User Authentication with Ldap

There are two ways to configure the user authentication with LDAP.

Option 1: PAM + LDAP

This is the more versatile setup. It support user authentication via name and password and also can assign POSIX groups to the users. This is necessary if you want to use the include.group, exclude.group, group.<group name>.roles options in your usersources.ini.

Requirements

This setup requires the LDAP server to provide objects the objectClass: posixAccount and objectClass: posixGroup for the LDAP -> POSIX mapping and all relevant LDAP attributes for those object classes. See ldapwiki.com

Otherwise the LDAP client inside the LinkAhead container cannot identify the LDAP objects as POSIX users or groups and subsequently PAM cannot include those users or groups.

OpenLDAP

The OpenLDAP server supports the POSIX attributes out of the box and POSIX users and groups can be managed easily with front-ends like phpLDAPadamin.

MS Active Directory

In MS Active Directory servers the POSIX attributes are handled by the Identity Management for UNIX extension. Unfortunately, this extension is deprecated since Windows Server 2008 R2 and has been removed after Windows Server 2012 R2 (– Maybe they want you to buy more MS software instead…)

When the Identity Management for UNIX extension cannot be used you have to revert to Option 2: ldap_authentication.sh.

Configuration

To activate the PAM + LDAP setup, set the conf.ldap option to true in your profile.yml.

The configuration for the LDAP client is to be located in your profiles custom directory at custom/other/nslcd.conf. This file must not be readable by anyone but the owner, so the permission should be set with chmod go-r nslcd.conf. LinkAhead uses nslcd as LDAP client and the configuration must contain at least:

# The location at which the LDAP server(s) should be reachable.
uri <ldap://ldap-service/>

# The search base that will be used for all queries.
base <dc=example,dc=org>

See man nslcd.conf for more information and have a look at the Configure LinkAhead for LDAP.

Example with OpenLDAP

OpenLDAP server

We use a dockerized OpenLDAP server. A minimal setup with an example user database is available in the example-ldap-server.zip.

Just unzip and start the server via

$ ./start_ldap.sh

The LDAP server contains a user anton with password anton who is member of the group group1 and a user berta with password berta who is member of the group group2.

The admin user with password admin is available as well. It can be used with tools like phpLDAPadamin or ldap-utils for administration. Please use the Distinguished Name (DN) cn=admin,dc=example,dc=org with these tools.

Configure LinkAhead for LDAP

1. Add or set ldap: true in your profile.yml

   # minimal profile.yml
   default:
     conf:
       ldap: true
   

2. Add the nslcd.conf to your profile’s custom directory at custom/other/nslcd.conf:

   uri ldap://ldap-service
   base dc=example,dc=org
   
   binddn cn=admin,dc=example,dc=org
   bindpw admin
   

   Note: The binddn must be a user who has sufficient read permissions for the LDAP server in order to fetch the (hashed) passwords into the docker PAM. If the LDAP server allows anonymous lookups this can be omitted.

   Note: This setup doesn’t use TLS. See man nslcd.conf for more information about TLS.

3. Copy this usersources.ini to your profile’s custom dir at custom/caosdb-server/conf/ext/usersources.ini:

   # usersources.ini
   realms = PAM
   defaultRealm = PAM
   
   [PAM]
   class = org.caosdb.server.accessControl.Pam
   pam_script = ./misc/pam_authentication/pam_authentication.sh
   default_status = ACTIVE
   
   include.group = group1
   group.group1.roles = administration
   

   This configures LinkAhead to include anton (because he’s a member of group1) but exclude berta (because she is not). anton is being assigned the administration role.

Start LinkAhead

1. Start your LinkAhead via

   $ linkahead -p <path to your profile.yml> start
   

2. Connect LinkAhead with the LDAP Server via

   $ docker network connect default_caosnet ldap-service
   

3. Go to the webinterface or use another client and login successfully as anton with password anton. berta with password berta should fail, because she is not a member of group1.

Option 2: ldap_authentication.sh

This option does not require any of the POSIX attributes. On the downside, groups cannot be be identified by this method and thus none of the include.group, exclude.group, group.<group name>.roles options in your usersources.ini will work.

Additionally, the local users of the docker container (e.g. the admin user) can not be used anymore.

This setup has been tested with an MS Active Directory Service without the Identity Management for UNIX extension.

The authentication uses plain text passwords, SASL is not supported at this moment, so it is highly recommended to use TLS.

Configuration

The conf.ldap option in your profile.yml is not relevant here. Instead we sneak the ldap_authentication.sh script into the PAM-Setup of the server:

Just replace the PAM.pam_script option of your usersources.ini like this:

[PAM]
pam_script = ./misc/pam_authentication/ldap_authentication.sh

And put the configuration to your profiles custom directory at custom/caosdb-server/misc/pam_authentication/ldap.env. See the Example with ldap_authentication.sh and OpenLDAP.

The full documentation of the ldap.env can be found in the caosdb-server repository at misc/pam_authentication/ldap.env.

Example with ldap_authentication.sh and OpenLDAP

Please setup the OpenLDAP Server as described above.

Configure LinkAhead

1. Copy this usersources.ini to your profile’s custom dir at custom/caosdb-server/conf/ext/usersources.ini:

   # usersources.ini
   realms = PAM
   defaultRealm = PAM
   
   [PAM]
   class = org.caosdb.server.accessControl.Pam
   pam_script = ./misc/pam_authentication/ldap_authentication.sh
   default_status = ACTIVE
   
   include.user = anton
   user.anton.roles = administration
   

2. Copy this ldap.env to your profile’s custom dir at custom/caosdb-server/misc/pam_authentication/ldap.env:

   # ldap.env
   export LDAPURI="ldaps://ldap-service"
   export USER_BASE="dc=example,dc=org"
   

Start LinkAhead

1. Start your LinkAhead via

   $ linkahead -p <path to your profile.yml> start
   

2. Connect LinkAhead with the LDAP Server via

   $ docker network connect default_caosnet ldap-service
   

3. Go to the webinterface or use another client and login successfully as anton with password anton. berta with password berta should fail, because she is not included in the usersources.ini.