The nethserver-directory implements user authentication and authorization. All accounts are saved inside OpenLDAP.
- RFC2307 schema, user and group account management
- PAM LDAP password storage
- Password strength control
- Service accounts
Schema and base DN¶
Following schema are always loaded by OpenLDAP: core, cosine, nis, inetorgperson.
The LDAP tree is always accessible with the following base DN: dc=directory,dc=nh. But there is also an overlay which maps the domain name to the base DN. For example, given the domain mydomain.com, the corresponding DN will be dc=mydomain,dc=com.
Accounts are saved inside following branches:
- Users: ou=People,dc=directory,dc=nh
- Groups: ou=Groups,dc=directory,dc=nh
All users are in the primary group named locals.
List all entries, with root access and automatic bind (unix domain socket):
ldapsearch -Y EXTERNAL
List all entries with libuser bind:
ldapsearch -D cn=libuser,dc=directory,dc=nh -w `cat /var/lib/nethserver/secrets/libuser` -h 127.0.0.1
User account states¶
Account management is done via libuser which exports some tools (luseradd, luserdel, etc) to create/modify/delete users, groups and set passwords.
The process of user/group creations is:
- invoke the create event which uses libuser to add the record inside LDAP
- invoke the group even if the user must be members of additional groups
- invoke the password policy event to change user password expiration
- invoke the password change event to set a password
OpenLDAP doesn’t output any log with standard configuration.
When logging is enabled, all logs are saved inside
But its verbosity can be changed at run time by issuing this command:
# ldapmodify -Y EXTERNAL <<EOF dn: cn=config changetype: modify replace: olcLogLevel olcLogLevel: 256 EOF
The command above changes the OpenLDAP config DB and set the log verbosity to trace “connections/operations/results” (256). Check the debugging levels table from OpenLDAP site for more details: http://www.openldap.org/doc/admin24/slapdconf2.html#olcLogLevel%3A%20%3Clevel%3E.
The following service accounts are configured by the
cn=libuser,dc=directory,dc=nh. Granted read and write access from 127.0.0.1.
cn=ldapservice,dc=directory,dc=nh. Granted read only access to non-sensitive attributes, from localhost, or from any other IP address with TLS.
The developer can use the
NethServe::Directory Perl module to handle
additional service accounts with ad-hoc permissions, if the existing
libuser accounts and anonymous binds do not fit his requirements.
A service account is composed by three parts:
- a LDAP user
- a password
- an ACL to access LDAP fields
Perl code snippet to create a service account with read access:
use NethServer::Directory; ... NethServer::Directory->new()->configServiceAccount('myservice', NethServer::Directory::FIELDS_READ) || die("Failed to register myservice account")
Perl code snippet to use created password:
use NethServer::Password; my $pwd = NethServer::Password::store('myservice');
Authenticated binds are granted to TLS protected connections, or connections from 127.0.0.1. User DN are in the form:
Some LDAP clients and/or legacy environments may require anonymous bind to the LDAP accounts database. Currently anonymous access is granted to non-sensitive fields.
Configuration for client:
- Host: ip address of the server
- Port: 389
- Base DN:
An existing DN (i.e.
administrator) can be granted full administrative
privileges on the whole
dc=directory,dc=nh tree. By default, the designated
user is defined in config DB, under the
ldapmodify -Y EXTERNAL <<EOF
Inspect OpenLDAP ACLs¶
Service accounts require OpenLDAP ACLs tuning. To inspect the current ACLs type:
ldapsearch -LLL -Y EXTERNAL -b cn=config -s one 'objectClass=olcDatabaseConfig' olcAccess 2>/dev/null
If output appears to be base64-encoded type:
ldapsearch -LLL -Y EXTERNAL -b cn=config -s one 'objectClass=olcDatabaseConfig' olcAccess 2>/dev/null | perl -MMIME::Base64 -MEncode=decode -n -00 -e 's/\n +//g;s/(?<=:: )(\S+)/decode("UTF-8",decode_base64($1))/eg;print'
Upgrade to Active Directory¶
If the LDAP database has been restored from a ns6 backup set, it is possible to upgrade it to a local Active Directory accounts provider.
A ns7 LDAP database cannot be upgraded to Active Directory. It lacks the Samba LDAP schema extensions required by the Samba classic upgrade procedure.
- removes the
- installs and configures
Before running the event, assign a free IP address to the
container, installed by
nethserver-dc RPM. Ensure it is a free IP
address of a green network.
config set nsdc service IpAddress A.B.C.D signal-event nethserver-directory-ns6upgrade