Faculty authentication on a machine in the FI network
Faculty account authentication can be made available on your own machine using the Lightweight Directory Access Protocol (LDAP) and Kerberos.
If you manage an official service against which faculty accounts are authenticated, or you want this service to authenticate itself to another service, we support the issuance of Kerberos principals (in the form service/hostname.fi.muni.cz) and their delivery as keytabs. For more information, contact
unixzW7Akybi8@fiuhNC=Hsop.municIKQRSPkZ.cz
.
The instructions below are for Unix-like operating systems, specifically the Linux distribution Ubuntu 18.04 LTS. The procedure for other distributions and operating systems may differ.
General information
Protocol
The Lightweight Directory Access Protocol (LDAP) is available on the FI network and provides information about individual users and user groups. The directory can be queried anonymously (the -x option below requests a simple bind, and no credentials are given). An ellipsis (…) in the output means omitted text (here and in the other examples in this text):
$ ldapsearch -H ldap://ldap.fi.muni.cz/ -b ou=People,dc=fi,dc=muni,dc=cz cn=xlogin -x
# xlogin, People, fi.muni.cz
dn: uid=xlogin,ou=People,dc=fi,dc=muni,dc=cz
uid: xlogin
cn: xlogin
objectClass: account
objectClass: posixAccount
userPassword:: e1NBU0x9bXl4bG9naW5ARkkuTVVOSS5DWg==
loginShell: /bin/bash
uidNumber: 12345
gidNumber: 10100
homeDirectory: /home/xlogin
gecos: Honza Login
host: aisa
host: anxur
$ ldapsearch -H ldap://ldap.fi.muni.cz/ -b ou=Group,dc=fi,dc=muni,dc=cz cn=student -x
# student, Group, fi.muni.cz
dn: cn=student,ou=Group,dc=fi,dc=muni,dc=cz
objectClass: posixGroup
objectClass: top
cn: student
gidNumber: 10100
memberUid: xlogin1
memberUid: xlogin2
…
This information can then be used as an additional source of Unix user and group tables through the Name Service Switch (NSS) framework. Among other things, this allows file systems to be shared across Unix machines, because every machine resolves the same names to the same UIDs and GIDs.
The Kerberos protocol is also available on the FI network and allows authentication to faculty user accounts with the faculty password through the Pluggable Authentication Modules (PAM) framework. This provides single sign-on across faculty Unix machines.
Lightweight Directory Access Protocol
Protocol
The LDAP protocol is used by the Name Service Switch (NSS) module, together with the nscd caching daemon, which reduces response times and the load on the LDAP servers. In the Ubuntu repositories both are available as the packages
nscd
and
libnss-ldap
:
# apt install nscd libnss-ldap
Next, download the faculty CA certificate so that connections to the LDAP servers are encrypted and the servers' certificates are verified. This certificate becomes the trust anchor for every user and group lookup the machine makes, so compare its fingerprint with a value obtained through another channel before installing it. The certificate is distributed in DER form and converted to PEM; the target directory does not exist on a fresh Ubuntu installation and has to be created:
$ wget https://fadmin.fi.muni.cz/cacert/FI_CA.crt
# mkdir -p /etc/openldap/certs
# openssl x509 -in FI_CA.crt -out /etc/openldap/certs/FI_CA.pem -inform DER -outform PEM
# chmod u=rw,g=r,o=r /etc/openldap/certs/FI_CA.pem
# chown root:root /etc/openldap/certs/FI_CA.pem
The LDAP NSS module is then configured as follows. The tls_* settings make verification of the server certificate mandatory; if lookups fail, fix the CA path rather than relaxing tls_reqcert:
$ cat /etc/ldap.conf
base dc=fi,dc=muni,dc=cz
uri ldaps://ldap1.fi.muni.cz ldaps://ldap.fi.muni.cz
nss_base_passwd ou=People,dc=fi,dc=muni,dc=cz?one
nss_base_group ou=Group,dc=fi,dc=muni,dc=cz?one
ssl yes
tls_reqcert hard
tls_checkpeer yes
tls_cacert /etc/openldap/certs/FI_CA.pem
$ cat /etc/ldap/ldap.conf
…
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/openldap/certs/FI_CA.pem
Finally, configure NSS so that the LDAP module is consulted for Unix user and group tables, after the local files (compat) and systemd's dynamic users:
$ cat /etc/nsswitch.conf
…
passwd: compat systemd ldap
group: compat systemd ldap
shadow: compat ldap
…
We should now be able to resolve users and user groups:
$ id xlogin
uid=12345(xlogin) gid=10100(student) groups=10340(account_myhost),10000(staff),10100(student)
User list restrictions
If we want to limit the set of users who are able to log in to the Unix machine, we can extend the
nss_base_passwd
entry in the LDAP NSS module configuration with an LDAP filter (the syntax is base?scope?filter):
$ grep nss_base_passwd /etc/ldap.conf
nss_base_passwd ou=People,dc=fi,dc=muni,dc=cz?one?host=myhost
Next, we ask technical support to create a group
account_myhost
in which we have administrator rights. In the faculty administration we then fill in the group's member list and press the "Regenerate mail groups and LDAP" button. Users who are members of
account_myhost
then carry the LDAP attribute
host
with the value
myhost
, and only these users are visible to our machine; everyone else is unknown to NSS and therefore cannot log in even with a valid faculty password. In the same way, users and groups can be filtered by any other LDAP attribute. Note that this is a visibility filter on our machine only: the directory itself still answers queries about all users.
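Two details of the output above deserve a closer look: the `::` (base64) values in the ldapsearch output and the `?one?host=myhost` filter. The following Python is an added example, not code from this page or from FI's tooling. It parses ldapsearch-style LDIF, decodes base64 values, shows that userPassword only names a password scheme ({SASL}, i.e. the directory delegates password checks to SASL and stores no hash) and emulates the host filter to list which users a given machine would see. The sample entries are constructed to match the shape of the output above; the second user and the extra host value are hypothetical.

```python
import base64
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# Constructed sample in the shape of the ldapsearch output above (hypothetical entries).
SAMPLE_LDIF = """\
# xlogin, People, fi.muni.cz
dn: uid=xlogin,ou=People,dc=fi,dc=muni,dc=cz
uid: xlogin
cn: xlogin
objectClass: account
objectClass: posixAccount
userPassword:: e1NBU0x9bXl4bG9naW5ARkkuTVVOSS5DWg==
loginShell: /bin/bash
uidNumber: 12345
gidNumber: 10100
homeDirectory: /home/xlogin
gecos: Honza Login
host: aisa
host: anxur
host: myhost

# xlogin2, People, fi.muni.cz
dn: uid=xlogin2,ou=People,dc=fi,dc=muni,dc=cz
uid: xlogin2
cn: xlogin2
objectClass: account
objectClass: posixAccount
loginShell: /bin/bash
uidNumber: 12346
gidNumber: 10100
homeDirectory: /home/xlogin2
gecos: Jana Login
host: aisa

"""


def parse_ldif(text: str) -> List[Entry]:
    """Parse ldapsearch-style LDIF into a list of entries.

    Handled: '#' comment lines, a blank line ends an entry, a line starting with
    one space continues the previous value, 'attr: v' is plain text and
    'attr:: v' is base64 (what ldapsearch prints for non-safe values).
    Every attribute maps to a list, because LDAP attributes are multi-valued.
    """
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # unfold continuation line
        else:
            lines.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in lines:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def visible_users(entries: List[Entry], host: Optional[str] = None) -> List[str]:
    """Emulate 'nss_base_passwd ou=People,...?one' (host=None) and
    '...?one?host=<host>': only posixAccount entries pass, and with a host
    filter only those carrying <host> among their (multi-valued) host values."""
    names = []
    for e in entries:
        if "posixAccount" not in e.get("objectClass", []):
            continue
        if host is not None and host not in e.get("host", []):
            continue
        names.append(e["uid"][0])
    return sorted(names)


def password_scheme(entry: Entry) -> Optional[str]:
    """Return the '{SCHEME}' prefix of userPassword, or None if absent.
    '{SASL}' means no hash is stored; binds are verified through SASL
    (here the Kerberos password), so the anonymously readable value reveals
    no secret."""
    values = entry.get("userPassword")
    if not values:
        return None
    v = values[0]
    if v.startswith("{") and "}" in v:
        return v[: v.index("}") + 1]
    return None


if __name__ == "__main__":
    people = parse_ldif(SAMPLE_LDIF)
    print("scheme:", password_scheme(people[0]), "->", people[0]["userPassword"][0])
    print("all users:", visible_users(people))
    print("visible on myhost:", visible_users(people, "myhost"))
```

To run it against the real directory, feed it the output of the ldapsearch command from the beginning of this text; attribute names and the base64 convention are the same.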
Kerberos
Kerberos support requires the client utilities for obtaining tickets and the Kerberos login module for Pluggable Authentication Modules (PAM). In the Ubuntu repositories these are available as the packages
krb5-user
and
libpam-krb5
:
# apt install krb5-user libpam-krb5
The following is the Kerberos client configuration:
$ cat /etc/krb5.conf
[libdefaults]
default_realm = FI.MUNI.CZ
…
[realms]
…
FI.MUNI.CZ = {
kdc = krb.fi.muni.cz
kdc = krb1.fi.muni.cz
default_domain = fi.muni.cz
}
…
[domain_realm]
…
.fi.muni.cz = FI.MUNI.CZ
fi.muni.cz = FI.MUNI.CZ
Obtaining Kerberos tickets should now work:
$ kinit xlogin
Password for xlogin@FI.MUNI.CZ:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: xlogin@FI.MUNI.CZ
Valid starting Expires Service principal
2.10.2019 17:55:39 3.10.2019 17:55:35 krbtgt/FI.MUNI.CZ@FI.MUNI.CZ
The Ubuntu PAM profile for pam_krb5 sets minimum_uid=1000, so by default only users with a UID of at least 1000 are authenticated against Kerberos. This keeps local system accounts (root and the service accounts with UIDs below 1000) from being authenticated with the password of a Kerberos principal that happens to have the same name, and it keeps the UIDs of directory users apart from those of system users. Unfortunately, for historical reasons some faculty users have a UID below 1000. We therefore adjust the PAM profile to accept users with a UID of at least 200. Before doing so, check that no local account on the machine has a UID between 200 and 999, because such accounts would become reachable through Kerberos as well. The profile is shipped by the libpam-krb5 package and may be overwritten by an upgrade, so re-check it after updates:
$ cat /usr/share/pam-configs/krb5
Name: Kerberos authentication (MIN_UID=200)
Default: yes
Priority: 704
Conflicts: krb5-openafs
Auth-Type: Primary
Auth:
[success=end default=ignore] pam_krb5.so minimum_uid=200 try_first_pass
Auth-Initial:
[success=end default=ignore] pam_krb5.so minimum_uid=200
Account-Type: Additional
Account:
required pam_krb5.so minimum_uid=200
Password-Type: Primary
Password:
[success=end default=ignore] pam_krb5.so minimum_uid=200 try_first_pass use_authtok
Password-Initial:
[success=end default=ignore] pam_krb5.so minimum_uid=200
Session-Type: Additional
Session:
optional pam_krb5.so minimum_uid=200
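Before lowering minimum_uid, it is worth knowing what the new threshold means on this particular machine. The following Python is an added example, not part of the page's procedure or of pam_krb5: it takes /etc/passwd-style content and a name-to-uidNumber map of directory users and reports local accounts that become reachable with a Kerberos password, directory users that pam_krb5 will ignore, and name or UID collisions between the two sources. The passwd lines and directory users are constructed for the example; the names, UIDs and the audit function are hypothetical.

```python
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    user: str
    uid: int
    code: str
    detail: str


# Constructed /etc/passwd sample with typical Ubuntu system accounts (hypothetical names and UIDs).
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
postgres:x:250:250:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
admin:x:1000:1000:Local Admin,,,:/home/admin:/bin/bash
"""

# Constructed uid -> uidNumber map as it would come from the People subtree (hypothetical).
LDAP_ACCOUNTS: Dict[str, int] = {
    "xlogin": 12345,
    "oldtimer": 512,   # historical faculty UID below 1000, the case the text describes
    "legacy": 150,     # below minimum_uid=200
    "pgsql": 250,      # same uidNumber as the local postgres account
    "backup": 3400,    # same name as a local system account
}


def parse_passwd(text: str) -> Dict[str, int]:
    """Map user name -> UID from /etc/passwd content (seven colon-separated fields)."""
    accounts: Dict[str, int] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        accounts[fields[0]] = int(fields[2])
    return accounts


def audit_minimum_uid(local: Dict[str, int], ldap: Dict[str, int],
                      minimum_uid: int = 200) -> List[Finding]:
    """Report what a given pam_krb5 minimum_uid means for this machine.

    nsswitch 'compat ... ldap' resolves local entries before LDAP ones and
    pam_krb5 only looks at the UID that NSS returns, so the cases that matter:
    - local accounts with UID >= minimum_uid: a Kerberos password is accepted
      for them if a principal with the same name exists at the KDC;
    - directory users with UID < minimum_uid: pam_krb5 ignores them;
    - directory users whose name or uidNumber is already taken locally.
    """
    findings: List[Finding] = []
    local_by_uid = {uid: name for name, uid in local.items()}
    for name, uid in sorted(local.items(), key=lambda kv: kv[1]):
        if uid >= minimum_uid:
            findings.append(Finding(name, uid, "LOCAL_KRB_REACHABLE",
                f"local account accepts a Kerberos password if principal "
                f"{name}@REALM exists at the KDC"))
    for name, uid in sorted(ldap.items(), key=lambda kv: kv[1]):
        if uid < minimum_uid:
            findings.append(Finding(name, uid, "BELOW_MINIMUM_UID",
                "pam_krb5 ignores this user; Kerberos login is refused"))
        elif name in local:
            findings.append(Finding(name, uid, "NAME_SHADOWED",
                f"NSS returns the local account (uid {local[name]}) first; "
                "the directory entry is unreachable"))
        elif uid in local_by_uid:
            findings.append(Finding(name, uid, "UID_COLLISION",
                f"shares uidNumber with local account {local_by_uid[uid]!r}; "
                "files of both are co-owned"))
    return findings


if __name__ == "__main__":
    local = parse_passwd(LOCAL_PASSWD)
    for threshold in (1000, 200):
        print(f"minimum_uid={threshold}")
        for f in audit_minimum_uid(local, LDAP_ACCOUNTS, threshold):
            print(f"  {f.code:20} {f.user}({f.uid}): {f.detail}")
```

Run it with the machine's real /etc/passwd and a name/uidNumber listing taken from the ldapsearch output; anything reported as LOCAL_KRB_REACHABLE in the 200 to 999 range is a system account that the lowered threshold newly exposes.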
To apply the configuration, run the PAM configuration tool. If you want home directories to be created on first login, select the "Create home directory on login" item in the menu that appears and confirm with the "OK" button:
# pam-auth-update
We should then be able to log in to the system with a faculty account:
$ ssh xlogin@localhost id
Password:
Creating directory '/home/xlogin'.
uid=12345(xlogin) gid=10100(student) groups=10340(account_myhost),10000(staff),10100(student)