Installing and Enabling secure ldap-nsswitch operation on Fedora Core 2
(implemented on Fedora Core 2 - Test 2)

Install Fedora
------------------
  Workstation Configuration
  Open firewall
  No SELinux
  Default Software packages

Install RedHat Packages
------------------
  yum install krb5-workstation        # For kerberos installations
  yum install cyrus-sasl
  yum install cyrus-sasl-gssapi       # For kerberos installations
  yum install cyrus-sasl-plain
  yum install cyrus-sasl-devel
  yum install nss_ldap

  Errors were thrown by the SELinux resolver. This is unimportant(?) as we
  did not enable SELinux. I presume that if SELinux was enabled, these errors
  would not have been thrown at all. Your mileage may vary.

Setting up NSSWITCH
-------------------
  In /etc/nsswitch.conf add ldap to any line you want to resolve (e.g. passwd)
  so it looks like the following:

    passwd:     files ldap

  This will cause nsswitch to fall back to ldap to find non-local users. Of
  course, you can remove the 'files' entry altogether and make ldap a critical
  service. Note though that if ldap breaks then, you are without even a root
  user (no su!) and will require a boot into single-user mode to fix. If you
  want to make ldap the primary userbase, then just keep system users (and
  root) in the local files and add all new users to ldap.

Edit /etc/ldap.conf
-------------------
  Specify the location of the ldap server you wish to use, as well as the
  base dn of any service you wish to resolve. See the sample ldap.conf file
  for more details as to which entries to use.
  In a nutshell, the most basic set of entries is:

    host lucca.citi.umich.edu
    base dc=lucca,dc=citi,dc=umich,dc=edu
    nss_base_passwd ou=localUsers,dc=lucca,dc=citi,dc=umich,dc=edu
    nss_base_shadow ou=localUsers,dc=lucca,dc=citi,dc=umich,dc=edu

Enabling TLS
-------------------
  You can enable TLS (Transport Layer Security) using SSL by adding the
  following lines to your /etc/ldap.conf:

    ssl start_tls
    ssl on
    tls_checkpeer yes
    tls_ciphers TLSv1
    tls_cacertdir
    tls_cert
    tls_key

  Obviously, appropriate cert/key pairs must be generated for the client
  machine and the CA cert chain must be placed in an accessible location. The
  server cert must be covered by the CA chain as well.

  Using TLS, you can make secure, anonymous/simply bound queries to the LDAP
  server. This may be all you need. If you do not have a PKI infrastructure
  set up and would like to use Kerberos, then do not bother enabling TLS.

  Troubleshooting:
    Make sure that the cert and key are accessible. If you are running nscd
    and it is running as the nscd user, then the cert and key must be
    accessible to the nscd user. Run the LDAP server in debug mode to see
    what is failing.

Enabling Kerberos/GSSAPI
------------------------
  Make sure you installed the krb5-workstation and cyrus-sasl-gssapi packages.

  Edit /etc/krb5.conf and set your default realm and realm info. At this
  point, kinit and make sure that you can authenticate using Kerberos.

  Have your Kerberos admin make an nssldap/ principal and create a keytab for
  that principal. Install the keytab on your local machine in /etc/ (some
  distros might prefer /etc/krb5/krb5.keytab). (ldap_tabfile can be a new
  file and does not have to be part of an existing keytab.)

  Edit /etc/ldap.conf and include the following lines:

    use_sasl on
    sasl_auth_id nssldap/

  Set up your crontab to refresh your local service ticket cache using the
  keytab:
    0 */6 * * * /usr/bin/kinit -k -t /etc/ -c /etc/.ldapcache nssldap/ && chown nscd:nscd /etc/.ldapcache && chmod 0644 /etc/.ldapcache

  Edit the startup file that fires off nscd and set the environment variable
  KRB5CCNAME=/etc/.ldapcache for the nscd instance.

  Unfortunately, it does not look like Fedora enabled a krb5ccname
  configuration in the nss_ldap build, so we are stuck with using the
  environment variable instead of a configuration file. :-/ We could patch
  this... but it would require an SRPM patch and rebuild.... (not hard, but
  not turnkey either)

  Incidentally, if you do not use nscd, then GSSAPI abilities are contingent
  upon the local user having valid Kerberos credentials.

Setting Up NSCD
---------------
  Make sure you've got the nscd package installed.

    yum install nscd

  Look over /etc/nscd.conf and see if you like what you see.

  Troubleshooting:
    Launch nscd (at least the first time) using the /etc/init.d/nscd script.
    This script sets up the /var/run/nscd directory and performs sanity checks
    on the install. You can start nscd in debugging mode with the -d flag.
    Also, make sure that the nscd user exists if you are trying to run nscd
    as the nscd user.

Resources:
-----------
  http://www.hut.fi/cc/docs/kerberos/nss_ldap.html

notes: lucca-mapping.notes
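As an added check (example script, not part of these notes or of nss_ldap itself): a POSIX sh function that reads an nss_ldap ldap.conf and flags the slips the TLS and Kerberos/GSSAPI sections above are prone to, namely two competing 'ssl' lines, TLS without tls_checkpeer, use_sasl without a sasl_auth_id, and a cert/key/CA path the lookup user cannot read. The sample config and its file paths are constructed.

```sh
# Added example (not from the original notes): sanity-check an nss_ldap
# /etc/ldap.conf for the settings this guide relies on. Warnings go to
# stderr; the number of findings is printed on stdout.

conf_get() {   # last value set for KEY in FILE; empty if absent
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}
conf_count() { # number of lines in FILE that set KEY
    awk -v k="$2" '$1 == k { n++ } END { print n + 0 }' "$1"
}

check_ldap_conf() {
    f="$1"; n=0
    # 'ssl start_tls' (StartTLS on 389) and 'ssl on' (ldaps on 636) set the
    # same option, so a config should carry exactly one of them.
    if [ "$(conf_count "$f" ssl)" -gt 1 ]; then
        echo "WARN: more than one 'ssl' line; keep only one" >&2; n=$((n + 1))
    fi
    # TLS with tls_checkpeer off accepts any server certificate.
    if [ -n "$(conf_get "$f" ssl)" ] && [ "$(conf_get "$f" tls_checkpeer)" != yes ]; then
        echo "WARN: tls_checkpeer is not 'yes'; server cert not verified" >&2; n=$((n + 1))
    fi
    # GSSAPI binds need the principal whose ticket sits in the refreshed cache.
    if [ "$(conf_get "$f" use_sasl)" = on ] && [ -z "$(conf_get "$f" sasl_auth_id)" ]; then
        echo "WARN: use_sasl on without sasl_auth_id" >&2; n=$((n + 1))
    fi
    # CA dir, cert and key must be readable by whoever does the lookups
    # (the nscd user when nscd is in use): run this check as that user.
    for key in tls_cacertdir tls_cert tls_key; do
        p="$(conf_get "$f" "$key")"
        if [ -n "$p" ] && [ ! -r "$p" ]; then
            echo "WARN: $key $p is not readable" >&2; n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed sample: the guide's TLS block as written, plus a cert path
# that does not exist on this machine.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
host ldap.example.org
ssl start_tls
ssl on
tls_checkpeer yes
tls_cert /etc/openldap/cacerts/client.pem
EOF
check_ldap_conf "$SAMPLE"   # prints 2: duplicate ssl, unreadable tls_cert
rm -f "$SAMPLE"
```

Run it as the nscd user (su -s /bin/sh nscd) so the readability test reflects the account that actually performs the lookups.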