Scalable authentication with LDAP
Our server cluster uses the Lightweight Directory Access Protocol (LDAP) to manage users simultaneously across machines. Setting up LDAP is non-trivial, but also quite useful, so here I will document our setup process.
OpenLDAP Server Setup
Our LDAP server is hosted on sullivan
, a FreeBSD host. Many guides exist
showing how to setup an OpenLDAP server on FreeBSD, so it would serve no one
for me to write another copy. However, I will detail a few of our specific
configuration choices.
Firstly, YOU SHOULD USE TLS! Without TLS/SSL, passwords will be transmitted
in the clear. TLS is recommended for OpenLDAP, so this is what we’ve decided to
use. Since we only have 4 servers acting as OpenLDAP clients, we found self-
signed certificates to be a relatively minor inconvience (each client must
manually trust the root CA), but you may consider setting up Lets Encrypt’s
certbot
if you’d prefer to not self-sign.
Next, slapd
configuration options. Remember to set these in slapd.ldif
,
as slapd.conf
is deprecated. Also, changing these options down the line is
doable, but much trickier than just getting them right the first time! We use
the dynamic mdb
config module to allow later editing, but it’s much more
annoying than changing the first-time setup options in slapd.ldif
. As for our
schema includes, we use core.ldif
, cosine.ldif
, inetorgperson.ldif
, and
nis.ldif
. Remember to create a rootdn with password!
Moving on to our LMDB database, we set some basic ACLs. Here’s one you definitely want, which allows users to authenticate, but also prevents others from viewing their passwords:
olcAccess: to dn.subtree="ou=Users,dc=ais-ucla,dc=org"
attrs=userPassword
by self write
by anonymous auth
by * none
We also set the objectClass
for ou=Users
to be posixAccount
(which
includes neccesary data like uid
and loginShell
) and inetOrgPerson
,
which allows us to store additional information about users, such as phone
numbers, short descriptions, etc. The full specification for inetOrgPerson is
available here.
Ldapscripts Setup
Now that the OpenLDAP server is setup, while we could manage users entirely
through the ldapsearch
and ldapmodify
tools, it’s easier to use scripts
that abstract away these clunky interfaces. Most operating systems include a
copy of martymac
’s ldapscripts
collection in their package manager, which
provides a collection of tools we find quite useful. In particular,
ldapadduser
, ldapaddgroup
, and the like, are all great for those used to
adduser
and usermod
.
ldapscripts
is quite customizable, and while obviously you must set it up to
be able to connect to your LDAP server (usually with rootdn access), there are
some specific configuration options that may be useful to explicitly note:
- Setting
CREATEHOMES
to"yes"
, surprisingly enough, creates home directories automatically upon user creation. - We use
PASSWORDGEN="cat /dev/random | LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c8"
to create randomized passwords (users connecting over ssh are forced to use pubkey authentication anyway). - Enabling
UTEMPLATE
allows for additonal configuration of user accounts whenldapadduser
is run. Here is the template we use:dn: uid=<user>,<usuffix>,<suffix> objectClass: posixAccount objectClass: inetOrgPerson cn: <ask> sn: <ask> uid: <user> uidNumber: <uid> gidNumber: <gid> homeDirectory: <home> loginShell: /bin/bash gecos: <user> description: <ask> o: <ask> mobile: <ask>
OpenLDAP client setup
Finally, each machine on your network (that you want users to access), must have an OpenLDAP client installed properly. While you should look for a guide specific to your operating system, here are some brief notes on configuration options.
- Remember to enable TLS/SSL (eg.
ssl start_tls
)! - Make sure to reconfigure
nsswitch.conf
to ensure your ldap client is actually being used. - On Linux, setup PAM to use ldap too. For instance, on Ubuntu, it suffices
to edit
/etc/pam.d/common-session
, which is included by the other PAM config files. Also ensure that ssh is actually using PAM!
Final notes
Remember that writing your own LDAP scripts is also an option, if ldapscripts
isn’t flexible enough for you, or is missing features. For instance, we provide
a tool, pb
, which allows users to view information about others based on
their username (see here). Additionally,
ensuring you have physical access to these machines, with at least one account
that isn’t an LDAP account is paramount: in the event of a network failure or
misconfigured firewall you don’t want to be locked out of all your servers!