User Authentication with LDAP
There are two ways to configure the user authentication with LDAP.
Option 1: PAM + LDAP
This is the more versatile setup. It supports user authentication via name and password and can also assign POSIX groups to the users. This is necessary if you want to use the include.group, exclude.group or group.<group name>.roles options in your usersources.ini.
Requirements
This setup requires the LDAP server to provide objects with objectClass: posixAccount and objectClass: posixGroup for the LDAP -> POSIX mapping, together with all relevant LDAP attributes for those object classes. See ldapwiki.com.
Otherwise the LDAP client inside the LinkAhead container cannot identify the LDAP objects as POSIX users or groups, and subsequently PAM cannot include those users or groups.
OpenLDAP
The OpenLDAP server supports the POSIX attributes out of the box, and POSIX users and groups can be managed easily with front-ends like phpLDAPadmin.
MS Active Directory
In MS Active Directory servers the POSIX attributes are handled by the Identity Management for UNIX extension. Unfortunately, this extension has been deprecated since Windows Server 2008 R2 and was removed after Windows Server 2012 R2 (maybe they want you to buy more MS software instead...).
When the Identity Management for UNIX extension cannot be used, you have to fall back to Option 2: ldap_authentication.sh.
Configuration
To activate the PAM + LDAP setup, set the conf.ldap option to true in your profile.yml.
The configuration for the LDAP client is located in your profile's custom directory at custom/other/nslcd.conf. This file must not be readable by anyone but the owner, so the permissions should be set with chmod go-r nslcd.conf. LinkAhead uses nslcd as its LDAP client, and the configuration must contain at least:
# The location at which the LDAP server(s) should be reachable.
uri <ldap://ldap-service/>
# The search base that will be used for all queries.
base <dc=example,dc=org>
See man nslcd.conf for more information and have a look at the section Configure LinkAhead for LDAP below.
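The following is an added example (not part of LinkAhead or nslcd) that checks a custom/other/nslcd.conf against the points made above: the owner-only permissions set with chmod go-r, the required uri and base options, and, going one step further than the text, a bindpw that would be sent over a plain ldap:// URI without STARTTLS. The function names and the findings it returns are this example's own.

```python
# Added example (not LinkAhead's own tooling): sanity-check a
# custom/other/nslcd.conf before starting the container.
import os
import stat


def check_nslcd_conf(text, mode):
    """Return a list of findings for an nslcd.conf, given its content and
    its permission bits (as found in os.stat(path).st_mode)."""
    findings = []
    # nslcd.conf may hold a bindpw, so group/other must not be able to read it
    # (the documented fix is: chmod go-r nslcd.conf).
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("file is readable by group or others; run: chmod go-r nslcd.conf")
    # nslcd.conf lines are "<option> <value...>"; '#' starts a comment.
    options = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        options.setdefault(key.lower(), []).append(value.strip())
    # The text above states nslcd needs at least a uri and a base.
    for required in ("uri", "base"):
        if required not in options:
            findings.append("missing required option: %s" % required)
    # A bind password over a plain ldap:// connection crosses the network
    # unencrypted unless STARTTLS ("ssl start_tls") is configured.
    plain = [u for u in options.get("uri", []) if u.lower().startswith("ldap://")]
    starttls = "start_tls" in [v.lower() for v in options.get("ssl", [])]
    if "bindpw" in options and plain and not starttls:
        findings.append("bindpw is used over a plain ldap:// uri without TLS")
    return findings


def check_nslcd_file(path):
    """Convenience wrapper: read content and mode from disk."""
    with open(path) as fh:
        text = fh.read()
    return check_nslcd_conf(text, os.stat(path).st_mode)
```

An empty list means the file passes all three checks.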
Example with OpenLDAP
OpenLDAP server
We use a dockerized OpenLDAP server. A minimal setup with an example user database is available in the example-ldap-server.zip.
Just unzip and start the server via
$ ./start_ldap.sh
The LDAP server contains a user anton with password anton who is a member of the group group1, and a user berta with password berta who is a member of the group group2.
The admin user with password admin is available as well. It can be used with tools like phpLDAPadmin or ldap-utils for administration. Please use the Distinguished Name (DN) cn=admin,dc=example,dc=org with these tools.
Configure LinkAhead for LDAP
Add or set ldap: true in your profile.yml:
# minimal profile.yml
default:
  conf:
    ldap: true
Add the nslcd.conf to your profile's custom directory at custom/other/nslcd.conf:
uri ldap://ldap-service
base dc=example,dc=org
binddn cn=admin,dc=example,dc=org
bindpw admin
Note: The binddn must be a user who has sufficient read permissions on the LDAP server in order to fetch the (hashed) passwords into the Docker PAM. If the LDAP server allows anonymous lookups, this can be omitted.
Note: This setup doesn't use TLS. See man nslcd.conf for more information about TLS.
Copy this usersources.ini to your profile's custom dir at custom/caosdb-server/conf/ext/usersources.ini:
# usersources.ini
realms = PAM
defaultRealm = PAM

[PAM]
class = org.caosdb.server.accessControl.Pam
pam_script = ./misc/pam_authentication/pam_authentication.sh
default_status = ACTIVE
include.group = group1
group.group1.roles = administration
This configures LinkAhead to include anton (because he's a member of group1) but exclude berta (because she is not). anton is assigned the administration role.
Start LinkAhead
Start your LinkAhead via
$ linkahead -p <path to your profile.yml> start
Connect LinkAhead with the LDAP Server via
$ docker network connect default_caosnet ldap-service
Go to the web interface or use another client and log in successfully as anton with password anton. Logging in as berta with password berta should fail, because she is not a member of group1.
Option 2: ldap_authentication.sh
This option does not require any of the POSIX attributes. On the downside, groups cannot be identified by this method, and thus none of the include.group, exclude.group or group.<group name>.roles options in your usersources.ini will work.
Additionally, the local users of the Docker container (e.g. the admin user) can no longer be used.
This setup has been tested with an MS Active Directory Service without the Identity Management for UNIX extension.
The authentication uses plain-text passwords; SASL is not supported at the moment, so it is highly recommended to use TLS.
Configuration
The conf.ldap option in your profile.yml is not relevant here. Instead we sneak the ldap_authentication.sh script into the PAM setup of the server: just replace the PAM.pam_script option of your usersources.ini like this:
[PAM]
pam_script = ./misc/pam_authentication/ldap_authentication.sh
And put the configuration into your profile's custom directory at custom/caosdb-server/misc/pam_authentication/ldap.env. See the Example with ldap_authentication.sh and OpenLDAP below.
The full documentation of the ldap.env can be found in the caosdb-server repository at misc/pam_authentication/ldap.env.
Example with ldap_authentication.sh and OpenLDAP
Please set up the OpenLDAP server as described above.
Configure LinkAhead
Copy this usersources.ini to your profile's custom dir at custom/caosdb-server/conf/ext/usersources.ini:
# usersources.ini
realms = PAM
defaultRealm = PAM

[PAM]
class = org.caosdb.server.accessControl.Pam
pam_script = ./misc/pam_authentication/ldap_authentication.sh
default_status = ACTIVE
include.user = anton
user.anton.roles = administration
Copy this ldap.env to your profile's custom dir at custom/caosdb-server/misc/pam_authentication/ldap.env:
# ldap.env
export LDAPURI="ldaps://ldap-service"
export USER_BASE="dc=example,dc=org"
Start LinkAhead
Start your LinkAhead via
$ linkahead -p <path to your profile.yml> start
Connect LinkAhead with the LDAP Server via
$ docker network connect default_caosnet ldap-service
Go to the web interface or use another client and log in successfully as anton with password anton. Logging in as berta with password berta should fail, because she is not included in the usersources.ini.