install the CA-certificate of the LDAP-server in the directory /usr/share/openlap (or another directory of choice).

The setting is based on the LDAP-schema as described in my article OpenLDAP server on FreeBSD. If you use another configuration you should adjust the configuration accordingly.

10. Install pam_mkhomedir

We want the automatic home directory creation at first access for our users. We need to install the corresponding software from the ports.

# cd /user/ports/security/pam_mkhomedir
# make install clean -DBATCH
# ln -s /usr/local/lib/pam_mkhomedir.so /usr/lib

The latter step is needed because we do not want the specify the complete path in the pam configuration files.

11. Configure PAM using LDAP for sshd2

# cp -pr /etc/pam.d/sshd etc/pam.d/sshd2
# vi /etc/pam.d/sshd2

Adapt the file so it looks like this (or similar):

12. Configure NSS using LDAP

# vi /etc/nsswitch.conf

Change the line with group: compat and change the line with passwd: compat.
After change the file should look like this (or similar):

13. Test the fileserver

Try the following command on a client:

sftp <user>@<ipnumber of your fileserver>

It should prompt for the applicable password. Now you should be able to login and transfer files. Users are restricted  to their home directories and can only use the sftp protocol and securily transfer files. Users are not allowed to remotely login.

Congratulations!! Your secure fileserver with LDAP authentication is up and running.

openLDAP server on FreeBSD

Friday, May 7th, 2010

Introduction
OpenLDAP is an open source implementation of the Lightweight Directory Access Protocol”. This software can make it a lot easier to work on the the system (with a single centralized password), to get in touch with customers (centralized customer address book), and provide a reliable infrastructure for the future.

In this article I will describe the steps to prepare an OpenLDAP server  on FreeBSD in an actual production environment for alwina.org. The configuration is based on a directory with 3 type of branches:

  • People (OrganizationalUnit)
  • Groups (OrganizationalUnit)
  • Roles (OrganizationalUnit)

In the example I provide in this article these branches are subdivided as follows:

  • Groups: contains posixGroup “customers”. The objectclass “posixGroup” is mappable to Unix-groups
  • People: contains posixAccount “testuser”. The objectclass “posixAccount” is mappable to Unix-users.
  • Roles: contains organizationalRole “ldapmanager” and “ldapreader”.

In this posting I will not go in detail about the mapping these items to Unix-groups and users and authentication schemas. In forthcoming postings I hope to address these subjects.

Well, lets get started and get the LDAP server up and running!

Procedure

1. Standard FreeBSD installation
The first stap is a standard FreeBSD installation as described in standard FreeBSD Installation. A disk space 5GB should suffice.

2. Update /usr/ports
Make sure you have the most recent snapshots with the following commands:

# portsnap fetch
# portsnap extract

3. Install openLDAP
This may take some time!

# cd /usr/ports/net/openldap24-server
# make install clean -DBATCH

4. Create a secret password for SLAP
SLAP is the daemon supporting LDAP-services. The password for SLAP needs to be set. For this purpose we need to create the secret string. We can can use several encryption schemes:

{SHA} and {SSHA} use the SHA-1 algorithm (FIPS 160-1), SHA-1 with a seed.
{MD5} and {SMD5} use the MD5 algorithm (RFC 1321), SMD5 with a seed.
{CRYPT} uses the crypt(3).
{CLEARTEXT} indicates that the new password should be added to userPassword as clear text.

We choose the {MD5} because its broad support.

# slappasswd -h {MD5}

The result of this command:

Please copy the part {MD5}…..
We need to provide this string in the following step.

# cd /usr/local/etc/openldap
# vi slapd.conf

5. Edit slapd.conf

Make the following changes:

  • Add the schema’s cosine.schema, inetorgperson.schema and nis.schema
  • Uncomment and add some lines about read / write access (look for the word access)
  • Add the line with “allow bind_v2″
  • Add the line with password-hash {md5}
  • Change the line with the suffix with “dc=alwina,dc=org”
  • Change the rootdn line with “cn=Manager,dc=alwina,dc=org”
  • Change the word “secret” with the MD5-string from the previous step “{MD5}…..”

The file should look like this now:

6. Configuration of the database

This is really easy, just copy the configuration file.

# mv DB_CONFIG.example /var/db/openldap-data/DB_CONFIG

7. Edit ldap.conf

The file ldap.conf is used for accessing LDAP services.  This file needs to be configures.

# vi ldap.conf

Make the following changes:

  • Uncomment the lines with BASE, URI, SIZELIMIT, TIMELIMIT, and DEREF
  • Change the lines with BASE and URI

The result should look like this:

8. Start the openLDAP server

# vi /etc/rc.conf

Add the following line:

slapd_enable=”YES”

You can start the server with the following command:

# /usr/local/etc/rc.d/slapd start

You can check if slapd runs with the following command:

# sockstat -4

The output should contain at least one line with the word slapd and shows the ip’s and ports it is listening on. For instance:

9. Create initial tree

First we need to create a file that contains the initial entries.

# vi alwina.ldif

This file should exactly look as described. Please mind empty lines and spaces!

dn: dc=alwina,dc=org
objectClass: dcObject
objectClass: organization
o: Alwina
dc: alwina

dn: ou=People,dc=alwina,dc=org
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Groups,dc=alwina,dc=org
ou: Groups
objectClass: top
objectClass: organizationalUnit

dn: ou=Roles,dc=alwina,dc=org
ou: Roles
objectClass: top
objectClass: organizationalUnit

dn: cn=customers,ou=Groups,dc=alwina,dc=org
objectClass: posixGroup
objectClass: top
cn: customers
gidNumber: 5001

dn: uid=testuser,ou=People,dc=alwina,dc=org
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: testuser
cn: Test User
sn: TestUser
givenName: Test
displayName: Testuser
uidNumber: 5001
gidNumber: 5001
gecos: Testuser
homeDirectory: /home/testuser
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
mail: testuser@alwina.com
postalCode: 2132DL
l: Hoofddorp
o: Voorbeeld
mobile: 0616xxx
homePhone: 3123xxxxx
title: System Tester
postalAddress:
initials: TU
loginShell: /bin/sh
shadowExpire: -1

dn: cn=ldapmanager,ou=Roles,dc=alwina,dc=org
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: ldapmanager
description: LDAP manager user for unrestricted read/write
userPassword:

dn: cn=ldapreader,ou=Roles,dc=alwina,dc=org
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: ldapreader
description: LDAP reader for unrestrited reads
userPassword:

Once this file is created we can create the initial tree with the following command:

# ldapadd -x -D “cn=Manager,dc=alwina,dc=org” -W -f alwina.ldif

The command should display the added entries.

10. Install and use ldapvi tool the edit the ldap directory (optional step)

For manually editting the ldap directory the handy tool ldapvi is available. You can install it from the ports with the following steps:

# cd /usr/ports/sysutils/ldapvi
# make install clean -DBATCH
# rehash

Once installed you can easily enter or correct the ldap directory.

# ldapvi –ldap-conf -D “cn=Manager,dc=alwina,dc=org”

11. Create LDAP-password for Manager

With this step we set the password fot the special roles “ldapmanager” with complete manage control over the ldap directory  and “ldapreader” with readaccess over ldap directory.
Not that “ldapmanager” has similar access rights as the manager of the openLDAP server (“cn=Manager,dc=alwina,dc=org”). The latter is not explicitely defined in the directory.

# ldappasswd -x -D “cn=ldapreader,ou=Roles,dc=alwina,dc=org” -W -S
# ldappasswd -x -D “cn=ldapmanager,ou=Roles,dc=alwina,dc=org” -W -S

12. Restart the openLDAP service

# /usr/local/etc/rc.d/slapd restart

13. Check the service

Perform the following command to check the directory service:

# ldapsearch -D “cn=ldapreader,ou=Roles,dc=alwina,dc=org” -W

The result should look like this:

Your openLDAP service is up and running.

Now it is time to secure your openLDAP server with an encryption schema. OpenLDAP supports two similar kinds of encryption, SSL and TLS.

TLS stands for “Transport Layer Security”. Services that employ TLS tend to connect to the same services without TLS. An LDAP server could handle unsecured and TLS-secured services on the same port.
SSL stands for “Secure Socket Layer”, and services that implement SSL do not listen on the same port as their non-SSL counterparts.

In the following steps we will adjust our LDAP-server to use TLS, as SSL is concidered deprecated.

14. Obtain a set of SSL keys/certificates

There are many ways to obtain SSL/TLS certificates with. You could obtain a set from a provider or generate a self-signed certificate/key pairs yourself with the pre installed openssl tool from OpenSSL. Please note that there is no need for commercial certificates like Thawte’s in our case. In the example I just re-used a free certificate I obtained from StartCOM. If you do not have a set of SSL keys/certiticates available, do the following steps to generate a self signed certificate:

  • Build the certificate authority (CA)
  • Generate certificate + key for your LDAP-server

The SSL keys/certificate files I will use:

  • ca.pam = Certificate Authority
  • sub.class1.server.ca.pem = Chain Certificate
  • SSL.crt = Server Certificate
  • SSL.key = Server Key [ Keep secret ]

15. Place the SSL keys/certificates on your system

Perform the following steps on your server:

# cd /usr/local/etc/openldap
# mkdir private

Copy the Server Certificate and Server Key files to the newly created directory (SSL.crt and SSL.key).

If you need to generate a self signed certificate, you could do the following additional steps:

# cd /usr/local/etc/openldap/private

Create the certificate and the key for the Certificate Authority with the following command.

# openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.crt

Choose common name ca.<your domain>.

Create the  key for your server and a certificate signing request (server.csr).

# openssl req -days 3650 -nodes -new -keyout server.key -out server.csr

Choose common name ldap.<your domain>.

Finally create the signed certificate out of the certificate request.

# openssl x509 -req -days 3650 -in server.csr -out server.crt -CA ca.crt -CAkey ca.key -CAcreateserial

This completes the extra steps needed to create self signed certificates.

16. Continue with the following steps:

# cd /usr/local/etc/openldap
# chown -R ldap:ldap private
# chmod -R 700 private

Move the Certificate Authority and the Chain Certificate files to a public place:

# mkdir -p /usr/share/openldap
# mv /usr/local/etc/ldap/private/ca.pam /usr/share/openldap
# mv /usr/local/etc/ldap/private/sub.class1.server.ca.pem /usr/share/openldap
# cd /usr/share/openldap
# chmod 755 *

17. Edit slapd.conf

# vi /usr/local/etc/openldap/slapd.conf

Add the following:

security ssf=256
TLSCertificateFile /usr/local/etc/openldap/private/SSL.crt
TLSCertificateKeyFile /usr/local/etc/openldap/private/SSL.key
TLSCACertificateFile /usr/share/openldap/sub.class1.server.ca.pem /usr/share/openldap/ca.pem

The order of the files in TLSCACertificateFile is important.
In case you generated a self signed certificate, there is no chain certificate. You can just omit it.

18. Restart your openLDAP service

# /usr/local/etc/rc.d/slapd restart

Check is it is up and running:

# sockstat -4 | grep slapd

You should see a line with the listening port.
If there is an error, you could check /var/log/debug.log for further information.

19. Check if confidentiality is required by the server now

Check is security is required:

# ldapsearch -x -D “cn=Manager,dc=alwina,dc=org” -W

Now you should get an error “Confidentiality required”.

20. Edit ldap.conf

# vi /usr/local/etc/openldap/ldap.conf

Add the following line:

TLS_CACERT    /usr/share/openldap/ca.pem

21. Check if it works now

# ldapsearch -x -D “cn=Manager,dc=alwina,dc=org” -W -Z

The -Z option enables TLS.

Now you should see a response like this:

You can ignore the security warning.

After entering the password the result should be like this:

Your fully secured openLDAP server is up and running. Congratulations!

In forthcoming posting I will explain how to use and take advantage of your openLDAP server.