nethserver-directory

The nethserver-directory implements user authentication and authorization. All accounts are saved inside OpenLDAP.

Features:

  • RFC2307 schema, user and group account management
  • PAM LDAP password storage
  • Password strength control
  • Service accounts

Schema and base DN

The following schemas are always loaded by OpenLDAP: core, cosine, nis, inetorgperson.

The LDAP tree is always accessible with the base DN dc=directory,dc=nh. An overlay also maps the server's domain name to that base DN: for example, given the domain mydomain.com, the corresponding DN is dc=mydomain,dc=com.

Accounts are saved inside the following branches:

  • Users: ou=People,dc=directory,dc=nh
  • Groups: ou=Groups,dc=directory,dc=nh

All users are in the primary group named locals.

Examples

List all entries, with root access and automatic bind (unix domain socket):

ldapsearch -Y EXTERNAL

List all entries with libuser bind:

ldapsearch -D cn=libuser,dc=directory,dc=nh -w `cat /var/lib/nethserver/secrets/libuser` -h 127.0.0.1

User account states

Account management is done via libuser, which provides command line tools (luseradd, luserdel, etc.) to create, modify and delete users and groups and to set passwords.

The process of user/group creation is:

  • invoke the create event, which uses libuser to add the record to LDAP
  • invoke the group event if the user must be a member of additional groups
  • invoke the password policy event to change the user's password expiration
  • invoke the password change event to set a password

Logging

With the standard configuration OpenLDAP outputs no log at all. When logging is enabled, all logs are saved inside /var/log/slapd. The verbosity can be changed at run time by issuing this command:

# ldapmodify -Y EXTERNAL <<EOF
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: 256
EOF

The command above modifies the OpenLDAP config DB and sets the log level to 256, which traces “connections/operations/results”. See the debugging levels table on the OpenLDAP site for more details: http://www.openldap.org/doc/admin24/slapdconf2.html#olcLogLevel%3A%20%3Clevel%3E.

Service accounts

The following service accounts are configured by the nethserver-directory-dit-setup action:

  • cn=libuser,dc=directory,dc=nh. Granted read and write access from 127.0.0.1.
  • cn=ldapservice,dc=directory,dc=nh. Granted read-only access to non-sensitive attributes from localhost, or from any other IP address when TLS is used.

The developer can use the NethServer::Directory Perl module to handle additional service accounts with ad-hoc permissions, if the existing ldapservice and libuser accounts and anonymous binds do not fit their requirements.

A service account is composed of three parts:

  • an LDAP user
  • a password
  • an ACL to access LDAP fields

Perl code snippet to create a service account with read access:

use NethServer::Directory;
...
# Create (or update) the "myservice" account with read-only field access
NethServer::Directory->new()->configServiceAccount('myservice', NethServer::Directory::FIELDS_READ)
    || die("Failed to register myservice account");

Perl code snippet to use the created password:

use NethServer::Password;
my $pwd = NethServer::Password::store('myservice');

User accounts

Authenticated binds are allowed on TLS-protected connections or on connections from 127.0.0.1. User DNs have the form:

uid=<username>,ou=People,dc=directory,dc=nh

Anonymous access

Some LDAP clients and/or legacy environments may require an anonymous bind to the LDAP accounts database. Currently anonymous access is granted to non-sensitive fields.

Client configuration:

  • Host: IP address of the server
  • Port: 389
  • Base DN: dc=directory,dc=nh

Administrative access

An existing DN (i.e. the administrator user) can be granted full administrative privileges on the whole dc=directory,dc=nh tree. By default, the designated user is defined in the config DB, under the admins key.

# ldapmodify -Y EXTERNAL <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: uid=administrator,ou=People,dc=directory,dc=nh
EOF

Inspect OpenLDAP ACLs

Service accounts require OpenLDAP ACL tuning. To inspect the current ACLs, type:

ldapsearch -LLL -Y EXTERNAL -b cn=config -s one 'objectClass=olcDatabaseConfig' olcAccess 2>/dev/null

If the output appears to be base64-encoded, type:

ldapsearch -LLL -Y EXTERNAL -b cn=config -s one 'objectClass=olcDatabaseConfig' olcAccess 2>/dev/null | perl -MMIME::Base64 -MEncode=decode -n -00 -e 's/\n +//g;s/(?<=:: )(\S+)/decode("UTF-8",decode_base64($1))/eg;print'
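The same unfolding and base64 decoding that the Perl one-liner performs, written out in Python as an added example (not part of nethserver-directory): it joins LDIF continuation lines and decodes "::" values, and runs here on a constructed olcAccess entry whose ACLs are hypothetical, not the ones the project ships.

```python
import base64
from typing import Dict, List

def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines: a line starting with one space
    continues the previous line, and that leading space is dropped."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into attribute -> values; 'attr:: <b64>'
    values are base64-decoded, 'attr: value' is taken as-is."""
    entry: Dict[str, List[str]] = {}
    for line in unfold_ldif(text):
        if not line or line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        entry.setdefault(attr, []).append(value)
    return entry

def fold(line: str, width: int = 76) -> str:
    """Wrap a long line as ldapsearch does (continuations start with a space)."""
    return line[:width] + "".join(
        "\n " + line[i:i + width] for i in range(width, len(line), width))

# Constructed sample (hypothetical ACLs, not the ones shipped by
# nethserver-directory); the second value is base64-encoded with '::',
# as ldapsearch does for values it will not print verbatim.
PLAIN_ACL = ('{0}to attrs=userPassword by dn.exact="cn=libuser,dc=directory,dc=nh"'
             ' write by self write by anonymous auth by * none')
ENCODED_ACL = ('{1}to attrs=cn,uid by dn.exact="cn=ldapservice,dc=directory,dc=nh"'
               ' read by * none')
SAMPLE_LDIF = "\n".join([
    "dn: olcDatabase={2}hdb,cn=config",
    fold("olcAccess: " + PLAIN_ACL),
    fold("olcAccess:: " + base64.b64encode(ENCODED_ACL.encode()).decode()),
]) + "\n"
```

Feed real ldapsearch output to parse_ldif_entry one entry at a time (entries are separated by a blank line) to get the ACLs as readable strings.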

Upgrade to Active Directory

If the LDAP database has been restored from a ns6 backup set, it is possible to upgrade it to a local Active Directory accounts provider.

A ns7 LDAP database cannot be upgraded to Active Directory. It lacks the Samba LDAP schema extensions required by the Samba classic upgrade procedure.

The nethserver-directory-ns6upgrade event:

  • removes the nethserver-directory RPM
  • installs and configures nethserver-dc

Before running the event, assign a free IP address to the nsdc Linux container installed by the nethserver-dc RPM. Make sure it is a free IP address on a green network.

config set nsdc service IpAddress A.B.C.D
signal-event nethserver-directory-ns6upgrade