LDAP


Introduction

LDAP is one of the most popular authentication mechanisms for Linux systems. This document describes how to configure an FMADIO system to authenticate against an OpenLDAP server.


Configuration

Configuration of LDAP is verbose but fairly straightforward. The following steps require customization based on the environment's authentication configuration.

Step 1) enable pam-ldap

This disables the current authentication method (likely Basic HTTP) and enables PAM-Linux authentication instead

fmadiocli "config security auth pam-ldap"

Example output below:

[Tue Dec 17 21:37:58 2024] > config security auth PAM-LDAP
[Tue Dec 17 21:37:59 2024] Authentication [BASIC] -> [PAM-LDAP]
wait for respawn 0/120
wait for respawn 1/120
wait for respawn 2/120
wait for respawn 3/120
wait for respawn 4/120
wait for respawn 5/120
process respawned
[Tue Dec 17 21:38:05 2024] rebooting the system may be required
[Tue Dec 17 21:38:05 2024] >

Step 2) Disable HTTP Access (optional)

We also strongly recommend disabling HTTP access, as all usernames and passwords are otherwise sent over unencrypted HTTP

fmadiocli "config security http false"

Example output below:

fmadio@fmadio100v2-228U:/mnt/store0/etc$ fmadiocli "config security http false"
fmad fmadlua Dec 11 2024 (/opt/fmadio/bin/fmadiolua --nocal /opt/fmadio/bin/fmadiocli config security http false )
Disable cycle calibration
[Tue Dec 17 21:41:44 2024] CmdLine [config security http false]
[Tue Dec 17 21:41:44 2024] Cmd [config security http false ]
[Tue Dec 17 21:41:44 2024] HTTP Access [disable] -> [false]
[Tue Dec 17 21:41:44 2024] please wait 60sec for web access to restart
done 0.173884Sec 0.002898Min
fmadio@fmadio100v2-228U:/mnt/store0/etc$

Step 3) Configure LDAP client nslcd

Start by using the default configuration located in

/opt/fmadio/etc_ro/nslcd.conf

Copy the file as follows

cp /opt/fmadio/etc_ro/nslcd.conf /opt/fmadio/etc/nslcd.conf

The default config looks like the following

fmadio@fmadio100v2-228U:~$ cat /opt/fmadio/etc_ro/nslcd.conf
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.
#log none debug

# The user and group nslcd should run as.
uid root
gid root

# The location at which the LDAP server(s) should be reachable.
uri ldap://192.168.1.100

# The search base that will be used for all queries.
base dc=fmad,dc=io

# The LDAP protocol version to use.
#ldap_version 3

# The DN to bind with for normal lookups.
#binddn userid=annonymous,dc=example,dc=net
#bindpw secret

# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# SSL options
#ssl off
#tls_reqcert never
#tls_cacertfile /etc/ssl/certs/ca-certificates.crt

# The search scope.
#scope sub

#ssl start_tls
#tls_reqcert allow

fmadio@fmadio100v2-228U:~$

NOTE: ensure the permissions of

/opt/fmadio/etc/nslcd.conf

are set to owner root.root with user-only read/write, for example

-rw-------    1 root     root           716 Mar  8 09:01 /mnt/store0/etc/nslcd.conf

Otherwise nslcd will fail to start due to insecure permissions. The permissions can be set as follows

sudo chown root.root /opt/fmadio/etc/nslcd.conf
sudo chmod 600 /opt/fmadio/etc/nslcd.conf

Step 4) Customize nslcd.conf

Edit the nslcd.conf file, modify the uri, base and any other LDAP-specific settings to match your environment, and save it. Usually there is a template of how an LDAP client is configured in your environment that can be replicated here.
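To review the edited file before rebooting (Steps 3 and 4), here is an added audit helper, not FMADIO code, that parses nslcd.conf options, flags the transport weaknesses left by the default config (plaintext ldap:// with the TLS options commented out), and checks the ownership/mode Step 3 requires. The two config strings are constructed from the default shown above; the assumption that a missing tls_reqcert behaves like OpenLDAP's default 'demand' is noted in the code.

```python
import stat

# Constructed: the lines of the default config that matter (plaintext ldap://, TLS commented out).
DEFAULT_CONF = """\
uri ldap://192.168.1.100
base dc=fmad,dc=io
#ssl start_tls
#tls_reqcert allow
"""
# Constructed hardened variant: STARTTLS with server certificate verification enforced.
HARDENED_CONF = """\
uri ldap://192.168.1.100
base dc=fmad,dc=io
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
"""

def parse_nslcd_conf(text):
    """Map each uncommented option to its list of values (options such as uri may repeat)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts.setdefault(parts[0].lower(), []).append(parts[1].strip() if len(parts) > 1 else "")
    return opts

def audit_nslcd_conf(text):
    """Return weaknesses to fix before enabling PAM-LDAP; only 'ssl start_tls' or ldaps:// counts as protected."""
    opts = parse_nslcd_conf(text)
    findings = []
    uris = opts.get("uri", [])
    ssl = opts.get("ssl", ["off"])[0].lower()
    encrypted = ssl == "start_tls" or bool(uris and all(u.startswith("ldaps://") for u in uris))
    if not encrypted:
        findings.append("plaintext LDAP: bind passwords cross the network in clear; set 'ssl start_tls' or use ldaps://")
    else:
        # Assumption: an absent tls_reqcert behaves like the OpenLDAP library default 'demand'.
        reqcert = opts.get("tls_reqcert", ["demand"])[0].lower()
        if reqcert not in ("demand", "hard"):
            findings.append(f"tls_reqcert {reqcert}: the server certificate is not strictly verified")
        if "tls_cacertfile" not in opts and "tls_cacertdir" not in opts:
            findings.append("no tls_cacertfile/tls_cacertdir: the server certificate cannot be chained to a trusted CA")
    return findings

def nslcd_conf_perms_ok(st_mode, st_uid=0, st_gid=0):
    """The check from Step 3: owned by root:root and user read/write only (mode 0600)."""
    return st_uid == 0 and st_gid == 0 and stat.S_IMODE(st_mode) == 0o600
```

Pass the result of os.stat() on /opt/fmadio/etc/nslcd.conf (st_mode, st_uid, st_gid) to nslcd_conf_perms_ok to verify the file on the appliance itself.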

Step 5) Reboot the system

Reboot the system using the following command

sudo reboot

Step 6) Check LDAP Connectivity

Change the username/domain/ip address etc to match your environment. The following command will confirm the LDAP Server can be reached and authenticated against.

ldapwhoami -x  -D cn=fmadio1,ou=users,dc=fmad,dc=io  -H ldap://192.168.1.100/ -w "password"

Successful authentication looks like the following

fmadio@fmadio100v2-228U:~$ ldapwhoami -x  -D cn=fmadio-user,ou=users,dc=fmad,dc=io  -H ldap://192.168.1.100/ -w "password"
dn:cn=fmadio-user,dc=fmad,dc=io

Once this is working, members of the SSH, WWW-Admin and WWW-User LDAP posix groups can log in to the system.

posixGroups

The LDAP default posixGroups are:

posixGroup            Access Level
fmadio-ssh-admin      SSH access
fmadio-www-admin      WWW admin access (can change anything)
fmadio-www-user       WWW user access (monitoring and pcap downloading)


Optional

Some environments require a notice to be displayed when logging in. This can be customized as follows

Step 1) copy the default template

cp /opt/fmadio/www/login/authorized_access.html.default /opt/fmadio/etc/authorized_access.html

Step 2) Edit the content

The template HTML can be edited as required by modifying the file

/opt/fmadio/etc/authorized_access.html

Step 3) restart nginx

nginx requires a restart for the customized template to be active

Run the following to stop nginx

sudo killall nginx

Then wait 60sec for the process to restart


Custom posix Groups

LDAP allows a role-based access control mechanism: each access level is granted to every user in an LDAP posix group, which makes user and access management significantly simpler.

On the FMADIO device there are 3 files for different access levels

SSH Shell Access

This is effectively admin access to the system, as all users have sudo privileges. The configuration file for this is

/opt/fmadio/etc/pam_access.fmadio-ssh-admin

Example output is shown below

# ACL only for fmadio-ssh-admin group
#
# customized version
#
-:ALL EXCEPT fmadio (fmadio-ssh-admin):ALL

This allows the local fmadio user to log in with a password and any user in the LDAP group fmadio-ssh-admin to log in to the system. To grant multiple LDAP groups SSH access, add the additional groups as below

# ACL only for fmadio-ssh-admin group
#
# customized version
#
-:ALL EXCEPT fmadio (ldap-group1) (ldap-group2) (fmadio-ssh-admin):ALL

NOTE: copying the file per below allows for quick testing / iterating of the config settings

sudo cp /opt/fmadio/etc/pam_access.fmadio-ssh-admin  /etc/

WWW Admin Access

Admin WWW access allows users to start/stop capture, edit configuration and perform general system management. It is controlled by the PAM config file below

/opt/fmadio/etc/pam_access.fmadio-www-admin

Example is shown below

# ACL only for fmadio-www-admin group
# custom
-:ALL EXCEPT fmadio (fmadio-www-admin):ALL

This grants admin www privileges to the local fmadio user (via password) and to any user in the fmadio-www-admin group

NOTE: copying the file per below allows for quick testing / iterating of the config settings

sudo cp /opt/fmadio/etc/pam_access.fmadio-www-admin /etc/pam_access.fmadio-www-admin

WWW User Access

The default WWW user access level allows downloading PCAPs and running analysis, but cannot start/stop captures or change any configuration files. The PAM config file for this is located at

/opt/fmadio/etc/pam_access.fmadio-www-user

Example configuration is shown below

# ACL only for fmadio-www-user group
-:ALL EXCEPT fmadio (fmadio-www-user):ALL

This grants access to the local fmadio user with a password and to any user in the LDAP group fmadio-www-user.
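To reason about what the three ACL files above grant before copying them into /etc, here is an added evaluator, not FMADIO's code, for the pam_access rule format they use. It implements a simplified form of pam_access matching (ALL, bare login names, parenthesised groups, and ALL or an exact origin; netgroups and LOCAL are not handled); the ACL strings are constructed from the SSH and WWW-user examples in this section.

```python
# Constructed ACLs in the format of the /opt/fmadio/etc/pam_access.fmadio-* files above.
SSH_ACL = """\
# ACL only for fmadio-ssh-admin group
-:ALL EXCEPT fmadio (ldap-group1) (ldap-group2) (fmadio-ssh-admin):ALL
"""
WWW_USER_ACL = "-:ALL EXCEPT fmadio (fmadio-www-user):ALL\n"

def parse_pam_access(text):
    """Parse 'permission:users:origins' lines into (allow, negated, items, origins) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (field.strip() for field in line.split(":", 2))
        tokens = users.split()
        negated = tokens[:2] == ["ALL", "EXCEPT"]
        items = tokens[2:] if negated else tokens
        rules.append((perm == "+", negated, items, origins.split()))
    return rules

def _user_matches(items, user, groups):
    # Simplified pam_access matching: ALL, a bare login name, or a (group) in parentheses.
    for item in items:
        if item == "ALL" or item == user:
            return True
        if item.startswith("(") and item.endswith(")") and item[1:-1] in groups:
            return True
    return False

def pam_access_allows(acl_text, user, groups, origin="ALL"):
    """First matching rule decides, as in pam_access; with no matching rule the login is permitted."""
    for allow, negated, items, origins in parse_pam_access(acl_text):
        if "ALL" not in origins and origin not in origins:
            continue
        # An 'ALL EXCEPT' list matches exactly the users it does NOT name.
        if _user_matches(items, user, groups) != negated:
            return allow
    return True
```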


PAM Process Customization

While process (e.g. SSHD or NGINX) PAM customization is rarely required, it may be useful to know where the configuration files are

The current run-time settings are in

/etc/pam.d/

Example is shown below

fmadio@fmadio100v2-228U:/etc/pam.d$ ls -altr
total 36
-rw-r--r--    1 root     root           148 Jul  8  2023 sudo
-rw-r--r--    1 root     root           148 Jul  8  2023 su
-rw-r--r--    1 root     root           687 Jul  8  2023 sshd_unix
-rw-r--r--    1 root     root          1052 Jul  8  2023 sshd_ldap
-rw-r--r--    1 root     root           154 Jul  8  2023 passwd
-rw-r--r--    1 root     root           234 Jul  8  2023 other
-rw-r--r--    1 root     root           687 Jul  8  2023 nginx_unix
-rw-r--r--    1 root     root          1050 Jul  8  2023 nginx_ldap_user
-rw-r--r--    1 root     root          1051 Jul  8  2023 nginx_ldap_admin
lrwxrwxrwx    1 root     root             9 Aug 28 15:35 sshd -> sshd_ldap
fmadio@fmadio100v2-228U:/etc/pam.d$

The system will configure these based on the security setting.

These PAM config files point to the /etc/pam_access.fmadio-* ACL files. Customized versions of them can be placed in persistent storage at

/opt/fmadio/etc/pam.d/

which will be copied into place at system reboot time.


Troubleshooting

Configuration rarely goes exactly as planned, so here are some tips to try

Option 1) run nslcd in the foreground

sudo killall nslcd
sudo /usr/local/sbin/nslcd -n

Running nslcd in the foreground shows whether the /etc/nslcd.conf configuration is working and surfaces config typos or LDAP server problems directly on the terminal.

Once it is running, confirm that lookups work correctly as follows

ldapwhoami -x  -D cn=fmadio-user,dc=fmad,dc=io  -H ldap://192.168.1.100/ -w "password"

Option 2) check nginx log files

The nginx error log can be followed with

tail -F -n 100 /mnt/store0/log/nginx_error.log

Any errors there may help in understanding the issue

Option 3) check syslog for PAM logs

This will print out logs of all PAM messages and may help debugging

tail -F -n 100 /mnt/store0/log/messages |grep -i pam