----- "Per Kristiansen" perk@funcom.com wrote:
Hello, I've been working on implementing an LDAP solution for the last 8 months (in-between task, you know how it is :D )
Time flies!
I now have a working LDAP directory, have all my users imported, things actually work! :D..(jinx!)
Excellent work, well done!
But now I wanna get fancy..
I've been googling for some sort of clear description on how I can set up a system using groups of hosts and user groups to create a selective ACL for ssh'ing to a set of servers based on group membership.
It sounds to me like you are almost here and just need help creating the LDAP groups, ACLs and LDAP search/filters for use with nss_ldap on RHEL 4/5 and Centos?
Gavin.
Howard Chu wrote, replying to Gavin Henry:
ACLs for nss_ldap are not the way to handle this. It needs to be done in the PAM account management handlers, and pam_ldap's support for that is pretty weak. In particular, it doesn't support centrally configuring access to services on groups of hosts. The PAM support in nssov is a lot better in this area and can do what the original poster wants; I just haven't written an example ACL for this feature in the docs yet.
Sorry to jump into the middle of this thread, but the nssov overlay sounds very useful, something I would like to take advantage of, but I cannot seem to find any documentation on it. How long has this been available (what release), and where might I find more info?
Thanks, John
-----Original Message-----
From: openldap-technical-bounces+john.kane=prodeasystems.com@OpenLDAP.org On Behalf Of Howard Chu
Sent: Tuesday, May 19, 2009 8:19 PM
To: Gavin Henry
Cc: Per Kristiansen; openldap-technical@openldap.org
Subject: Re: Host based authentication using OpenLDAP
--
Howard Chu
CTO, Symas Corp.            http://www.symas.com
Director, Highland Sun      http://highlandsun.com/hyc/
Chief Architect, OpenLDAP   http://www.openldap.org/project/
Howard Chu wrote, replying to John Kane:
It has not been released yet. You can check out the current code from CVS in contrib/slapd-modules/nssov. You can browse it online here:
http://www.openldap.org/devel/cvsweb.cgi/contrib/slapd-modules/nssov/
The README and slapo-nssov.5 manpage will give you a better idea of what it does.
Howard Chu wrote, following up on his own reply:
Just to clarify: the nssov overlay was first released in OpenLDAP 2.4.11, but it only had NSS support. The PAM support is currently only in CVS.
Howard Chu wrote, adding an example:
And fyi, here's an example... For a given host:
# device is a structural class. ipHost and authorizedServiceObject are both
# auxiliary, and slapd rejects an entry that has no structural class (as
# comes up later in this thread).
dn: cn=hostX,ou=hosts,dc=example,dc=com
objectClass: device
objectClass: ipHost
objectClass: authorizedServiceObject
cn: hostX
ipHostNumber: 192.168.1.127
authorizedService: sshd
authorizedService: ftp
You use the authorizedService attribute to list the PAM services that are available. Then you set ACLs to control who can access each service, like so:
# The last "by" clause is the fall-through for everyone else. The post used
# "search" there, but in slapd.access(5) each level implies the lower ones
# and search includes compare, so that would still let any other user pass
# the Compare; "auth" (or "none") is what actually denies the service.
access to dn.subtree="ou=hosts,dc=example,dc=com"
    attrs=authorizedService val.exact=sshd
    by group.exact="cn=admins,ou=groups,dc=example,dc=com" write
    by peername.ip=192.168.2.0%255.255.255.0 read
    by * auth
The overlay performs a Compare operation to check for the required service, so if you deny Compare access to a particular service, then users aren't allowed to use that service.
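The check Howard describes can be tried offline. The following Python script is an added example (mine, not code from OpenLDAP, nssov, or anyone in this thread): it builds a host entry of the kind shown above and models the ACL decision the way slapd.access(5) evaluates "by" clauses, first match wins and each privilege level implies every lower one. It assumes the overlay's internal Compare is evaluated against the authenticating user's DN, with the nss client as the connection peer; the DNs, group name, IPs and the 192.168.2.0/24 notation for peername.ip are made up for the example. It goes one step beyond the post by contrasting a "by * search" fall-through with a "by * auth" one, since search includes compare and auth does not.

```python
import ipaddress

# slapd.access(5) privilege levels, lowest to highest. Each level implies
# every lower one, so "search" and "read" both include "compare".
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def host_entry_ldif(cn, ip, services, base="ou=hosts,dc=example,dc=com"):
    """LDIF for one host entry listing the PAM services it offers.
    ipHost and authorizedServiceObject are auxiliary, so the structural
    class device is included; without it slapd rejects the entry."""
    lines = [
        f"dn: cn={cn},{base}",
        "objectClass: device",
        "objectClass: ipHost",
        "objectClass: authorizedServiceObject",
        f"cn: {cn}",
        f"ipHostNumber: {ip}",
    ]
    lines += [f"authorizedService: {s}" for s in services]
    return "\n".join(lines) + "\n"


class Requester:
    """Identity the ACL is evaluated against: the user's DN (assumed to be
    the identity of the overlay's internal Compare), the client IP of the
    nss client, and the DNs of the groups the user belongs to."""
    def __init__(self, dn, peer_ip, groups=()):
        self.dn = dn
        self.peer_ip = ipaddress.ip_address(peer_ip)
        self.groups = set(groups)


class AccessStanza:
    """One 'access to dn.subtree=<hosts> attrs=authorizedService
    val.exact=<service>' stanza. clauses is an ordered list of
    (kind, arg, level) mirroring 'by group.exact=<dn>', 'by peername.ip=<net>'
    and 'by *'."""
    def __init__(self, service, clauses):
        self.service = service
        self.clauses = clauses

    def level_for(self, who):
        """First matching 'by' clause wins, as in slapd."""
        for kind, arg, level in self.clauses:
            if kind == "group" and arg in who.groups:
                return level
            if kind == "peername" and who.peer_ip in ipaddress.ip_network(arg):
                return level
            if kind == "*":
                return level
        return "none"            # slapd's implicit trailing "by * none"

    def grants_compare(self, who):
        """True if the granted level implies the compare privilege."""
        return LEVELS.index(self.level_for(who)) >= LEVELS.index("compare")


def may_use_service(host_services, stanza, who):
    """The overlay's decision for one host and one PAM service: the service
    must be listed on the host entry and the Compare must be permitted."""
    return stanza.service in host_services and stanza.grants_compare(who)


# --- constructed data for the example --------------------------------------
ADMINS = "cn=admins,ou=groups,dc=example,dc=com"
HOST_SERVICES = ("sshd", "ftp")    # authorizedService values on cn=hostX

# Clauses with the fall-through as posted ("search").
AS_POSTED = AccessStanza("sshd", [
    ("group", ADMINS, "write"),
    ("peername", "192.168.2.0/24", "read"),
    ("*", None, "search"),
])
# Same stanza with the fall-through lowered to "auth", which excludes compare.
HARDENED = AccessStanza("sshd", [
    ("group", ADMINS, "write"),
    ("peername", "192.168.2.0/24", "read"),
    ("*", None, "auth"),
])

if __name__ == "__main__":
    print(host_entry_ldif("hostX", "192.168.1.127", HOST_SERVICES))
    admin = Requester("uid=alice,ou=people,dc=example,dc=com", "10.0.0.5", [ADMINS])
    other = Requester("uid=bob,ou=people,dc=example,dc=com", "10.0.0.6")
    for name, stanza in (("as posted", AS_POSTED), ("hardened", HARDENED)):
        print(name, "admin:", may_use_service(HOST_SERVICES, stanza, admin),
              "other:", may_use_service(HOST_SERVICES, stanza, other))
```

Running it shows the non-admin user from an unlisted subnet is still allowed sshd under the posted clauses and denied under the hardened ones; the admin group and the 192.168.2.0/24 hosts are unaffected, because their clauses match first.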
Hi
I am following your conversation because I have to do the same thing, so I would like to add hosts to my OpenLDAP, but I don't succeed.
My add.ldif:
dn: cn=hostlab,ou=hosts,dc=netplus,dc=fr
objectClass: top
objectClass: authorizedServiceObject
objectClass: ipHost
cn: hostlab
ipHostNumber: 192.168.45.69
authorizedService: sshd
authorizedService: ftp
My command:
# ldapadd -x -D "cn=manager,dc=netplus,dc=fr" -w **** -f add.ldif
adding new entry "cn=hostlab,ou=hosts,dc=netplus,dc=fr"
ldapadd: Object class violation (65)
        additional info: no structural object class provided
What is the problem? In phpLDAPadmin I get this message:
LDIF import
Could not add object: cn=hostlab,ou=hosts,dc=netplus,dc=fr
LDAP said: LDAP_OBJECT_CLASS_VIOLATION
You tried to perform an operation that would cause an undefined attribute to exist or that would remove a required attribute, given the current list of ObjectClasses. This can also occur if you do not specify a structural objectClass when creating an entry, or if you specify more than one structural objectClass.
Maybe I should have started a new thread; sorry if I'm wrong.
Regards,
François
-----Original Message-----
From: openldap-technical-bounces+francois.mehault=netplus.fr@OpenLDAP.org On Behalf Of Howard Chu
Sent: Friday, 22 May 2009 15:49
To: John Kane
Cc: openldap-technical@openldap.org
Subject: Re: Host based authentication using OpenLDAP
Per Kristiansen wrote, replying to François Mehault:
Did you add the ldapns.schema?
I seem to remember getting something similar when I started out testing this and had a typo in my include.
François Mehault wrote:
Yes, I added ldapns.schema.
cat slapd.conf:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema

# Schemas required for POSIX accounts
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema

# Radius
include /usr/local/etc/openldap/schema/RADIUS-LDAPv3.schema
[...]
attributetype ( 1.3.6.1.4.1.5322.17.2.1
    NAME 'authorizedService'
    DESC 'IANA GSS-API authorized service name'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

objectclass ( 1.3.6.1.4.1.5322.17.1.1
    NAME 'authorizedServiceObject'
    DESC 'Auxiliary object class for adding authorizedService attribute'
    SUP top
    AUXILIARY
    MAY authorizedService )

objectclass ( 1.3.6.1.4.1.5322.17.1.2
    NAME 'hostObject'
    DESC 'Auxiliary object class for adding host attribute'
    SUP top
    AUXILIARY
    MAY host )
-----Original Message-----
From: openldap-technical-bounces+francois.mehault=netplus.fr@OpenLDAP.org On Behalf Of Per Kristiansen
Sent: Monday, 25 May 2009 10:26
To: openldap-technical@openldap.org
Subject: Re: Host based authentication using OpenLDAP
Howard Chu wrote, replying to François Mehault:
Both ipHost and authorizedServiceObject are auxiliary classes; you still need to provide a structural class. "device" is good enough for this purpose...
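The rejection Howard explains can be reproduced before the LDIF ever reaches slapd. The script below is an added example (mine, not OpenLDAP code and not anything posted in the thread): a small LDIF reader plus the structural-class rule, run over the entry as François posted it, the same entry with device added, and a constructed entry carrying two unrelated structural classes. The SCHEMA table is a hand-written subset of core.schema, nis.schema and ldapns.schema giving only each class's kind and SUP; it is an assumption of the example, not a parser of the real schema files, and the messages it returns follow slapd's wording rather than being generated by slapd.

```python
# Name -> (kind, SUP): hand-written subset of core.schema, nis.schema and
# ldapns.schema. Only the kind and the superior matter for this check.
SCHEMA = {
    "top": ("abstract", None),
    "device": ("structural", "top"),
    "person": ("structural", "top"),
    "organizationalPerson": ("structural", "person"),
    "ipHost": ("auxiliary", "top"),
    "authorizedServiceObject": ("auxiliary", "top"),
}
_BY_LOWER = {k.lower(): k for k in SCHEMA}


def canon(name):
    """Case-insensitive objectClass lookup (LDAP names are case-insensitive)."""
    if name.lower() not in _BY_LOWER:
        raise ValueError(f"unknown objectClass '{name}'")
    return _BY_LOWER[name.lower()]


def chain(oc):
    """[oc, its SUP, its SUP's SUP, ..., 'top']."""
    out, cur = [], canon(oc)
    while cur is not None:
        out.append(cur)
        cur = SCHEMA[cur][1]
    return out


def parse_ldif(text):
    """Minimal LDIF reader ('#' comments, 'attr: value', leading-space
    continuation, blank-line separators); no base64 ('::') support."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
        elif lines:
            entries.append(_entry(lines))
            lines = []
    return entries


def _entry(lines):
    dn, attrs = None, {}
    for line in lines:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs


def check_structural(object_classes):
    """None if the classes contain exactly one structural chain, else a
    slapd-style objectClassViolation message."""
    structural = [c for c in map(canon, object_classes)
                  if SCHEMA[c][0] == "structural"]
    if not structural:
        return "no structural object class provided"
    leaf = max(structural, key=lambda c: len(chain(c)))   # most derived one
    for c in structural:
        if c not in chain(leaf):
            return f"invalid structural object class chain ({leaf}/{c})"
    return None


def lint(text):
    """[(dn, problem-or-None)] for every entry in an LDIF string."""
    return [(dn, check_structural(attrs.get("objectclass", [])))
            for dn, attrs in parse_ldif(text)]


# Constructed sample: the entry as posted, the same entry with a structural
# class added, and one with two unrelated structural classes.
SAMPLE_LDIF = """\
dn: cn=hostlab,ou=hosts,dc=netplus,dc=fr
objectClass: top
objectClass: authorizedServiceObject
objectClass: ipHost
cn: hostlab
ipHostNumber: 192.168.45.69
authorizedService: sshd
authorizedService: ftp

dn: cn=hostlab,ou=hosts,dc=netplus,dc=fr
objectClass: top
objectClass: device
objectClass: authorizedServiceObject
objectClass: ipHost
cn: hostlab
ipHostNumber: 192.168.45.69
authorizedService: sshd
authorizedService: ftp

dn: cn=bad,ou=hosts,dc=netplus,dc=fr
objectClass: device
objectClass: person
cn: bad
sn: bad
"""

if __name__ == "__main__":
    for dn, problem in lint(SAMPLE_LDIF):
        print(f"{dn}: {problem or 'ok'}")
```

The first entry fails with the same "no structural object class provided" text as François's ldapadd run, the second passes, and the third fails because device and person do not lie on one inheritance line, which is the other way to earn an objectClassViolation from slapd.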
Gavin Henry wrote, replying to Howard Chu:
OK. My line of thinking was to create dynamic service and host groups and create simple group ACLs for that. These groups would go in the nss config on specific hosts using something like puppet to manage the 60-80 hosts.
I've not looked at nssov so couldn't comment, other than doing the start of a man page for you, Howard.
Thanks.
Per Kristiansen wrote, replying to Gavin Henry:
This is what I'm doing now, using cfengine though and not puppet :)
Per Kristiansen wrote, replying to Howard Chu:
Ahh.. how far would you say this is from being mature enough to run in a production environment?
I've just read the README and finished uncurling from my fetus-like position afterwards (thanks for helping me keep Alzheimer's at bay, btw :) ) and yes, this sounds very much like what I want.
Right now I'm writing a few scripts to create the ACLs using the existing setup. Not NEARLY as smooth as what I want, but at least it will allow me to roll out LDAP for authentication now.
The goal here is to have ONE place where we set these things, and of course to give me more time to think about stuff instead of actually doing stuff :).
I will be trying to set up nssov on my test farm over the weekend, so I might just possibly be whining here later for some help :)