FlossUK 2015 presentation
Most Linux authentication implementations use 'plain old' LDAP, sometimes in combination with Kerberos and/or Samba. Lately there is also interest in FreeIPA, especially on RHEL-based platforms.
We created a setup using the OpenDJ LDAP server, AD Kerberos, the SSSD client daemon and additional tools and scripts.
Linux AD integration with OpenDJ
1. Linux centralized identity and authentication
interoperability with AD
Pieter Baele – pieter.baele@gmail.com
FlossUK DevOps Spring 2015 @ York
25 March, 2015
Pieter Baele – pieter.baele@gmail.com (FlossUK DevOps Spring 2015 @ York) A directory server integration with AD, 25 March, 2015, 1 / 28
2. Presentation overview
The history of our implementation
Concepts and principles
Choices: server and client-side
Tooling
The design
Monitoring
References
3. history
of our LDAP implementation
Situation in 2009: a growing Linux environment (fewer than 100 servers), no LDAP. A bigger Unix environment exists with its own Sun Directory Server.
central management of (some) users: let's use Puppet
manually - with scripts - create users on the Sun Directory Server
add them - manually - to Puppet
good for application users, not funny when you have 100 real users to add
So let’s develop a nice directory architecture!
4. Concepts and requirements
HA using replication and load-balancing
traceability and auditing
secure
practical ACL support (only on groups)
transport security: TLS, with a minimum SSF (security strength factor) enforced on connections
some SSO functionality (Kerberos/GSSAPI) + fallback (PTA: pass-through authentication of passwords to AD)
accounts not maintained by us: automatic decommissioning
ensuring UIDs and GIDs are unique across the enterprise
applications: local users
central store for sudo rules
support
KISS (complexity introduces risks)
no need to duplicate things if they exist already
5. Implementation choice
server-side
the ’classic’ LDAP approach
Samba + Winbind
other LDAP servers in general
Unix attributes and Active Directory
the Red Hat way - IPA
realmd
the hybrid approach: OpenDJ as Directory Server, AD Kerberos and some duct tape.
Tried most of the above...
6. Implementation choice server
the classic approach
everybody knows the classic approach, right?
OpenLDAP
sometimes with MIT or Heimdal Kerberos
and maybe with some bits of Cyrus-SASL - SASLauthd
welcome to the world of LDIF
almost heaven for LDAP gurus
perfect when there is the need for speed (MDB...amazing)
perfect for custom implementations (backends - overlays)
no special benefit for our case
Support: so who is the expert?
8. Implementation choice server
Winbind / Active Directory
Winbind
join the system to AD
AD SID to Posix Attribute mapping
trusted domains
do you want those components on your server?
Active Directory
ID mapping uses the SFU / IMU (Identity Management for UNIX) schema extensions in AD
maintained by another team
do we really want windows to manage our entries?
9. Implementation choice server
Realmd
offers direct integration to AD by configuring SSSD
replaces Winbind
detects the domain using DNS
identity lookup using AD
Kerberos or LDAP authentication
you need a Domain Admin
10. Implementation choice server
389 Directory Server
used for a subproject of my internship (MMR, multi-master replication)
based on the Netscape code
why? we already have our (Sun) Oracle Directory Server Enterprise Edition 11g... which can't replicate with 389!
support from Red Hat
no benefit
11. The history of (some) directory servers
12. Implementation choice server
(Free)IPA
Complete IdM with DS, NTP, PKI, KDC, HTTPD and DNS
it’s free on RHEL
especially made for the need of Linux AuthN/AuthZ
choices for integrating with AD
synchronization service, with a password-sync agent on each domain controller (also possible with 389 DS alone, which is part of FreeIPA)
a subdomain (or a new domain) + AD trust relationship
bugs (when I tested it)
after release: not supported when you had added custom schemas :-(
nowadays: if it can help you, why not?
The first product specifically for this use case (!)
real Role-Based Access Control
Automember
Integrated webinterface
SELinux integration (confined users / mapping)
14. Implementation choice server
OpenDJ
rather easy (IMO)
has a very complete administrative tool (dsconfig)
setting up replication is only 1 command (dsreplication)
cn=config / LDIF configuration when you need it
has a REST interface
possibility to integrate with OpenAM (WebSSO is possible)
can be monitored in various ways
JMX
logs
SNMP
cn=monitor
never let us down so far (lost 1 replica once because of a configuration error)
fast for dev
15. OpenDJ
the future of OpenDJ
16. OpenDJ
components
17. architecture / design
physical
each datacenter its own pair of directory servers
18. architecture / design
DIT
as flat as possible
keep organisation structure out of the tree
19. client
replace legacy tools
System Security Services Daemon
A project from Red Hat
before: nss_ldap, nscd
supports a lot of different integrations
direct integration with AD
IPA
using only an LDAP server such as OpenLDAP
or something custom ...
20. msktutil
Active Directory Keytab Management
creates user or computer accounts in Active Directory,
creates Kerberos keytabs on Unix/Linux systems
adds and removes principals to and from keytabs
changes the user or computer account’s password.
AD Kerberos != MIT Kerberos ...
e.g. a keytab for Apache created on the Windows side needs its own dedicated AD account to map the service principal to
21. the configuration
pt 1: OpenDJ
SASL GSSAPI enabled:
dsconfig set-sasl-mechanism-handler-prop --handler-name GSSAPI --set enabled:true
PTA: the AD domain (CA) certificate added to the OpenDJ trust store, so pass-through binds to AD go over LDAPS
protocols, replication
Referential Integrity plugin enabled
isMemberOf (memberOf) virtual attribute enabled
UID Unique Attribute plugin enabled (rejects a second entry with the same uid)
22. the configuration
pt 2: data
add host entries; their uid is matched against the SASL (GSSAPI) principal the host presents (HOSTNAME$, the AD computer account)
a user is added by our tools; the data comes from AD and, if present, from the Unix directory server
most real users have PTA enabled, which is as simple as assigning a password policy:
ds-pwp-password-policy-dn: cn=PTA Policy,cn=Password Policies,cn=config
no password is set for users; application users are not able to log in directly
users need to be memberOf a group that allows access AND we use netgroups
we use sudo's LDAP backend directly (not via SSSD), so sudo rules are not affected by SSSD caching
23. the configuration
pt 3: client (using configuration management)
installation of packages
configuration of a (minimal) krb5.conf
call to msktutil to create computer account in AD
call to authconfig (EL specific)
enabling sssd
enabling mkhomedir (oddjobd)
enabling PAM access
setting the NISDOMAIN, needed for netgroups (RHEL 7: rhel-domainname service)
24. tooling
Perl
Perl-LDAP is perfect
first script: with a curses frontend ;-(
functionality: add a user to the correct organisation, enable PTA
for other tasks: Apache Directory Studio
code not very maintainable for my colleagues...
25. tooling
Python
OpenDJ REST interface using python-requests
some limitations
python-ldap turned out to be the most flexible way
today the frequent operations are supported: netgroups; sudo; root access...
and we have a functional frontend written in Flask :-)
Management tools are as important as the underlying technologies used.
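The provisioning logic described on the data slide (pt 2) and the Python tooling slide, as an added example: it is not the author's tooling and not OpenDJ code. It builds the entries the way the slides describe (user data merged from AD and from the Unix directory server where present, no userPassword, PTA enabled by pointing ds-pwp-password-policy-dn at the PTA policy, uidNumber kept unique across the enterprise, host entries keyed by the AD computer account HOSTNAME$) and emits LDIF instead of writing to the server, so it runs offline without python-ldap. The base DNs, the 20000+ UID range, the user-private-group gidNumber and the 'account' objectClass for hosts are assumptions.

```python
"""Build OpenDJ entries for the OpenDJ + AD Kerberos + PTA design, as LDIF (example code)."""
import base64

PTA_POLICY_DN = "cn=PTA Policy,cn=Password Policies,cn=config"   # from the slides
PEOPLE_BASE = "ou=people,dc=example,dc=com"   # assumed flat DIT (see the DIT slide)
HOSTS_BASE = "ou=hosts,dc=example,dc=com"     # assumed
FIRST_UID = 20000                             # assumed start of the central UID range


def merge_user(ad, unix, used_uidnumbers, enable_pta=True):
    """ad: attributes read from AD (sAMAccountName, givenName, sn, mail, displayName).
    unix: attributes of the same person in the legacy Unix DS, or None if absent.
    used_uidnumbers: set of every uidNumber already present in the enterprise;
    it is updated in place so two runs never hand out the same number."""
    uid = ad["sAMAccountName"].lower()
    if unix is not None:
        # keep the historic uidNumber so file ownership on the Unix boxes survives,
        # but refuse it if some other entry already took it
        uid_number = int(unix["uidNumber"])
        if uid_number in used_uidnumbers:
            raise ValueError(f"uidNumber {uid_number} from the Unix DS is already taken")
    else:
        uid_number = FIRST_UID
        while uid_number in used_uidnumbers:
            uid_number += 1
    used_uidnumbers.add(uid_number)
    given, sn = ad.get("givenName", ""), ad["sn"]
    attrs = {
        "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson", "posixAccount"],
        "uid": [uid],
        "cn": [ad.get("displayName") or f"{given} {sn}".strip()],
        "sn": [sn],
        "uidNumber": [str(uid_number)],
        # assumption: users without a Unix entry get a user-private group with gid == uid
        "gidNumber": [str(unix["gidNumber"]) if unix else str(uid_number)],
        "homeDirectory": [unix.get("homeDirectory", f"/home/{uid}") if unix else f"/home/{uid}"],
        "loginShell": [unix.get("loginShell", "/bin/bash") if unix else "/bin/bash"],
    }
    if given:
        attrs["givenName"] = [given]
    if ad.get("mail"):
        attrs["mail"] = [ad["mail"]]
    if enable_pta:
        # the password is verified by AD through pass-through authentication
        attrs["ds-pwp-password-policy-dn"] = [PTA_POLICY_DN]
    # deliberately no userPassword: real users bind via PTA, application users
    # (enable_pta=False) have no credential at all and cannot bind directly
    return f"uid={uid},{PEOPLE_BASE}", attrs


def host_entry(hostname):
    """Host entry whose uid is the AD computer account name (HOSTNAME$), the name the
    host presents from its msktutil keytab and that the GSSAPI identity mapper matches."""
    sam = hostname.split(".")[0].upper() + "$"
    return f"uid={sam},{HOSTS_BASE}", {"objectClass": ["top", "account"], "uid": [sam]}


def _ldif_attr(name, value):
    # RFC 2849: base64-encode values that are not SAFE-STRINGs
    unsafe = (not value.isascii() or value[:1] in (" ", ":", "<")
              or "\n" in value or "\r" in value)
    if unsafe:
        return f"{name}:: {base64.b64encode(value.encode()).decode()}"
    return f"{name}: {value}"


def to_ldif(dn, attrs):
    lines = [_ldif_attr("dn", dn)]
    for name, values in attrs.items():
        lines.extend(_ldif_attr(name, v) for v in values)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # constructed sample input, not real directory data
    used = {20000}
    ad = {"sAMAccountName": "ASmith", "givenName": "Alice", "sn": "Smith", "mail": "alice@example.com"}
    unix = {"uidNumber": "1501", "gidNumber": "100", "loginShell": "/bin/ksh",
            "homeDirectory": "/export/home/asmith"}
    print(to_ldif(*merge_user(ad, unix, used)))
    print(to_ldif(*host_entry("web01.example.com")))
```

The uidNumber check only works if used_uidnumbers really covers every directory (OpenDJ, the Unix DS and any local accounts), which is why the requirements slide insists on enterprise-wide uniqueness; the UID Unique Attribute plugin on the server side only catches duplicate uid values, not duplicate numbers.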
26. monitoring
primary monitoring of service / daemon
log files: parsing with Logstash, especially access (audit) log
correlation
SNMP: using your beloved monitoring platform
JMX: Java Management Extensions, perfect for some internals about the JRE
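What the access-log correlation mentioned above looks like in practice, as an added example (not the author's Logstash configuration): it groups an OpenDJ access log by connection id and applies three checks a security engineer would want on this design: repeated failed binds against one DN, SIMPLE binds sent over plain LDAP without a preceding StartTLS (the TLS requirement from the requirements slide), and slow responses, which with PTA usually mean a slow round trip to AD. The log lines are constructed in the OpenDJ 2.x access-log style, not a real capture.

```python
"""Correlate an OpenDJ access log by connection and flag suspicious sessions (example code)."""
import re
from collections import defaultdict

# Constructed sample lines in the OpenDJ 2.x access-log style, not a real capture.
SAMPLE_LOG = """\
[25/Mar/2015:10:00:01 +0000] CONNECT conn=12 from=10.0.0.5:51234 to=10.0.0.1:636 protocol=LDAPS
[25/Mar/2015:10:00:01 +0000] BIND REQ conn=12 op=0 msgID=1 type=SIMPLE dn="uid=alice,ou=people,dc=example,dc=com"
[25/Mar/2015:10:00:01 +0000] BIND RES conn=12 op=0 msgID=1 result=0 authDN="uid=alice,ou=people,dc=example,dc=com" etime=7
[25/Mar/2015:10:00:02 +0000] SEARCH REQ conn=12 op=1 msgID=2 base="dc=example,dc=com" scope=sub filter="(uid=alice)" attrs="ALL"
[25/Mar/2015:10:00:02 +0000] SEARCH RES conn=12 op=1 msgID=2 result=0 nentries=1 etime=2
[25/Mar/2015:10:00:02 +0000] DISCONNECT conn=12 reason="Client Disconnect"
[25/Mar/2015:10:00:05 +0000] CONNECT conn=13 from=10.0.0.99:40001 to=10.0.0.1:389 protocol=LDAP
[25/Mar/2015:10:00:05 +0000] BIND REQ conn=13 op=0 msgID=1 type=SIMPLE dn="uid=svc-backup,ou=people,dc=example,dc=com"
[25/Mar/2015:10:00:06 +0000] BIND RES conn=13 op=0 msgID=1 result=49 message="Invalid Credentials" etime=1203
[25/Mar/2015:10:00:06 +0000] BIND REQ conn=13 op=1 msgID=2 type=SIMPLE dn="uid=svc-backup,ou=people,dc=example,dc=com"
[25/Mar/2015:10:00:07 +0000] BIND RES conn=13 op=1 msgID=2 result=49 message="Invalid Credentials" etime=1180
[25/Mar/2015:10:00:07 +0000] BIND REQ conn=13 op=2 msgID=3 type=SIMPLE dn="uid=svc-backup,ou=people,dc=example,dc=com"
[25/Mar/2015:10:00:08 +0000] BIND RES conn=13 op=2 msgID=3 result=49 message="Invalid Credentials" etime=1210
[25/Mar/2015:10:00:08 +0000] DISCONNECT conn=13 reason="Client Disconnect"
[25/Mar/2015:10:00:10 +0000] CONNECT conn=14 from=10.0.0.7:42000 to=10.0.0.1:389 protocol=LDAP
[25/Mar/2015:10:00:10 +0000] EXTENDED REQ conn=14 op=0 msgID=1 name="StartTLS" oid="1.3.6.1.4.1.1466.20037"
[25/Mar/2015:10:00:10 +0000] EXTENDED RES conn=14 op=0 msgID=1 name="StartTLS" oid="1.3.6.1.4.1.1466.20037" result=0 etime=1
[25/Mar/2015:10:00:10 +0000] BIND REQ conn=14 op=1 msgID=2 type=SIMPLE dn="uid=svc-monitor,ou=people,dc=example,dc=com"
[25/Mar/2015:10:00:10 +0000] BIND RES conn=14 op=1 msgID=2 result=0 authDN="uid=svc-monitor,ou=people,dc=example,dc=com" etime=4
[25/Mar/2015:10:00:11 +0000] DISCONNECT conn=14 reason="Client Unbind"
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] (?P<kind>[A-Z]+)(?: (?P<phase>REQ|RES))? (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value or key="quoted value"
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"


def parse_line(line):
    """One access-log line -> dict of fields (ts, kind, phase, conn, op, dn, result, ...)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": m.group("ts"), "kind": m.group("kind"), "phase": m.group("phase")}
    for key, val in KV_RE.findall(m.group("rest")):
        ev[key] = val[1:-1] if val.startswith('"') else val
    return ev


def correlate(text):
    """Group events by conn id; the CONNECT line supplies client address and protocol."""
    sessions = {}
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None or "conn" not in ev:
            continue
        s = sessions.setdefault(ev["conn"], {"from": None, "protocol": None, "events": []})
        if ev["kind"] == "CONNECT":
            s["from"], s["protocol"] = ev.get("from"), ev.get("protocol")
        s["events"].append(ev)
    return sessions


def failed_bind_bursts(sessions, threshold=3):
    """Connections with at least `threshold` failed binds (result=49) against the same DN."""
    hits = []
    for conn, s in sessions.items():
        # the DN is only on the REQ line, the result only on the RES line: join them on op
        dn_of_op = {e["op"]: e.get("dn") for e in s["events"]
                    if e["kind"] == "BIND" and e["phase"] == "REQ"}
        fails = defaultdict(int)
        for e in s["events"]:
            if e["kind"] == "BIND" and e["phase"] == "RES" and e.get("result") == "49":
                fails[dn_of_op.get(e["op"])] += 1
        hits += [{"conn": conn, "from": s["from"], "dn": dn, "failures": n}
                 for dn, n in fails.items() if n >= threshold]
    return hits


def cleartext_simple_binds(sessions):
    """SIMPLE binds on plain LDAP with no successful StartTLS earlier on the connection."""
    hits = []
    for conn, s in sessions.items():
        if s["protocol"] != "LDAP":      # LDAPS connections are encrypted from the start
            continue
        tls_up = False
        for e in s["events"]:
            if (e["kind"] == "EXTENDED" and e["phase"] == "RES"
                    and e.get("oid") == STARTTLS_OID and e.get("result") == "0"):
                tls_up = True
            elif e["kind"] == "BIND" and e["phase"] == "REQ" and e.get("type") == "SIMPLE" and not tls_up:
                hits.append({"conn": conn, "from": s["from"], "dn": e.get("dn")})
    return hits


def slow_ops(sessions, max_etime_ms=500):
    """Responses slower than max_etime_ms; a slow BIND under PTA points at the AD round trip."""
    return [(conn, e["kind"], int(e["etime"])) for conn, s in sessions.items()
            for e in s["events"] if e.get("phase") == "RES" and int(e.get("etime", "0")) > max_etime_ms]


if __name__ == "__main__":
    sess = correlate(SAMPLE_LOG)
    print("failed bind bursts:", failed_bind_bursts(sess))
    print("cleartext simple binds:", cleartext_simple_binds(sess))
    print("slow operations:", slow_ops(sess))
```

Because a PTA bind is logged by OpenDJ even though AD does the password check, this is where password guessing against AD accounts through the directory shows up first; AD's own security log only sees the bind from the OpenDJ server's address, so the conn id and client address from this log are what make the correlation useful.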
don’t forget... cn=monitor
28. monitoring
cn=monitor
LDAP metrics: number of operations (bind, search, modrdn ...) and response times
almost no-one uses it (?)
protect the tree with an ACI: cn=monitor reveals server and JVM internals, so restrict it to the monitoring account
there is a nice but older cn=monitor frontend on SourceForge (RPM, DEB...)
still thinking about a new cn=monitor frontend
29. some observations and remarks
only a very small dataset, but a lot of accesses
separate functional users in AD, each with only the rights it needs:
one that can only create computer account objects (used by msktutil)
one with (search) access to the user OUs (used for PTA)
DNS is crucial
NTP is critical for Kerberos (and for correlating log files)
local users that also exist in LDAP can only be managed by recent Puppet versions (via libuser: luseradd and the like)
SSHD tries, in this order: GSSAPI authentication, host-based, public key, password
30. What are we still missing?
home directories mounted via autofs
performance details (from the client side)
a platform to manage SSH public keys:
OpenSSH LPK project
PrivacyIDEA
indexes
31. References
LDAP Toolbox project, to get started quickly with OpenLDAP: http://ltb-project.org/wiki/
Dmitri Pal, AD Integration Options for Linux Systems, Developer Conference, Brno, 2013 (FreeIPA)
Windows Integration Guide, Red Hat official documentation