Step 6 Configure Your Clients

Full blown authentication system

  1. Installation and basic configuration of OpenLDAP and MITv5 Kerberos
  2. Linking OpenLDAP with MITv5 Kerberos
  3. Linking FreeRADIUS
  4. Replication
  5. Hardening your setup
  6. Configure your clients
  7. Varia

Here I’ll describe the configuration of two types of clients:

  • a regular Ubuntu server
  • a Cisco device (running IOS)

**Ubuntu server**

LDAP client configuration

sudo apt-get install libnss-ldap
sudo dpkg-reconfigure ldap-auth-config
sudo auth-client-config -t nss -p lac_ldap
sudo pam-auth-update

Modify timeouts to 5 seconds in /etc/ldap.conf and add:

binddn uid=system,ou=ITaccounts,dc=example,dc=com
bindpw 
ssl start_tls

Modify the client TLS configuration in /etc/ldap/ldap.conf:

BASE dc=example,dc=com
URI ldap://provider.example.com ldap://consumer.example.com
TLS_REQCERT demand
TLS_CACERT /etc/ssl/certs/ca-certificates.crt

You will not be able to log in yet; you will probably see errors like this one in /var/log/auth.log:

nss-ldap: do_open: do_start_tls failed:stat=-1

To log in using STARTTLS, the client needs the certificate of the LDAP servers (TLS_REQCERT demand requires it to be verifiable). If you followed this how-to, the certificates are probably located at /etc/ssl/certs/cacert.pem.
Copy them to the client and append the certificate to /etc/ssl/certs/ca-certificates.crt:

sudo sh -c 'cat cacert.pem >> /etc/ssl/certs/ca-certificates.crt'
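Before relying on the client, it is worth checking that the two files above really enforce STARTTLS and certificate verification. The following added example (mine, not part of the how-to) parses both files and flags the weak settings; it assumes the timeouts meant above are nss_ldap's `timelimit` and `bind_timelimit`, and its sample configs are constructed.

```python
# Added example (not from the how-to): audit /etc/ldap.conf and
# /etc/ldap/ldap.conf for the settings that make STARTTLS actually protect
# the bind credentials. Sample configs below are constructed.
MAX_TIMEOUT = 5  # seconds, as the how-to asks for


def parse_ldap_conf(text):
    """`key value...` per line, case-insensitive keys, later line wins.
    Only a leading '#' is a comment, so a bindpw containing '#' survives."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_client(nss_text, libldap_text):
    """Return findings; an empty list means both files match the how-to."""
    nss, lib = parse_ldap_conf(nss_text), parse_ldap_conf(libldap_text)
    findings = []
    # binddn/bindpw over plain ldap:// without STARTTLS leaks the password
    if "binddn" in nss and nss.get("ssl", "").lower() != "start_tls":
        findings.append("ssl start_tls missing: bind password sent in clear")
    # anything but `demand` accepts whatever certificate a MITM presents
    if lib.get("tls_reqcert", "").lower() != "demand":
        findings.append("TLS_REQCERT must be demand")
    if "tls_cacert" not in lib and "tls_cacertdir" not in lib:
        findings.append("no TLS_CACERT: server certificate cannot be verified")
    # long timeouts make every login hang when both servers are unreachable
    for key in ("timelimit", "bind_timelimit"):  # assumed nss_ldap directives
        if key in nss and int(nss[key]) > MAX_TIMEOUT:
            findings.append(f"{key}={nss[key]} exceeds {MAX_TIMEOUT}s")
    return findings


# constructed samples: the how-to's settings next to a common weak variant
HARDENED_NSS = ("timelimit 5\nbind_timelimit 5\n"
                "binddn uid=system,ou=ITaccounts,dc=example,dc=com\n"
                "bindpw PLACEHOLDER\nssl start_tls\n")
HARDENED_LIB = ("BASE dc=example,dc=com\n"
                "URI ldap://provider.example.com ldap://consumer.example.com\n"
                "TLS_REQCERT demand\nTLS_CACERT /etc/ssl/certs/ca-certificates.crt\n")
WEAK_NSS = ("timelimit 30\nbinddn uid=system,ou=ITaccounts,dc=example,dc=com\n"
            "bindpw PLACEHOLDER\n")
WEAK_LIB = "BASE dc=example,dc=com\nURI ldap://provider.example.com\nTLS_REQCERT never\n"
```

Run `audit_client` on the real files (for example by reading them with `open()`) after editing; the weak sample yields four findings, the hardened one none.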

Kerberos client configuration

Install the necessary packages:

sudo apt-get install krb5-user libpam-krb5 libpam-ccreds auth-client-config

Ask for a ticket:

kinit john@EXAMPLE.COM

Verify if the ticket has been issued:

klist

If a home directory needs to be created automatically for every user, add this line to /etc/pam.d/common-session:

session required pam_mkhomedir.so skel=/etc/skel/ umask=0027

You should be able to log in now.

Cisco IOS configuration

configure terminal
aaa new-model
aaa authentication login default group radius local
aaa authentication login localauth local
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group radius local
aaa authorization network default group radius local
aaa accounting delay-start
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius

radius-server host  auth-port 1812 acct-port 1813 key testing123
ip radius source-interface Loopback0
aaa group server radius AuthSystems

server  auth-port 1812 acct-port 1813
enable secret exit
aaa authentication login default group AuthSystems local

This was step 6. To proceed, go to step 7.