Introduction
LDAP is one of the most popular authentication mechanisms for Linux systems. This document describes how to configure an FMADIO system to authenticate against an OpenLDAP server.
Configuration
Configuration of LDAP is verbose but fairly straightforward. The following steps require customization based on the environment's authentication configuration.
Step 1) enable pam-ldap
This disables the current authentication method (likely HTTP Basic) and enables PAM-LDAP authentication instead.
fmadiocli "config security auth pam-ldap"
Example output below:
[Tue Dec 17 21:37:58 2024] > config security auth PAM-LDAP
[Tue Dec 17 21:37:59 2024] Authentication [BASIC] -> [PAM-LDAP]
wait for respawn 0/120
wait for respawn 1/120
wait for respawn 2/120
wait for respawn 3/120
wait for respawn 4/120
wait for respawn 5/120
process respawned
[Tue Dec 17 21:38:05 2024] rebooting the system may be required
[Tue Dec 17 21:38:05 2024] >
Step 2) Disable HTTP Access (optional)
We also strongly recommend disabling HTTP access, as otherwise all usernames and passwords are sent over unencrypted HTTP.
fmadiocli "config security http false"
Example output below:
fmadio@fmadio100v2-228U:/mnt/store0/etc$ fmadiocli "config security http false"
fmad fmadlua Dec 11 2024 (/opt/fmadio/bin/fmadiolua --nocal /opt/fmadio/bin/fmadiocli config security http false )
Disable cycle calibration
[Tue Dec 17 21:41:44 2024] CmdLine [config security http false]
[Tue Dec 17 21:41:44 2024] Cmd [config security http false ]
[Tue Dec 17 21:41:44 2024] HTTP Access [disable] -> [false]
[Tue Dec 17 21:41:44 2024] please wait 60sec for web access to restart
done 0.173884Sec 0.002898Min
fmadio@fmadio100v2-228U:/mnt/store0/etc$
Step 3) Configure LDAP client nslcd
Start by using the default configuration located in
/opt/fmadio/etc_ro/nslcd.conf
Copy the file as follows
cp /opt/fmadio/etc_ro/nslcd.conf /opt/fmadio/etc/nslcd.conf
The default config looks like the following
fmadio@fmadio100v2-228U:~$ cat /opt/fmadio/etc_ro/nslcd.conf
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.
#log none debug
# The user and group nslcd should run as.
uid root
gid root
# The location at which the LDAP server(s) should be reachable.
uri ldap://192.168.1.100
# The search base that will be used for all queries.
base dc=fmad,dc=io
# The LDAP protocol version to use.
#ldap_version 3
# The DN to bind with for normal lookups.
#binddn userid=annonymous,dc=example,dc=net
#bindpw secret
# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com
# SSL options
#ssl off
#tls_reqcert never
#tls_cacertfile /etc/ssl/certs/ca-certificates.crt
# The search scope.
#scope sub
#ssl start_tls
#tls_reqcert allow
fmadio@fmadio100v2-228U:~$
NOTE: ensure the permissions of
/opt/fmadio/etc/nslcd.conf
are set to root:root with owner-only read/write, as in the listing below
-rw------- 1 root root 716 Mar 8 09:01 /mnt/store0/etc/nslcd.conf
Otherwise nslcd will fail to start due to insecure permissions. This can be set as follows
sudo chown root.root /opt/fmadio/etc/nslcd.conf
sudo chmod 700 /opt/fmadio/etc/nslcd.conf
Step 4) Customize nslcd.conf
Edit the nslcd.conf file: modify uri, base and any other LDAP-specific settings to match your environment, then save it. Usually your environment already has a template for how an LDAP client is configured, which can be replicated here.
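As an added example (not FMADIO's own tooling), the following POSIX shell script writes a customized nslcd.conf that turns on the STARTTLS and certificate-verification options left commented out in the default file, so the directory bind is not sent in clear text as it would be over the plain ldap:// URI, and it checks the root ownership and owner-only mode required by the NOTE above. The LDAP host, base DN and CA bundle path are placeholder assumptions.

```shell
#!/bin/sh
# Added example, not part of the FMADIO software. Writes a hardened nslcd.conf
# and checks the ownership/mode nslcd demands. The host, base DN and CA bundle
# passed in are placeholder assumptions for your own environment.

# write_nslcd_conf FILE HOST BASE CAFILE
# Same layout as the default file, but with STARTTLS on and certificate
# verification required, so the directory bind is not sent in clear text.
write_nslcd_conf() {
    cat > "$1" <<EOF
# nslcd configuration file. See nslcd.conf(5) for details.
uid root
gid root
uri ldap://$2
base $3
# upgrade the port-389 connection with STARTTLS and refuse unverifiable certs
ssl start_tls
tls_reqcert demand
tls_cacertfile $4
EOF
}

# conf_requires_tls FILE -> 0 if the file enables STARTTLS (or an ldaps:// uri)
# and demands a verified certificate; the stock default file returns 1.
conf_requires_tls() {
    grep -Eq '^(ssl[[:space:]]+start_tls|uri[[:space:]]+ldaps://)' "$1" || return 1
    grep -Eq '^tls_reqcert[[:space:]]+demand' "$1"
}

# perms_are_private OWNER MODE -> 0 when root-owned with no group/other bits,
# i.e. the -rw------- root root listing shown above.
perms_are_private() {
    [ "$1" = "root" ] || return 1
    case "$2" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# check_nslcd_conf FILE -> perms_are_private applied to a real file (GNU/busybox stat)
check_nslcd_conf() {
    perms_are_private "$(stat -c %U "$1")" "$(stat -c %a "$1")"
}

# Usage (chown/chmod need root):
# write_nslcd_conf /opt/fmadio/etc/nslcd.conf ldap.example.internal dc=fmad,dc=io /etc/ssl/certs/ca-certificates.crt
# sudo chown root:root /opt/fmadio/etc/nslcd.conf && sudo chmod 600 /opt/fmadio/etc/nslcd.conf
# check_nslcd_conf /opt/fmadio/etc/nslcd.conf && conf_requires_tls /opt/fmadio/etc/nslcd.conf
```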
Step 5) Reboot the system
Reboot the system using the following command
sudo reboot
Step 6) Check LDAP Connectivity
Change the username, domain, IP address, etc. to match your environment. The following command confirms that the LDAP server can be reached and authenticated against.
ldapwhoami -x -D cn=fmadio1,ou=users,dc=fmad,dc=io -H ldap://192.168.1.100/ -w "password"
Successful authentication looks like the following
fmadio@fmadio100v2-228U:~$ ldapwhoami -x -D cn=fmadio-user,ou=users,dc=fmad,dc=io -H ldap://192.168.1.100/ -w "password"
dn:cn=fmadio-user,dc=fmad,dc=io
Once this is working, members of the SSH, WWW-Admin and WWW-User LDAP posix groups can log in to the system.
posixGroups
The LDAP default posixGroups are
| posixGroup | Access Level |
|---|---|
| fmadio-ssh-admin | SSH access |
| fmadio-www-admin | WWW admin access (can change anything) |
| fmadio-www-user | WWW user access (monitoring and pcap downloading) |
Optional
Some environments require a notice to be displayed on the login page.
This can be customized as follows
Step 1) copy the default template
cp /opt/fmadio/www/login/authorized_access.html.default /opt/fmadio/etc/authorized_access.html
Step 2) Edit the content
The template HTML can be edited as required by modifying the file
/opt/fmadio/etc/authorized_access.html
Step 3) restart nginx
nginx requires a restart for the customized template to be active
Run the following to stop nginx
sudo killall nginx
Then wait 60sec for the process to restart
Custom posix Groups
LDAP allows a role-based access control model: access is granted to LDAP posix groups rather than to individual users, which makes user and access management significantly simpler.
On the FMADIO device there are 3 files for different access levels
SSH Shell Access
This is effectively admin access to the system, as all users have sudo privileges. The configuration file for this is
/opt/fmadio/etc/pam_access.fmadio-ssh-admin
Example output is shown below
# ACL only for fmadio-ssh-admin group
#
# customized version
#
-:ALL EXCEPT fmadio (fmadio-ssh-admin):ALL
This allows the local fmadio user to log in with its password, and also allows any user in the LDAP group fmadio-ssh-admin to log in to the system. To grant multiple LDAP groups SSH access, add additional groups as below
# ACL only for fmadio-ssh-admin group
#
# customized version
#
-:ALL EXCEPT fmadio (ldap-group1) (ldap-group2) (fmadio-ssh-admin):ALL
NOTE: copying the file per below allows for quick testing / iterating of the config settings
sudo cp /opt/fmadio/etc/pam_access.fmadio-ssh-admin /etc/
WWW Admin Access
Admin WWW access allows users to start/stop capture, edit configuration and perform general system management. It is controlled by the PAM config file below
/opt/fmadio/etc/pam_access.fmadio-www-admin
Example is shown below
# ACL only for fmadio-www-admin group
# custom
-:ALL EXCEPT fmadio (fmadio-www-admin):ALL
This allows the fmadio user (with password) and any user in the fmadio-www-admin group to be granted admin WWW privileges.
NOTE: copying the file per below allows for quick testing / iterating of the config settings
sudo cp /opt/fmadio/etc/pam_access.fmadio-www-admin /etc/pam_access.fmadio-www-admin
WWW User Access
The default WWW user access level allows downloading PCAPs and running analysis, but cannot start/stop captures or change any configuration files. The PAM config file for this is located at
/opt/fmadio/etc/pam_access.fmadio-www-user
Example configuration is shown below
# ACL only for fmadio-www-user group
-:ALL EXCEPT fmadio (fmadio-www-user):ALL
This allows the fmadio user (with password) and any user in the LDAP group fmadio-www-user access.
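The three pam_access.fmadio-* files above, and the multi-group variant of the SSH file, all use the same "-:ALL EXCEPT <users> (<groups>):ALL" rule shape. As an added example that is not part of the FMADIO software, the POSIX shell function below evaluates such a rule for a given user and group list, so a customized ACL can be checked before it is copied into /etc. It assumes a user name plus a space-separated list of that user's groups as input and, as a simplification, does not evaluate the origin field (":ALL").

```shell
#!/bin/sh
# Added example, not part of the FMADIO software: evaluates the
# "-:ALL EXCEPT <users> (<groups>):ALL" rule form used in the three
# pam_access.fmadio-* files, so a rule can be checked before copying it to /etc.
# Assumed inputs: a user name and a space-separated list of that user's groups;
# the origin field (":ALL") is not evaluated.

# pam_access_allows RULE USER GROUPS -> 0 if admitted, 1 if denied,
# 2 if the rule is not in the deny-all-except shape handled here
pam_access_allows() {
    rule="$1"; user="$2"; groups="$3"
    case "$rule" in
        "-:ALL EXCEPT "*":ALL") ;;
        *) return 2 ;;
    esac
    # strip the fixed prefix and the origin field, leaving the exception list
    except="${rule#-:ALL EXCEPT }"
    except="${except%:ALL}"
    for item in $except; do
        case "$item" in
            \(*\))                         # (group): admit if USER is a member
                grp="${item#\(}"; grp="${grp%\)}"
                for g in $groups; do
                    [ "$g" = "$grp" ] && return 0
                done ;;
            *)                             # bare token: a user name
                [ "$item" = "$user" ] && return 0 ;;
        esac
    done
    return 1
}

# Usage: the multi-group SSH rule from above, checked for three accounts
# SSH_RULE='-:ALL EXCEPT fmadio (ldap-group1) (ldap-group2) (fmadio-ssh-admin):ALL'
# pam_access_allows "$SSH_RULE" alice "users fmadio-ssh-admin"   # admitted
# pam_access_allows "$SSH_RULE" bob "users fmadio-www-user"      # denied
# pam_access_allows "$SSH_RULE" fmadio ""                        # admitted (local user)
```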
PAM Process Customization
While per-process (e.g. SSHD or NGINX) PAM customization is rarely required, it may be useful to know where the configuration files are.
The current run-time settings are in
/etc/pam.d/
Example is shown below
fmadio@fmadio100v2-228U:/etc/pam.d$ ls -altr
total 36
-rw-r--r-- 1 root root 148 Jul 8 2023 sudo
-rw-r--r-- 1 root root 148 Jul 8 2023 su
-rw-r--r-- 1 root root 687 Jul 8 2023 sshd_unix
-rw-r--r-- 1 root root 1052 Jul 8 2023 sshd_ldap
-rw-r--r-- 1 root root 154 Jul 8 2023 passwd
-rw-r--r-- 1 root root 234 Jul 8 2023 other
-rw-r--r-- 1 root root 687 Jul 8 2023 nginx_unix
-rw-r--r-- 1 root root 1050 Jul 8 2023 nginx_ldap_user
-rw-r--r-- 1 root root 1051 Jul 8 2023 nginx_ldap_admin
lrwxrwxrwx 1 root root 9 Aug 28 15:35 sshd -> sshd_ldap
fmadio@fmadio100v2-228U:/etc/pam.d$
The system configures these based on the security setting.
These PAM config files point to the /etc/pam_access.fmadio-* ACL files. Customized versions of these can be placed in persistent storage at
/opt/fmadio/etc/pam.d/
from where they are copied at system reboot time.
Troubleshooting
Configuration rarely goes exactly as planned, so here are some tips to try.
Option 1) run nslcd in the foreground
sudo killall nslcd
sudo /usr/local/sbin/nslcd -n
Running nslcd in the foreground shows whether the /etc/nslcd.conf configuration file is working correctly, and surfaces either configuration typos or LDAP server problems.
Once it is running, ensure lookups work correctly as follows
ldapwhoami -x -D cn=fmadio-user,dc=fmad,dc=io -H ldap://192.168.1.100/ -w "password"
Option 2) check the nginx log files
The nginx log file can be followed with
tail -F -n 100 /mnt/store0/log/nginx_error.log
Any errors there may help explain the issue.
Option 3) check syslog for PAM logs
This will print out logs of all PAM messages and may help debugging
tail -F -n 100 /mnt/store0/log/messages |grep -i pam