Step 7 Varia

[Full blown authentication system][1]

  1. [Installation and basic configuration of OpenLDAP and MITv5 Kerberos][2]
  2. [Linking OpenLDAP with MITv5 Kerberos][3]
  3. [Linking FreeRADIUS][4]
  4. [Replication][5]
  5. [Hardening your setup][6]
  6. [Configure your clients][7]
  7. [Varia][8]

In this Varia section I will describe the following:

  • Enable LDAP logging
  • User management
  • Reset/change password PHP script

LDAP logging

Extra logging could be useful when debugging:

vim logging.ldif
dn: cn=config
changetype: modify
add: olcLogLevel
olcLogLevel: stats
ldapmodify -x -D cn=admin,cn=config -f logging.ldif -W

User management

Add a user

Create a file with the new user data:

dn: uid=testuser,ou=employees,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: testuser
cn: testuser
sn: testuser
givenName: testuser
displayName: testuser
title: Analyst
mail: testuser@example.com
telephoneNumber: 101
mobile: 0032 100 101 102
ou: example
uidNumber: 10001
gidNumber: 5000
gecos: testuser
loginShell: /bin/bash
homeDirectory: /home/testuser

Add it to LDAP:

ldapadd -x -D cn=admin,dc=example,dc=com -W -f /home/jeroen/extrauser.ldif 
Enter LDAP Password: 
adding new entry "uid=testuser,ou=employees,dc=example,dc=com"

Add a principal to kerberos:

kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: addprinc -x dn="uid=testuser,ou=employees,dc=example,dc=com" testuser
WARNING: no policy specified for testuser@EXAMPLE.COM; defaulting to no policy
Enter password for principal "testuser@EXAMPLE.COM": 
Re-enter password for principal "testuser@EXAMPLE.COM": 
Principal "testuser@EXAMPLE.COM" created.

It’s VERY important to modify the Kerberos ACL (/etc/krb5kdc/kadm5.acl) accordingly. If you get the error “kadmin: Client not found in Kerberos database while initializing kadmin interface” right after adding the principal to Kerberos, it is very likely caused by this. After modifying the ACL, it’s necessary to restart the krb5-kdc service (/etc/init.d/krb5-kdc restart).

Add a service

dn: uid=serviceA,ou=ITaccounts,dc=example,dc=com
objectClass: inetOrgPerson
uid: serviceA
cn: serviceA
sn: serviceA
displayName: serviceA
mail: serviceA@example.com
ou: Example

Add it to LDAP:

ldapadd -x -D cn=admin,dc=example,dc=com -W -f /home/jeroen/extraservice.ldif 
Enter LDAP Password: 
adding new entry "uid=serviceA,ou=ITaccounts,dc=example,dc=com"
Change its password as described below.

Delete LDAP user

ldapmodify -x -D cn=admin,dc=example,dc=com -W
Enter LDAP Password: 
dn: uid=john,ou=employees,dc=example,dc=com
changetype: delete

deleting entry "uid=john,ou=employees,dc=example,dc=com"

Change an LDAP password

ldappasswd -x -D "cn=admin,dc=example,dc=com" -W -S "uid=testuser,ou=employees,dc=example,dc=com"

Change a Kerberos password

kadmin -p john@EXAMPLE.COM
Authenticating as principal john@EXAMPLE.COM with password.
Password for john@EXAMPLE.COM: 
kadmin:  cpw -pw testpassword john
Password for "john@EXAMPLE.COM" changed.
kadmin:  quit

Reset/change password PHP script

This is what you have to do to let your users change or reset their password via a web portal. The new password is emailed to the user, and the mail is PGP encrypted.

apt-get install php-pear gnupg libgpgme11 libgpgme11-dev php5-dev libgpg-error0
pecl install gnupg
pecl install kadm5

In /etc/php5/apache2/php.ini

extension=gnupg.so

Restart apache2:

/etc/init.d/apache2 restart

Add your public keys to the gnupg keyring:

gpg --homedir /var/www/.gnupg --import *.asc

For the webform in php we need some extra stuff:

pear install Mail
pear install Net_SMTP

Now add a Kerberos principal that is only able to change other users' passwords (using kadmin.local):

kadmin.local: addprinc pwdchange/provider.example.com@EXAMPLE.COM

Add the following rule to the kerberos ACL (/etc/krb5kdc/kadm5.acl):

pwdchange/provider.example.com c *

This ACL is simple. It says the following: the principal pwdchange/provider.example.com is allowed to change (c) passwords for every user (*).

The apache2 webserver is set up with a basic configuration of ModSecurity, installed from the Ubuntu repo.

The following 2 files contain the source code of the webportal:
[index.php][9]
[reset.php][10]
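The following is an added example of the reset logic, not the original index.php/reset.php: it looks up the user's mail address in LDAP, changes the Kerberos password through the restricted pwdchange principal with the pecl kadm5 extension, and sends the new password encrypted with the pecl gnupg extension and PEAR Mail. It assumes the pwdchange principal's password is exported to Apache as PWDCHANGE_SECRET, the user's public key was imported into /var/www/.gnupg, anonymous reads of ou=employees are allowed, and an MTA listens on localhost:25.

```php
<?php
// Added example (not the page's own index.php/reset.php). Assumed: PWDCHANGE_SECRET is
// set in Apache's environment, the recipient's key is in /var/www/.gnupg, MTA on localhost:25.
require_once 'Mail.php';
function reset_password($uid)
{
    // Accept only plain uids: a '/' or '@' in the name would address another principal
    if (!preg_match('/^[a-z][a-z0-9_-]{0,31}$/', $uid)) {
        return 'invalid username';
    }
    // Take the mail address from the LDAP entry, never from the form
    $ldap = ldap_connect('ldap://localhost');
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_bind($ldap); // anonymous read of ou=employees is assumed to be allowed
    $filter = '(uid=' . ldap_escape($uid, '', LDAP_ESCAPE_FILTER) . ')';
    $sr = ldap_search($ldap, 'ou=employees,dc=example,dc=com', $filter, array('mail'));
    $entries = ldap_get_entries($ldap, $sr);
    if ($entries['count'] !== 1 || empty($entries[0]['mail'][0])) {
        return 'unknown user';
    }
    $mailto = $entries[0]['mail'][0];
    // Encrypt only to the key whose uid matches that address
    putenv('GNUPGHOME=/var/www/.gnupg');
    $gpg = gnupg_init();
    gnupg_setarmor($gpg, 1);
    $fpr = null;
    foreach (gnupg_keyinfo($gpg, $mailto) as $key) {
        foreach ($key['uids'] as $u) {
            if (strcasecmp($u['email'], $mailto) === 0) { $fpr = $key['subkeys'][0]['fingerprint']; }
        }
    }
    if ($fpr === null || !gnupg_addencryptkey($gpg, $fpr)) {
        return 'no usable PGP key';
    }
    // 96 random bits, then change the principal via kadm5 (pwdchange holds only the 'c' right)
    $newpw = bin2hex(openssl_random_pseudo_bytes(12));
    $kadm = kadm5_init_with_password('provider.example.com', 'EXAMPLE.COM',
        'pwdchange/provider.example.com@EXAMPLE.COM', getenv('PWDCHANGE_SECRET'));
    if ($kadm === false || !kadm5_chpass_principal($kadm, $uid . '@EXAMPLE.COM', $newpw)) {
        return 'password change failed';
    }
    kadm5_destroy($kadm);
    $body = gnupg_encrypt($gpg, "Your new EXAMPLE.COM password is: $newpw\n");
    $headers = array('From' => 'noreply@example.com', 'To' => $mailto, 'Subject' => 'Password reset');
    $mail = Mail::factory('smtp', array('host' => 'localhost', 'port' => 25));
    return PEAR::isError($mail->send($mailto, $headers, $body)) ? 'mail failed' : 'ok';
}
```

Because the portal binds as pwdchange rather than an admin principal, a compromise of the web server can at most change passwords, which is exactly the right granted in kadm5.acl above.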