Linux AD integration with OpenDJ
Linux centralized identity and authentication: interoperability with AD
Pieter Baele – [email protected]
FlossUK DevOps Spring 2015 @ York
25 March, 2015
Pieter Baele – [email protected] (FlossUK DevOps Spring 2015 @ York) – A directory server integration with AD – 25 March, 2015 – 1 / 28
Presentation overview
The history of our implementation
Concepts and principles
Choices: server and client-side
Tooling
The design
Monitoring
References
History of our LDAP implementation
Situation in 2009: a growing Linux environment (less than 100 servers), no LDAP. A bigger Unix environment exists with its own Sun Directory Server.
central management of (some) users: let’s use Puppet
manually - with scripts - create users on the Sun Directory Server
add them - manually - to Puppet
good for application users, not funny when you have 100 real users to add
So let’s develop a nice directory architecture!
Concepts and requirements
HA using replication and load-balancing
traceability and auditing
secure
  practical ACL support (only on groups)
  transport security - TLS, SSF factor
some SSO functionality + fallback (PTA)
accounts not maintained by us, automatic decommissioning
ensuring UIDs and GIDs are unique across the enterprise
applications: local users
central store for sudo rules
support
KISS (complexity introduces risks)
no need to duplicate things if they exist already
Implementation choice: server-side
the ’classic’ LDAP approach
Samba + Winbind
other LDAP servers in general
Unix attributes and Active Directory
the Red Hat way - IPA
realmd
the hybrid approach: OpenDJ as Directory Server, AD Kerberos and some duct tape.
Tried most of the above...
Implementation choice (server): the classic approach
everybody knows the classic approach, right?
OpenLDAP
sometimes with MIT or Heimdal Kerberos
and maybe with some bits of Cyrus-SASL - SASLauthd
welcome to the world of LDIF
almost heaven for LDAP gurus
perfect when there is the need for speed (MDB...amazing)
perfect for custom implementations (backends - overlays)
no special benefit for our case
Support: so who is the expert?
Implementation choice (server): Winbind / Active Directory
Winbind
  join the system to AD
  AD SID to POSIX attribute mapping
  trusted domains
  do you want those components on your server?
Active Directory
  ID mapping uses SFU/IMU extensions in AD
  maintained by another team
  do we really want Windows to manage our entries?
Implementation choice (server): Realmd
offers direct integration to AD by configuring SSSD
replaces Winbind
detects the domain using DNS
identity lookup using AD
Kerberos or LDAP authentication
you need a Domain Admin
Implementation choice (server): 389 Directory Server
used for a subproject of my internship (mmr)
based on the Netscape code
why? we already have our (Sun) Oracle 11g... which can’t replicate with 389!
support from Red Hat
no benefit
The history of (some) directory servers
Implementation choice (server): (Free)IPA
Complete IdM with DS, NTP, PKI, KDC, HTTPD and DNS
it’s free on RHEL
especially made for the needs of Linux AuthN/AuthZ
choices for integrating with AD
  synchronization service - on each domain controller (also possible with 389, which is part of FreeIPA)
  a subdomain (or a new domain) + AD trust relationship
bugs (when I tested it)
  after release: not supported when you added custom schemas :-(
  nowadays: if it can help you, why not?
The first product specifically for this use case (!)
  real Role-Based Access Control
  Automember
  Integrated web interface
  SELinux integration (confined users / mapping)
Implementation choice (server): OpenDJ
rather easy (IMO)
has a very complete administrative menu (dsconfig)
setting up replication is only 1 command
cn=config / LDIF configuration when you need it
has a REST interface
possibility to integrate with OpenAM (WebSSO is possible)
can be monitored in various ways
  JMX
  logs
  SNMP
  cn=monitor
never let us down so far (lost 1 replica once because of a configuration error)
fast for dev
OpenDJ: the future of OpenDJ
OpenDJ: components
architecture / design: physical
each datacenter its own pair of directory servers
architecture / design: DIT
as flat as possible
keep organisation structure out of the tree
client: replace legacy tools
System Security Services Daemon
A project from Red Hat
before: nss ldap, nscd
supports a lot of different integrations
  direct integration with AD
  IPA
  using only an LDAP server such as OpenLDAP
  or something custom ...
msktutil: Active Directory Keytab Management
creates user or computer accounts in Active Directory,
creates Kerberos keytabs on Unix/Linux systems
adds and removes principals to and from keytabs
changes the user or computer account’s password.
AD Kerberos != MIT Kerberos ... e.g. each keytab for Apache made by Windows also needs a specific user
the configuration, pt 1: OpenDJ
SASL enabled: set-sasl-mechanism-handler-prop --handler-name GSSAPI --set enabled:true
PTA: AD domain certificate added to keystore
protocols, replication
Referential Integrity
Memberof enabled
UID Unique enabled
the configuration, pt 2: data
add host entries, the UID is used as a SASL principal match (HOSTNAME$)
a user is added by our tools, data is used from AD and from the Unix directory server if present
most real users have PTA enabled, which is as simple as setting a password policy: ds-pwp-password-policy-dn: cn=PTA Policy,cn=Password Policies,cn=config
no password is set for users, application users are not able to login directly
users need to be memberOf a group that allows access AND we use netgroups
we use SUDO directly, to have no impact from SSSD caching
the configuration, pt 3: client (using cfgmgmt)
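The data model the two configuration slides above describe (a real user with the PTA policy and no userPassword, an application user without PTA, a host entry whose uid is HOSTNAME$ for the SASL principal match, and a uidNumber uniqueness check) as an added Python example; this is not the author's Perl/Python tooling, and BASE_DN, ou=Hosts and the `account` object class for hosts are assumptions:

```python
"""Build OpenDJ user and host entries as LDIF (added example, not the author's tooling)."""

# Assumptions: BASE_DN, ou=Hosts and the 'account' object class are placeholders;
# the PTA policy DN is the one named in the slides.
BASE_DN = "dc=example,dc=com"
PTA_POLICY_DN = "cn=PTA Policy,cn=Password Policies,cn=config"


def uid_number_is_free(uid_number, existing_uid_numbers):
    """Enterprise-wide uniqueness: a uidNumber issued anywhere must not be reused."""
    return uid_number not in set(existing_uid_numbers)


def build_user_entry(uid, cn, sn, uid_number, gid_number, existing_uid_numbers, pta=True):
    """Real user: POSIX data taken from AD / the Unix directory, no userPassword at all,
    and the PTA policy so that simple binds are passed through to AD.
    Application users get pta=False and therefore cannot log in directly."""
    if not uid_number_is_free(uid_number, existing_uid_numbers):
        raise ValueError(f"uidNumber {uid_number} is already in use")
    attrs = {
        "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson", "posixAccount"],
        "uid": [uid], "cn": [cn], "sn": [sn],
        "uidNumber": [str(uid_number)], "gidNumber": [str(gid_number)],
        "homeDirectory": [f"/home/{uid}"], "loginShell": ["/bin/bash"],
    }
    if pta:
        attrs["ds-pwp-password-policy-dn"] = [PTA_POLICY_DN]
    return f"uid={uid},ou=People,{BASE_DN}", attrs


def build_host_entry(hostname):
    """Host entry: uid is the AD computer principal name (HOSTNAME$), which the GSSAPI
    identity mapper matches against when a host binds with its keytab."""
    sam = hostname.split(".")[0].upper() + "$"
    return f"uid={sam},ou=Hosts,{BASE_DN}", {"objectClass": ["top", "account"], "uid": [sam]}


def to_ldif(dn, attrs):
    """Serialise one entry as LDIF, ready for ldapmodify -a or the Python LDAP tooling."""
    lines = [f"dn: {dn}"] + [f"{a}: {v}" for a, vals in attrs.items() for v in vals]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    dn, attrs = build_user_entry("jdoe", "Jane Doe", "Doe", 10001, 10001, [10000])
    print(to_ldif(dn, attrs))
    print(to_ldif(*build_host_entry("web01.example.com")))
```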
installation of packages
configuration of a (minimal) krb5.conf
call to msktutil to create computer account in AD
call to authconfig (EL specific)
  enabling sssd
  enabling mkhomedir (oddjobd)
  enabling PAM access
setting the NISDOMAIN (RHEL 7: rhel-domainname service)
tooling: Perl
Perl-LDAP is perfect
first script: with a curses frontend ;-(
functionality: added a user to the correct organisation, enabled PTA
for other tasks: Apache Directory Studio
code not very maintainable for my colleagues...
tooling: Python
OpenDJ REST using python-requests
some limitations
Python LDAP turned out to be the most flexible way
today frequent operations are supported: netgroups; sudo; root access...
and we have a functional frontend written in Flask :-)
Management tools are as important as the underlying technologies used.
monitoring
primary monitoring of service / daemon
log files: parsing with Logstash, especially access (audit) log correlation
SNMP: using your beloved monitoring platform
JMX: Java Management Extensions, perfect for some internals about the JRE
don’t forget... cn=monitor
monitoring: cn=monitor
LDAP metrics: number of operations (bind, search, modrdn ...) and response times
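The access-log correlation the monitoring slide mentions, as an added Python example (not the author's Logstash configuration): CONNECT, BIND REQ and BIND RES lines are joined by conn and op so that failed binds can be counted per source and bind DN. The log lines are constructed in the OpenDJ 2.x access-log layout; the threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the OpenDJ 2.x access-log layout (not taken from the slides).
SAMPLE_LOG = """\
[25/Mar/2015:10:00:01 +0000] CONNECT conn=7 from=10.0.0.5:51234 to=10.0.0.1:1389 protocol=LDAP
[25/Mar/2015:10:00:01 +0000] BIND REQ conn=7 op=0 msgID=1 version=3 type=SIMPLE dn="uid=jdoe,ou=People,dc=example,dc=com"
[25/Mar/2015:10:00:01 +0000] BIND RES conn=7 op=0 msgID=1 result=49 etime=3
[25/Mar/2015:10:00:02 +0000] BIND REQ conn=7 op=1 msgID=2 version=3 type=SIMPLE dn="uid=jdoe,ou=People,dc=example,dc=com"
[25/Mar/2015:10:00:02 +0000] BIND RES conn=7 op=1 msgID=2 result=49 etime=2
[25/Mar/2015:10:00:03 +0000] BIND REQ conn=7 op=2 msgID=3 version=3 type=SIMPLE dn="uid=jdoe,ou=People,dc=example,dc=com"
[25/Mar/2015:10:00:03 +0000] BIND RES conn=7 op=2 msgID=3 result=49 etime=2
[25/Mar/2015:10:00:03 +0000] DISCONNECT conn=7 reason="Client Disconnect"
[25/Mar/2015:10:00:04 +0000] CONNECT conn=8 from=10.0.0.9:40001 to=10.0.0.1:1389 protocol=LDAP
[25/Mar/2015:10:00:04 +0000] BIND REQ conn=8 op=0 msgID=1 version=3 type=SIMPLE dn="uid=app1,ou=People,dc=example,dc=com"
[25/Mar/2015:10:00:04 +0000] BIND RES conn=8 op=0 msgID=1 result=0 authDN="uid=app1,ou=People,dc=example,dc=com" etime=1
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] (?P<kind>[A-Z]+(?: (?:REQ|RES))?) (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted

def parse_line(line):
    """Split one access-log line into timestamp, message kind and key=value fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["ts"], fields["kind"] = m.group("ts"), m.group("kind")
    return fields

def correlate_binds(lines):
    """Join CONNECT, BIND REQ and BIND RES by conn (and op) into one record per bind."""
    source_by_conn, pending, binds = {}, {}, []
    for f in filter(None, map(parse_line, lines)):
        if f["kind"] == "CONNECT":
            source_by_conn[f["conn"]] = f["from"].rsplit(":", 1)[0]
        elif f["kind"] == "BIND REQ":
            pending[(f["conn"], f["op"])] = f.get("dn", "")
        elif f["kind"] == "BIND RES":
            binds.append({"ts": f["ts"], "src": source_by_conn.get(f["conn"], "?"),
                          "dn": pending.pop((f["conn"], f["op"]), ""), "result": int(f["result"])})
    return binds

def failed_bind_counts(binds, threshold=3):
    """Count invalidCredentials (result 49) per (source, bind DN); keep those at/over threshold."""
    counts = defaultdict(int)
    for b in binds:
        if b["result"] == 49:
            counts[(b["src"], b["dn"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}
```

Because real users have PTA enabled, every result=49 here was also a failed bind against AD, so the same correlation shows when the directory is being used to exhaust an AD account's lockout budget.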
almost no-one uses it (?)
protect the tree with ACL
there is a nice but older cn=monitor frontend on SourceForge (RPM, DEB...)
still thinking about a new cn=monitor frontend
some observations and remarks
only a very small dataset, but a lot of accesses
separate functional users in AD:
  One that can only create computer account objects (msktutil)
  One with (search) access to user OUs, used for PTA
DNS is crucial
NTP critical for Kerberos (and log files)
local users only possible with recent Puppet versions if present in LDAP (luseradd and alike)
SSHD first tries GSSAPI authentication, then host-based, public key, passwords
What are we still missing?
home directories mounted by autofs
performance details (from client)
a platform to manage public keys
  OpenSSH LPK project
  PrivacyIDEA
indexes
References
LDAP Toolbox project to get started quickly with OpenLDAP: http://ltb-project.org/wiki/
FreeIPA: Dmitri Pal, AD Integration options for Linux Systems, Developer Conference, Brno, 2013
Windows Integration Guide, Red Hat official docs