If you're working as a Linux sysadmin in a small or medium-sized company (80-300 people) whose own and hosted infrastructure is growing quickly, you will soon face the requirement that all Linux servers hosting applications be unified so that users can log in with the same user name / password across all company Linux / UNIX servers.
Having a single ID / password across multiple servers is also handy for routine sysadmin purposes, as it simplifies daily maintenance tasks, the deployment of "one view" server monitoring and the replication of software onto new server nodes.
This is where LDAP (Lightweight Directory Access Protocol) comes to help. LDAP authentication, used through PAM (Pluggable Authentication Modules), makes it easy to achieve a common centralized login mechanism across a Linux server "farm", whether users log in over SSH or through an X login (if some kind of X GUI environment is used).
Configuring Linux servers to use a centralized LDAP server to store users, passwords and other user information is also very useful whenever you want a common login mechanism for a group of users across a heterogeneous network of Windows, Linux and UNIX servers. By keeping the users in a centralized LDAP server, users have access with the same user / password to Windows, Linux, Sun OS, HP-UX, FreeBSD etc. A centralized LDAP for the production environment and another for testing is a common sight in large IT infrastructure (hosting / support) companies such as IBM, HP, Google or Yahoo.
Centralizing LDAP credentials is common in telecommunication companies, many universities such as Berkeley / MIT and all kinds of big businesses, or anywhere hundreds of thousands of users need to be kept in a common database replicated across servers.
Here is how to Configure SSH LDAP Linux login authentication:
1. Install the LDAP client and configure it to use a remote LDAP server on Debian / Ubuntu Linux
– On Debian Linux servers the classical way to install and configure LDAP authentication is:
apt-get install --yes libpam-ldap libnss-ldap nscd ldap-utils
You will be asked a series of configuration questions, in the good old ncurses interface, about the LDAP server to be used:
- LDAP server Uniform Resource Identifier: ldap://LDAP-server-IP-Address
- Change the initial string from "ldapi:///" to "ldap://" before entering your server's address
- Distinguished name of the search base:
- LDAP version to use: 3
- Make local root Database admin: Yes
- Does the LDAP database require login? No
- LDAP account for root:
- LDAP root account password: Your-LDAP-root-password
If you entered some wrong data, to make the configuration interface pop up again issue as root:
dpkg-reconfigure ldap-auth-config
Then make the system aware that the LDAP database is to be used, through NSS (Name Service Switch), which is configured in /etc/nsswitch.conf:
vim /etc/nsswitch.conf
To have passwd, shadow and group lookups answered by the configured LDAP server first (the local /etc/passwd, /etc/shadow and /etc/group are still consulted afterwards via compat), set:
passwd: ldap compat
group: ldap compat
shadow: ldap compat
Linux authenticates against the remote LDAP server through PAM (Pluggable Authentication Modules), which provides authentication via a series of modules each returning a yes / no response. In Windows NT / XP something similar was called GINA; in Windows 7 / 8 / 2012 a similar technology is called Credential Provider.
LDAP authentication is done via PAM; to make it possible edit:
vim /etc/pam.d/common-session
Place the line:
session required pam_mkhomedir.so skel=/etc/skel umask=0022
This line makes PAM create a home directory on login for the user logged in via LDAP and copy all files from /etc/skel/* to /home/username/*.
To make the new settings effective restart the nscd service (it handles passwd, group and host lookups and caches previous results).
/etc/init.d/nscd restart
However, this method of configuration will probably be obsoleted in future Debian releases; the modern way to configure servers to authenticate against a central LDAP server is SSSD, i.e.:
apt-get install sssd libnss-sss libpam-sss
apt-get remove nscd
vim /etc/sssd/sssd.conf
domains = LDAP
[…]
[domain/LDAP]
enumerate = true
id_provider = ldap
auth_provider = ldap
# ldap_schema can be set to "rfc2307", which stores group member names in the
# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
# the "member" attribute. If you do not know this value, ask your LDAP
# administrator.
#ldap_schema = rfc2307
ldap_uri = ldap://server1.mydom.com/
ldap_search_base = dc=mydom,dc=intern
#ldap_tls_reqcert = never
ldap_tls_cacert = /etc/ldap/ssl/cacert.pem
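The fragment above leaves ldap_tls_reqcert commented out and uses a plain ldap:// URI. As an added example (not part of the original post), here is a small audit that flags those weak settings in an sssd.conf and shows the hardened variant beside it; the hostname, CA path and the two sample configs are constructed.

```shell
# Added example, not from the original post: audit sssd.conf TLS settings.
# The two configs written below are constructed samples; hostname and CA path are assumed.

# sssd_val FILE KEY -> last uncommented "KEY = value" in FILE (empty if none)
sssd_val() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# audit_sssd_conf FILE -> one finding per line on stdout; returns 1 if any
audit_sssd_conf() {
    f="$1"; rc=0
    case "$(sssd_val "$f" ldap_tls_reqcert)" in
        never|allow) echo "ldap_tls_reqcert=never/allow: server certificate is never verified"; rc=1 ;;
    esac
    case "$(sssd_val "$f" ldap_uri)" in
        ldaps://*) ;;
        ldap://*)   # identity lookups travel in clear unless STARTTLS is forced
            [ "$(sssd_val "$f" ldap_id_use_start_tls)" = "true" ] ||
                { echo "ldap_uri is ldap:// without ldap_id_use_start_tls=true"; rc=1; } ;;
        *) echo "ldap_uri missing or not ldap:// / ldaps://"; rc=1 ;;
    esac
    [ -n "$(sssd_val "$f" ldap_tls_cacert)" ] ||
        { echo "ldap_tls_cacert unset: no CA to verify the server against"; rc=1; }
    return $rc
}
# Constructed weak sample: the fragment above with its commented line enabled.
WEAK_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://server1.mydom.com/
ldap_tls_reqcert = never
EOF
# Constructed hardened sample: same domain with STARTTLS and CA checking forced.
HARD_CONF=$(mktemp)
cat >"$HARD_CONF" <<'EOF'
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://server1.mydom.com/
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ldap/ssl/cacert.pem
EOF
audit_sssd_conf "$WEAK_CONF" || echo "weak config: fix the findings above"
audit_sssd_conf "$HARD_CONF" && echo "hardened config: no findings"
```

sssd additionally refuses to start unless sssd.conf is owned by root with mode 0600, so keep the file that tight after editing it.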
2. Install the LDAP client and configure it to use a remote LDAP server on CentOS / Fedora / RPM based Linux
yum -y install openldap-clients nss-pam-ldapd nscd authconfig
On client machines, both /etc/ldap.conf and /etc/openldap/ldap.conf need to contain the proper server and search base information for the organization.
There is a quick way to configure LDAP use with authconfig:
[root@www ~]# authconfig --enableldap \
--enableldapauth \
--ldapserver=dlp.server.world \
--ldapbasedn="dc=server,dc=world" \
--enablemkhomedir \
--update
Starting nslcd: [ OK ]
[root@www ~]# exit
logout
CentOS Linux release 7.0.1406 (Core)
3.10.0-123.4.2.el7.x86_64 on an x86_64
www login: ldap-user # LDAP user
Password: # password
Creating directory '/home/rldap-user'.
[ldap-user@www ~]$ # logged in normally
[ldap-user@www ~]$ passwd # change the LDAP user's password (the change is written to the LDAP server)
Changing password for user redhat.
Enter login(LDAP) password: # current password
New password: # new password
Retype new password:
LDAP password information changed for redhat
passwd: all authentication tokens updated successfully.
When authconfig is used to configure LDAP, authentication against the server is managed by SSSD (System Security Services Daemon); for more, check out man sssd.
For sssd to work you need the following RPM packages installed:
sssd-client
sssd-common
sssd-common-pac
sssd-ldap
sssd-proxy
python-sssdconfig
authconfig
authconfig-gtk
The SSSD configuration, including the LDAP server hostname filled in by authconfig, is stored in /etc/sssd/sssd.conf.
To reload new SSSD settings:
systemctl restart sssd
Using sssd is the new way to enable LDAP authentication on Linux, and people who use it should not mix it with the old, already obsolete nslcd method.
3. Enabling an Apache web application to authenticate against the LDAP server
If you further want LDAP authorization to also work in an installed and running Apache webserver on the host, you need to load the LDAP modules
in httpd.conf:
vim /etc/httpd/conf/httpd.conf
There should be records like:
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
On Debian / Ubuntu Linux to enable LDAP auth in Apache2:
root@www:~# a2enmod ldap authnz_ldap
Enabling module ldap.
Considering dependency ldap for authnz_ldap:
Module ldap already enabled
Enabling module authnz_ldap.
To activate the new configuration, you need to run:
service apache2 restart
Finally, to make Apache load the new config:
On Red Hat based distros:
/etc/init.d/httpd restart
On Debian:
/etc/init.d/apache2 restart
If you want to use LDAP auth within PHP / Perl applications you will also need to install php5-ldap and libnet-ldap-perl (debs) on Debian / Ubuntu, or php-ldap and perl-LDAP.noarch (rpm) on CentOS / Fedora.
To require LDAP credentials, in the VirtualHost(s) or in the .htaccess of a certain directory use a config like:
AuthName "Restricted"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL ldap://ldap.domain.com:389/ou=People,dc=domain,dc=com?uid
# the bind account only needs read access to ou=People; its password is stored in clear text here
AuthLDAPBindDN "cn=Manager,dc=domain,dc=com"
AuthLDAPBindPassword "your_secret_secret_password_to_ldap_admin"
Require valid-user
4. Debug / test the remote LDAP server connection
Once LDAP auth is set up, to debug / test users from the server use ldapsearch (part of ldap-utils):
ldapsearch -x -h <ldapserver> -b dc=<your>,dc=<domain> uid=<username>
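Beyond a raw ldapsearch, the useful check is whether the entry the directory returns matches what NSS on the client actually resolves. As an added example (not part of the original post), this rebuilds the passwd(5) line from a posixAccount entry and compares it with getent; the server name, base DN and sample LDIF are assumed / constructed.

```shell
# Added example, not from the original post. Server, base DN and sample LDIF are constructed.

# ldap_user_entry USER -> LDIF of the user's posixAccount attributes.
# -ZZ makes ldapsearch fail instead of falling back to cleartext when STARTTLS fails.
ldap_user_entry() {
    ldapsearch -x -LLL -ZZ -H ldap://ldap.example.com -b dc=example,dc=com \
        "(&(objectClass=posixAccount)(uid=$1))" \
        uid uidNumber gidNumber gecos homeDirectory loginShell
}

# ldif_to_passwd < LDIF -> "user:x:uid:gid:gecos:home:shell" (base64 "::" values not handled)
ldif_to_passwd() {
    awk '
        function v() { sub(/^[^:]*: /, ""); return $0 }
        /^uid: /           { u = v() }
        /^uidNumber: /     { uid = v() }
        /^gidNumber: /     { gid = v() }
        /^gecos: /         { g = v() }
        /^homeDirectory: / { h = v() }
        /^loginShell: /    { s = v() }
        END { if (u != "") printf "%s:x:%s:%s:%s:%s:%s\n", u, uid, gid, g, h, s }'
}

# check_user USER -> 0 when the directory entry and the local NSS view agree
check_user() {
    want=$(ldap_user_entry "$1" | ldif_to_passwd)
    have=$(getent passwd "$1")
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Constructed sample entry, as ldapsearch -LLL would print it
SAMPLE_LDIF='dn: uid=jdoe,ou=People,dc=example,dc=com
uid: jdoe
uidNumber: 10001
gidNumber: 10001
gecos: John Doe
homeDirectory: /home/jdoe
loginShell: /bin/bash'

# sample_passwd_line -> the passwd line built from SAMPLE_LDIF (no server needed)
sample_passwd_line() { printf '%s\n' "$SAMPLE_LDIF" | ldif_to_passwd; }

sample_passwd_line
```

Run check_user <username> on a client; a mismatch or an empty result points at nsswitch.conf, the search base, or the schema (rfc2307 vs rfc2307bis) rather than at the server itself.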
How to add OpenID functionality to WordPress Comments / What is OpenID?
Tuesday, February 14th, 2012
I've recently decided to add Comment-with-OpenID functionality to my WordPress blog. The reason is that I myself created an OpenID account today. Millions of people already have an OpenID account without even knowing it. Most major search engines and social websites like Google, Yahoo, LiveJournal, Hyves, Blogger, Flickr and MySpace automatically create an OpenID account for newly registered users.
It is up to the user to check with each of the aforementioned providers what the URL of their OpenID account is.
Even though OpenID's popularity is steadily rising, I'm sure there are still plenty of users who have not heard of, used or noticed OpenID yet.
So What the heck is OpenID?
For all those who still haven't heard about it, OpenID is a universal website login system: with just one "unified" OpenID account the user can log in to multiple websites with no need to create separate accounts on each and every website on the internet.
The only requirements for the user to be able to use OpenID are that the website in question supports OpenID credentials and that the user has an existing OpenID account.
Therefore, using one single OpenID you can sign in as a certain user to multiple websites with no need for an annoying registration process at each new website you encounter. Another benefit OpenID gives the user is that you don't have to memorize or keep notes of tens or thousands of different login accounts across the many different websites on the net.
Using OpenID also saves the user from trouble with forgotten passwords or usernames, as just one OpenID login is used to log you in everywhere.
For the WordPress blogging platform the Russian Igor Korolev has written a WordPress plugin, comments-with-openid. This plugin adds support for OpenID authentication in WordPress comments.
Here is how to add OpenID to WordPress:
1. Download the comments-with-openid plugin and unzip it
As of the writing of this article the latest comments-with-openid plugin is ver. 1.4.
Download the plugin to the blog's plugins directory, let's say /var/www/blog/wp-content/plugins/, and unzip it:
# cd /var/www/blog/wp-content/plugins
# wget http://downloads.wordpress.org/plugin/comments-with-openid.zip
...
# unzip comments-with-openid.zip
...
I've also made a mirror for download of comments-with-openid 1.4 here
2. Enable the Comments with OpenID wp plugin
Next the plugin has to be enabled, just like any other WordPress plugin, via the admin menus:
Plugins -> Inactive -> Comments with OpenID (enable)
Once the plugin is enabled it is necessary to add some code with a text editor to the file /var/www/blog/wp-content/themes/default/comments.php
Small note to make here: if you're not using the default WordPress theme (like I do), you will have to edit /themes/your-theme-name/comments.php instead.
Inside the file look for the form input fields:
<p> <input type="text" name="author" ....
...
<p> <input type="text" name="email" id="email" ....
...
<p> <input type="text" name="url" id="url" ....
...
Before the HTML tag code, paste the following:
<?php comments_with_openid(); ?>
Save the comments.php file and identification for new comments with OpenID will appear in your WordPress comments form.
The OpenID plugin will add a number of service OpenIDs to choose between, as you can see in my blog's comments section or the screenshot below:
The URL https://www.google.com/accounts/o8/id is just a sample, shown because I clicked on the Google icon. If you have a Google profile you can check the exact ID and use it as the URL there; simply put, if your browser is logged in to Gmail and you have a Google profile, OpenID should work. As you can see, the plugin supports a number of services which already support OpenID auth; the list of services can easily be extended with minor changes in …/plugins/comments-with-openid/comments-with-openid.php
There is also another WordPress plugin, named simply openid – http://wordpress.org/extend/plugins/openid/
Downloading and enabling the other openid plugin also adds support for OpenID login on your http://your-url.com/wp-admin/ login page.
Installing the OpenID plugin is especially useful if you're a blogger blogging on 5 or 10 different topic-oriented blogs: once downloaded and installed, the OpenID plugin will allow you to log in across the blog ring without losing time or bothering to remember different passwords for all the blogs. Here is a screenshot of the /wp-admin WordPress login page with the OpenID wp plugin enabled:
As of the time of writing, according to http://openid.net/get-an-openid/what-is-openid/ there are over 50000 major websites on the net already accepting OpenID login.
Of course, like every technology, OpenID is not perfect, and along with its convenience in some cases it can open a security hole. OpenID opponents claim that under some circumstances OpenID is prone to forgery, XSS (cross-site scripting) and XSRF attacks. Everyone who is about to use OpenID should also be aware of the great security risk it imposes if one OpenID account gets stolen through sniffing: this could mean multiple websites can be accessed with the one single OpenID by the malicious user, and a lot of confidential data owned by the user can be revealed or deleted …
With this said, I think OpenID is not a recommended login technology for Windows users, as Windows is famous for being vulnerable to so many viruses and spyware / malware etc.
With non-free software OSes like MS Windows the user can never be sure whether the system is infected, hence using OpenID to transfer credentials over the internet or storing an OpenID SSL / TLS certificate to identify to websites is TOO DANGEROUS!
Hope this article was helpful. Cya