The nethserver-directory implements user authentication and authorization. All accounts are saved inside OpenLDAP.
- User and group account management
- PAM LDAP password storage
- Password strength control
- Service accounts
Schema and base DN¶
Following schema are used inside OpenLDAP:
- always loaded: core, inetorgperson, cosine, corba
The LDAP tree is always accessible with the following DN: dc=directory,dc=nh. But there is also an overlay which maps the domain name to the base DN. For example, given the domain mydomain.com, the corresponding DN will be dc=mydomain,dc=com.
Accounts are saved inside following branches:
- Users: ou=People,dc=directory,dc=nh
- Groups: ou=Groups,dc=directory,dc=nh
All users are in the primary group named locals.
List all entries, with root access and automatic bind:
ldapsearch -Y EXTERNAL
List all entries with libuser bind:
ldapsearch -D cn=libuser,dc=directory,dc=nh -w `cat /var/lib/nethserver/secrets/libuser`
User account states¶
Account management is done via libuser which exports some tools (luseradd, luserdel, etc) to create/modify/delete users and groups.
The process of user/group creations is:
- invoke the create event which uses libuser to add the record inside LDAP
- invoke the group even if the user must be members of additional groups
- invoke the password policy event to change user password expiration
- invoke the password change event to set a password
OpenLDAP doesn’t output any log with standard configuration.
When logging is enabled, all logs are saved inside
But its verbosity can be changed at run time by issuing this command:
# ldapmodify -Y EXTERNAL <<EOF dn: cn=config changetype: modify replace: olcLogLevel olcLogLevel: 256 EOF
The command above changes the OpenLDAP config DB and set the log verbosity to trace “connections/operations/results” (256). Check the debugging levels table from OpenLDAP site for more details: http://www.openldap.org/doc/admin24/slapdconf2.html#olcLogLevel%3A%20%3Clevel%3E.
slapd log file can grow quickly. Remember to set olcLogLevel to 0 if you do not need it any longer.
To permanently change LDAP log level:
config setprop slapd LogLevel 256 signal-event nethserver-directory-update
If a program need to access the LDAP, it should create a special account called service account. A service account is composed by three parts:
- a LDAP user
- a password
- an ACL to access LDAP fields
The developer can use the
NethServe::Directory perl module to handle a service account.
Perl code snippet to create a service account with read access:
use NethServer::Directory; ... NethServer::Directory->new()->configServiceAccount('myservice', NethServer::Directory::FIELDS_READ) || die("Failed to register myservice account")
Perl code snippet to use created password:
use NethServer::Password; my $pwd = NethServer::Password::store('myservice');
Some LDAP clients and/or legacy environments may require anonymous bind to the LDAP accounts database. Currently anonymous access is granted to non-sensitive fields.
Configuration for client (eg. Mozilla Thunderbird):
- Host: ip address of the server
- Port: 389
- Base DN: ou=People,dc=example,dc=org
- On Advanced tab, make sure “Login method” is set to “Simple”
Inspect OpenLDAP ACLs¶
Service accounts require OpenLDAP ACLs tuning. To inspect the current ACLs type:
ldapsearch -LLL -Y EXTERNAL -b cn=config -s one 'objectClass=olcDatabaseConfig' olcAccess 2>/dev/null
If output appears to be base64-encoded type:
ldapsearch -LLL -Y EXTERNAL -b cn=config -s one 'objectClass=olcDatabaseConfig' olcAccess 2>/dev/null | perl -MMIME::Base64 -MEncode=decode -n -00 -e 's/\n +//g;s/(?<=:: )(\S+)/decode("UTF-8",decode_base64($1))/eg;print'