Linux AD integration with OpenDJ


FlossUK 2015 presentation

Most authentication implementations use 'plain old' LDAP, sometimes in combination with Kerberos and/or Samba. Lately there is also interest in FreeIPA, especially on RHEL-based platforms.

We created a setup using the LDAP server OpenDJ, AD Kerberos, the SSSD client daemon and additional tools and scripts.



1. Linux centralized identity and authentication interoperability with AD
   (A directory server integration with AD)
   Pieter Baele – pieter.baele@gmail.com
   FlossUK DevOps Spring 2015 @ York, 25 March 2015
2. Presentation overview
   - the history of our implementation
   - concepts and principles
   - choices: server and client side
   - tooling
   - the design
   - monitoring
   - references
3. History of our LDAP implementation
   Situation in 2009: a growing Linux environment (fewer than 100 servers), no LDAP.
   A bigger Unix environment exists with its own Sun Directory Server.
   Central management of (some) users: let's use Puppet
   - manually, with scripts, create users on the Sun Directory Server
   - add them, manually, to Puppet
   - good for application users, not funny when you have 100 real users to add
   So let's develop a nice directory architecture!
4. Concepts and requirements
   - HA using replication and load balancing
   - traceability and auditing
   - secure, practical ACL support (only on groups)
   - transport security: TLS, SSF (security strength factor)
   - some SSO functionality, plus a fallback (PTA, pass-through authentication)
   - accounts not maintained by us: automatic decommissioning
   - ensuring UIDs and GIDs are unique across the enterprise
   - applications: local users
   - central store for sudo rules
   - KISS (complexity introduces risks)
   - no need to duplicate things that exist already
5. Implementation choice, server side
   - the 'classic' LDAP approach
   - Samba + Winbind
   - other LDAP servers in general
   - Unix attributes in Active Directory
   - the Red Hat way: IPA
   - realmd
   - the hybrid approach: OpenDJ as directory server, AD Kerberos and some duct tape
   Tried most of the above...
6. Implementation choice, server: the classic approach
   Everybody knows the classic approach, right?
   - OpenLDAP, sometimes with MIT or Heimdal Kerberos, and maybe some bits of Cyrus SASL (saslauthd)
   - welcome to the world of LDIF
   - almost heaven for LDAP gurus
   - perfect when there is a need for speed (MDB... amazing)
   - perfect for custom implementations (backends, overlays)
   - no special benefit for our case
   - support: so who is the expert?
7. Implementation choice, server: Winbind / Active Directory
   Winbind
   - join the system to AD
   - AD SID to POSIX attribute mapping
   - trusted domains
   - do you want those components on your server?
   Active Directory
   - ID mapping uses the SFU/IMU extensions in AD
   - maintained by another team
   - do we really want Windows to manage our entries?
8. Implementation choice, server: realmd
   - offers direct integration with AD by configuring SSSD
   - replaces Winbind
   - detects the domain using DNS
   - identity lookup from AD, authentication with Kerberos or LDAP
   - to join you need a Domain Admin (or at least an AD account allowed to create computer objects, as the observations at the end show)
9. Implementation choice, server: 389 Directory Server
   - used for a subproject of my internship (multi-master replication)
   - based on the Netscape code
   - why? we already have our (Sun) Oracle Directory Server 11g... which can't replicate with 389!
   - support from Red Hat
   - no benefit
10. The history of (some) directory servers (diagram)
11. Implementation choice, server: (Free)IPA
   - complete IdM with DS, NTP, PKI, KDC, HTTPD and DNS
   - it's free on RHEL
   - especially made for the needs of Linux AuthN/AuthZ
   - choices for integrating with AD:
     - a synchronization service on each domain controller (also possible with 389, which is part of FreeIPA)
     - a subdomain (or a new domain) plus an AD trust relationship
   - bugs (when I tested it) after release
   - not supported when you added custom schemas :-(
   Nowadays: if it can help you, why not?
   - the first product specifically for this use case (!)
   - real role-based access control
   - automember
   - integrated web interface
   - SELinux integration (confined users / mapping)
12. Implementation choice, server: OpenDJ
   - rather easy (IMO)
   - has a very complete administrative menu (dsconfig)
   - setting up replication is only one command
   - cn=config / LDIF configuration when you need it
   - has a REST interface
   - possibility to integrate with OpenAM (web SSO is possible)
   - can be monitored in various ways: JMX, logs, SNMP, cn=monitor
   - never let us down so far (lost one replica once because of a configuration error)
   - fast for dev
13. OpenDJ: the future of OpenDJ (diagram)
14. OpenDJ components (diagram)
15. Architecture / design, physical: each datacenter has its own pair of directory servers
16. Architecture / design, DIT: as flat as possible; keep the organisation structure out of the tree
17. Client: replace legacy tools with the System Security Services Daemon (SSSD)
   - a project from Red Hat
   - before: nss_ldap, nscd
   - supports a lot of different integrations: direct integration with AD, IPA, using only an LDAP server such as OpenLDAP, or something custom
18. msktutil: Active Directory keytab management
   - creates user or computer accounts in Active Directory
   - creates Kerberos keytabs on Unix/Linux systems
   - adds and removes principals to and from keytabs
   - changes the user or computer account's password
   AD Kerberos != MIT Kerberos... e.g. every keytab for Apache created on the Windows side also needs a dedicated user account
19. The configuration, part 1: OpenDJ
   - SASL enabled:
       dsconfig set-sasl-mechanism-handler-prop --handler-name GSSAPI --set enabled:true
   - PTA: the AD domain certificate added to the keystore
   - protocols, replication
   - Referential Integrity plugin enabled
   - MemberOf plugin enabled
   - UID Unique (unique attribute) plugin enabled
20. The configuration, part 2: data
   - host entries are added; their uid is used for the SASL principal match (HOSTNAME$)
   - a user is added by our tools; the data comes from AD and, if present, from the Unix directory server
   - most real users have PTA enabled, which is as simple as setting a password policy:
       ds-pwp-password-policy-dn: cn=PTA Policy,cn=Password Policies,cn=config
   - no password is set for users; application users are not able to log in directly
   - users need to be memberOf a group that allows access, AND we use netgroups
   - we use sudo's LDAP backend directly, so SSSD caching has no impact on sudo rules
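The two configuration slides above (OpenDJ plugins, then the data model) describe entries by their rules rather than their shape. The following is an added example, not the talk's Perl or Python tooling: it builds the LDIF for each entry type under those rules (host entries named after the AD computer account, real users with the PTA policy and no userPassword, application users with neither, netgroups, sudo rules) and pre-checks the enterprise-wide uid/uidNumber uniqueness the requirements slide asks for. The base DN dc=example,dc=com with ou=Hosts, ou=People, ou=Netgroups and ou=SUDOers beneath it, and the use of the standard cosine (account), nis (nisNetgroup) and sudoers.ldap (sudoRole) object classes, are assumptions of this example and are not on the slides.

```python
"""Added example, not the talk's tooling: LDIF for the entry types of this design.
Assumed, not on the slides: the base DN and OUs below, and the cosine/nis/sudoers
object classes; the PTA policy DN is the one the data slide shows."""
import base64
from collections import Counter

BASE_DN = "dc=example,dc=com"                                   # assumed flat DIT
PTA_POLICY_DN = "cn=PTA Policy,cn=Password Policies,cn=config"  # from the slide


def _ldif_line(attr, value):
    """One LDIF attribute line; base64 (':: ') when the value is not a SAFE-STRING."""
    value = str(value)
    unsafe = (not value.isascii() or value[:1] in (" ", ":", "<")
              or value != value.rstrip() or "\n" in value or "\r" in value)
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode()).decode()}"
    return f"{attr}: {value}"


def to_ldif(entries):
    """Serialise [(dn, [(attr, value), ...]), ...] as LDIF add records."""
    lines = []
    for dn, attrs in entries:
        lines.append(_ldif_line("dn", dn))
        lines.extend(_ldif_line(a, v) for a, v in attrs)
        lines.append("")
    return "\n".join(lines)


def host_entry(fqdn):
    """Host entry whose uid is the AD computer account name (HOSTNAME$), so the
    GSSAPI identity mapper can match the host's bind principal to this entry."""
    uid = fqdn.split(".")[0].upper() + "$"
    return (f"uid={uid},ou=Hosts,{BASE_DN}", [
        ("objectClass", "top"), ("objectClass", "account"),
        ("uid", uid), ("description", f"computer account of {fqdn}"),
    ])


def user_entry(uid, uid_number, gid_number, cn, sn, application=False):
    """posixAccount without userPassword: real users get the PTA policy and are
    verified against AD; application users have no policy and cannot bind at all."""
    attrs = [
        ("objectClass", "top"), ("objectClass", "inetOrgPerson"),
        ("objectClass", "posixAccount"),
        ("uid", uid), ("cn", cn), ("sn", sn),
        ("uidNumber", uid_number), ("gidNumber", gid_number),
        ("homeDirectory", f"/home/{uid}"), ("loginShell", "/bin/bash"),
    ]
    if not application:
        attrs.append(("ds-pwp-password-policy-dn", PTA_POLICY_DN))
    return (f"uid={uid},ou=People,{BASE_DN}", attrs)


def netgroup_entry(name, users=(), hosts=(), domain=""):
    """nisNetgroup with NIS triples (host,user,domain); an empty domain matches any."""
    triples = [f"(,{u},{domain})" for u in users] + [f"({h},,{domain})" for h in hosts]
    return (f"cn={name},ou=Netgroups,{BASE_DN}", [
        ("objectClass", "top"), ("objectClass", "nisNetgroup"), ("cn", name),
        *[("nisNetgroupTriple", t) for t in triples],
    ])


def sudo_role(name, sudo_users, sudo_hosts, commands, runas="root"):
    """sudoRole read by sudo's LDAP backend; '+netgroup' and '%group' keep sudoers syntax."""
    return (f"cn={name},ou=SUDOers,{BASE_DN}", [
        ("objectClass", "top"), ("objectClass", "sudoRole"), ("cn", name),
        *[("sudoUser", u) for u in sudo_users],
        *[("sudoHost", h) for h in sudo_hosts],
        *[("sudoCommand", c) for c in commands],
        ("sudoRunAsUser", runas),
    ])


def id_conflicts(entries):
    """Values of uid and uidNumber that occur more than once in the batch: a
    pre-flight check in front of OpenDJ's unique-attribute plugin, so a duplicate
    is caught before the add reaches the replicated directory (groups would get
    the same check on gidNumber)."""
    seen = {"uid": Counter(), "uidNumber": Counter()}
    for _dn, attrs in entries:
        for attr, value in attrs:
            if attr in seen:
                seen[attr][str(value)] += 1
    return {attr: sorted(v for v, n in c.items() if n > 1) for attr, c in seen.items()}
```

Feed the output of to_ldif() to ldapmodify -a (or the REST interface); id_conflicts() is what the tooling should run on the batch first, because a uidNumber collision rejected by the server on one replica is far easier to handle than one that slipped in before the plugin was enabled.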
21. The configuration, part 3: client (using configuration management)
   - installation of packages
   - configuration of a (minimal) krb5.conf
   - call to msktutil to create the computer account in AD
   - call to authconfig (EL specific):
     - enabling sssd
     - enabling mkhomedir (oddjobd)
     - enabling PAM access
   - setting the NISDOMAIN (RHEL 7: the rhel-domainname service)
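The client slide lists the steps but not the resulting files. As an added example, not the talk's configuration-management code, the function below renders what one host ends up with in this design (krb5.conf, sssd.conf binding to OpenDJ with the msktutil keytab and authenticating against the AD realm, sudo's own LDAP client configuration, pam_access rules for a netgroup), and a second function lints an sssd.conf for the settings a security review would reject. Hostnames, the realm AD.EXAMPLE.COM, the base DN dc=example,dc=com, the CA bundle path and the group and netgroup names are assumptions of the example.

```python
"""Added example, not the talk's cfgmgmt code: client files for this design plus a
lint of sssd.conf. Hostnames, realm, base DN, CA path and group names are assumed."""
import configparser


def render_client_config(fqdn, realm, ldap_servers, base_dn, ca_file,
                         access_group="linux-access", admin_netgroup="linux-admins"):
    """Return {path: content} for the files one host needs."""
    computer = fqdn.split(".")[0].upper() + "$"   # AD computer account, created by msktutil
    domain = ".".join(rdn.split("=", 1)[1] for rdn in base_dn.split(","))
    uris = [f"ldaps://{h}" for h in ldap_servers]
    uri_csv, uri_sp = ", ".join(uris), " ".join(uris)
    krb5 = ("[libdefaults]\n"
            f"    default_realm = {realm}\n"
            "    dns_lookup_kdc = true\n"      # KDCs from AD's SRV records: DNS is crucial
            "    dns_lookup_realm = false\n"
            "    rdns = false\n"
            "    forwardable = true\n")
    sssd = f"""\
[sssd]
config_file_version = 2
services = nss, pam
domains = {domain}

[domain/{domain}]
# identities come from this datacenter's OpenDJ pair, over LDAPS only
id_provider = ldap
ldap_uri = {uri_csv}
ldap_search_base = {base_dn}
ldap_user_search_base = ou=People,{base_dn}
ldap_group_search_base = ou=Groups,{base_dn}
ldap_netgroup_search_base = ou=Netgroups,{base_dn}
ldap_tls_cacert = {ca_file}
ldap_tls_reqcert = demand
# the host binds as its own AD computer account using the msktutil keytab;
# OpenDJ maps that principal to uid={computer} - no bind password on disk
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = {computer}@{realm}
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true
# passwords are verified by the AD KDC, never stored or cached on the host
auth_provider = krb5
krb5_realm = {realm}
krb5_server = _srv_
cache_credentials = false
# access: memberOf (OpenDJ MemberOf plugin) here, netgroups via pam_access
access_provider = ldap
ldap_access_order = filter
ldap_access_filter = (memberOf=cn={access_group},ou=Groups,{base_dn})
enumerate = false
"""
    sudo = f"""\
# sudo reads rules straight from OpenDJ (nsswitch.conf: sudoers: ldap files),
# bypassing the SSSD cache; the ou=SUDOers ACL must allow this read
uri {uri_sp}
sudoers_base ou=SUDOers,{base_dn}
tls_cacertfile {ca_file}
tls_checkpeer yes
"""
    access = f"""\
# pam_access: root on the console, the admin netgroup everywhere, nobody else.
# Netgroup host triples only match when the NIS domain name is set.
+ : root : LOCAL
+ : @{admin_netgroup} : ALL
- : ALL : ALL
"""
    return {"/etc/krb5.conf": krb5, "/etc/sssd/sssd.conf": sssd,
            "/etc/sudo-ldap.conf": sudo, "/etc/security/access.conf": access}


def lint_sssd_conf(text):
    """Findings (code, section, message) a review of an sssd.conf would raise."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    out = []
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue
        d = cp[name]
        if "ldap://" in d.get("ldap_uri", "") and \
                d.get("ldap_id_use_start_tls", "false").lower() != "true":
            out.append(("cleartext-ldap", name, "ldap:// without StartTLS: lookups and binds in clear"))
        if d.get("ldap_tls_reqcert", "hard").lower() in ("never", "allow"):
            out.append(("tls-reqcert", name, "server certificate not verified: directory can be spoofed"))
        if "ldap_default_authtok" in d:
            out.append(("bind-secret", name, "bind password on disk; use GSSAPI with the host keytab"))
        if d.get("cache_credentials", "false").lower() == "true":
            out.append(("cached-creds", name, "cached hashes outlive an AD disable until the cache expires"))
    return out


# constructed counter-example of a legacy client configuration, for the lint
WEAK_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = legacy

[domain/legacy]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ds1.example.com
ldap_tls_reqcert = never
ldap_default_bind_dn = cn=reader,dc=example,dc=com
ldap_default_authtok = hunter2
cache_credentials = true
"""
```

The point of cache_credentials = false here is the decommissioning requirement: with caching on, a user disabled in AD keeps logging in from a cached hash until the entry expires, which is exactly the window the design tries to close.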
22. Tooling: Perl
   - Perl-LDAP is perfect
   - first script: with a curses front end ;-(
   - functionality: add a user to the correct organisation, enable PTA
   - for other tasks: Apache Directory Studio
   - code not very maintainable for my colleagues...
23. Tooling: Python
   - OpenDJ REST using python-requests: some limitations
   - python-ldap turned out to be the most flexible way
   - today the frequent operations are supported: netgroups, sudo, root access...
   - and we have a functional front end written in Flask :-)
   Management tools are as important as the underlying technologies used.
24. Monitoring
   - primary monitoring of the service / daemon
   - log files: parsing with Logstash, especially the access (audit) log; correlation
   - SNMP: using your beloved monitoring platform
   - JMX (Java Management Extensions): perfect for some internals of the JRE
   - don't forget... cn=monitor
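"Correlation" on the monitoring slide is the part worth showing: a single BIND RES line carries a result code but no client address, so the access log has to be joined on connection id before it says who is guessing passwords. The following is an added example, not the talk's Logstash pipeline: it maps CONNECT lines to client addresses, joins BIND REQ/RES pairs on (conn, op), and counts failed simple binds (result=49, invalidCredentials) per source, so a spray across several users and several short connections from one address surfaces as one finding. The log lines are constructed for this example in the shape of the OpenDJ 2.6 access log; apart from conn, op, result, dn and from, the field names are illustrative.

```python
"""Added example, not the talk's Logstash configuration: failed-bind correlation
over an OpenDJ access log. SAMPLE_LOG is constructed, not captured."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
[25/Mar/2015:10:00:00 +0000] CONNECT conn=12 from=10.0.0.5:51000 to=10.0.0.10:636 protocol=LDAPS
[25/Mar/2015:10:00:00 +0000] BIND REQ conn=12 op=0 msgID=1 version=3 type=SIMPLE dn="uid=jdoe,ou=People,dc=example,dc=com"
[25/Mar/2015:10:00:01 +0000] BIND RES conn=12 op=0 msgID=1 result=49 authFailureID=197 authFailureReason="Invalid Credentials" etime=2
[25/Mar/2015:10:00:01 +0000] BIND REQ conn=12 op=1 msgID=2 version=3 type=SIMPLE dn="uid=jdoe,ou=People,dc=example,dc=com"
[25/Mar/2015:10:00:02 +0000] BIND RES conn=12 op=1 msgID=2 result=49 authFailureID=197 authFailureReason="Invalid Credentials" etime=3
[25/Mar/2015:10:00:02 +0000] DISCONNECT conn=12 reason="Client Disconnect"
[25/Mar/2015:10:00:03 +0000] CONNECT conn=13 from=10.0.0.5:51001 to=10.0.0.10:636 protocol=LDAPS
[25/Mar/2015:10:00:03 +0000] BIND REQ conn=13 op=0 msgID=1 version=3 type=SIMPLE dn="uid=asmith,ou=People,dc=example,dc=com"
[25/Mar/2015:10:00:04 +0000] BIND RES conn=13 op=0 msgID=1 result=49 authFailureID=197 authFailureReason="Invalid Credentials" etime=2
[25/Mar/2015:10:00:05 +0000] CONNECT conn=14 from=10.0.0.6:40000 to=10.0.0.10:636 protocol=LDAPS
[25/Mar/2015:10:00:05 +0000] BIND REQ conn=14 op=0 msgID=1 version=3 type=SASL mechanism=GSSAPI dn=""
[25/Mar/2015:10:00:05 +0000] BIND RES conn=14 op=0 msgID=1 result=0 authDN="uid=WEB01$,ou=Hosts,dc=example,dc=com" etime=4
[25/Mar/2015:10:00:06 +0000] CONNECT conn=15 from=10.0.0.7:40500 to=10.0.0.10:636 protocol=LDAPS
[25/Mar/2015:10:00:06 +0000] BIND REQ conn=15 op=0 msgID=1 version=3 type=SIMPLE dn="uid=bob,ou=People,dc=example,dc=com"
[25/Mar/2015:10:00:07 +0000] BIND RES conn=15 op=0 msgID=1 result=49 authFailureID=197 authFailureReason="Invalid Credentials" etime=1
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<kind>[A-Z]+)(?:\s+(?P<phase>REQ|RES))?\s*(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value or key="quoted value"


def parse_access_log(lines):
    """One dict per line: ts, kind (CONNECT/BIND/...), phase (REQ/RES/None), then
    the key=value fields. Lines that do not match are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = {"ts": m["ts"], "kind": m["kind"], "phase": m["phase"]}
        ev.update((k, v.strip('"')) for k, v in FIELD_RE.findall(m["rest"]))
        events.append(ev)
    return events


def failed_bind_report(lines, threshold=3):
    """Sources with at least `threshold` failed binds, with how many distinct
    DNs and connections they used; 'unknown' when the CONNECT line is in a
    rotated file. Only simple binds with a password can fail with 49 here;
    the hosts' GSSAPI binds (result=0) are never counted."""
    conn_ip, pending = {}, {}
    per_ip = defaultdict(lambda: {"attempts": 0, "dns": set(), "conns": set()})
    for ev in parse_access_log(lines):
        conn = ev.get("conn")
        if ev["kind"] == "CONNECT":
            conn_ip[conn] = ev.get("from", "unknown").rsplit(":", 1)[0]
        elif ev["kind"] == "BIND" and ev["phase"] == "REQ":
            pending[(conn, ev.get("op"))] = ev.get("dn", "")
        elif ev["kind"] == "BIND" and ev["phase"] == "RES":
            dn = pending.pop((conn, ev.get("op")), "")
            if ev.get("result") == "49":
                rec = per_ip[conn_ip.get(conn, "unknown")]
                rec["attempts"] += 1
                rec["dns"].add(dn)
                rec["conns"].add(conn)
    return {ip: {"attempts": r["attempts"], "distinct_dns": len(r["dns"]),
                 "connections": len(r["conns"])}
            for ip, r in per_ip.items() if r["attempts"] >= threshold}
```

The same join is what a Logstash aggregate filter keyed on conn has to do; doing it here first makes it easy to check the threshold against real traffic before alerting on it, since in this design a burst of 49s from one address can also be an application retrying with a stale password after PTA handed the check to AD.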
25. Monitoring: cn=monitor
   - LDAP metrics: number of operations (bind, search, modrdn...) and response times
   - almost no one uses it (?)
   - protect the tree with an ACL
   - there is a nice but older cn=monitor front end on SourceForge (RPM, DEB...)
   - still thinking about a new cn=monitor front end
26. Some observations and remarks
   - only a very small dataset, but a lot of accesses
   - separate functional users in AD:
     - one that can only create computer account objects (for msktutil)
     - one with (search) access to the user OUs, used for PTA
   - DNS is crucial
   - NTP is critical for Kerberos (and for log files)
   - local users that also exist in LDAP are only possible with recent Puppet versions (luseradd and the like)
   - SSH authentication order (the client's default preference): GSSAPI first, then host-based, public key, passwords
27. What are we still missing?
   - home directories mounted by autofs
   - performance details (from the client)
   - a platform to manage public keys: OpenSSH LPK project, PrivacyIDEA
   - indexes
28. References
   - LDAP Toolbox project, to get started quickly with OpenLDAP: http://ltb-project.org/wiki/
   - FreeIPA: Dmitri Pal, "AD Integration options for Linux Systems", Developer Conference, Brno, 2013
   - Windows Integration Guide, Red Hat official documentation
