LDAP


Introduction

LDAP is one of the most popular authentication mechanisms for Linux systems. This document describes how to configure a FMADIO system to authenticate against an OpenLDAP server.


Configuration

Configuration of LDAP is verbose but fairly straightforward. The following steps require customization to match the authentication setup of your environment.

Step 1) enable pam-ldap

This disables the current authentication method (likely Basic HTTP) and enables PAM-based Linux authentication instead.

fmadiocli "config security auth pam-ldap"

Example output below:

[Tue Dec 17 21:37:58 2024] > config security auth PAM-LDAP
[Tue Dec 17 21:37:59 2024] Authentication [BASIC] -> [PAM-LDAP]
wait for respawn 0/120
wait for respawn 1/120
wait for respawn 2/120
wait for respawn 3/120
wait for respawn 4/120
wait for respawn 5/120
process respawned
[Tue Dec 17 21:38:05 2024] rebooting the system may be required
[Tue Dec 17 21:38:05 2024] >

Step 2) Disable HTTP Access (optional)

We also strongly recommend disabling HTTP access, as all usernames and passwords are otherwise sent in clear text over unencrypted HTTP.

fmadiocli "config security http false"

Example output below:

fmadio@fmadio100v2-228U:/mnt/store0/etc$ fmadiocli "config security http false"
fmad fmadlua Dec 11 2024 (/opt/fmadio/bin/fmadiolua --nocal /opt/fmadio/bin/fmadiocli config security http false )
Disable cycle calibration
[Tue Dec 17 21:41:44 2024] CmdLine [config security http false]
[Tue Dec 17 21:41:44 2024] Cmd [config security http false ]
[Tue Dec 17 21:41:44 2024] HTTP Access [disable] -> [false]
[Tue Dec 17 21:41:44 2024] please wait 60sec for web access to restart
done 0.173884Sec 0.002898Min
fmadio@fmadio100v2-228U:/mnt/store0/etc$

Step 3) Configure LDAP client nslcd

Start by using the default configuration located in

/opt/fmadio/etc_ro/nslcd.conf

Copy the file as follows

cp /opt/fmadio/etc_ro/nslcd.conf /opt/fmadio/etc/nslcd.conf

The default config looks like the following

fmadio@fmadio100v2-228U:~$ cat /opt/fmadio/etc_ro/nslcd.conf
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.
#log none debug

# The user and group nslcd should run as.
uid root
gid root

# The location at which the LDAP server(s) should be reachable.
uri ldap://192.168.1.100

# The search base that will be used for all queries.
base dc=fmad,dc=io

# The LDAP protocol version to use.
#ldap_version 3

# The DN to bind with for normal lookups.
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret

# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# SSL options
#ssl off
#tls_reqcert never
#tls_cacertfile /etc/ssl/certs/ca-certificates.crt

# The search scope.
#scope sub

#ssl start_tls
#tls_reqcert allow

fmadio@fmadio100v2-228U:~$

NOTE: ensure the permissions of

/opt/fmadio/etc/nslcd.conf

are set to owner root.root with read/write for the owner only, e.g.

-rw-------    1 root     root           716 Mar  8 09:01 /mnt/store0/etc/nslcd.conf

Otherwise nslcd will fail to start due to insecure permissions. The permissions can be set as follows

sudo chown root:root /opt/fmadio/etc/nslcd.conf
sudo chmod 600 /opt/fmadio/etc/nslcd.conf

Step 4) Customize nslcd.conf

Edit the nslcd.conf file, modify the uri, base and any other LDAP-specific settings to match your environment, and save it. Usually there is an existing LDAP client configuration template in the environment that can be replicated here.

Step 5) Reboot the system

Reboot the system using the following command

sudo reboot

Step 6) Check LDAP Connectivity

Change the username, domain, IP address, etc. to match your environment. The following command confirms that the LDAP server can be reached and authenticated against.

ldapwhoami -x  -D cn=fmadio1,ou=users,dc=fmad,dc=io  -H ldap://192.168.1.100/ -w "password"

Successful authentication looks like the following

fmadio@fmadio100v2-228U:~$ ldapwhoami -x  -D cn=fmadio-user,ou=users,dc=fmad,dc=io  -H ldap://192.168.1.100/ -w "password"
dn:cn=fmadio-user,dc=fmad,dc=io

Once this is working, members of the SSH, WWW-Admin and WWW-User LDAP posixGroups can log in to the system.
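As an added example (not part of the FMADIO documentation), the following pre-flight check covers what Steps 3 and 4 require before the reboot in Step 5: the file must be readable by its owner only, uri and base must be set, and it flags active settings that send the bind credentials in clear text or skip server certificate verification. The function names are my own; stat -c assumes GNU coreutils.

```shell
#!/bin/sh
# Added example, not FMADIO's own tooling: sanity-check an nslcd.conf before
# rebooting, so a typo or insecure mode is caught before LDAP logins break.

# Print only active "key value" lines (comments and blank lines removed).
nslcd_active() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# Print the value of a key, or nothing if the key is not active.
nslcd_get() {
    nslcd_active "$1" | awk -v k="$2" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# nslcd refuses to start when the file is readable by group or others.
# Returns 0 for mode 0600 or 0400, 1 otherwise (stat -c is GNU coreutils).
nslcd_mode_ok() {
    case "$(stat -c '%a' "$1")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Count the settings Step 4 requires: uri and base must both be active.
nslcd_missing_required() {
    missing=0
    for key in uri base; do
        [ -n "$(nslcd_get "$1" "$key")" ] || { echo "missing: $key" >&2; missing=$((missing + 1)); }
    done
    echo "$missing"
}

# Count settings that expose credentials or accept any server certificate.
nslcd_tls_warnings() {
    warn=0
    case "$(nslcd_get "$1" uri)" in
        ldap://*) [ "$(nslcd_get "$1" ssl)" = "start_tls" ] ||
            { echo "warn: plaintext ldap:// without ssl start_tls" >&2; warn=$((warn + 1)); } ;;
    esac
    case "$(nslcd_get "$1" tls_reqcert)" in
        never|allow) echo "warn: tls_reqcert does not enforce server cert verification" >&2; warn=$((warn + 1)) ;;
    esac
    [ -z "$(nslcd_get "$1" bindpw)" ] || { echo "warn: cleartext bindpw present; keep mode 0600" >&2; warn=$((warn + 1)); }
    echo "$warn"
}

# Usage: sh nslcd_check.sh /opt/fmadio/etc/nslcd.conf
if [ -n "$1" ]; then
    nslcd_mode_ok "$1" && echo "mode ok" || echo "mode must be 0600 (got $(stat -c '%a' "$1"))"
    echo "missing required settings: $(nslcd_missing_required "$1")"
    echo "tls warnings: $(nslcd_tls_warnings "$1")"
fi
```

With the page's default nslcd.conf the check reports one warning (plain ldap:// without start_tls), which is the setting to revisit when customizing the file for production.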

posixGroups

The LDAP default posixGroups are

posixGroup           Access Level
fmadio-ssh-admin     SSH access
fmadio-www-admin     WWW admin access (can change anything)
fmadio-www-user      WWW user access (monitoring and pcap downloading)


Optional

Some environments require a notice to be displayed on the login page.

This can be customized as follows

Step 1) copy the default template

cp /opt/fmadio/www/login/authorized_access.html.default /opt/fmadio/etc/authorized_access.html

Step 2) Edit the content

The template HTML can be edited as required by modifying the file

/opt/fmadio/etc/authorized_access.html

Step 3) restart nginx

nginx requires a restart for the customized template to be active

Run the following to stop nginx

sudo killall nginx

Then wait 60sec for the process to restart


Troubleshooting

Configuration rarely goes exactly as planned, so here are some tips to try.

Option 1) run nslcd in the foreground

sudo killall nslcd
sudo /usr/local/sbin/nslcd -f

Running nslcd in the foreground shows whether the /etc/nslcd.conf configuration file is parsed and used correctly, and surfaces either configuration typos or LDAP server problems.

Once it is running, ensure lookups work correctly as follows

ldapwhoami -x  -D cn=fmadio-user,dc=fmad,dc=io  -H ldap://192.168.1.100/ -w "password"

Option 2) check nginx log files

The nginx error log can be followed with

tail -F -n 100 /mnt/store0/log/nginx_error.log

Any errors there may help identify the problem.

Option 3) check syslog for PAM logs

This prints all PAM-related syslog messages and may help with debugging.

tail -F -n 100 /mnt/store0/log/messages |grep -i pam