User:Sfiggins/RH-DS-PAM-PTA

From Labrats.us
Revision as of 15:28, 13 December 2018 by Sfiggins

PAM Pass-through

Setup initial control files

# cat > /tmp/ldap-pam-on.ldif << 'EOF'
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
replace: pamSecure
pamSecure: FALSE
-
replace: pamFallback
pamFallback: TRUE
EOF

# cat > /tmp/ldap-pam-off.ldif << 'EOF'
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: off
EOF

# ldapsearch -cx -D "cn=Directory Manager" -W -b "cn=plugins,cn=config" -h localhost > /tmp/config.ldif.orig

# ldapsearch -cx -D "cn=Directory Manager" -W -b "cn=PAM Pass Through Auth,cn=plugins,cn=config" -h localhost > /tmp/ldap-pam.ldif.orig

/etc/pam.d/ldapserver Configuration for PAM-PTA

The /etc/pam.d/ldapserver file needs to look like this:

auth       include      password-auth

account    required     pam_access.so accessfile=/etc/security/access.cron.conf

password   include      system-auth

session    include      system-auth

Activate PAM-PTA

Apply the configuration with the following commands:

# ldapsearch -cx -D "cn=Directory Manager" -W -b "cn=plugins,cn=config" -h localhost > /tmp/config.ldif
# ldapmodify -cx -D "cn=directory manager" -W -h localhost -f /tmp/ldap-pam-on.ldif

The Directory Server must be restarted for the change to take effect.

# /etc/init.d/dirsrv restart

Get a dump of the current configuration settings:

# ldapsearch -cx -D "cn=Directory Manager" -W -b "cn=plugins,cn=config" -h localhost > /tmp/config.ldif

# ldapsearch -cx -D "cn=Directory Manager" -W -b "cn=PAM Pass Through Auth,cn=plugins,cn=config" -h localhost > /tmp/ldap-pam.ldif
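As an added check (not part of the original page), the script below reads the plugin entry dump written above (/tmp/ldap-pam.ldif) and reports the three attributes the "on" LDIF sets. The values the page applies are worth seeing spelled out: pamSecure FALSE means pass-through binds are accepted on non-TLS connections, so the password crosses the wire in clear before it reaches PAM; pamFallback TRUE means a bind that PAM rejects is retried against the entry's own userPassword, so two different credentials can open the same account. The function names, the sample dump and the "strict" combination it tests for are this example's own choices, not anything the page defines.

```bash
#!/bin/bash
# Added example, not from the original page: read the plugin entry dump written
# above (/tmp/ldap-pam.ldif) and report the state of the PAM Pass Through Auth
# plugin. The page's "on" LDIF sets pamSecure: FALSE (pass-through binds are
# accepted on non-TLS connections, so the password crosses the wire in clear)
# and pamFallback: TRUE (a bind that PAM rejects is retried against the entry's
# userPassword, so two different credentials can open the same account).

# First single-line value of an attribute in an LDIF file (attribute names are
# case-insensitive; base64 "::" values and folded continuation lines are not handled).
ldif_attr() {
    awk -v a="$2" -F': ' 'tolower($1) == tolower(a) { print $2; exit }' "$1"
}

# Print the plugin state as key=value lines. Returns 0 only for the strict
# combination: plugin on, pamSecure TRUE, pamFallback FALSE; 1 otherwise.
pta_state() {
    local f="$1" enabled secure fallback
    enabled=$(ldif_attr "$f" nsslapd-pluginEnabled)
    secure=$(ldif_attr "$f" pamSecure)
    fallback=$(ldif_attr "$f" pamFallback)
    printf 'enabled=%s\nsecure=%s\nfallback=%s\n' \
        "${enabled:-unset}" "${secure:-unset}" "${fallback:-unset}"
    [ "$enabled" = "on" ] && [ "$secure" = "TRUE" ] && [ "$fallback" = "FALSE" ]
}

# Constructed sample dump carrying the values the page's ldap-pam-on.ldif
# applies (not real ldapsearch output). On the server, point DUMP at
# /tmp/ldap-pam.ldif instead.
DUMP=$(mktemp)
cat > "$DUMP" << 'EOF'
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
nsslapd-pluginEnabled: on
pamSecure: FALSE
pamFallback: TRUE
EOF

if pta_state "$DUMP"; then
    echo "PAM PTA is on with pamSecure=TRUE and pamFallback=FALSE"
else
    echo "WARNING: PAM PTA is off, or accepts cleartext binds / falls back to userPassword"
fi
rm -f "$DUMP"
```

Run it after each ldapmodify/restart cycle; with the page's LDIF it prints the warning branch, which is expected while testing and the thing to revisit before the pass-through is used for real accounts.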

Testing

Test binding with a simple LDAP search.

ldapsearch -cx -D "uid=tuser2,ou=user,dc=twtelecom,dc=net" -W -b "uid=tuser2,ou=user,dc=twtelecom,dc=net" -h localhost

Or use this script:

#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAPS;

# Bind over LDAPS as the test user; with PAM pass-through enabled the
# directory hands this password to the ldapserver PAM stack.
my $ldap_server = "localhost";
my $user        = "tuser2";
my $password    = "JbUWP3TbwdHwNou";

my $ldap_user = "uid=$user,ou=user,dc=twtelecom,dc=net";
# Net::LDAP(S)->new returns undef on failure and puts the reason in $@, not $!.
my $ldap = Net::LDAPS->new($ldap_server)
    or die "Unable to connect to $ldap_server: $@\n";
my $mesg = $ldap->bind($ldap_user, password => $password);
if ($mesg->code) {
    print "Denied: ", $mesg->error, "\n";
} else {
    print "Granted\n";
}
$ldap->unbind;

This script requires perl-IO-Socket-SSL (from yum) and Net::LDAPS (from CPAN).

# ./ldap-test.pl 
Granted

PAM_RADIUS Module

ftp://ftp.is.co.za/mirror/fedora.redhat.com/epel/6/x86_64/pam_radius-1.3.17-2.el6.x86_64.rpm

Install PAM_RADIUS (via yum)

This is in the EPEL channel.

# yum install pam_radius
Loaded plugins: product-id, rhnplugin, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package pam_radius.x86_64 0:1.3.17-2.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==============================================================================================================================================
 Package                        Arch                       Version                           Repository                                  Size
==============================================================================================================================================
Installing:
 pam_radius                     x86_64                     1.3.17-2.el6                      twtc_epel_rhel6_x86_64                      26 k

Transaction Summary
==============================================================================================================================================
Install       1 Package(s)

Total download size: 26 k
Installed size: 0  
Is this ok [y/N]: y
Downloading Packages:
pam_radius-1.3.17-2.el6.x86_64.rpm                                                                                     |  26 kB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : pam_radius-1.3.17-2.el6.x86_64                                                                                             1/1 

Installed:
  pam_radius.x86_64 0:1.3.17-2.el6                                                                                                            

Complete!

/etc/pam_radius.conf

The /etc/pam_radius.conf file needs to look like this:

#  pam_radius_auth configuration file.  Copy to: /etc/pam_radius.conf
#
#  For proper security, this file SHOULD have permissions 0600,
#  that is readable by root, and NO ONE else.  If anyone other than
#  root can read this file, then they can spoof responses from the server!
#
#  There are 3 fields per line in this file.  There may be multiple
#  lines.  Blank lines or lines beginning with '#' are treated as
#  comments, and are ignored.  The fields are:
#
#  server[:port] secret [timeout]
#
#  the port name or number is optional.  The default port name is
#  "radius", and is looked up from /etc/services.  The timeout field is
#  optional.  The default timeout is 3 seconds.
#
#  If multiple RADIUS server lines exist, they are tried in order.  The
#  first server to return success or failure causes the module to return
#  success or failure.  Only if a server fails to respond is it skipped,
#  and the next server in turn is used.
#
#  The timeout field controls how many seconds the module waits before
#  deciding that the server has failed to respond.
#
# server[:port] shared_secret      timeout (s)

66.162.108.21:1812    <secret_key>     3
50.58.29.21:1812      <secret_key>     3

#
# having localhost in your radius configuration is a Good Thing.
#
# See the INSTALL file for pam.conf hints.

/etc/pam.d/ldapserver Configuration for PAM_RADIUS

The /etc/pam.d/ldapserver configuration needs to look like this:

auth       required     pam_env.so
auth       sufficient   pam_radius_auth.so conf=/etc/pam_radius_auth.conf debug
auth       required     pam_deny.so

account    required     pam_access.so accessfile=/etc/security/access.cron.conf

password   include      system-auth

session    include      system-auth
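Two things in the /etc/pam_radius.conf section and in this PAM stack are easy to get wrong, so here is an added sanity check (this example's own code, not from the page or from the pam_radius project). First, the page writes /etc/pam_radius.conf but its pam.d line hands pam_radius_auth.so conf=/etc/pam_radius_auth.conf; the module reads whatever conf= names, so the script pulls that path out of the service file and checks that file. Second, the conf file's own header demands mode 0600, because anyone who can read the shared secret can forge server replies; the script enforces that, rejects the <secret_key> placeholder, and checks that any timeout is numeric. Ownership (root) is not enforced here; confirm it with ls -l. The function names and the sample files are this example's assumptions.

```bash
#!/bin/bash
# Added example, not from the original page: sanity checks for the pam_radius
# setup above. check_pam_radius follows the conf= reference in the PAM service
# file (the page's line names /etc/pam_radius_auth.conf while the file section
# writes /etc/pam_radius.conf); check_radius_conf enforces the server file's
# own header: mode 0600, a real secret instead of <secret_key>, numeric timeout.
# Root ownership is not checked here; verify it separately with ls -l.

# Print the conf= path from the "auth ... pam_radius_auth.so" line of a PAM
# service file (plain control tokens only, not the [value=action] form).
pam_radius_conf_path() {
    awk '$1 == "auth" && $3 == "pam_radius_auth.so" {
             for (i = 4; i <= NF; i++)
                 if ($i ~ /^conf=/) { sub(/^conf=/, "", $i); print $i; exit }
         }' "$1"
}

# Check one pam_radius server file. Prints one line per problem; returns 0 when clean.
check_radius_conf() {
    local f="$1" rc=0 mode server secret timeout extra
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    mode=$(stat -c '%a' "$f")                       # GNU stat
    case "$mode" in
        *00) ;;                                     # 600 or 400: no group/other bits
        *)   echo "mode $mode has group/other bits set (want 0600): $f"; rc=1 ;;
    esac
    # Each data line: server[:port] secret [timeout]
    while read -r server secret timeout extra; do
        case "$server" in ''|'#'*) continue ;; esac
        [ -n "$secret" ] || { echo "no secret for $server"; rc=1; continue; }
        case "$secret" in '<'*'>') echo "placeholder secret for $server"; rc=1 ;; esac
        if [ -n "$timeout" ]; then
            case "$timeout" in *[!0-9]*) echo "bad timeout '$timeout' for $server"; rc=1 ;; esac
        fi
    done < "$f"
    return $rc
}

# Follow the conf= reference from the PAM service file to the server file.
check_pam_radius() {
    local conf
    conf=$(pam_radius_conf_path "$1")
    [ -n "$conf" ] || { echo "no pam_radius_auth.so conf= line in $1"; return 1; }
    check_radius_conf "$conf"
}

# Constructed samples (not real system files) modelled on the page: a server
# file that still carries the placeholder secret, and a service file whose
# conf= points at the other name, exactly as the page's stack does.
D=$(mktemp -d)
cat > "$D/pam_radius.conf" << 'EOF'
# server[:port] shared_secret      timeout (s)
66.162.108.21:1812    <secret_key>     3
EOF
chmod 0600 "$D/pam_radius.conf"
cat > "$D/ldapserver" << EOF
auth       required     pam_env.so
auth       sufficient   pam_radius_auth.so conf=$D/pam_radius_auth.conf debug
auth       required     pam_deny.so
EOF
check_pam_radius "$D/ldapserver" || echo "-> make conf= and the file name agree"
check_radius_conf "$D/pam_radius.conf" || echo "-> replace <secret_key> before enabling"
rm -rf "$D"
```

On a real host call `check_pam_radius /etc/pam.d/ldapserver` and nothing else; it reports "missing" until conf= and the file name agree. The debug option on the pam_radius_auth.so line sends module diagnostics to syslog and is useful while testing; drop it once binds succeed.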

Testing

Testing is the same as above.