Stuff I'm Up To

Technical Ramblings

JumpCloud — October 23, 2019

Sometimes I’m surprised that I’ve never come across certain things before, and this is a big one for me. For the longest time I was pondering how to meet some SSO requirements whilst maintaining a corporate managed directory and not spending a fortune. Traditionally this would mean standing up the infrastructure for the likes of Azure Active Directory, ADFS, RADIUS and multi-factor authentication – and then BOOM! JumpCloud.

What I really liked about this is that I got my own directory set up in under 15 minutes and had a Linux client logging on using my SSH key. I haven’t had to do anything laborious, just install the JumpCloud agent onto the machine. Once I created my user account on the cloud interface and (optionally) gave it my SSH key I was set.

The JumpCloud agent handles replicating my account to the “systems” I install the agent on. It also delivers my SSH key for me so I can connect securely to the systems I’m allocated immediately.

Auth and Management for SSO, LDAP, RADIUS, Mac, Windows, Linux, and More

As a new user I get 10 FREE accounts, which is plenty to set up my own directory for home and testing. I didn’t even need a credit card.

https://jumpcloud.com/
Proftpd and LDAP / Active Directory — May 10, 2018

We’ve had a vsftpd server for a while and it’s performed very well for us. But it would appear that it’s not actively maintained. This may not be a problem as it still currently works just fine and we don’t have any obvious vulnerabilities with it, but as the OS it’s running on is Wheezy we need to move on at least up to Stretch. So I figured I’d try deploying a new server but configured with proftpd.

Using LDAP with Active Directory — September 22, 2016

Getting your Linux box to talk with Active Directory is pretty straightforward. But doing it securely requires your CA certificate to be installed in the system’s trusted certificate store.

Mostly I’ll only set up anything to do with LDAP/Active Directory if a specific application requires it; otherwise I’ll leave out the Windows authentication bit. I generally don’t use LDAP/AD for SSH PAM-type logons, and will configure LDAP when a web server or the like uses it, e.g. when php5-ldap is required.

Adldap2\Adldap2-Laravel — September 14, 2016
Dovecot, Postfix, Virtual Mailboxes and Active Directory — September 3, 2015

Well, it turns out that setting this up isn’t really as straightforward as simply treating Active Directory like LDAP. The main reason seems to be the way you need to authenticate: doing any kind of user lookup whilst using auth_bind = yes just doesn’t seem possible.

To resolve this you have to live with having Dovecot use a static userdb table that returns the gid, uid and home – but then when you try to get Postfix to deliver via Dovecot it fails, because it can’t use a static userdb to work out whether the user account/mailbox exists or not.

Accepting that fact initially seemed upsetting, but when you get down to it, anything that uses smtpd for delivery is going to be checked for a valid mailbox anyhow.

VSFTPD, LDAP (Active Directory) and Virtual Users — August 4, 2015