Enhancement #593

PAM LDAP Rework

Added by Marc Dequènes over 1 year ago. Updated over 1 year ago.

Status: Resolved
Priority: Urgent
Category: Service :: IS / AAA / PKI
Start date: 2017-09-19
Due date:
% Done: 100%
Patch Available:
Confirmed: No
Branch: pam_ldap_rework2
Entity: DuckCorp
Security: Yes
Help Needed:

Description

Most hosts are using nslcd to handle LDAP cache and authentication/authorization filters. It proved to be a better system and I wanted to use it everywhere, but Elwing and Orfeo had services in need of special authorization filters and still use nss-ldap+pam-ldap+unscd.

Example of the minbif PAM config with pam_ldap_minbif.conf containing specific LDAP filters:

auth            requisite       pam_ldap.so config=/etc/pam_ldap_minbif.conf
account         requisite       pam_ldap.so config=/etc/pam_ldap_minbif.conf
session         optional        pam_ldap.so config=/etc/pam_ldap_minbif.conf
password        requisite       pam_ldap.so config=/etc/pam_ldap_minbif.conf use_authtok

With nslcd's pam_authz_search it is now possible to mix various variables and couple host+service names like this:

pam_authz_search (&(objectClass=shellUser)(uid=$username)(|(allowedServices=$fqdn--$service)(allowedServices=$service)))

The goal is to improve the LDAP config to store these new values in allowedServices instead and switch to nslcd. Then we can clean up the whole config and distribute it via Ansible.

Also, changes in the PAM common files introduced problems (see #349), which may open unwanted access, so this would also fix these problems as we would get back to pam-auth-update management, as intended by the Debian package maintainers.


Related issues

Related to DuckCorp Infrastructure - Bug #349: pam-auth-update activated LDAP in common non-ldap configurations Rejected 2014-09-10

History

#1 Updated by Marc Dequènes over 1 year ago

  • Priority changed from Normal to Urgent

#2 Updated by Marc Dequènes over 1 year ago

  • Related to Bug #349: pam-auth-update activated LDAP in common non-ldap configurations added

#3 Updated by Marc Dequènes over 1 year ago

  • Branch set to pam_ldap_rework

#4 Updated by Marc Dequènes over 1 year ago

  • Status changed from New to In Progress
  • % Done changed from 0 to 60

The changes in the `dc-ldap` role are done. Orfeo and Elwing are now using nslcd. The PAM config is cleaned up on all hosts.

Now I need to polish the config and deploy the shell servers tools and configs with Ansible.

#5 Updated by Marc Dequènes over 1 year ago

  • % Done changed from 60 to 70
  • Branch changed from pam_ldap_rework to pam_ldap_rework2

Properly separated login and SSH aspects.

Filtering on objectClass=shellUser was fine on machines with only shell in mind, but now it is blocking non-shell users from accessing other services. Working on fixing this.
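The following is an added example, not code from the DuckCorp issue, its Ansible role, or nslcd itself. It covers both the pam_authz_search template quoted in the description and the objectClass=shellUser problem noted above: nslcd substitutes $username, $fqdn, $service and friends into the template (escaping them per RFC 4515) and sends the resulting filter to the LDAP server, so the script expands the template the same way and evaluates the filter against a few constructed entries. The mini filter evaluator, the hostnames, the users and the case-insensitive matching on every attribute are all assumptions made for the demo.

```python
"""Added example: expand an nslcd pam_authz_search template and evaluate it
offline against constructed LDAP entries.  Not nslcd or OpenLDAP code."""
import re

# Template quoted in the issue, and a variant without the shellUser restriction
# (the cause of non-shell users being blocked from other services).
SHELL_FILTER = (
    "(&(objectClass=shellUser)(uid=$username)"
    "(|(allowedServices=$fqdn--$service)(allowedServices=$service)))"
)
SERVICE_FILTER = (
    "(&(uid=$username)"
    "(|(allowedServices=$fqdn--$service)(allowedServices=$service)))"
)

# Constructed directory entries; hostnames and users are made up.
DIRECTORY = [
    {"uid": ["alice"], "objectClass": ["inetOrgPerson", "shellUser"],
     "allowedServices": ["sshd", "elwing.example.org--minbif"]},
    {"uid": ["bob"], "objectClass": ["inetOrgPerson"],
     "allowedServices": ["minbif"]},
]


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping of an assertion value, as nslcd applies to each variable.
    This is what keeps a username like 'a)(uid=*' from rewriting the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def ldap_unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def expand_template(template: str, variables: dict) -> str:
    """Replace $name tokens with escaped values; an unknown name raises KeyError."""
    return re.sub(r"\$(\w+)",
                  lambda m: ldap_escape(variables[m.group(1)]), template)


def parse_filter(text: str):
    """Parse the &, |, ! and equality subset of RFC 4515 into nested tuples."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at {pos}")
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            if text[pos] != ")":
                raise ValueError(f"expected ')' at {pos}")
            pos += 1
            return (op, children)
        end = text.index(")", pos)  # raw parens inside values are escaped away
        attr, value = text[pos:end].split("=", 1)
        pos = end + 1
        return ("=", attr, value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against one entry (assumes caseIgnoreMatch)."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    needle = ldap_unescape(value).lower()
    return any(v.lower() == needle for v in entry.get(attr, []))


def authorized(template: str, username: str, fqdn: str, service: str,
               directory=DIRECTORY) -> bool:
    """True if pam_authz_search would find an entry for this user/host/service."""
    variables = {"username": username, "fqdn": fqdn, "service": service}
    tree = parse_filter(expand_template(template, variables))
    return any(matches(tree, entry) for entry in directory)


if __name__ == "__main__":
    for user, host, svc in [("alice", "elwing.example.org", "minbif"),
                            ("alice", "orfeo.example.org", "minbif"),
                            ("bob", "elwing.example.org", "minbif")]:
        print(user, host, svc,
              "shellUser filter:", authorized(SHELL_FILTER, user, host, svc),
              "service filter:", authorized(SERVICE_FILTER, user, host, svc))
```

Running it shows the two properties the issue relies on: alice's `elwing.example.org--minbif` grant works only on that host while her plain `sshd` grant works everywhere, and bob, who is not a shellUser, is rejected by the original template but accepted for minbif once the objectClass clause is dropped. The escaping check matters because these values come straight from the PAM conversation; nslcd escapes them for you, but any hand-rolled equivalent must do the same.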

#6 Updated by Marc Dequènes over 1 year ago

  • Status changed from In Progress to Resolved
  • % Done changed from 70 to 100

This is now automated and the authz config is fixed.

The old `host` field is now unused.
