Linux AD integration with OpenDJ


Page 1: Linux AD integration with OpenDJ

Linux centralized identity and authentication interoperability with AD

Pieter Baele – [email protected]

FlossUK DevOps Spring 2015 @ York

25 March, 2015

Pieter Baele – [email protected] (FlossUK DevOps Spring 2015 @ York) A directory server integration with AD 25 March, 2015 1 / 28

Page 2: Linux AD integration with OpenDJ

Presentation overview

The history of our implementation

Concepts and principles

Choices: server- and client-side

Tooling

The design

Monitoring

References


Page 3: Linux AD integration with OpenDJ

history of our LDAP implementation

Situation in 2009: a growing Linux environment (fewer than 100 servers), no LDAP. A bigger Unix environment exists with its own Sun Directory Server.

central management of (some) users: let’s use Puppet

manually - with scripts - create users on the Sun Directory Server

add them - manually - to Puppet

good for application users, not funny when you have 100 real users to add

So let’s develop a nice directory architecture!


Page 4: Linux AD integration with OpenDJ

Concepts and requirements

HA using replication and load-balancing

traceability and auditing

secure

practical ACL support (only on groups)

transport security - TLS, SSF factor

some SSO functionality + fallback (PTA)

accounts not maintained by us, automatic decommissioning

ensuring UID and GID’s are unique across the enterprise

applications: local users

central store for sudo rules

support

KISS (complexity introduces risks)

no need to duplicate things if they exist already


Page 5: Linux AD integration with OpenDJ

Implementation choice: server-side

the ’classic’ LDAP approach

Samba + Winbind

other LDAP servers in general

Unix attributes and Active Directory

the Red Hat way - IPA

realmd

the hybrid approach: OpenDJ as Directory Server, AD Kerberos and some duct tape.

Tried most of the above...


Page 6: Linux AD integration with OpenDJ

Implementation choice (server): the classic approach

everybody knows the classic approach, right?

OpenLDAP

sometimes with MIT or Heimdal Kerberos

and maybe with some bits of Cyrus-SASL - SASLauthd

welcome to the world of LDIF

almost heaven for LDAP gurus

perfect when there is the need for speed (MDB...amazing)

perfect for custom implementations (backends - overlays)

no special benefit for our case

Support: so who is the expert?



Page 8: Linux AD integration with OpenDJ

Implementation choice (server): Winbind / Active Directory

Winbind

join the system to AD

AD SID to POSIX attribute mapping

trusted domains

do you want those components on your server?

Active Directory

ID mapping uses SFU/IMU extensions in AD

maintained by another team

do we really want Windows to manage our entries?


Page 9: Linux AD integration with OpenDJ

Implementation choice (server): Realmd

offers direct integration to AD by configuring SSSD

replaces Winbind

detects the domain using DNS

identity lookup using AD

Kerberos or LDAP authentication

you need a Domain Admin


Page 10: Linux AD integration with OpenDJ

Implementation choice (server): 389 Directory Server

used for a subproject of my internship (mmr)

based on the Netscape code

why? we already have our (Sun) Oracle 11g... which can’t replicate with 389!

support from Red Hat

no benefit


Page 11: Linux AD integration with OpenDJ

The history of (some) directory servers


Page 12: Linux AD integration with OpenDJ

Implementation choice (server): (Free)IPA

Complete IdM with DS, NTP, PKI, KDC, HTTPD and DNS

it’s free on RHEL

especially made for the needs of Linux AuthN/AuthZ

choices for integrating with AD:

synchronization service - on each domain controller (also possible with 389, which is part of FreeIPA)

a subdomain (or a new domain) + AD trust relationship

bugs (when I tested it)

after release: not supported when you added custom schemas :-(

nowadays: if it can help you, why not?

The first product specifically for this use case (!)

real Role-Based Access Control

Automember

integrated web interface

SELinux integration (confined users / mapping)



Page 14: Linux AD integration with OpenDJ

Implementation choice (server): OpenDJ

rather easy (IMO)

has a very complete administrative menu (dsconfig)

setting up replication is only 1 command

cn=config / LDIF configuration when you need it

has a REST interface

possibility to integrate with OpenAM (WebSSO is possible)

can be monitored in various ways:

JMX, logs, SNMP, cn=monitor

never let us down so far (lost 1 replica once because of a configuration error)

fast for dev

Page 15: Linux AD integration with OpenDJ

OpenDJ: the future of OpenDJ


Page 16: Linux AD integration with OpenDJ

OpenDJ: components


Page 17: Linux AD integration with OpenDJ

architecture / design: physical

each datacenter its own pair of directory servers


Page 18: Linux AD integration with OpenDJ

architecture / design: DIT

as flat as possible

keep organisation structure out of the tree


Page 19: Linux AD integration with OpenDJ

client: replace legacy tools

System Security Services Daemon

A project from Red Hat

before: nss ldap, nscd

supports a lot of different integrations

direct integration with AD

IPA

using only an LDAP server such as OpenLDAP

or something custom ...


Page 20: Linux AD integration with OpenDJ

msktutil: Active Directory Keytab Management

creates user or computer accounts in Active Directory,

creates Kerberos keytabs on Unix/Linux systems

adds and removes principals to and from keytabs

changes the user or computer account’s password.

AD Kerberos != MIT Kerberos ... e.g. each keytab for Apache made by Windows also needs a specific user


Page 21: Linux AD integration with OpenDJ

the configuration, pt 1: OpenDJ

SASL enabled:

set-sasl-mechanism-handler-prop --handler-name GSSAPI --set enabled:true

PTA: AD domain certificate added to keystore

protocols, replication

Referential Integrity

Memberof enabled

UID Unique enabled


Page 22: Linux AD integration with OpenDJ

the configuration, pt 2: data

add host entries, the UID is used as a SASL principal match (HOSTNAME$)

a user is added by our tools, data is used from AD and from the Unix directory server if present

most real users have PTA enabled, which is as simple as setting a password policy:

ds-pwp-password-policy-dn: cn=PTA Policy,cn=Password Policies,cn=config

no password is set for users, application users are not able to log in directly

users need to be memberOf a group that allows access AND we use netgroups

we use SUDO directly, to have no impact from SSSD caching
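The entry types from the two configuration slides (host entries keyed on HOSTNAME$, PTA-enabled real users versus password-less application users, netgroups) as an added example that is not code from the talk; it builds the LDIF and checks the slides' invariants before a python-ldap tool would write the entries. The suffix, OU names and netgroup name are assumptions; the PTA policy DN is the one the slide shows.

```python
"""Added example, not the talk's tooling: build and sanity-check LDIF for the
entry types on slides 21-22 before writing them to OpenDJ. Suffix, OU names
and netgroup name are assumed; the PTA policy DN is the one from the slide."""

PTA_POLICY_DN = "cn=PTA Policy,cn=Password Policies,cn=config"
BASE_DN = "dc=example,dc=org"  # assumed suffix

def host_entry(fqdn):
    """Host entry whose uid is the AD computer account name (HOSTNAME$),
    so a GSSAPI bind as host/<fqdn> can be matched onto this entry."""
    sam = fqdn.split(".")[0].upper() + "$"
    return {"dn": f"uid={sam},ou=hosts,{BASE_DN}",
            "objectClass": ["top", "account"], "uid": [sam], "host": [fqdn]}

def user_entry(uid, uid_number, gid_number, pta):
    """Real users get the PTA policy (binds are passed through to AD);
    application users get no policy and no password, so they cannot bind."""
    entry = {"dn": f"uid={uid},ou=people,{BASE_DN}",
             "objectClass": ["top", "person", "posixAccount"],
             "uid": [uid], "cn": [uid], "sn": [uid],
             "uidNumber": [str(uid_number)], "gidNumber": [str(gid_number)],
             "homeDirectory": [f"/home/{uid}"], "loginShell": ["/bin/bash"]}
    if pta:
        entry["ds-pwp-password-policy-dn"] = [PTA_POLICY_DN]
    return entry

def netgroup_entry(name, triples):
    """nisNetgroup triples are (host,user,domain); '-' means 'no match',
    an empty field is a wildcard, so (-,jdoe,) is user jdoe from anywhere."""
    return {"dn": f"cn={name},ou=netgroup,{BASE_DN}",
            "objectClass": ["top", "nisNetgroup"], "cn": [name],
            "nisNetgroupTriple": [f"({h},{u},)" for h, u in triples]}

def problems(entry):
    """Invariants from the slides: no entry carries a userPassword, and a
    host uid must be the AD computer name ending in '$'."""
    found = []
    if "userPassword" in entry:
        found.append("userPassword set: authentication must go through PTA")
    if ",ou=hosts," in entry["dn"] and not entry["uid"][0].endswith("$"):
        found.append("host uid must be the AD computer account HOSTNAME$")
    return found

def to_ldif(entry):
    """Serialise one entry as LDIF (values here are plain ASCII)."""
    lines = [f"dn: {entry['dn']}"]
    for attr, values in entry.items():
        if attr != "dn":
            lines += [f"{attr}: {value}" for value in values]
    return "\n".join(lines) + "\n"
```

Run `problems()` on every entry your tooling generates before the add, and the SSSD client never sees a user that can bind with a local directory password.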


Page 23: Linux AD integration with OpenDJ

the configuration, pt 3: client (using cfgmgmt)

installation of packages

configuration of a (minimal) krb5.conf

call to msktutil to create computer account in AD

call to authconfig (EL specific)

enabling sssd

enabling mkhomedir (oddjobd)

enabling PAM access

setting the NISDOMAIN (RHEL 7: rhel-domainname service)


Page 24: Linux AD integration with OpenDJ

tooling: Perl

Perl-LDAP is perfect

first script: with a curses frontend ;-(

functionality: added a user to the correct organisation, enabled PTA

for other tasks: Apache Directory Studio

code not very maintainable for my colleagues...


Page 25: Linux AD integration with OpenDJ

tooling: Python

OpenDJ REST using python-requests

some limitations

Python LDAP turned out to be the most flexible way

today frequent operations are supported: netgroups; sudo; root access...

and we have a functional frontend written in Flask :-)

Management tools are as important as the underlying technologies used.


Page 26: Linux AD integration with OpenDJ

monitoring

primary monitoring of service / daemon

log files: parsing with Logstash, especially access (audit) log correlation

SNMP: using your beloved monitoring platform

JMX: Java Management Extensions, perfect for some internals about the JRE

don’t forget... cn=monitor



Page 28: Linux AD integration with OpenDJ

monitoring: cn=monitor

LDAP metrics: number of operations (bind, search, modrdn ...) and response times

almost no-one uses it (?)

protect the tree with ACL

there is a nice but older cn=monitor frontend on SourceForge (RPM, DEB...)

still thinking about a new cn=monitor frontend


Page 29: Linux AD integration with OpenDJ

some observations and remarks

only a very small dataset, but a lot of accesses

separate functional users in AD:

one that can only create computer account objects (msktutil)

one with (search) access to the user OUs, used for PTA

DNS is crucial

NTP critical for Kerberos (and log files)

local users only possible with recent Puppet versions if present in LDAP (luseradd and alike)

SSHD first tries GSSAPI authentication, then host-based, public key, passwords


Page 30: Linux AD integration with OpenDJ

What are we still missing?

home directories mounted by autofs

performance details (from client)

a platform to manage public keys

OpenSSH LPK project

PrivacyIDEA

indexes


Page 31: Linux AD integration with OpenDJ

References

LDAP Toolbox project to get started quickly with OpenLDAP: http://ltb-project.org/wiki/

FreeIPA: Dmitri Pal, AD Integration options for Linux Systems, Developer Conference, Brno, 2013

Windows Integration Guide, Red Hat official docs
