RHEL 5.xx/6.xx LDAP

1. LDAP domain: example1.com

2. ldap users will have homedir: /home/homeldap/ldapusr{1,2,3,….}

3. we’ll have 2 groups: sudogrp and admins

4. members of the sudogrp group will be allowed to run `sudo su`

5. members of the admins group will be able to run sudo without being asked for a password

— slapd.conf

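include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
# sudo.schema ships with the sudo package; it defines the sudoRole class used
# by the ou=SUDOers LDIFs below.
include /etc/openldap/schema/sudo.schema
moduleload      ppolicy.la
moduleload      unique.la
# NOTE(review): memberof maintains memberOf from groupOfNames/member by default.
# The groups in groups.ldif are posixGroup (gidNumber/memberUid), so this overlay
# does nothing for them unless memberof-group-oc/memberof-member-ad are set.
moduleload      memberof
pidfile                /var/run/openldap/slapd.pid
argsfile               /var/run/openldap/slapd.args

# NOTE(review): the cipher string is OpenSSL syntax and pins TLSv1 with RSA key
# exchange; confirm the TLS library this slapd build links against accepts it,
# and widen it if newer protocol versions are wanted.
TLSCipherSuite         TLSv1+RSA:!NULL
# Certificate and private key live in the same PEM file, so that file must be
# readable only by the account slapd runs as.
TLSCertificateFile     /etc/openldap/cacerts/slapd_1.pem
TLSCertificateKeyFile  /etc/openldap/cacerts/slapd_1.pem

# Password attributes: anonymous may only use them to bind, a user may change
# their own, the admin may change anyone's, nobody can read them.
# The original also had 'by dn.regex="uid=[^,]+,ou=People,..." write', which
# would have let every user under that OU overwrite every other user's
# password; "by self write" already covers self-service changes, so it is gone.
access to attrs=userPassword,shadowLastChange
          by anonymous auth
          by self write
          by dn.base="cn=admin,dc=example1,dc=com" write
          by * none

# Identity attributes the clients trust for authorisation. Without this rule
# the "by self write" below would let a user set their own uidNumber to 0,
# move into another primary group, or pick a weaker password policy.
access to attrs=uid,uidNumber,gidNumber,homeDirectory,pwdPolicySubentry
          by dn.base="cn=admin,dc=example1,dc=com" write
          by * read

# Everything else: users may edit the rest of their own entry; the tree is
# readable anonymously, which the client snippets below (no binddn) rely on
# for NSS and sudoers lookups.
access to *
          by self write
          by dn.base="cn=admin,dc=example1,dc=com" write
          by * read

database monitor
access to *
          by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
          by dn.exact="cn=admin,dc=example1,dc=com" read
          by * none

database bdb
suffix "dc=example1,dc=com"
checkpoint 1024 15
rootdn "cn=admin,dc=example1,dc=com"
# Replace with the {SSHA} hash printed by slappasswd (see below), never a cleartext value.
rootpw _ENCRYPTED PASSWD_

# Reject a second entry with the same uid under the users OU.
# base.ldif creates ou=Users (not ou=People), so the base has to name that OU
# or the overlay silently guards an empty subtree.
overlay           unique
unique_base       ou=Users,dc=example1,dc=com
unique_attributes uid

overlay         memberof

# Server-side password policy; cn=default is created by ppolicy.ldif.
# ppolicy_hash_cleartext stores a hash even when a client sends a cleartext
# password (e.g. through the password-modify extended operation).
overlay         ppolicy
ppolicy_default "cn=default,ou=policies,dc=example1,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext


directory /var/lib/ldap
index objectClass                        eq,pres
index ou,cn,mail,surname,givenname       eq,pres,sub
index uidNumber,gidNumber,loginShell     eq,pres
index uid,memberUid                      eq,pres,sub
index nisMapName,nisMapEntry             eq,pres,sub
# sudo looks sudoUser up by equality (user, %group, +netgroup), so eq is enough.
index sudoUser                           eq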
-- generate the password hash for rootpw
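# Omit -s so slappasswd prompts for the password: a value given with -s is
# visible in the process list and ends up in the shell history.
# The printed {SSHA} hash is what goes into rootpw in slapd.conf.
slappasswd -h {SSHA}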

— LDIF FILES

–base.ldif

# Top of the tree; load it before any other LDIF, every other DN hangs off it.
dn: dc=example1,dc=com
objectClass: top
objectClass: domain
dc: example1

# Container for the posixAccount entries in users.ldif. All user DNs in this
# guide use ou=Users; any server-side rule that names the users OU (ACLs,
# unique_base) must use this same RDN or it will silently match nothing.
dn: ou=Users,dc=example1,dc=com
objectClass: top
objectClass: OrganizationalUnit
ou: Users

# Container for the posixGroup entries in groups.ldif.
dn: ou=Groups,dc=example1,dc=com
objectClass: top
objectClass: OrganizationalUnit
ou: Groups

# Not used by anything else in this guide.
dn: ou=addressbook,dc=example1,dc=com
objectClass: top
objectClass: OrganizationalUnit
ou: addressbook

# Same DN as the rootdn in slapd.conf. slapd does not need the rootdn to exist
# as an entry; this is a placeholder and carries no userPassword (rootpw is used).
dn: cn=admin,dc=example1,dc=com
objectClass: top
objectclass: organizationalRole
cn: admin

–users.ldif

# Users are posixAccount/shadowAccount entries with an inetOrgPerson identity.
# No userPassword is set here: set one after loading (e.g. ldappasswd as
# cn=admin) or the account cannot bind.
dn: uid=usrldap1,ou=Users,dc=example1,dc=com
uid: usrldap1
cn: usrldap1
sn: usrldap1
mail: usrldap1@example1.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
# Client-side shadow aging is effectively off (99999 days); the 30-day age
# described later is meant to come from the server-side ppolicy entry instead.
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 50001
# Primary group 50001 is cn=sudogrp in groups.ldif; that is what makes this
# user a sudogrp member, since the groups carry no memberUid.
gidNumber: 50001
homeDirectory: /home/homeldap/usrldap1

dn: uid=usrldap2,ou=Users,dc=example1,dc=com
uid: usrldap2
cn: usrldap2
sn: usrldap2
mail: usrldap2@example1.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 50002
# Primary group 50002 is cn=admins in groups.ldif, i.e. the passwordless sudo role.
gidNumber: 50002
homeDirectory: /home/homeldap/usrldap2

–groups.ldif

# POSIX groups. Membership is by the users' primary gidNumber only
# (50001 -> usrldap1, 50002 -> usrldap2); add memberUid values to enrol
# further users without changing their primary group.
dn: cn=sudogrp,ou=Groups,dc=example1,dc=com
objectClass: posixGroup
objectClass: top
cn: sudogrp
# RFC 2307 group-password placeholder; nothing in this setup uses it, and the
# userPassword ACL keeps it unreadable anyway.
userPassword: {crypt}x
gidNumber: 50001

dn: cn=admins,ou=Groups,dc=example1,dc=com
objectClass: posixGroup
objectClass: top
cn: admins
userPassword: {crypt}x
gidNumber: 50002

–sudoers.ldif

# Container the clients' sudoers_base points at; it must exist before the
# sudoRole entries below are added.
dn: ou=SUDOers,dc=example1,dc=com
objectClass: top
objectClass: OrganizationalUnit
ou: SUDOers

–sudo_defaults.ldif

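# cn=defaults is the LDAP counterpart of the "Defaults" lines in /etc/sudoers.
dn: cn=defaults,ou=SUDOers,dc=example1,dc=com
cn: defaults
objectClass: top
objectClass: sudoRole
sudoOption: !visiblepw
sudoOption: always_set_home
# Run every command from a sanitised environment; only the env_keep variables
# below survive. The original entry also carried "!env_reset" further down,
# which switches the sanitising off again, so that value has been dropped.
sudoOption: env_reset
sudoOption: env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
# NOTE(review): the "+=" values only extend the list if the server hands the
# values back in stored order; check the result with `sudo -l` on a client.
sudoOption: env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
sudoOption: env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
sudoOption: env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
sudoOption: env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
sudoOption: secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
sudoOption: passprompt="Your password [ %p ] : "
sudoOption: logfile=/var/log/sudo.log
sudoOption: timestamp_timeout=5
sudoOption: syslog_badpri=alert
sudoOption: syslog=local2
sudoOption: syslog_goodpri=alert
# Once this entry is read, the client's local /etc/sudoers is not consulted.
sudoOption: ignore_local_sudoers
sudoOption: log_year
sudoOption: log_host
sudoOption: insults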

–sodogrp_sudo.ldif (allow users on “sudogrp” group to execute sudo su – )

# Grants sudo to every member of the POSIX group sudogrp on every host.
dn: cn=sudogrp,ou=SUDOers,dc=example1,dc=com
objectClass: top
objectClass: sudoRole
cn: sudogrp
# "%name" = members of the POSIX group, resolved through the client's NSS.
sudoUser: %sudogrp
sudoHost: ALL
# No sudoRunAsUser, so commands run as root. A sudoCommand without an argument
# list matches any arguments, so "/usr/bin/su" alone is an unrestricted root
# shell (not only "su -"); the /usr/bin/sudo entry adds nothing on top of that.
sudoCommand: /usr/bin/sudo
sudoCommand: /usr/bin/su

–adminsgrp_sudo.ldif (allow users on “admins” group to execute sudo  w/o requesting password )

# Same as the sudogrp role but without a password prompt, as set out in goal 5.
dn: cn=admins,ou=SUDOers,dc=example1,dc=com
objectClass: top
objectClass: sudoRole
cn: admins
sudoUser: %admins
sudoHost: ALL
# !authenticate: no password is asked, so any process running as a member can
# become root; !requiretty: that also works from non-interactive contexts
# (e.g. cron jobs or ssh commands).
sudoOption: !authenticate
sudoOption: !requiretty
# Unrestricted su (any arguments) as root; see the sudogrp role.
sudoCommand: /usr/bin/sudo
sudoCommand: /usr/bin/su

DEFAULT POLICY:

 
- password age: 30 days
- warning password expire: 1 day before
- max attempts: 5
- account locked for 10 minutes
- password history: 3
- permit user to change passwd when expired

-ppolicy.ldif (enforce password policy)

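# Container for the pwdPolicy entries; ppolicy_default in slapd.conf points here.
dn: ou=policies,dc=example1,dc=com
objectClass: organizationalUnit
objectClass: top
ou: policies

# Policy applied to every entry that has no pwdPolicySubentry of its own.
# pwdPolicy is an auxiliary class, so "person" plus a dummy sn supply the
# structural class the entry needs.
dn: cn=default,ou=policies,dc=example1,dc=com
objectClass: top
objectClass: pwdPolicy
objectClass: person
cn: default
sn: dummy
pwdAttribute: userPassword
# 30 days in seconds; warn during the last 86400 s (1 day).
pwdMaxAge: 2592000
pwdExpireWarning: 86400
# pwdMinLength is only enforced while quality checking is on; the original
# entry had no pwdCheckQuality, so its 5-character minimum never applied.
# Level 1 checks when the server can see the cleartext and accepts otherwise
# (e.g. a client that sends an already-hashed value).
pwdCheckQuality: 1
pwdMinLength: 5
# Lock after 5 failures for 600 s (10 minutes); remember the last 3 passwords.
pwdMaxFailure: 5
pwdInHistory: 3
pwdLockout: TRUE
pwdLockoutDuration: 600
pwdMustChange: FALSE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
# NOTE(review): once a password has expired, binds fail unless the policy grants
# grace logins (pwdGraceAuthNLimit); nothing here does, so "change passwd when
# expired" from the goals above needs that attribute or an admin reset — confirm
# on a client.

# Stricter policy, selected per entry through pwdPolicySubentry (mod_policy.ldif).
dn: cn=strong,ou=policies,dc=example1,dc=com
objectClass: top
objectClass: pwdPolicy
objectClass: person
cn: strong
sn: dummy
pwdAttribute: userPassword
# 0 = passwords under this policy never expire (unlike cn=default).
pwdMaxAge: 0
pwdMinLength: 8
# Lock after 3 failures for 300 s (5 minutes).
pwdMaxFailure: 3
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdMustChange: FALSE
pwdAllowUserChange: TRUE
# NOTE(review): level 2 rejects any change whose quality the server cannot check,
# which includes passwords hashed by the client before sending (pam_password ssha
# in the client configs below); verify that a user under this policy can actually
# change their password.
pwdCheckQuality: 2
pwdSafeModify: FALSE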

–ADDING all above to LDAP DB

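# Load the LDIFs in dependency order (each file's parent entries must already
# exist). "-f *.ldif" is wrong on two counts: -f takes a single file, and the
# glob expands alphabetically, which would try adminsgrp_sudo.ldif before
# base.ldif. Feeding the concatenation on stdin keeps it to one bind and one
# password prompt. -x sends the rootpw in the clear, so add -ZZ (StartTLS) or
# -H ldaps://... when this is not run on the server itself.
for f in base.ldif users.ldif groups.ldif sudoers.ldif sudo_defaults.ldif \
         sodogrp_sudo.ldif adminsgrp_sudo.ldif ppolicy.ldif; do
    cat "$f"; echo    # blank line separates the last entry of one file from the next
done | ldapadd -x -D 'cn=admin,dc=example1,dc=com' -W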

Now, what if we want to assign a user/group to a specific password policy ?

— assign usrldap2 (member of admins) to password policy = strong

— mod_policy.ldif

# Pins this one entry to cn=strong; entries without pwdPolicySubentry keep
# using the ppolicy_default policy.
# NOTE(review): pwdPolicySubentry is an operational attribute, so a default
# ldapsearch will not show it — request it by name to verify the change.
dn: uid=usrldap2,ou=Users,dc=example1,dc=com
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=strong,ou=policies,dc=example1,dc=com

— assign   admins group to password policy = strong

— mod_policy.ldif

# NOTE(review): slapo-ppolicy reads pwdPolicySubentry from the entry that binds,
# i.e. the user entry. Setting it on the group entry does not apply cn=strong
# to the group's members; add it to each member entry (as done for usrldap2
# above) or make cn=strong the ppolicy_default instead.
dn: cn=admins,ou=Groups,dc=example1,dc=com
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=strong,ou=policies,dc=example1,dc=com

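# Straight quotes: the curly quotes in the original are passed to ldapmodify as
# part of the bind DN, so the bind fails.
ldapmodify -x -D "cn=admin,dc=example1,dc=com" -f mod_policy.ldif -W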

By default, Linux does not warn the user when a password has expired or is about to expire when using LDAP authentication, so here are the necessary modifications:

— RHEL && CentOS 5.xx

/etc/ldap.conf
……
……
# Hash the new password on the client before sending it.
# NOTE(review): slapd then cannot run pwdCheckQuality on it; the cn=strong
# policy uses level 2, which rejects what it cannot check, so confirm a
# password change works for a user under that policy (the alternative is
# pam_password exop over TLS, letting ppolicy_hash_cleartext hash server-side).
pam_password          ssha
# Intended to make the server's password-policy state (expiry, lockout)
# visible at login; verify with an account whose password is about to expire.
pam_lookup_policy  yes
log_dir                           /var/log
# Troubleshooting only; leave disabled in production.
#debug                         1

— RHEL && CentOS 6.xx

(check that the following packages are installed: pam_ldap && nss-pam-ldapd)

/etc/pam_ldap.conf

……
……
# Hash the new password on the client before sending it.
# NOTE(review): slapd then cannot run pwdCheckQuality on it; the cn=strong
# policy uses level 2, which rejects what it cannot check, so confirm a
# password change works for a user under that policy (the alternative is
# pam_password exop over TLS, letting ppolicy_hash_cleartext hash server-side).
pam_password          ssha
# Intended to make the server's password-policy state (expiry, lockout)
# visible at login; verify with an account whose password is about to expire.
pam_lookup_policy  yes
log_dir                           /var/log
# Troubleshooting only; leave disabled in production.
#debug                         1

–ENABLING LDAP_SUDO

–RHEL && CENTOS 5.xx

/etc/ldap.conf

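# ldap:// is tried first; unless "ssl start_tls" is also set, sudo rules fetched
# over it travel without integrity protection — consider listing only ldaps://.
uri             ldap://192.100.100.10 ldaps://192.100.100.10
sudoers_base    ou=SUDOers,dc=example1,dc=com
sudoers_debug   0
# Directory holding the CA that signed the slapd certificate (hashed file
# names, as c_rehash produces), so the client can verify the server.
tls_cacertdir   /etc/openldap/cacerts
# "allow" accepted a bad or missing server certificate, so sudo rules could be
# served by anything answering on the server's address. "demand" fails the TLS
# session instead; the server certificate must be valid for the name/IP in uri.
tls_reqcert     demand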

–RHEL && CENTOS 6.xx

/etc/sudo-ldap.conf

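# ldap:// is tried first; unless "ssl start_tls" is also set, sudo rules fetched
# over it travel without integrity protection — consider listing only ldaps://.
uri            ldap://192.100.100.10 ldaps://192.100.100.10
sudoers_base   ou=SUDOers,dc=example1,dc=com
sudoers_debug  0
# Directory holding the CA that signed the slapd certificate (hashed file
# names, as c_rehash produces), so the client can verify the server.
tls_cacertdir  /etc/openldap/cacerts
# "allow" accepted a bad or missing server certificate, so sudo rules could be
# served by anything answering on the server's address. "demand" fails the TLS
# session instead; the server certificate must be valid for the name/IP in uri.
tls_reqcert    demand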

One response to “RHEL 5.xx/6.xx LDAP

  1. Is there anyway to make a “netgroup” of sudo commands so instead of listing the commands for each sudo role, we can use the “netgroup” instead? Create a Netgroup (or something else) called “view” with members /bin/ls, /usr/bin/less, /usr/bin/tail and in the SudoCommand field just enter +view.
