OpenLDAP-SSL-HOWTO
==========================
untar rsaref20.tar.Z
download: google search for rsaref20.tar.Z
(RSAREF 2.0 is unmaintained and has known buffer overflows, see CERT advisory
CA-1999-15; the RSA patent it worked around expired in September 2000, so a
current OpenSSL does not need it. It is kept here only because this 0.9.6g
build was configured with the "rsaref" option.)
compile rsaref:
____SNIP____
# mkdir rsaref-2.0
# cd rsaref-2.0
# tar zxvf ../rsaref20.tar.Z
# cp -rp install/unix local
# cd local
# make
# mv rsaref.a librsaref.a
# cd ../..
____SNIP____
==========================
untar/compile openssl
download: http://www.openssl.org/source/openssl-0.9.6g.tar.gz
# wget http://www.openssl.org/source/openssl-0.9.6g.tar.gz
____SNIP____
# tar zxvf openssl-0.9.6g.tar.gz
# cd openssl-0.9.6g
# ./config --prefix=/usr/local/ssl \
-L../rsaref-2.0/local \
-fPIC shared rsaref # local/ is the directory holding librsaref.a built above
# make
# make test
# make install
# make do_gnu-shared # I had to do this to get shared libs (make linux-shared is supposed to work)
# cd ..
##
## copy libs to /usr/lib and link appropriately like this
##(do the same for libcrypto):
##
##lrwxrwxrwx 1 root root 15 Jun 20 13:02 /usr/lib/libssl.so -> libssl.so.0.9.6
##lrwxrwxrwx 1 root root 15 Jun 20 13:08 /usr/lib/libssl.so.0 -> libssl.so.0.9.6
##-rwxr-xr-x 1 root root 836109 Jun 20 13:01 /usr/lib/libssl.so.0.9.6
##
____SNIP____
==========================
mit krb5
download: http://web.mit.edu/network/kerberos-form.html
# lynx http://web.mit.edu/network/kerberos-form.html
____SNIP____
# tar zxvf krb5-1.2.2.tar.gz
# cd krb5-1.2.2
# ./configure --enable-shared
# make
# make check
# make install
# cd ..
# ldconfig # make sure /usr/local/lib is in ld.so.conf
____SNIP____
==========================
cyrus sasl
download: ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-1.5.24.tar.gz
# wget ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-1.5.24.tar.gz
____SNIP____
# tar zxvf cyrus-sasl-1.5.24.tar.gz
# cd cyrus-sasl-1.5.24
# ./configure --enable-plain --disable-krb4 --with-pam=/lib/security
# make
# make check
# make install
# cd ..
# ln -s /usr/local/lib/sasl /usr/lib/sasl
# ldconfig # make sure /usr/local/lib is in ld.so.conf
____SNIP____
==========================
openldap
download: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-2.0.11.tgz
# wget ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-2.0.11.tgz
____SNIP____
# CPPFLAGS="-I/usr/local/ssl/include"
# LDFLAGS="-L/usr/local/ssl/lib"
# export CPPFLAGS
# export LDFLAGS
# tar zxvf openldap-2.0.11.tgz
# cd openldap-2.0.11
# ./configure # add --with-cyrus-sasl --enable-spasswd for SASL binds (see Step 5 of the notes below)
# make depend
# make
# make test ## took a while on my compile box (K6/2-450)
# make install
# cd ..
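The builds above put libssl/libcrypto in /usr/lib and libsasl in /usr/local/lib, and the CPPFLAGS/LDFLAGS exports steer the OpenLDAP configure at the right OpenSSL. A common failure is that the installed slapd nevertheless resolves a stray distribution copy of one of these libraries at run time. The check below is an added example, not part of the original HOWTO: it reads `ldd` output and confirms that every libssl/libcrypto/libsasl/libkrb5 dependency resolves under the directories you expect. The sample `ldd` text is constructed, and the slapd path in the usage comment assumes OpenLDAP's default libexecdir.

```shell
#!/bin/sh
# Added example, not from the original HOWTO: after "make install", confirm
# that the slapd you built resolves its SSL and SASL libraries from the
# trees built above rather than from a stray copy elsewhere.
# Assumes POSIX sh + awk and Linux-style ldd output ("lib => path (addr)").
# On a real host:
#   ldd /usr/local/libexec/slapd | check_libs /usr/lib /usr/local/lib
# (also make sure /usr/local/lib is in /etc/ld.so.conf and ldconfig was run)

# Constructed ldd output for illustration; the library names follow the
# versions built in this HOWTO (OpenSSL 0.9.6, cyrus-sasl 1.5.24).
SAMPLE_LDD='        libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x40020000)
        libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x40050000)
        libsasl.so.7 => /usr/local/lib/libsasl.so.7 (0x40120000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x40140000)
        libc.so.6 => /lib/libc.so.6 (0x40160000)'

# check_libs DIR... : reads ldd output on stdin and prints one line per
# libssl/libcrypto/libsasl/libkrb5 entry, tagged OK when the resolved file
# lives in one of DIR..., BAD otherwise (including "not found").
# Exit status is 1 if any entry is BAD, so it can gate an install script.
check_libs() {
    awk -v dirs="$*" '
        BEGIN { n = split(dirs, ok, " "); bad = 0 }
        $2 == "=>" && $1 ~ /^lib(ssl|crypto|sasl|krb5)/ {
            lib = $1; path = $3; status = "BAD"
            if (path == "not") path = "not found"
            else {
                d = path; sub(/\/[^\/]*$/, "", d)      # dirname(path)
                for (i = 1; i <= n; i++) if (d == ok[i]) status = "OK"
            }
            print status, lib, path
            if (status == "BAD") bad = 1
        }
        END { exit bad }'
}

printf '%s\n' "$SAMPLE_LDD" | check_libs /usr/lib /usr/local/lib
```

Unrelated libraries (libc, libcrypt) are ignored; only the security-relevant ones are reported, so a BAD line points straight at a wrong `-L` path or a missing `ldconfig`.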
____SNIP____
CREDITS:
http://www.enic.fr/people/landru/lobster/openldap/OpenLDAP-authenticating-with-PAM.txt
____SNIP____
OpenLDAP authenticating against Win NT domain PDC through PAM
We are trying to build an information system using OpenLDAP 2.0.7.
Due to structural and historical (some say hysterical) reasons
we want to do the user authentication against a Windows NT PDC.
After two or three days fighting with the different environments and
parameters to make it work, I wrote this summary as memoranda pages.
We plan to use
OpenLDAP => SASL => PAM => pam_smb_auth(*) => NT PDC
to authenticate users
(*) I use the pam_smb_auth module to authenticate against the NT domain.
There are other modules doing the same thing: pam_nt_domain and, in
the future, the Samba appliance WINBIND. I will soon test the latter;
if it works I'll complete this summary.
I hope this paper will help people save time in finding their own
correct configuration and parameters when trying to use OpenLDAP with PAM.
Part of these lines can maybe complement the OpenLDAP administrator's guide
or be used to write a "How to". I apologize for my poor English;
corrections or a rewrite will probably be needed...
Jacques Landru
-----oOo-----
Jacques Landru
mel: landru@enic.fr
web: http://www.enic.fr/people/landru
tel: (+33) 3 2033 5556
fax: (+33) 3 2033 5598
E.N.I.C.
Cite scientifique, rue G. Marconi
59658 VILLENEUVE D'ASCQ Cedex
web: http://www.enic.fr
Tel: (+33) 3 2033 5577
Fax: (+33) 3 2033 5599
-----oOo-----
===== oOo =====
Step 1 : Compile and install OpenSSL
====================================
SASL authenticates against PAM using the insecure SASL PLAIN mechanism.
In PLAIN mode passwords are exchanged in clear text. OpenSSL,
which provides encrypted (TLS) connections, is strongly recommended
if you use PLAIN mode on anything but a trusted local link.
- in the OpenSSL directory
$ ./config
$ make
$ make test
$ make install
This will build and install OpenSSL in the default location,
which is (for historical reasons) /usr/local/ssl.
Step 2 : Compile and install SASL
=================================
As we don't have a Kerberos environment we disable Kerberos 4 authentication
and force the arguments --enable-plain and --with-pam
- in the cyrus-sasl directory
# ./configure --with-pam=/lib/security --enable-plain --disable-krb4
# make
# make install
As mentioned by the install script, you have to create a symbolic
link /usr/lib/sasl pointing to /usr/local/lib/sasl (the directory in which
SASL looks for the per-application *.conf files used in Steps 4 and 7)
Step 3 : create a SASLDB
========================
As mentioned in the SASL administrative guide, CRAM-MD5 and DIGEST-MD5
are not offered until a SASLDB exists. Use the saslpasswd
command to create a user. Note that these two mechanisms verify the
password against the secret stored in sasldb, not through PAM: the
pwcheck_method: pam setting used below only applies to PLAIN, so the
NT domain users are reachable through PLAIN alone.
- in cyrus-sasl/utils directory
# ./saslpasswd dummyuser
Password:
Again (for verification):
After that the database should exist as the /etc/sasldb file
Step 4 : test SASL -> PAM authentication
========================================
The SASL library includes a sample server and a sample client application
for test and debug purposes.
Before integrating SASL -> PAM into OpenLDAP, testing the SASL -> PAM
mechanism on its own is recommended.
In this step we assume that pam_smb_auth already works:
-a) pam_smb_auth.so is present in /usr/lib/security (the PAM files below
reference it as /lib/security/pam_smb_auth.so; use whichever path holds
the module on your system),
-b) file /etc/pam_smb.conf is configured with the domain
and two servers (PDC and BDC) for authentication purposes,
-c) in the Win NT Domain we have a valid "test" user account.
The SASL sample will be used with the "sample" service name
- a) create a /usr/lib/sasl/sample.conf file telling SASL to authenticate
the sample service using PAM. This file contains one line
pwcheck_method: pam
- b) in the /etc/pam.d directory create a conf PAM file named "sample"
#%PAM-1.0
# is used by SASL sample with SASL configured with pwcheck_method: PAM
#
auth sufficient /lib/security/pam_smb_auth.so debug nolocal
auth required /lib/security/pam_deny.so
account sufficient /lib/security/pam_unix.so
account required /lib/security/pam_deny.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_unix.so
We are now ready to run the sample, authenticating as the "test" NT user.
In two separate X terminals run the cyrus sasl sample-server and sample-client.
Queries and responses between sample client and sample server are exchanged by copy/paste
between the two terminals.
- a) run the server and the client
term-1(sample-server):
# ./sample-server -s sample
Generating client mechanism list...
Sending list of 4 mechanism(s)
S: UExBSU4gQU5PTllNT1VTIERJR0VTVC1NRDUgQ1JBTS1NRDU=
Waiting for client mechanism...
term-2(sample-client):
# ./sample-client -s sample -u test -a test
service=sample
Waiting for mechanism list from server...
- b) copy the mechanism list (line S: UEx....NRDU=)
from the server (term-1) and paste it to the client (term-2)
the client will then display the mechanism list PLAIN ANONYMOUS DIGEST-MD5 CRAM-MD5
and prompt for the password of the Win NT test user
term-2(sample-client):
...
Waiting for mechanism list from server...
S: UExBSU4gQU5PTllNT1VTIERJR0VTVC1NRDUgQ1JBTS1NRDU=
Choosing best mechanism from: PLAIN ANONYMOUS DIGEST-MD5 CRAM-MD5
Password:
Enter the password; the client will display
...
Using mechanism PLAIN
Preparing initial.
Sending initial response...
C: UExBSU4AdGVzdAB0ZXN0AGFjaHR1bmc=
Waiting for server reply...
- c) copy the response (line C: UEx....1bmc=)
from the client (term-2) and paste it to the server (term-1).
sample-server will then authenticate the test user against the Win NT domain PDC
through pam_smb_auth
term-1(sample-server):
...
Waiting for client mechanism...
C: UExBSU4AdGVzdAB0ZXN0AGFjaHR1bmc=
got 'PLAIN'
Negotiation complete
Username: test
Realm: mycomputer.mydomain.fr
SSF: 0
We now have an operational SASL => PAM => pam_smb_auth => NT domain PDC chain.
Note the "SSF: 0" reported by the server: the PLAIN mechanism provides no
encryption, and the pasted C: line carries the password in clear text, merely
base64-encoded.
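To see why Step 11 below warns against PLAIN, decode the two blobs pasted between the terminals. This is an added example, not part of Jacques Landru's notes or of the Cyrus SASL sample programs; it assumes a POSIX shell with GNU-style `base64 -d`, `tr` and `sed`. The blobs are copied from the transcript above. The decoded client line contains the test account's password, which is the point: base64 is encoding, not protection.

```shell
#!/bin/sh
# Added example (not from the original HOWTO or the Cyrus SASL sources):
# decode the two base64 blobs that step 4 has you paste between the
# terminals, to show what a passive observer of a SASL PLAIN exchange sees.
# Assumes a POSIX sh with `base64 -d` (GNU coreutils), `tr` and `sed`.

# Both blobs are copied verbatim from the step 4 transcript.
SERVER_MECH_LIST='UExBSU4gQU5PTllNT1VTIERJR0VTVC1NRDUgQ1JBTS1NRDU='
CLIENT_INITIAL='UExBSU4AdGVzdAB0ZXN0AGFjaHR1bmc='

# decode_blob B64 -> the decoded bytes, with every NUL shown as '|'.
# The sample client sends the chosen mechanism name, then the PLAIN
# fields authzid, authcid and password, all separated by NUL bytes,
# which a terminal would otherwise swallow.
decode_blob() {
    printf '%s' "$1" | base64 -d | tr '\000' '|'
}

# plain_password B64 -> the last NUL-separated field of a client
# initial response, i.e. the password, exactly as seen on the wire.
plain_password() {
    decode_blob "$1" | sed 's/.*|//'
}

# plain_response AUTHZID AUTHCID PASSWORD -> the blob the sample client
# would send for those credentials: "PLAIN" NUL authzid NUL authcid NUL
# password, base64-encoded. Round-trips with decode_blob above.
plain_response() {
    printf 'PLAIN\000%s\000%s\000%s' "$1" "$2" "$3" | base64
}

echo "server offers: $(decode_blob "$SERVER_MECH_LIST")"
echo "client sent:   $(decode_blob "$CLIENT_INITIAL")"
echo "password:      $(plain_password "$CLIENT_INITIAL")"
```

The same decoding applies to a packet capture of a real slapd bind using PLAIN (Step 10): without TLS, anyone on the path between client and server recovers the NT domain password with one `base64 -d`.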
Step 5 : compile and install OpenLDAP enabling cyrus SASL mechanism and SASL password
======================================================================================
--with-cyrus-sasl and --enable-spasswd
- in openldap directory
# ./configure --with-cyrus-sasl --enable-spasswd
# make depend
# make
# make test
# make install
... more details in OpenLDAP install file
Step 6 : configure SLAPD to use SASL PLAIN mechanism
====================================================
In OpenLDAP the parameter named sasl-secprops is by default "noanonymous,noplain".
So if you want PLAIN you must clear that default. Setting it to "none" clears both
flags, which also enables the ANONYMOUS mechanism; if you only need PLAIN,
"sasl-secprops noanonymous" allows PLAIN while keeping anonymous logins disabled.
On the LDAP client side SASL mechanisms are governed by the SASL_SECPROPS parameter
in the /usr/local/etc/openldap/ldap.conf file
# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.4.8.6 2000/09/05 17:54:38 kurt Exp $
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
SASL_SECPROPS none
On the server side, SASL mechanisms are governed by the sasl-host,
sasl-realm and sasl-secprops parameters in the global
configuration section of the slapd.conf file.
Setting sasl-secprops to "none" clears the flag properties
default ("noanonymous,noplain").
...
#
# S A S L secprops
#
sasl-secprops none
...
Step 7 : configure SASL pwcheck_method for the SLAPD service
============================================================
create the /usr/lib/sasl/slapd.conf file with this single line
pwcheck_method: pam
Step 8 : configure pam parameters for slapd service using pam_smb_auth
======================================================================
In the /etc/pam.d directory create file named "ldap" and containing
#%PAM-1.0
# is used by openldap slapd with SASL configured with pwcheck_method: PAM
#
auth sufficient /lib/security/pam_smb_auth.so debug nolocal
auth required /lib/security/pam_deny.so
account sufficient /lib/security/pam_unix.so
account required /lib/security/pam_deny.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_unix.so
Step 9 : Verify which SASL mechanisms are presented by slapd server
===================================================================
To see the SASL mechanisms supported by the server you can use the ldapsearch command
in two ways
-a) use ldapsearch with debug level set to 2
you will then see in the PDU trace which mechanisms are listed
# /usr/local/bin/ldapsearch -d 2
-b) do an ldapsearch on the supportedSASLMechanisms attribute of the root DSE
# /usr/local/bin/ldapsearch -x -L -s "base" -b "" supportedSASLMechanisms
version: 1
#
# filter: (objectclass=*)
# requesting: supportedSASLMechanisms
#
#
dn:
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
# search result
# numResponses: 2
# numEntries: 1
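After changing sasl-secprops it is worth checking the root DSE mechanically rather than by eye, because "none" also exposes ANONYMOUS. The script below is an added example, not part of the original notes: it reads the LDIF that Step 9 produces, lists the mechanisms, and tags the ones that send the password in clear (PLAIN, and LOGIN where a SASL build offers it) or need no credentials at all (ANONYMOUS). The LDIF embedded in it is a constructed copy of the Step 9 output; on a live server pipe the real ldapsearch output into the function instead.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit the mechanism list
# read from the root DSE in step 9 after changing sasl-secprops.
# Assumes POSIX sh and awk. On a live server pipe the real output in:
#   /usr/local/bin/ldapsearch -x -L -s base -b "" supportedSASLMechanisms | audit_mechs

# Constructed copy of the step 9 output, comment and trailer lines included,
# as ldapsearch -L prints them.
SAMPLE_LDIF='version: 1
#
# filter: (objectclass=*)
# requesting: supportedSASLMechanisms
#
dn:
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
# search result
# numResponses: 2
# numEntries: 1'

# list_mechs: LDIF on stdin -> one mechanism name per line, in server order.
# Comment lines and the empty "dn:" line never match the attribute name.
list_mechs() {
    awk -F': ' '$1 == "supportedSASLMechanisms" { print $2 }'
}

# audit_mechs: LDIF on stdin -> one line per mechanism, tagged WEAK when
# the mechanism sends the password in clear (PLAIN, LOGIN) or needs no
# credentials (ANONYMOUS), "ok" otherwise. Exit status 1 if any WEAK
# mechanism is offered, so the check can gate a deployment script.
# Without a TLS layer, a WEAK entry means the clear-text exchange decoded
# under step 4 is reachable from the network.
audit_mechs() {
    list_mechs | awk '
        BEGIN { weak["PLAIN"] = weak["LOGIN"] = weak["ANONYMOUS"] = 1; bad = 0 }
        { tag = ($1 in weak) ? "WEAK" : "ok"; if (tag == "WEAK") bad = 1; print tag, $1 }
        END { exit bad }'
}

printf '%s\n' "$SAMPLE_LDIF" | audit_mechs || echo "weak mechanisms are offered"
```

With the sasl-secprops value used in Step 6 ("none") the audit reports PLAIN and ANONYMOUS as WEAK; with "noanonymous" only PLAIN remains, which is the minimum this setup needs until TLS is in place.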
Step 10 : Make a LDAP query with the Win NT test user
=====================================================
# /usr/local/bin/ldapsearch -L -b "dc=enic,dc=fr" -U test -X test "(objectclass=*)"
SASL/PLAIN authentication started
Please enter your password:
SASL username: test
SASL realm: mycomputer.mydomain.fr
SASL SSF: 0
version: 1
#
# filter: (objectclass=*)
# requesting: ALL
#
...
(note: in the above example replace -b "dc=enic,dc=fr" with the right base of your server).
Step 11 : Securing clear-text password exchange (Need to be completed...)
=========================================================================
*** W A R N I N G ****
Clear-text password exchange (SASL PLAIN mode) should be avoided.
SSL or TLS (using OpenSSL) needs to be activated so that the PLAIN
exchange only ever runs inside an encrypted connection;
this paper needs to be completed !!!
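Step 11 is left unfinished above. The fragment below, added here and not part of Jacques Landru's notes or of the OpenLDAP project's documentation, shows the settings that put the PLAIN exchange inside TLS. File paths and the SSF threshold are assumptions; the directive names are those of slapd.conf(5) and ldap.conf(5) in the OpenLDAP 2.x series, so confirm them against the man pages of the release you built (2.0.11 here).

```conf
# --- slapd.conf, global section (added example; paths are assumptions) ---
# Server certificate and private key. The key must be unencrypted and
# readable only by the user slapd runs as.
TLSCertificateFile      /usr/local/etc/openldap/slapd-cert.pem
TLSCertificateKeyFile   /usr/local/etc/openldap/slapd-key.pem
# CA certificate(s) needed to complete the server's chain
TLSCACertificateFile    /usr/local/etc/openldap/ca.pem
# Refuse operations, binds included, on any connection whose security
# strength factor is below 56, i.e. one that has not negotiated TLS.
# PLAIN itself contributes SSF 0 (the "SSF: 0" lines in steps 4 and 10),
# so this is what keeps a clear-text bind off the wire.
security ssf=56
# Allow PLAIN but keep ANONYMOUS disabled (step 6 used "none", which enables both)
sasl-secprops noanonymous

# --- ldap.conf, client side ---
# Verify the server certificate against this CA and abort if it does not chain
TLS_CACERT  /usr/local/etc/openldap/ca.pem
TLS_REQCERT demand
SASL_SECPROPS noanonymous
```

With these in place, run the Step 10 query as `ldapsearch -ZZ -L -b "dc=enic,dc=fr" -U test -X test "(objectclass=*)"`: `-ZZ` makes the StartTLS extended operation mandatory before the SASL bind, so a failed TLS negotiation aborts instead of silently falling back to clear text. Alternatively start slapd with `-h "ldap:/// ldaps:///"` to also serve LDAP over SSL on port 636. Because `security ssf=56` applies to every operation, the Step 9 root DSE query must also be issued with `-ZZ`; use it to confirm that ANONYMOUS is no longer listed.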
===== oOo =====
____SNIP____