Preventive Service Planning
Abstract
This article describes enabling Unix authentication by using OpenLDAP and SSSD on CentOS 6.6.
A major area of IBM Infosphere BigInsights is authentication, which may include the requirement to integrate with an LDAP server along with the more recent System Security Services Daemon.
This article provides a detailed implementation of an open source solution to facilitate the provision of these services for subsequent integration with BI and other products.
What is OpenLDAP?
OpenLDAP is a free, open source implementation of the Lightweight Directory Access Protocol (LDAP) developed by the OpenLDAP Project. It is released under its own BSD-style license, the OpenLDAP Public License. In essence, OpenLDAP is a directory service: it answers queries (on port 389 for plain LDAP, optionally upgraded with StartTLS, or on port 636 for LDAP over TLS) against Organisations (e.g. jj.com) and Organisation Units (e.g. Groups, Persons), returning the requested attributes, which are dictated by schemas.
What is sssd - System Security Services Daemon?
The System Security Services Daemon (SSSD) is a service which provides access to different identity and authentication providers. You can configure SSSD to use a native LDAP domain (that is, an LDAP identity provider with LDAP authentication), or an LDAP identity provider with Kerberos authentication. It provides an NSS and PAM interface to the system, and a pluggable back-end system to connect to multiple different account sources.
Content
Setting up a Virtual Machine OpenLDAP Server on CentOS 6.6
Base O/S installation and installation of Required Packages for OpenLDAP and SSSD
1. Set up a base CentOS 6.6 machine, in this example a Virtual Machine, and ensure fully up to date:
a. Create a 2 GB RAM, 32 GB Disk, 2 CPU (Dual Core) VM with CentOS 6.6
b. Fix the IP Address allocation from DNS (192.168.0.220)
c. Set the hostname jj_openldap and the domainname jj.com (hostname jj_openldap; domainname jj.com)
d. Update /etc/hosts, adding "192.168.0.220 jj_openldap.jj.com jj_openldap"
e. Set the Date and Time to use the default NTP servers, the Timezone to be London and Keyboard Layout to be Lenovo T61 with UK as the Default
f. Run yum update -y to ensure all latest updates of Base O/S installed
g. Shutdown and Restart the Virtual Machine and confirm all settings
2. Installation of required packages for OpenLDAP and SSSD
a. yum install openldap openldap-clients openldap-servers sssd
Note that this specific package may already be installed - "Package openldap-2.4.39-8.el6.x86_64 already installed and latest version"
b. yum install pam_ldap
c. yum install authconfig
Note that this specific package may already be installed - "Package authconfig-6.1.12-19.el6.x86_64 already installed and latest version"
Configuring OpenLDAP
1. Create a password hash for your admin account in OpenLDAP using slappasswd; in this example the password is P4ssw0rd:
# slappasswd
New password:
Re-enter new password:
{SSHA}wgUObN60Gru2M2wFSd96CO36GhRfYM5Z
2. Update /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif, using vi, with the administration secret password:
Edit olcRootPW, or add it if it does not already exist, and append the SSHA password hash you created earlier:
# vi /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif
olcRootPW: {SSHA}wgUObN60Gru2M2wFSd96CO36GhRfYM5Z
3. Update /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif, using vi, to reflect the name of your ldap server:
Edit olcSuffix and olcRootDN to reflect the name of your ldap server.
# vi /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif
olcSuffix: dc=jj,dc=com
olcRootDN: cn=jritson,dc=jj,dc=com
4. Update /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif, using vi, to restrict users from seeing each others password hashes:
Add the following lines to allow users to read and write their own passwords, while blocking other users that are not admin from viewing them. It will also allow non-password attributes to be viewed by everybody.
# vi /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif
olcAccess: {0}to attrs=userPassword by self write by dn.base="cn=jritson,dc=jj,dc=com" write by anonymous auth by * none
olcAccess: {1}to * by dn.base="cn=jritson,dc=jj,dc=com" write by self write by * read
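Before restarting slapd it is worth checking that the two directives really do what step 4 intends. The following is an added example, not code from the article or from OpenLDAP: a small model of slapd's evaluation order (first matching "to" clause is selected, then the first matching "by" clause decides, and a selected clause with no matching "by" denies) for exactly the clause forms used above. The admin DN is the olcRootDN from step 3; the user DNs in the usage are constructed.

```python
import re
from typing import List, Optional, Tuple

# slapd access levels in increasing order; a grant at one level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
ADMIN = "cn=jritson,dc=jj,dc=com"     # the olcRootDN set in step 3

# The two olcAccess directives from step 4, in their {0}/{1} order.
OLC_ACCESS = [
    'to attrs=userPassword by self write by dn.base="%s" write by anonymous auth by * none' % ADMIN,
    'to * by dn.base="%s" write by self write by * read' % ADMIN,
]

BY_RE = re.compile(r'by\s+(self|anonymous|users|\*|dn\.base="[^"]*")\s+(\w+)')


def parse(directive: str) -> Tuple[Optional[str], List[Tuple[str, str]]]:
    """Split one directive into (attribute it covers, or None for any) and its
    ordered (who, level) clauses. Only the clause forms the article uses are handled."""
    target, rest = directive.split(" by ", 1)
    target = target.strip()
    if target.startswith("to attrs="):
        attr = target[len("to attrs="):].lower()
    elif target == "to *":
        attr = None
    else:
        raise ValueError("unsupported target: " + target)
    return attr, BY_RE.findall("by " + rest)


def who_matches(who: str, requester: Optional[str], entry_dn: str) -> bool:
    """requester is the bound DN, or None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == entry_dn.lower()
    if who.startswith('dn.base="'):
        return requester is not None and requester.lower() == who[9:-1].lower()
    raise ValueError("unsupported who clause: " + who)


def granted_level(requester: Optional[str], entry_dn: str, attr: str) -> str:
    """Level slapd grants: the first 'to' clause covering attr is selected, then
    the first 'by' clause matching the requester decides; if none matches,
    access is denied and later directives are not consulted."""
    for directive in OLC_ACCESS:
        covered_attr, clauses = parse(directive)
        if covered_attr is not None and covered_attr != attr.lower():
            continue
        for who, level in clauses:
            if who_matches(who, requester, entry_dn):
                return level
        return "none"
    return "none"


def allowed(requester: Optional[str], entry_dn: str, attr: str, wanted: str) -> bool:
    """True if the granted level is at least the level wanted."""
    return LEVELS.index(granted_level(requester, entry_dn, attr)) >= LEVELS.index(wanted)


if __name__ == "__main__":
    user = "uid=biuser1,ou=People,dc=jj,dc=com"      # constructed DNs
    other = "uid=biuser2,ou=People,dc=jj,dc=com"
    for req, label in ((None, "anonymous"), (other, "another user"), (user, "the user"), (ADMIN, "admin")):
        print("%-13s userPassword -> %s, loginShell -> %s" % (
            label, granted_level(req, user, "userPassword"), granted_level(req, user, "loginShell")))
```

The important line is the "by anonymous auth" clause: an unauthenticated client may use the stored hash to bind (auth) but not read it, which is what lets sssd authenticate users while keeping hashes private from everyone except the owner and the admin.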
5. Update /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif, using vi, and modify olcAccess so it matches the dn.base we set the olcRootDN to in olcDatabase={2}bdb.ldif:
Edit olcAccess so that the dn.base matches the olcRootDN set in olcDatabase={2}bdb.ldif:
# vi /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=auth" read by dn.base="cn=jritson,dc=jj,dc=com" read by * none
6. Start openldap and also have it start up at boot time:
Start the slapd service. Note the warning, which results from editing the files directly: the "# CRC32" checksum header no longer matches the contents of the two modified files (this can easily be addressed by recomputing that header):
# service slapd start
Checking configuration files for slapd: [WARNING]
55a4c340 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
55a4c340 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif"
config file testing succeeded
Starting slapd: [ OK ]
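One way to clear the checksum warning after a hand edit, as an added example that is not code from the article or from OpenLDAP: recompute the "# CRC32 xxxxxxxx" header line. It assumes, as back-ldif does, that the value is the standard (zlib) CRC-32 of every byte following the first line of the file; the file contents in the usage are constructed.

```python
"""Recompute the "# CRC32" header that slapd writes at the top of each
/etc/openldap/slapd.d/... .ldif file, so a hand-edited file no longer
triggers "ldif_read_file: checksum error" at startup."""
import re
import sys
import zlib

CRC_LINE = re.compile(rb"^# CRC32 ([0-9a-fA-F]{8})\n")


def crc_of_body(body: bytes) -> int:
    """CRC-32 over everything after the header line (assumed back-ldif behaviour)."""
    return zlib.crc32(body) & 0xFFFFFFFF


def split_header(data: bytes):
    """Return (stored CRC as int, or None if no header, body bytes)."""
    m = CRC_LINE.match(data)
    if not m:
        return None, data
    return int(m.group(1), 16), data[m.end():]


def verify(data: bytes) -> bool:
    """True when the header is present and matches the body."""
    stored, body = split_header(data)
    return stored is not None and stored == crc_of_body(body)


def fix(data: bytes) -> bytes:
    """Return the file contents with a header that matches the current body."""
    _, body = split_header(data)
    return b"# CRC32 %08x\n" % crc_of_body(body) + body


def fix_file(path: str) -> bool:
    """Rewrite path in place; returns True if the header had to change."""
    with open(path, "rb") as f:
        data = f.read()
    new = fix(data)
    if new == data:
        return False
    with open(path, "wb") as f:
        f.write(new)
    return True


if __name__ == "__main__":
    # Usage: python fix_crc.py /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif ...
    for p in sys.argv[1:]:
        print("%s: %s" % (p, "header updated" if fix_file(p) else "already valid"))
```

Run it over the two files edited above before starting slapd. Because verify() only succeeds when the header matches, it also serves as a quick integrity check that nobody has altered a slapd.d file outside of ldapmodify since it was last written.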
Enable the slapd service to be started at boot time:
# chkconfig slapd on
An OpenLDAP service is now running on jj_openldap.jj.com:
# ps -ef | grep ldap
ldap 1900 1 0 09:32 ? 00:00:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -u ldap
However, there are no details on the Organisation or Organisation units yet!
# ldapsearch -x -LLL -D cn=jritson,dc=jj,dc=com -w P4ssw0rd
No such object (32)
7. Adding Organisation, Organisation Units, a Group entry, a People entry and placement of a People entry in a Groups entry:
The following describes a utility script, jj_ldap_additions.sh, to create the relevant ldif files and then add these contents to the directory server.
a. What is being added and modified?
Organisation (O) jj.com (Distinguished Name dc=jj,dc=com)
Organisation Unit (OU) of Groups (DN ou=Groups,dc=jj,dc=com)
OU of People (DN ou=People,dc=jj,dc=com)
Create a Groups entry of "biadmin" (DN cn=biadmin,ou=Groups,dc=jj,dc=com) - note the "objectClass"es for a Posix group etc.
Create a People entry of "biuser1" (DN uid=biuser1,ou=People,dc=jj,dc=com) - note the "objectClass"es for a Posix account etc.
Modify the "biadmin" Groups entry to add "biuser1" as a member (memberUid)
b. The jj_ldap_additions.sh (ensure executable; -x selects a simple bind, and note that -w puts the admin password on the command line, where it is visible in the process list and shell history - use -W to be prompted instead):
#!/bin/bash
# Directory for the generated ldif files
mkdir -p /root/OpenLDAP
# Create Organisation ldif file
echo "dn: dc=jj,dc=com
objectClass: dcObject
objectClass: organization
dc: jj
o: jj" > /root/OpenLDAP/Organisation.ldif
# Add the Organisation to the directory
ldapadd -x -f /root/OpenLDAP/Organisation.ldif -D cn=jritson,dc=jj,dc=com -w P4ssw0rd
# Create an Organisational Unit of Groups
echo "dn: ou=Groups,dc=jj,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Groups" > /root/OpenLDAP/Groups.ldif
ldapadd -x -f /root/OpenLDAP/Groups.ldif -D cn=jritson,dc=jj,dc=com -w P4ssw0rd
# Create an Organisational Unit of People
echo "dn: ou=People,dc=jj,dc=com
objectClass: organizationalUnit
objectClass: top
ou: People" > /root/OpenLDAP/People.ldif
ldapadd -x -f /root/OpenLDAP/People.ldif -D cn=jritson,dc=jj,dc=com -w P4ssw0rd
# Create the biadmin posixGroup ldif file
echo "dn: cn=biadmin,ou=Groups,dc=jj,dc=com
objectClass: top
objectClass: posixGroup
cn: biadmin
userPassword: {crypt}x
gidNumber: 3001" > /root/OpenLDAP/biadmin.ldif
# Add the biadmin group to the directory
ldapadd -x -f /root/OpenLDAP/biadmin.ldif -D cn=jritson,dc=jj,dc=com -w P4ssw0rd
# Create the biuser1 posixAccount ldif file
echo "dn: uid=biuser1,ou=People,dc=jj,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: BI user1
uid: biuser1
uidNumber: 3001
gidNumber: 3001
homeDirectory: /home/biuser1
loginShell: /bin/bash
gecos: BI User 1, BI User, Data Analyst 1, 888
userPassword: {crypt}x
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0" > /root/OpenLDAP/biuser1.ldif
# Add the biuser1 account to the directory
ldapadd -x -f /root/OpenLDAP/biuser1.ldif -D cn=jritson,dc=jj,dc=com -w P4ssw0rd
# Create modification ldif adding biuser1 to biadmin
echo "dn: cn=biadmin,ou=Groups,dc=jj,dc=com
changetype: modify
add: memberuid
memberuid: biuser1" > /root/OpenLDAP/modify.ldif
# Modify the biadmin group to add biuser1 (the ldif was written to /root/OpenLDAP, so use the full path)
ldapmodify -x -f /root/OpenLDAP/modify.ldif -D cn=jritson,dc=jj,dc=com -w P4ssw0rd
c. Running jj_ldap_additions.sh
# ./jj_ldap_additions.sh
adding new entry "dc=jj,dc=com"
adding new entry "ou=Groups,dc=jj,dc=com"
adding new entry "ou=People,dc=jj,dc=com"
adding new entry "cn=biadmin,ou=Groups,dc=jj,dc=com"
adding new entry "uid=biuser1,ou=People,dc=jj,dc=com"
modifying entry "cn=biadmin,ou=Groups,dc=jj,dc=com"
d. Supporting ldap commands
List all entries for the Organisation (-D is the admin and the Organisation)
# ldapsearch -x -LLL -D "cn=jritson,dc=jj,dc=com" -w P4ssw0rd -b "dc=jj,dc=com"
List details for a specific entry (-b provides the search argument to the search on)
# ldapsearch -x -LLL -D "cn=jritson,dc=jj,dc=com" -b "uid=biuser1,ou=People,dc=jj,dc=com" -w P4ssw0rd
Delete a specific entry (use the specific DN)
# ldapdelete -x -D "cn=jritson,dc=jj,dc=com" -w P4ssw0rd "uid=biuser1,ou=People,dc=jj,dc=com"
8. Open up the firewall to allow the relevant port access to OpenLDAP:
By default, the CentOS 6 firewall will block external requests to OpenLDAP; modify iptables to allow access:
# vi /etc/sysconfig/iptables
Insert the rule among the existing ACCEPT rules, above the final REJECT rules:
-A INPUT -p tcp --dport 389 -j ACCEPT
Then reload the rule set from the file (do not use iptables --flush: that removes every rule and leaves the host fully open instead of opening only port 389):
# service iptables restart
Configuring the System Security Services Daemon client (sssd) and setting the O/S to perform authentication through LDAP as well.
At this point, the O/S will still not call on OpenLDAP to perform authentication - sssd needs to be configured and started.
Here we are performing on the OpenLDAP server itself; if performing on a client, then install the following packages using yum:
yum install pam_ldap openldap-clients sssd
1. Create the required sssd configuration file, /etc/sssd/sssd.conf, which must be owned by root:root with permissions 0600 (sssd refuses to start otherwise). Note that this is a basic starting point: it binds as the directory rootDN over plain LDAP on port 389, so the admin password is stored in sssd.conf and crosses the network in clear text; a production deployment should use a dedicated read-only bind DN and TLS.
a. Note that the following are site specific entries:
"ldap_search_base = dc=jj,dc=com"
"ldap_uri = ldap://jj_openldap.jj.com:389/"
"ldap_default_bind_dn = cn=jritson,dc=jj,dc=com"
"ldap_default_authtok_type = password"
"ldap_default_authtok = P4ssw0rd"
Note that the following is required if running without TLS (in-secure, as with the plain ldap:// URI above):
"ldap_tls_reqcert = never"
Note that the following prevents the default behaviour of sssd, which continues to query OpenLDAP for an account even after a matching local entry has been found:
[domain/default]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd,biadmin,bigsql,catalog,hdfs,hive,mapred,monitoring
b. The sssd.conf contents:
[sssd]
config_file_version = 2
services = nss, pam
domains = default
[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
[pam]
[domain/default]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd,biadmin,bigsql,catalog,hdfs,hive,mapred,monitoring
auth_provider = ldap
id_provider = ldap
ldap_schema = rfc2307
ldap_search_base = dc=jj,dc=com
ldap_group_member = memberuid
ldap_tls_reqcert = never
ldap_id_use_start_tls = False
chpass_provider = ldap
ldap_uri = ldap://jj_openldap.jj.com:389/
ldap_tls_cacertdir = /etc/openldap/cacerts
entry_cache_timeout = 600
ldap_network_timeout = 3
#ldap_access_filter = (&(object)(object))
ldap_default_bind_dn = cn=jritson,dc=jj,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = P4ssw0rd
cache_credentials = True
enumerate=true
c. If on a client, ensure the OpenLDAP server hostname can be resolved either by /etc/hosts or DNS.
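A quick audit of the sssd.conf above, as an added example that is not code from the article or from SSSD. It parses the file with Python's configparser and reports the settings that are acceptable in this lab but not beyond it (plain ldap:// without StartTLS, ldap_tls_reqcert = never, the directory rootDN used as the bind DN, the bind password stored in clear), and checks the root:root 0600 requirement from step 1. The configuration text is a constructed copy of the article's; the rootDN value is taken from step 3 of the OpenLDAP section.

```python
import configparser
import os
import stat
from typing import List

ROOT_DN = "cn=jritson,dc=jj,dc=com"   # olcRootDN from the OpenLDAP configuration

# Constructed copy of the article's sssd.conf (filter_users lines omitted).
SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = default
[nss]
[pam]
[domain/default]
auth_provider = ldap
id_provider = ldap
ldap_search_base = dc=jj,dc=com
ldap_tls_reqcert = never
ldap_id_use_start_tls = False
ldap_uri = ldap://jj_openldap.jj.com:389/
ldap_default_bind_dn = cn=jritson,dc=jj,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = P4ssw0rd
cache_credentials = True
enumerate=true
"""


def audit_text(text: str) -> List[str]:
    """Return one finding per lab-only setting found in any [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        uri = d.get("ldap_uri", "")
        start_tls = d.get("ldap_id_use_start_tls", "false").lower() == "true"
        if uri.startswith("ldap://") and not start_tls:
            findings.append("%s: credentials and lookups travel in clear text (ldap:// without StartTLS)" % section)
        if d.get("ldap_tls_reqcert", "").lower() == "never":
            findings.append("%s: ldap_tls_reqcert = never disables server certificate checking" % section)
        if d.get("ldap_default_bind_dn", "").lower() == ROOT_DN.lower():
            findings.append("%s: binds as the directory rootDN; use a dedicated read-only bind DN" % section)
        if d.get("ldap_default_authtok") and d.get("ldap_default_authtok_type", "password") == "password":
            findings.append("%s: bind password stored in clear in sssd.conf" % section)
    return findings


def perm_findings(mode: int, uid: int, gid: int) -> List[str]:
    """sssd requires root:root and 0600 on its configuration file."""
    findings = []
    if stat.S_IMODE(mode) != 0o600:
        findings.append("mode is %04o, expected 0600" % stat.S_IMODE(mode))
    if (uid, gid) != (0, 0):
        findings.append("owner is %d:%d, expected root:root" % (uid, gid))
    return findings


def audit_file(path: str) -> List[str]:
    """Combine the permission check and the content check for a real file."""
    st = os.stat(path)
    with open(path) as f:
        text = f.read()
    return perm_findings(st.st_mode, st.st_uid, st.st_gid) + audit_text(text)


if __name__ == "__main__":
    for line in audit_text(SAMPLE_SSSD_CONF):
        print(line)
```

Run audit_file("/etc/sssd/sssd.conf") on a node after step 1; an empty list means the permissions are right and none of the lab-only settings remain.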
2. Using authconfig, enable the O/S configurations:
/usr/sbin/authconfig --enableldapauth --enablemkhomedir --enablesysnetauth --enablesssd --enablesssdauth --enablelocauthorize --ldapserver=ldap://jj_openldap.jj.com --ldapbasedn="dc=jj,dc=com" --update
It is the above command, authconfig, which should resolve the requirements at the O/S level; to confirm what this will do, change --update to --test.
(Files that are changed should be validated, including nsswitch.conf)
3. Start sssd and also have it start up at boot time:
Start the sssd service:
# service sssd start
Starting sssd: [ OK ]
Enable the sssd service to be started at boot time:
# chkconfig sssd on
4. Now validate the user from OpenLDAP - NOTE THAT THE GROUPID FOR BIADMIN SHOULD BE CONSISTENT across all nodes, both from /etc/group and OpenLDAP
# id biuser1
uid=3001(biuser1) gid=3001(biadmin) groups=3001(biadmin)
# su - biuser1
The first time biuser1 logs on (or an su - to the user is performed, as above), the user's home directory will be created (note the --enablemkhomedir argument to authconfig). Note that biuser1 was created with userPassword {crypt}x, which no password can match, so a real password must be set (for example with ldappasswd) before the user can authenticate directly.
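The warning in step 4 about keeping the biadmin group ID consistent can be checked mechanically. The following is an added example, not code from the article: it reads a node's /etc/group and the posixGroup entries from the directory (in the LDIF form produced by jj_ldap_additions.sh or returned by ldapsearch -LLL) and reports names with differing gids or gids shared by different names. The /etc/group lines and the LDIF are constructed sample data, with a deliberate mismatch for a "hadoop" group.

```python
from typing import Dict, List, Tuple

# Constructed sample of a node's /etc/group.
SAMPLE_ETC_GROUP = """\
root:x:0:
ldap:x:55:
biadmin:x:3001:
hadoop:x:3002:biuser1
"""

# Constructed sample of the posixGroup entries held in OpenLDAP.
SAMPLE_LDIF = """\
dn: cn=biadmin,ou=Groups,dc=jj,dc=com
objectClass: top
objectClass: posixGroup
cn: biadmin
gidNumber: 3001
memberUid: biuser1

dn: cn=hadoop,ou=Groups,dc=jj,dc=com
objectClass: top
objectClass: posixGroup
cn: hadoop
gidNumber: 3005
"""


def parse_etc_group(text: str) -> Dict[str, int]:
    """name -> gid from /etc/group-style lines."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, _members = line.split(":", 3)
        groups[name] = int(gid)
    return groups


def parse_ldif_groups(text: str) -> Dict[str, int]:
    """Minimal LDIF reader (blank-line separated entries, 'attr: value' lines,
    leading-space continuation lines). Returns cn -> gidNumber for every entry
    with objectClass posixGroup."""
    groups, entry = {}, {}

    def flush():
        classes = [v.lower() for v in entry.get("objectclass", [])]
        if "posixgroup" in classes and "cn" in entry and "gidnumber" in entry:
            groups[entry["cn"][0]] = int(entry["gidnumber"][0])
        entry.clear()

    prev = None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and prev is not None:
            entry[prev][-1] += raw[1:]
            continue
        if raw == "":
            if entry:
                flush()
            prev = None
            continue
        if raw.startswith("#"):
            continue
        key, _, value = raw.partition(":")
        key = key.lower()
        entry.setdefault(key, []).append(value.strip())
        prev = key
    return groups


def gid_conflicts(local: Dict[str, int], ldap: Dict[str, int]) -> List[Tuple[str, str]]:
    """(group, problem) pairs: same name with different gids, or one gid used by
    different names. An empty list means file ownership will agree across nodes."""
    problems = []
    for name in sorted(set(local) & set(ldap)):
        if local[name] != ldap[name]:
            problems.append((name, "gid %d locally but %d in LDAP" % (local[name], ldap[name])))
    by_gid = {}
    for table in (local, ldap):
        for name, gid in table.items():
            by_gid.setdefault(gid, set()).add(name)
    for gid, names in sorted(by_gid.items()):
        if len(names) > 1:
            problems.append((",".join(sorted(names)), "gid %d shared by different names" % gid))
    return problems


def check_sample() -> List[Tuple[str, str]]:
    return gid_conflicts(parse_etc_group(SAMPLE_ETC_GROUP), parse_ldif_groups(SAMPLE_LDIF))


if __name__ == "__main__":
    for group, problem in check_sample():
        print("%s: %s" % (group, problem))
```

On a real node, feed parse_etc_group the contents of /etc/group and parse_ldif_groups the output of ldapsearch -x -LLL -b "ou=Groups,dc=jj,dc=com"; run it on every node that will join the cluster.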
Enabling debugging for OpenLDAP and SSSD
1. To enable debugging for OpenLDAP (i.e. the slapd daemon), the following changes are required:
Add the following line to /etc/rsyslog.conf, after the last local entry, to direct local4 (the facility slapd logs to) to its own file; create the /var/log/slapd directory first if it does not exist:
# slapd logging
local4.* /var/log/slapd/slapd.log
Restart the rsyslog service:
# service rsyslog restart
Change olcLogLevel in /etc/openldap/slapd.d/cn=config.ldif - note that -1 logs everything, produces a huge amount of output and should only be enabled temporarily:
olcLogLevel: -1
Restart the slapd service:
# service slapd restart
Verify that entries are being placed in /var/log/slapd/slapd.log.
2. To enable debugging for SSSD, the following changes are required:
Edit the sssd configuration file, /etc/sssd/sssd.conf, using vi, and add the following in the [sssd] section (debug_level applies only to the section it is placed in, so add it to [domain/default], [nss] and [pam] as well to get the corresponding log files):
debug_level = 5
Restart the sssd daemon:
# service sssd restart
Verify that entries are being placed in the files under the /var/log/sssd directory.
Enabling DB2 and BI BigSQL to use sssd for authentication
For DB2 (and bigsql) the only requirement is to enable sssd lookup using:
db2 connect to <database>
db2set DB2AUTH=OSAUTHDB
Document Information
Modified date: 18 July 2020
UID: swg21962541