Network/Ldap
From Hackerspace Brussels
< Network
|
PEN/OID
We have the following PEN from IANA: 1.3.6.1.4.1.43666.
This is based on previous work by User:TQ_Hirsh
1.3.6.1.4.1.43666.1 (EXPERIMENTAL)
1.3.6.1.4.1.43666.2 (LDAP)
1.3.6.1.4.1.43666.2.1 (LDAP Attribute type)
- x-hsbxl-pgpKey - PGP public key used for encrypted communications
- x-hsbxl-sponsorID - Sponsoring member
- x-hsbxl-membershipReason - Why you're becoming a member
- x-hsbxl-sshPubKey - SSH public key
The following entries might be included in the definitive user schema
- x-hsbxl-membershipStructuredComm - Structured communication for membership payments
- x-hsbxl-membershipAccountId - Internal identifier for membership account
- x-hsbxl-drinksStructuredcomm - Structured communication for drink account
- x-hsbxl-drinksAccountId - Internal identifier for fridge account
- x-hsbxl-RFID-id - Access control token ID
1.3.6.1.4.1.43666.2.2 (LDAP Object class)
1.3.6.1.4.1.43666.3 (SNMP)
(todo)
1.3.6.1.4.1.43666.4 (Member-defined objects)
This arc is reserved for HSBXL member-defined attributes. To use it, get your uidNumber from our LDAP database, and append it to this OID. Anything defined below the resulting OID is up to you.
Example: Your LDAP uidNumber is 4242. Your personal arc will then be 1.3.6.1.4.1.43666.4.4242. Your 1.3.6.1.4.1.43666.4.4242 arc can then be subdivided as you like: 1.3.6.1.4.1.43666.4.4242.1 (arc foo) 1.3.6.1.4.1.43666.4.4242.2 (arc bar) 1.3.6.1.4.1.43666.4.4242.3 (arc baz)
Getting started
root@xm1:~# apt-get install slapd ldap-utils migrationtools ldapscripts
Replication
Adding hosts
When you want to give shell access to a Linux desktop/server you install to HSBXL userbase, there are a few needed steps:
- Request a machine account in the ou=machines,dc=hsbxl,dc=be organizational unit
- apt-get install libpam-ldapd
- Give the IP address of the LDAP server (currently 192.168.255.1)
- Give the base DN (dc=hsbxl,dc=be)
- Say yes to all options
- Edit /etc/pam.d/common-account and add the following line at the end:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
- Edit the /etc/nslcd.conf file:
- Verify that the server URI is correct:
uri ldap://192.168.255.1
- Add the machine account details
binddn uid=<machinename>,ou=machines,dc=hsbxl,dc=be bindpw <your machine account password> ignorecase yes
- Stop the nscd cache daemon (this is the cache daemon, and can get in the way during the testing phase)
/etc/init.d/nscd stop
- Restart the nslcd daemon
/etc/init.d/nslcd restart
- Use this command to see if you get more users than what's defined in /etc/passwd:
getent passwd
- If you get the user list from the LDAP server, your setup is working and you can restart the nscd daemon:
/etc/init.d/nscd start
SUDO
Yes, sudo rights can be managed straight from the LDAP !
- install sudo-ldap
apt-get install sudo-ldap
- Edit the file /etc/sudo-ldap.conf:
URI ldap://192.168.255.1 BASE dc=hsbxl,dc=be binddn <machine account> bindpw <password> sudoers_base ou=sudoers,dc=hsbxl,dc=be
- Add the following to /etc/nsswitch.conf:
sudoers: ldap
- Import my custom ldap-sudo schema
- Create the ou=sudoers,dc=hsbxl,dc=be organizational unit
- Add entries into that subtree
RADIUS
On the router:
root@gate:~# apt-get install freeradius freeradius-utils
TODO
- Local Replication
- RADIUS server setup (spacefed)
This is work in progress