From 87a6af5bb9a9d262a280f424b8e6a16f0bc45855 Mon Sep 17 00:00:00 2001 From: Andreas Kempe <kempe@lysator.liu.se> Date: Sat, 17 Oct 2020 15:03:53 +0200 Subject: [PATCH] ldap: add client configuration class Add class for LDAP client configuration. This should allow logins authenticated against Lysator's FreeIPA server. --- files/ldap/autofs/auto_master | 10 +++ files/ldap/autofs/include_ldap | 57 +++++++++++++ files/ldap/ipa/ca.crt | 27 ++++++ files/ldap/krb5.conf | 28 +++++++ files/ldap/nslcd.conf | 145 +++++++++++++++++++++++++++++++++ files/ldap/nsswitch.conf | 16 ++++ files/ldap/openldap/ldap.conf | 18 ++++ files/ldap/pam.d/sshd | 28 +++++++ files/ldap/pam.d/su | 17 ++++ files/ldap/pam.d/system | 26 ++++++ manifests/ldap.pp | 108 ++++++++++++++++++++++++ 11 files changed, 480 insertions(+) create mode 100644 files/ldap/autofs/auto_master create mode 100755 files/ldap/autofs/include_ldap create mode 100644 files/ldap/ipa/ca.crt create mode 100644 files/ldap/krb5.conf create mode 100644 files/ldap/nslcd.conf create mode 100644 files/ldap/nsswitch.conf create mode 100644 files/ldap/openldap/ldap.conf create mode 100644 files/ldap/pam.d/sshd create mode 100644 files/ldap/pam.d/su create mode 100644 files/ldap/pam.d/system create mode 100644 manifests/ldap.pp diff --git a/files/ldap/autofs/auto_master b/files/ldap/autofs/auto_master new file mode 100644 index 0000000..f77f33c --- /dev/null +++ b/files/ldap/autofs/auto_master @@ -0,0 +1,10 @@ +# $FreeBSD: releng/12.1/usr.sbin/autofs/auto_master 337749 2018-08-14 13:52:08Z trasz $ +# +# Automounter master map, see auto_master(5) for details. +# +#/net -hosts -nobrowse,nosuid,intr +# When using the -media special map, make sure to edit devd.conf(5) +# to move the call to "automount -c" out of the comments section. +#/media -media -nosuid,noatime,autoro +#/- -noauto ++auto.master diff --git a/files/ldap/autofs/include_ldap b/files/ldap/autofs/include_ldap new file mode 100755 index 0000000..3639b13 --- /dev/null +++ b/files/ldap/autofs/include_ldap @@ -0,0 +1,57 @@ +#!/bin/sh +# +# $FreeBSD: releng/12.1/usr.sbin/autofs/autofs/include_ldap 280321 2015-03-21 09:42:37Z trasz $ +# + +# Modify this to suit your needs. The "$1" is the map name, eg. "auto_master". +# To debug, simply run this script with map name as the only parameter. It's +# supposed to output map contents ("key location" pairs) to standard output. +SEARCHBASE="automountmapname=$1,cn=default,cn=automount,dc=ad,dc=lysator,dc=liu,dc=se" +ENTRY_ATTRIBUTE="description" +VALUE_ATTRIBUTE="automountInformation" + +# fstype=nfs4 fungerar inte på FreeBSD då det inte finns något +# NFS-filsystem. Använd sed för att byta det till något vettigare. +/usr/local/bin/ldapsearch -LLL -x -o ldif-wrap=no -b "$SEARCHBASE" "$ENTRY_ATTRIBUTE" "$VALUE_ATTRIBUTE" | sed 's/fstype=nfs4/nfsv4,minorversion=1/' | awk ' +$1 == "'$ENTRY_ATTRIBUTE':" { + key = $2 +} + +$1 == "'$VALUE_ATTRIBUTE':" { + for (i = 2; i <= NF; i++) { + value[i] = $(i) + } + nvalues = NF + b64 = 0 +} + +# Double colon after attribute name means the value is in Base64. +$1 == "'$VALUE_ATTRIBUTE'::" { + for (i = 2; i <= NF; i++) { + value[i] = $(i) + } + nvalues = NF + b64 = 1 +} + +# Empty line - end of record. +NF == 0 && key != "" && nvalues > 0 { + printf "%s%s", key, OFS + for (i = 2; i < nvalues; i++) { + printf "%s%s", value[i], OFS + } + if (b64 == 1) { + printf "%s", value[nvalues] | "b64decode -rp" + close("b64decode -rp") + printf "%s", ORS + } else { + printf "%s%s", value[nvalues], ORS + } +} + +NF == 0 { + key = "" + nvalues = 0 + delete value +} +' diff --git a/files/ldap/ipa/ca.crt b/files/ldap/ipa/ca.crt new file mode 100644 index 0000000..08d2fb3 --- /dev/null +++ b/files/ldap/ipa/ca.crt @@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEnTCCAwWgAwIBAgIBATANBgkqhkiG9w0BAQsFADA8MRowGAYDVQQKDBFBRC5M +WVNBVE9SLkxJVS5TRTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4X +DTIwMDMyMDE5MTgzNloXDTQwMDMyMDE5MTgzNlowPDEaMBgGA1UECgwRQUQuTFlT +QVRPUi5MSVUuU0UxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTCCAaIw +DQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBANaYjKUVykk27iKciufzJ487fyBq +/0l+EC4PKYHHthV6o+n73wV0FVXHoxk5Wdy8kjiJsH1FSCs7dRjHhLu4Vq2fhTg+ +NSom0xV/Y5PiJrAJ1qasOrQo7hPTPRFChl9v+yMkBrA5ARFwE4H2T1Z6vr/Qvzyf +XZhO2gLz5Ff7UJ3EnVXhnSI2Z6Tt3PbGMzkFLZ6NG1R6W400oB3LcF53prmUREvb +oslacAURsRRVwERHsTWZRlTwdY9knnZbqY07s0f7GbCGgEjPW49DEEkCwg3i2O7M +PRNMmnkeT/tJi15B6paXTZyG8OEGv4atZuoPOS0ObsmLTRkAlAUvRADLLC+HeGKG +4i9voTn1gjMYaBKw50Yb7ZlCGlfRJ7Tv3TPtAwErjEXn+IoLBS7UikYdDUmFXeAa +I452366kWcBTNln7k8vJJGxTWEoJ7Y79wBBPVvLB/HwrMSx7wYnpZ00zKdt76tKE +4qn4kCUi+BuBVKAS8UggJHltKwum63yOXFQYNwIDAQABo4GpMIGmMB8GA1UdIwQY +MBaAFDACxsxc7j+qqmvXpMAtG42t28UtMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0P +AQH/BAQDAgHGMB0GA1UdDgQWBBQwAsbMXO4/qqpr16TALRuNrdvFLTBDBggrBgEF +BQcBAQQ3MDUwMwYIKwYBBQUHMAGGJ2h0dHA6Ly9pcGEtY2EuYWQubHlzYXRvci5s +aXUuc2UvY2Evb2NzcDANBgkqhkiG9w0BAQsFAAOCAYEAfBMrVvWgsZEbLO291/Xt +lrjIpY8Fz8N5QgeBHckvgL/Uu21/svKPchEWLXcqlFkAXUMHKRomkM9nxeEg0p8X +yTHQnaOIi9z/Meb/zXRYCZeK4QWEDvwTlApkCSzN6gz3Pq2IPb04dshsL5eQYzBl +p50v0MHrJVYlxOkYFJKZ+SbTlKuwU8zfaVtXA5A//7c+3dBHMbomgMRp9qJzCV1w +ek+R8AX5ozdGxC1Oy70xT7IOqBTdD/VI5UrEc5SwnVXJD5CY8QwEsLvcs59GrZCK +cR+mQF7prRShbu57pHqJsnm56wjDnSVRVfjg6UNLcFDWWrj8LBQjpYB8HtjFSwIl +wf70W3zRBReuqyXEGc8J/bDdc1+QGeoVcQ0e1JyzxP+BwPdUAQFAkf/5vttK0Yc2 +485EmZuaigHXXBUYUYsIH0cOYkzql4fe2RpUVTbturRr1lT9EzQpTIF2E2ie0Fhe +CCSKN2wpR+HTytkPoo6dHPp9jslnEEu/Y36lDWx3tNbm +-----END CERTIFICATE----- diff --git a/files/ldap/krb5.conf b/files/ldap/krb5.conf new file mode 100644 index 0000000..553bfc5 --- /dev/null +++ b/files/ldap/krb5.conf @@ -0,0 +1,28 @@ +[libdefaults] + default_realm = AD.LYSATOR.LIU.SE + dns_lookup_realm = true + dns_lookup_kdc = true + rdns = false + dns_canonicalize_hostname = false + ticket_lifetime = 24h + forwardable = true + udp_preference_limit = 0 + default_ccache_name = KEYRING:persistent:%{uid} + +[realms] + AD.LYSATOR.LIU.SE = { + pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem + pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem + kdc = trocca.ad.lysator.liu.se + } + +[domain_realm] + ad.lysator.liu.se = AD.LYSATOR.LIU.SE + .ad.lysator.liu.se = AD.LYSATOR.LIU.SE + .lysator.liu.se = AD.LYSATOR.LIU.SE + lysator.liu.se = AD.LYSATOR.LIU.SE + +[logging] + default = FILE:/var/log/krb5libs.log + kdc = FILE:/var/log/krb5kdc.log + admin_server = FILE:/var/log/kadmin.log diff --git a/files/ldap/nslcd.conf b/files/ldap/nslcd.conf new file mode 100644 index 0000000..7c3a14e --- /dev/null +++ b/files/ldap/nslcd.conf @@ -0,0 +1,145 @@ +# This is the configuration file for the LDAP nameservice +# switch library's nslcd daemon. It configures the mapping +# between NSS names (see /etc/nsswitch.conf) and LDAP +# information in the directory. +# See the manual page nslcd.conf(5) for more information. + +# The user and group nslcd should run as. +uid nslcd +gid nslcd + +# The uri pointing to the LDAP server to use for name lookups. +# Multiple entries may be specified. The address that is used +# here should be resolvable without using LDAP (obviously). +#uri ldap://127.0.0.1/ +#uri ldaps://127.0.0.1/ +#uri ldapi://%2fvar%2frun%2fldapi_sock/ +# Note: %2f encodes the '/' used as directory separator +uri ldap://trocca.ad.lysator.liu.se/ + +# The LDAP version to use (defaults to 3 +# if supported by client library) +#ldap_version 3 + +# The distinguished name of the search base. +base cn=compat,dc=ad,dc=lysator,dc=liu,dc=se +base group cn=groups,cn=compat,dc=ad,dc=lysator,dc=liu,dc=se +base passwd cn=users,cn=accounts,dc=ad,dc=lysator,dc=liu,dc=se +#base shadow cn=shadow,dc=ad,dc=lysator,dc=liu,dc=se + +# The distinguished name to bind to the server with. +# Optional: default is to bind anonymously. +#binddn cn=proxyuser,dc=example,dc=com + +# The credentials to bind with. +# Optional: default is no credentials. +# Note that if you set a bindpw you should check the permissions of this file. +#bindpw secret + +# The distinguished name to perform password modifications by root by. +#rootpwmoddn cn=admin,dc=example,dc=com + +# The default search scope. +scope sub +#scope one +#scope base + +# Customize certain database lookups. +#base group ou=Groups,dc=example,dc=com +#base passwd ou=People,dc=example,dc=com +#base shadow ou=People,dc=example,dc=com +#scope group onelevel +#scope hosts sub + +# Bind/connect timelimit. +#bind_timelimit 30 + +# Search timelimit. +#timelimit 30 + +# Idle timelimit. nslcd will close connections if the +# server has not been contacted for the number of seconds. +#idle_timelimit 3600 + +# Use StartTLS without verifying the server certificate. +ssl start_tls +#tls_reqcert never + +# CA certificates for server certificate verification +#tls_cacertdir /etc/ssl/certs +tls_cacertfile /usr/local/etc/ipa/ca.crt + +# Seed the PRNG if /dev/urandom is not provided +#tls_randfile /var/run/egd-pool + +# SSL cipher suite +# See man ciphers for syntax +#tls_ciphers TLSv1 + +# Client certificate and key +# Use these, if your server requires client authentication. +#tls_cert +#tls_key + +# Mappings for Services for UNIX 3.5 +#filter passwd (objectClass=User) +#map passwd uid msSFU30Name +#map passwd userPassword msSFU30Password +#map passwd homeDirectory msSFU30HomeDirectory +#map passwd homeDirectory msSFUHomeDirectory +#filter shadow (objectClass=User) +#map shadow uid msSFU30Name +#map shadow userPassword msSFU30Password +#filter group (objectClass=Group) +#map group member msSFU30PosixMember + +# Mappings for Services for UNIX 2.0 +#filter passwd (objectClass=User) +#map passwd uid msSFUName +#map passwd userPassword msSFUPassword +#map passwd homeDirectory msSFUHomeDirectory +#map passwd gecos msSFUName +#filter shadow (objectClass=User) +#map shadow uid msSFUName +#map shadow userPassword msSFUPassword +#map shadow shadowLastChange pwdLastSet +#filter group (objectClass=Group) +#map group member posixMember + +# Mappings for Active Directory +#pagesize 1000 +#referrals off +#idle_timelimit 800 +#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)) +#map passwd uid sAMAccountName +#map passwd homeDirectory unixHomeDirectory +#map passwd gecos displayName +#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)) +#map shadow uid sAMAccountName +#map shadow shadowLastChange pwdLastSet +#filter group (objectClass=group) + +# Alternative mappings for Active Directory +# (replace the SIDs in the objectSid mappings with the value for your domain) +#pagesize 1000 +#referrals off +#idle_timelimit 800 +#filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer))) +#map passwd uid cn +#map passwd uidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820 +#map passwd gidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820 +#map passwd homeDirectory "/home/$cn" +#map passwd gecos displayName +#map passwd loginShell "/bin/bash" +#filter group (|(objectClass=group)(objectClass=person)) +#map group gidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820 + +# Mappings for AIX SecureWay +#filter passwd (objectClass=aixAccount) +#map passwd uid userName +#map passwd userPassword passwordChar +#map passwd uidNumber uid +#map passwd gidNumber gid +#filter group (objectClass=aixAccessGroup) +#map group cn groupName +#map group gidNumber gid diff --git a/files/ldap/nsswitch.conf b/files/ldap/nsswitch.conf new file mode 100644 index 0000000..821b4f3 --- /dev/null +++ b/files/ldap/nsswitch.conf @@ -0,0 +1,16 @@ +# +# nsswitch.conf(5) - name service switch configuration file +# $FreeBSD: releng/12.1/lib/libc/net/nsswitch.conf 338729 2018-09-17 18:56:47Z brd $ +# +group: files ldap +group_compat: nis +hosts: files dns +netgroup: compat +networks: files +passwd: files ldap +passwd_compat: nis +shells: files +services: compat +services_compat: nis +protocols: files +rpc: files diff --git a/files/ldap/openldap/ldap.conf b/files/ldap/openldap/ldap.conf new file mode 100644 index 0000000..70e3649 --- /dev/null +++ b/files/ldap/openldap/ldap.conf @@ -0,0 +1,18 @@ +# +# LDAP Defaults +# + +# See ldap.conf(5) for details +# This file should be world readable but not world writable. + +#BASE dc=example,dc=com +#URI ldap://ldap.example.com ldap://ldap-provider.example.com:666 + +#SIZELIMIT 12 +#TIMELIMIT 15 +#DEREF never + +URI ldaps://trocca.ad.lysator.liu.se +BASE dc=ad,dc=lysator,dc=liu,dc=se +TLS_CACERT /usr/local/etc/ipa/ca.crt +SASL_MECH GSSAPI diff --git a/files/ldap/pam.d/sshd b/files/ldap/pam.d/sshd new file mode 100644 index 0000000..c5befa8 --- /dev/null +++ b/files/ldap/pam.d/sshd @@ -0,0 +1,28 @@ +# +# $FreeBSD: releng/12.1/lib/libpam/pam.d/sshd 197769 2009-10-05 09:28:54Z des $ +# +# PAM configuration for the "sshd" service +# + +# auth +auth sufficient pam_opie.so no_warn no_fake_prompts +auth requisite pam_opieaccess.so no_warn allow_local +auth sufficient pam_krb5.so no_warn try_first_pass +#auth sufficient pam_ssh.so no_warn try_first_pass +auth required pam_unix.so no_warn try_first_pass + +# account +account required pam_nologin.so +account required pam_login_access.so +account sufficient /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user +#account required pam_krb5.so +account required pam_login_access.so +account required pam_unix.so + +# session +#session optional pam_ssh.so want_agent +session required pam_permit.so + +# password +password sufficient pam_krb5.so no_warn try_first_pass +password required pam_unix.so no_warn try_first_pass diff --git a/files/ldap/pam.d/su b/files/ldap/pam.d/su new file mode 100644 index 0000000..c298269 --- /dev/null +++ b/files/ldap/pam.d/su @@ -0,0 +1,17 @@ +# +# $FreeBSD: releng/12.1/lib/libpam/pam.d/su 219663 2011-03-15 10:13:35Z des $ +# +# PAM configuration for the "su" service +# + +# auth +auth sufficient pam_rootok.so no_warn +auth sufficient pam_self.so no_warn +auth requisite pam_group.so no_warn group=root root_only fail_safe ruser +auth include system + +# account +account include system + +# session +session required pam_permit.so diff --git a/files/ldap/pam.d/system b/files/ldap/pam.d/system new file mode 100644 index 0000000..7c734e9 --- /dev/null +++ b/files/ldap/pam.d/system @@ -0,0 +1,26 @@ +# +# $FreeBSD: releng/12.1/lib/libpam/pam.d/system 197769 2009-10-05 09:28:54Z des $ +# +# System-wide defaults +# + +# auth +auth sufficient pam_opie.so no_warn no_fake_prompts +auth requisite pam_opieaccess.so no_warn allow_local +auth sufficient pam_krb5.so no_warn try_first_pass +#auth sufficient pam_ssh.so no_warn try_first_pass +auth required pam_unix.so no_warn try_first_pass nullok + +# account +#account required pam_krb5.so +account required pam_login_access.so +account sufficient /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user +account required pam_unix.so + +# session +#session optional pam_ssh.so want_agent +session required pam_lastlog.so no_fail + +# password +password sufficient pam_krb5.so no_warn try_first_pass +password required pam_unix.so no_warn try_first_pass diff --git a/manifests/ldap.pp b/manifests/ldap.pp new file mode 100644 index 0000000..b0daecb --- /dev/null +++ b/manifests/ldap.pp @@ -0,0 +1,108 @@ +class freebsd::ldap { + package { + [ + 'nss-pam-ldapd', + 'openldap-client', + ]: + ensure => installed, + } + + file { '/etc/nsswitch.conf': + ensure => file, + source => 'puppet:///modules/freebsd/ldap/nsswitch.conf', + owner => 'root', + group => 'wheel', + mode => '0644', + } + + file { '/etc/krb5.conf': + ensure => file, + source => 'puppet:///modules/freebsd/ldap/krb5.conf', + owner => 'root', + group => 'wheel', + mode => '0644', + } + + file { '/etc/pam.d/sshd': + ensure => file, + source => 'puppet:///modules/freebsd/ldap/pam.d/sshd', + owner => 'root', + group => 'wheel', + mode => '0644', + } + + file { '/etc/pam.d/system': + ensure => file, + source => 'puppet:///modules/freebsd/ldap/pam.d/system', + owner => 'root', + group => 'wheel', + mode => '0644', + } + + file { '/etc/pam.d/su': + ensure => file, + source => 'puppet:///modules/freebsd/ldap/pam.d/su', + owner => 'root', + group => 'wheel', + mode => '0644', + } + + file { '/etc/auto_master': + ensure => file, + source => 'puppet:///modules/freebsd/ldap/autofs/auto_master', + owner => 'root', + group => 'wheel', + mode => '0644', + } + + file { '/etc/autofs/include_ldap': + ensure => file, + source => 'puppet:///modules/freebsd/ldap/autofs/include_ldap', + owner => 'root', + group => 'wheel', + mode => '0755', + } + + file { '/etc/autofs/include': + ensure => 'link', + target => '/etc/autofs/include_ldap', + } + + file_line { 'Enable autofs': + path => '/etc/rc.conf', + line => 'autofs_enable="YES"', + } + + file { '/usr/local/etc/nslcd.conf': + ensure => file, + source => 'puppet:///modules/freebsd/ldap/nslcd.conf', + owner => 'root', + group => 'wheel', + mode => '0644', + } + + file_line { 'Enable nslcd': + path => '/etc/rc.conf', + line => 'nslcd_enable="YES"', + } + + file { '/usr/local/etc/openldap/ldap.conf': + ensure => file, + source => 'puppet:///modules/freebsd/ldap/openldap/ldap.conf', + owner => 'root', + group => 'wheel', + mode => '0644', + } + + file { '/usr/local/etc/ipa': + ensure => directory, + } + + file { '/usr/local/etc/ipa/ca.crt': + ensure => file, + source => 'puppet:///modules/freebsd/ldap/ipa/ca.crt', + owner => 'root', + group => 'wheel', + mode => '0644', + } +} -- GitLab