Stuff I'm Up To

Technical Ramblings

Nginx and LDAP Authentication — July 11, 2020

Nginx and LDAP Authentication

We wanted a little more control over some of our reverse proxies while placing as little extra burden on users as possible. To do this we chose to authenticate against the same passwords we use everywhere else – hence LDAP.

Thankfully Nginx includes the ngx_http_auth_request_module in both Nginx Plus and the open source build, so the proxy can hand the authentication decision to a subrequest and let a small backend do the LDAP bind. (If you build from source, the module is not compiled in by default and needs --with-http_auth_request_module.)

The prerequisite http_auth_request module is included in both NGINX Plus packages and prebuilt NGINX binaries.

(Nginx documentation)

The documentation walks you through a reference implementation, which can be long-winded. I have tried to make it simpler in this article.
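To show what the subrequest pattern looks like end to end, here is an added example (not the post's own code, and not Nginx's reference implementation): a minimal auth_request backend in Python that checks HTTP Basic credentials with an LDAP simple bind as the user. The listen port 8090, the `/auth` location, the `uid={user},ou=People,dc=domain,dc=tld` DN pattern and the ldap3 dependency are all assumptions; the matching nginx stanza sits in the module docstring.

```python
"""Basic-auth-against-LDAP backend for nginx's auth_request (added example).

The nginx side that pairs with it, with the port and paths assumed:

    location = /auth {
        internal;
        proxy_pass              http://127.0.0.1:8090/auth;
        proxy_pass_request_body off;
        proxy_set_header        Content-Length "";
        proxy_set_header        X-Original-URI $request_uri;
    }
    location / {
        auth_request     /auth;
        auth_request_set $auth_user $upstream_http_x_auth_user;
        proxy_set_header X-Remote-User $auth_user;
        proxy_pass       http://backend;
    }

nginx relays the backend's 401 (with its WWW-Authenticate header) to the
client; a 200 lets the request through to the real upstream.
"""
import base64
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

REALM = "Restricted"
# Assumption: usernames are plain uid values. Rejecting anything else up front
# keeps commas, parentheses and wildcards out of the DN built later on.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def parse_basic_auth(header):
    """Return (user, password) from an 'Authorization: Basic ...' header, else None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def authorize(header, verify):
    """Map one Authorization header to the auth_request answer.

    verify(user, password) -> bool does the real credential check.
    Returns (status, headers): 200 allows the request, 401 denies it.
    """
    creds = parse_basic_auth(header)
    if creds is not None:
        user, password = creds
        # An empty password must never reach the directory: a simple bind with
        # a DN and no password is an *anonymous* bind and "succeeds".
        if USERNAME_RE.match(user) and password and verify(user, password):
            return 200, {"X-Auth-User": user}
    return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}


def ldap_bind_verifier(uri, dn_template):
    """Build verify() as a simple bind as the user (assumes the ldap3 package)."""
    def verify(user, password):
        import ldap3  # lazy import so the module loads without ldap3
        from ldap3.core.exceptions import LDAPException
        try:
            conn = ldap3.Connection(ldap3.Server(uri),
                                    user=dn_template.format(user=user),
                                    password=password, auto_bind=True)
            conn.unbind()
            return True
        except LDAPException:
            return False
    return verify


class AuthHandler(BaseHTTPRequestHandler):
    verify = staticmethod(lambda user, password: False)  # replaced below

    def do_GET(self):
        status, headers = authorize(self.headers.get("Authorization"), self.verify)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()


if __name__ == "__main__":
    # Placeholder directory URI and DN pattern; use ldaps:// so the user's
    # password is not sent to the directory in clear.
    AuthHandler.verify = staticmethod(ldap_bind_verifier(
        "ldaps://ldap.domain.tld", "uid={user},ou=People,dc=domain,dc=tld"))
    HTTPServer(("127.0.0.1", 8090), AuthHandler).serve_forever()
```

Two details matter more than the rest: the backend should only listen on loopback (nginx is the sole client), and the empty-password check is not optional, because many directories treat a DN with an empty password as an anonymous bind that succeeds without proving anything.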

Continue reading
FreeRADIUS and Docker — July 7, 2020

FreeRADIUS and Docker

Today I built a FreeRADIUS server as a set of Docker containers using docker-compose. As we only have a small number of users on the WiFi, it was set up as a simple SSID with WPA-PSK, a single shared key that gradually gets spread to every man and his dog.

Fortunately it only acts as a guest network providing internet access – but the next step is a proper corporate SSID with secure LAN access. For that we want 802.1X with a RADIUS server bridging the wireless side and LDAP, so each user authenticates with their own directory credentials rather than a key everybody shares.

Continue reading
Apache Directory Studio and memberOf — June 4, 2020
PAM_LDAP and uniqueMember — May 24, 2020
SSH, OATH OTP and LDAP — May 17, 2020

SSH, OATH OTP and LDAP

I got myself into a bit of a knot with this one. We wanted multi-factor authentication set up on the main SSH gateway, and that meant private key, password AND OTP. Yes, a real belt and braces security approach.

What I found was that once I added OATH to PAM, I was logged in as soon as I entered the OTP; the password was never asked for. Running ssh with -vv for some verbosity I could see it was using my private key – so technically I had achieved MFA, or more precisely 2FA (key plus OTP), but not the three factors I wanted.

What I needed was to dig a bit deeper into the workings of PAM. Usually it’s just a case of adding the required PAM entries for LDAP and job done; now I had to figure out required, requisite, sufficient and options like [success=1 ...], and how each of them decides whether the rest of the stack still runs.
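The control flags are easier to reason about once you see the stack being folded into a single answer. The following added example (my own code, not the post's and not Linux-PAM's) models the rules from pam.conf(5) in Python and runs two constructed /etc/pam.d/sshd auth stacks through them: one with pam_oath.so as sufficient, which reproduces "OTP alone logs me in", and one with it as required, which insists on OTP and LDAP password together. The stacks, the module names and the Debian-style pam_ldap/pam_deny/pam_permit tail are assumptions, not the author's actual files. The private key is the third factor and is enforced on the sshd side rather than in PAM: with UsePAM yes and KbdInteractiveAuthentication yes (ChallengeResponseAuthentication on older OpenSSH), AuthenticationMethods publickey,keyboard-interactive:pam makes sshd require the key first and then run this stack.

```python
"""How Linux-PAM folds an auth stack into one answer (added example).

The control rules follow pam.conf(5); each module's return value is supplied
by hand, so the two stacks below can be compared without a real gateway.
"""

# The keyword controls are shorthand for explicit [value=action] forms.
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}


def parse_control(control):
    """Turn 'required' or '[success=1 default=ignore]' into {retval: action}."""
    if control in KEYWORDS:
        return dict(KEYWORDS[control])
    if not (control.startswith("[") and control.endswith("]")):
        raise ValueError("unknown control: %s" % control)
    actions = {}
    for item in control[1:-1].split():
        retval, _, action = item.partition("=")
        actions[retval] = action
    return actions


def run_stack(stack, results):
    """Evaluate an auth stack.

    stack:   [(control, module), ...] in /etc/pam.d order
    results: {module: "success" | "auth_err"}, what each module would return
    Returns (final_result, modules_actually_consulted).
    """
    failed = False       # once set, no later success can override it
    succeeded = False
    consulted = []
    i = 0
    while i < len(stack):
        control, module = stack[i]
        retval = results[module]
        consulted.append(module)
        actions = parse_control(control)
        action = actions.get(retval, actions.get("default", "bad"))
        i += 1
        if action == "ignore":
            continue                       # result does not count
        if action == "reset":
            failed = succeeded = False     # forget everything so far
            continue
        if action in ("bad", "die"):
            failed = True
            if action == "die":
                break                      # stop immediately (requisite)
            continue                       # remember, keep going (required)
        # "ok", "done" and a jump "N" all let this result count
        if retval == "success":
            succeeded = True
        else:
            failed = True
        if action == "done" and not failed:
            break                          # sufficient: short-circuit
        if action.isdigit():
            i += int(action)               # skip the next N modules
    return ("success" if succeeded and not failed else "failure"), consulted


# Constructed stacks; the tail is the usual Debian pam_ldap/pam_deny/pam_permit
# pattern, with pam_oath.so put in front of it two different ways.
OTP_AS_SUFFICIENT = [
    ("sufficient",                 "pam_oath.so"),
    ("[success=1 default=ignore]", "pam_ldap.so"),
    ("requisite",                  "pam_deny.so"),
    ("required",                   "pam_permit.so"),
]
OTP_AND_PASSWORD = [
    ("required",                   "pam_oath.so"),
    ("[success=1 default=ignore]", "pam_ldap.so"),
    ("requisite",                  "pam_deny.so"),
    ("required",                   "pam_permit.so"),
]


def outcome(stack, otp_ok, password_ok):
    """Run a stack for a user whose OTP and LDAP password are right or wrong."""
    results = {
        "pam_oath.so":   "success" if otp_ok else "auth_err",
        "pam_ldap.so":   "success" if password_ok else "auth_err",
        "pam_deny.so":   "auth_err",   # always fails
        "pam_permit.so": "success",    # always succeeds
    }
    return run_stack(stack, results)


if __name__ == "__main__":
    for name, stack in (("OTP sufficient", OTP_AS_SUFFICIENT),
                        ("OTP and password required", OTP_AND_PASSWORD)):
        for otp_ok, pw_ok in ((True, True), (True, False), (False, True)):
            result, seen = outcome(stack, otp_ok, pw_ok)
            print("%-26s otp=%-5s password=%-5s -> %s via %s"
                  % (name, otp_ok, pw_ok, result, ", ".join(seen)))
```

With pam_oath.so as sufficient, a good OTP ends the stack before pam_ldap.so is ever consulted, which is exactly the symptom above. As required, a bad OTP is remembered but the remaining modules still run, so the final answer is failure without the prompt sequence revealing which factor was wrong; requisite would give the same answer but stop at once.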

Continue reading
SSH Authorized_Keys and LDAP — May 16, 2020
Nextcloud, LDAP and Password Changes — May 14, 2020

Nextcloud, LDAP and Password Changes

Using Nextcloud with LDAP is straightforward enough: you just add the “LDAP user and group backend”. We wanted to use Nextcloud to let our LDAP users change their own password, and this is where things get sticky.

Our Nextcloud was configured just how we like our other LDAP auth systems – with a read-only account that is able to bind and query only. Try as I might I could not get Nextcloud to change a user’s password, even though the user was granted write access to their own password in the LDAP ACL on the server.

There were a number of wider things to change before users could change their password, it wasn’t just this use of a readonly binding.

Continue reading
Docker OpenLDAP — February 15, 2020

Docker OpenLDAP

The LDAP instance in our environment is pretty ancient and has served well for many, many years. But there’s one key feature we’d like to see added to our schema – memberOf.

The current group membership is based on the memberUid attribute of posixGroup, which is a bit clunky by modern standards. Time to upgrade.

This time we’re going to run it in a container, making it more mobile and resilient. The image we chose, osixia/openldap, has a lot of pulls and looks a good candidate to use.

Continue reading
Linux LDAP Auth — January 16, 2020

Linux LDAP Auth

Up until now all of my Linux authentication has been local file based auth. I’ve added LDAP to services and applications, but logging into a Linux box has always had local users.

Following a process to install LDAP as the PAM authenticator for Debian Buster involved the following steps.

$ sudo apt install libnss-ldapd libpam-ldap ldap-utils

The package installer then prompts for the details of your LDAP server, such as:

LDAP URI: ldap://ldap.domain.tld/
Search Base: dc=domain,dc=tld
DN and password of the Admin account if required: cn=admin,ou=People,dc=domain,dc=tld

Two things worth knowing at this point. libnss-ldapd does its lookups through the nslcd daemon (configured in /etc/nslcd.conf), whereas libpam-ldap reads its own /etc/pam_ldap.conf, so the same details end up in two files; installing libpam-ldapd instead of libpam-ldap keeps everything in nslcd.conf. And because PAM proves a password by binding to the directory as the user, use ldaps:// or StartTLS (ssl start_tls in nslcd.conf) rather than plain ldap://, or every login sends the password in clear. The admin DN is only needed if the directory does not allow anonymous reads, and a dedicated read-only bind account is a better choice for it than the directory admin.

Now you need to modify some configuration files.

Edit /etc/nsswitch.conf to add ldap to the passwd, group and shadow lines. We’re also going to use it for sudo and have added that into the config too; this needs the sudo-ldap package installed in place of plain sudo, with the directory details in /etc/sudo-ldap.conf.

/etc/nsswitch.conf

passwd: compat ldap
group: compat ldap
shadow: compat ldap
...
sudoers: files ldap

/etc/pam.d/common-password

Remove use_authtok from any line in common-password, so that pam_ldap prompts for the new password itself instead of expecting a token handed on by an earlier module in the stack.

/etc/pam.d/common-session

Add the following line so that a home directory is created on first login (umask=077 keeps a fresh home private to its owner):

session optional pam_mkhomedir.so skel=/etc/skel umask=077

For good measure restart nscd after making any changes to the above files (and nslcd too if you edited /etc/nslcd.conf). Before logging out of your root shell, confirm NSS can see a directory user with getent passwd <username>, and then test a fresh SSH login from a second session.

$ sudo systemctl restart nscd

References: https://www.server-world.info/en/note?os=Debian_10&p=openldap&f=3

JumpCloud — October 23, 2019

JumpCloud

Sometimes I’m surprised at why I’ve never come across things before. This is a big one for me. For the longest time I was pondering how to resolve some SSO requirements whilst maintaining a corporate managed directory and not spending a fortune. Traditionally this would mean standing up the infrastructure for the likes of Azure Active Directory, ADFS, RADIUS and multi-factor authentication – and then BOOM! JumpCloud.

What I really liked about this is that I got my own directory set up in under 15 minutes and had a Linux client logging on using my SSH key. I haven’t had to do anything laborious, just install the JumpCloud agent onto the machine. Once I created my user account in the cloud interface and (optionally) gave it my SSH key I was set.

The JumpCloud agent handles replicating my account to the “systems” I install the agent on. It also delivers my SSH key for me so I can connect securely to the systems I’m allocated immediately.

Auth and Management for SSO, LDAP, RADIUS, Mac, Windows, Linux, and More

As a new user I get 10 FREE accounts which is plenty to setup my own directory for home and testing. I didn’t even need a credit card.

https://jumpcloud.com/
Proftpd and LDAP / Active Directory — May 10, 2018

Proftpd and LDAP / Active Directory

We’ve had a vsftpd server for a while and it’s performed very well for us. But it would appear that it’s not actively maintained. This may not be a problem, as it still works just fine and we don’t have any obvious vulnerabilities with it, but as the OS it’s running on is Wheezy (Debian 7) we need to move on at least up to Stretch (Debian 9). So I figured I’d try deploying a new server configured with proftpd instead.

Continue reading

Apache Directory Studio — April 19, 2018

Apache Directory Studio

After upgrading Directory Studio – which is a simple case of extracting the tar.gz file into the location you want the executable, e.g.

$ cd /usr/bin
$ sudo tar xvzf ~/Downloads/ApacheDirectoryStudio-2.0.0.v20170904-M13-linux.gtk.x86_64.tar.gz

I got this error in the log file when running the new version.

org.osgi.framework.BundleException: Unable to acquire the state change lock for the module: osgi.identity;

Continue reading