
Advanced user account management using LDAP

How to configure LDAP to access user account information

There are different ways to configure user accounts on SLC and CC machines at CERN. If you only need to create a few AFS accounts, you should simply use the useraddcern command.

If you need to give access to larger groups of accounts that are centrally managed in FIM / Active Directory, read on...

This document describes how to configure a client CC or SLC machine to use the central LDAP service xldap.cern.ch to give access to AFS user groups. Examples:

  • How to give access to all users of some Unix groups?
  • How to give access to all members of an E-group?
  • How to deny access to users with disabled accounts?
  • How to override certain attributes, like the login shell or the home directory?

The xldap.cern.ch LDAP service

The xldap.cern.ch LDAP service allows anonymous read-access to the user information in FIM / Active Directory. In particular, it contains the account information for all AFS users, and the membership of the CERN E-groups.

The xldap.cern.ch LDAP service is described here

CERN CentOS 7

What is sssd ?

SSSD provides a set of daemons that manage access to remote directories and authentication mechanisms. It offers an NSS and a PAM interface towards the system, a D-Bus interface, and a pluggable backend that can connect to several different account sources at the same time.

Configuring sssd

The /etc/sssd/sssd.conf configuration describes the CERN configuration:
[sssd]
config_file_version = 2
services = nss, pam
domains = CERN

[nss]
filter_groups = sshd,apache,root
filter_users = sshd,apache,root

[pam]
pam_id_timeout = 600

[domain/CERN]
id_provider = ldap
ignore_group_members = True
access_provider = ldap
ldap_schema = AD
ldap_initgroups_use_matching_rule_in_chain = True

ldap_uri = ldap://xldap.cern.ch:389, ldap://xldap.cern.ch:389, ldap://xldap.cern.ch:389

ldap_referrals = False
ldap_id_use_start_tls = False
ldap_search_base = DC=cern,DC=ch
ldap_user_search_base = OU=Users,OU=Organic Units,DC=cern,DC=ch
ldap_user_search_scope = one
ldap_user_object_class = person
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory

ldap_group_search_base = OU=Unix,OU=Workgroups,DC=cern,DC=ch
ldap_group_search_scope = one
ldap_group_object_class = group

# allow users
ldap_access_filter = (&(objectClass=user) (cn=*))

ldap_force_upper_case_realm = True

krb5_realm = CERN.CH
krb5_server = cerndc.cern.ch

auth_provider = krb5
chpass_provider = krb5
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts
You can install it as root by following this recipe. The example file is fetched over plain HTTP, so compare it with the listing above before you enable sssd:
# curl -o /etc/sssd/sssd.conf http://linux.web.cern.ch/docs/sssd.conf.example
# chown root:root /etc/sssd/sssd.conf
# chmod 0600 /etc/sssd/sssd.conf
# restorecon /etc/sssd/sssd.conf
Note that with ldap_id_use_start_tls = False and plain ldap:// URIs, the identity lookups (uid, gid, home directory, group membership) travel in clear text on port 389; authentication itself goes through Kerberos and is not affected. In the following sections we explain how the configuration can be tweaked.
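The following is an added example, not CERN's or the sssd project's code. It reads an sssd.conf with configparser (the file is INI-style) and reports the conditions worth knowing about in a configuration like the one above: identity lookups over cleartext LDAP (ldap:// URIs without StartTLS), an ldap_access_filter that admits every account or no access_provider at all (sssd then defaults to permit), and a file that anyone but root can read. The two embedded configurations are constructed here from the listing above, trimmed to the options the checks look at.

```python
"""Check an sssd.conf for the points this page makes about the CERN configuration.

Added example, not CERN's or the sssd project's code. sssd.conf is INI-style,
so configparser reads it; the checks flag a [domain/...] section that fetches
identity data over cleartext LDAP, an ldap_access_filter that admits every
account (or no access_provider at all, which sssd treats as "permit"), and a
file that anyone but root can read. Both sample configurations below are
constructed here, trimmed to the options the checks look at.
"""
import configparser
import stat

CERN_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = CERN

[domain/CERN]
id_provider = ldap
access_provider = ldap
ldap_uri = ldap://xldap.cern.ch:389, ldap://xldap.cern.ch:389, ldap://xldap.cern.ch:389
ldap_id_use_start_tls = False
ldap_access_filter = (&(objectClass=user) (cn=*))
auth_provider = krb5
krb5_realm = CERN.CH
"""

# The same domain with StartTLS enabled and logins limited to one Unix group.
RESTRICTED_CONF = CERN_CONF.replace(
    "ldap_id_use_start_tls = False", "ldap_id_use_start_tls = True"
).replace("(&(objectClass=user) (cn=*))", "(&(objectClass=user) (gidNumber=1081))")

# Access filters (spaces removed, lower-cased) that match every user object.
PERMIT_ALL = {"", "(objectclass=user)", "(&(objectclass=user)(cn=*))"}


def audit_domains(text):
    """Return findings (strings) for every [domain/...] section of an sssd.conf."""
    # interpolation=None: sssd values such as override_homedir = /nfs/home/%u contain '%'
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        uris = {u.strip() for u in d.get("ldap_uri", "").split(",") if u.strip()}
        cleartext = sorted(u for u in uris if u.startswith("ldap://"))
        # sssd defaults ldap_id_use_start_tls to False, so ldap:// alone means cleartext
        if cleartext and d.get("ldap_id_use_start_tls", "false").lower() != "true":
            findings.append(f"{section}: identity lookups in cleartext to {', '.join(cleartext)}; "
                            "uid/gid/home/group data used for authorization is unauthenticated")
        provider = d.get("access_provider")
        if provider is None:
            findings.append(f"{section}: no access_provider, sssd defaults to permit")
        elif provider == "ldap":
            flt = d.get("ldap_access_filter", "").replace(" ", "").lower()
            if flt in PERMIT_ALL:
                findings.append(f"{section}: ldap_access_filter admits every account")
    return findings


def audit_mode(st_uid, st_mode):
    """Findings for the owner and mode bits of sssd.conf (expected root, 0600)."""
    findings = []
    if st_uid != 0:
        findings.append(f"sssd.conf owned by uid {st_uid}, expected root")
    if st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"sssd.conf mode {stat.S_IMODE(st_mode):04o} is group/world accessible")
    return findings


if __name__ == "__main__":
    import os
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/sssd/sssd.conf"
    st = os.stat(path)
    with open(path) as fh:
        findings = audit_mode(st.st_uid, st.st_mode) + audit_domains(fh.read())
    print("\n".join(findings or ["no findings"]))
```

Run it as root against /etc/sssd/sssd.conf (or pass another path); the CERN listing above produces two findings, the restricted variant none. The permit-all check only recognises the filter shapes this page uses, so a filter that is broad in some other way still needs a human look.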

General options

This section describes the main options to be configured in /etc/sssd/sssd.conf.
  • services is a comma separated list of services that are started when sssd itself starts. Supported services: nss, pam, sudo, autofs, ssh, pac, ifp
  • a domain is a database containing user information. SSSD can use several domains at the same time.
  • filter_users, filter_groups exclude certain users and groups from being returned by the sss NSS database. This is particularly useful for system accounts such as root. These options can also be set per domain, or include fully-qualified names to filter only users from a particular domain.
  • pam_id_timeout controls how long identity information is cached for PAM requests, to avoid excessive round-trips to the identity provider

Filtering results

With the general options above, your machine allows logins from all accounts in the LDAP service. That is probably not what you want... This section gives some examples of ldap_access_filter values that restrict logins to some useful sets of accounts. Note that with access_provider = ldap the filter is only evaluated when a user logs in (PAM account phase): it does not affect name-service lookups, so getent passwd still resolves every account matching the identity search.
  • How to give access to all users of some Unix groups?
    • Only allow the users of Unix group xx (gid 1160):
    •         ldap_access_filter = (&(objectClass=user) (gidNumber=1160))
              
    • Allow users from Unix groups t3 and zp (gid's 1081 and 1307):
    •         ldap_access_filter = (&(objectClass=user) (|(gidNumber=1081) (gidNumber=1307)))
          
  • How to give access to all members of an e-group?
    • Allows members of lxsoft-admins (non-recursive) e-group:
    •         ldap_access_filter = (&(objectClass=user) (memberOf=CN=lxsoft-admins,OU=e-groups,OU=Workgroups,DC=cern,DC=ch))
              
    • The above does not work for "recursive e-groups", where some members are e-groups themselves. To support such e-groups, use the LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941), which makes Active Directory evaluate memberOf transitively:
    •         ldap_access_filter = (&(objectClass=user) (memberOf:1.2.840.113556.1.4.1941:=CN=info-experiments,OU=e-groups,OU=Workgroups,DC=cern,DC=ch))
              
  • How to deny access to users with disabled accounts?
    • Accounts that are disabled in Active Directory can be filtered out like this:
              ldap_access_filter = (&(objectClass=user) (cn=*) (!(userAccountControl:1.2.840.113556.1.4.803:=2)))
              
      The OID 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND rule, and bit 2 (ACCOUNTDISABLE) of userAccountControl marks a disabled account; for the details, see the Microsoft Knowledge Base.
Note: ldap_access_filter accepts standard LDAP filter syntax so get as creative as you want.

Overriding attribute values

sssd allows you to override certain attribute values, like the login shell or the user's home directory, for every user of the domain. This may be useful on certain server machines. Note that ldap_user_shell and ldap_user_home_directory name the LDAP attributes that sssd reads, not the values it sets; to force a value, use the override options in the [domain/CERN] section. Example:
override_shell = /sbin/nologin
override_homedir = /nfs/home/%u
Here %u expands to the login name (man sssd.conf for the other allowed sequences).
All available settings can be found in the manual
# man sssd-ldap

Notes from linux support

  • To enable verbose debug messages you can append "debug_level = 0x1310" to each section.
  • If you have to deal with old user IDs below 1000, you can set "min_id/max_id" in the [domain/CERN] section

Enable sssd

# authconfig --enablesssd --enablesssdauth --update
The /etc/nsswitch.conf configuration file describes the order in which password-file lookups are performed. It should have these entries, configured by the previous command:
passwd:     files sss
shadow:     files sss
group:      files sss

Run sssd

Now you need to make sure sssd runs and is enabled by default:
# systemctl enable sssd
# systemctl stop sssd
# systemctl start sssd
NOTE: If you experiment with sssd and want to be sure to clean all the caches, run the following commands:
# systemctl stop sssd
# rm -f /var/lib/sss/mc/*
# rm -f /var/lib/sss/db/*
# systemctl start sssd
# sss_cache -E

Run a simple test

You can run the following command, where "login" is the login name of an authorized CERN user:
# getent passwd login

Scientific Linux CERN

Configuring /etc/nsswitch.conf

The /etc/nsswitch.conf configuration file describes the order in which password-file lookups are performed. To make sure that local accounts take precedence over LDAP accounts, it should have these entries:
passwd:     files ldap
shadow:     files
group:      files ldap

Run man nsswitch.conf for more information.

[SLC5] Configuring /etc/ldap.conf

The /etc/ldap.conf configuration file is used to set system-wide defaults to be applied when running LDAP clients. This mechanism is available on SLC5 and SLC4; the SLC6-specific mechanism is described below.

This section describes the options that are relevant to configure account lookups in the xldap.cern.ch LDAP service. An example configuration file containing the options described below can be found here. Please edit it to suit your needs, in particular the nss_base_passwd option!

Please make sure that the nss_ldap RPM is installed on your client machine. Run yum install nss_ldap if this RPM is not installed.

For more information, run man ldap.conf and/or man nss_ldap.

Please note the recipes below have not been extensively tested on SLC4.

General options

This section describes the main options to be configured in /etc/ldap.conf.
  • Set the distinguished name of the search base:
    # The distinguished name of the search base.
    base dc=cern,dc=ch
    
  • Use the uri directive to specify the LDAP service. Note that we specify the server multiple times, to allow failover between different servers behind the DNS alias xldap.cern.ch:
    # Another way to specify your LDAP server is to provide an
    # uri with the server name. This allows to use
    # Unix Domain Sockets to connect to a local LDAP Server.
    uri ldap://xldap.cern.ch/ ldap://xldap.cern.ch/ ldap://xldap.cern.ch/
    
  • The xldap.cern.ch LDAP service is a frontend to Active Directory, so the RFC 2307 object classes and attributes have to be mapped to their Active Directory (Services for UNIX) equivalents:
    # Services for UNIX 3.5 mappings
    nss_map_objectclass posixAccount User
    nss_map_objectclass shadowAccount User
    nss_map_attribute uid sAMAccountName
    nss_map_attribute uniqueMember Member
    #nss_map_attribute userPassword msSFU30Password
    nss_map_attribute homeDirectory unixHomeDirectory
    nss_map_objectclass posixGroup Group
    pam_login_attribute sAMAccountName
    #pam_filter objectclass=User
    #pam_password ad
    
  • Configure basic result filtering:
    # RFC2307bis naming contexts
    # Syntax:
    # nss_base_XXX          base?scope?filter
    # where scope is {base,one,sub}
    # and filter is a filter to be &'d with the
    # default filter.
    # You can omit the suffix eg:
    # nss_base_passwd       ou=People,
    # to append the default base DN but this
    # may incur a small performance impact.
    nss_base_passwd OU=Users,OU=Organic Units,DC=cern,DC=ch?one
    nss_base_group OU=Workgroups,DC=cern,DC=ch?sub?gidNumber=*
    
    This limits the search results to all Unix accounts in Active Directory.

    More sophisticated filters are described in the next section.

  • By default, Active Directory returns at most 1000 entries per query. If you expect more results, you should enable support for paged results:
    # Enable support for paged results
    nss_paged_results yes
    
  • Using SSL to verify the identity of the xldap.cern.ch

    Work in progress - to be released and documented in the near future

  • Should you need to debug your configuration, you can set the following options:
    # Enable debugging
    logdir /var/log
    debug 255
    

Filtering the results

With the general options above, your machine now allows access from all accounts in the LDAP service. That is probably not what you want... This section gives some examples of filters that you can set to restrict the results to some useful sets of accounts.
  • How to give access to all users of some Unix groups?
    • Only allow the users of Unix group xx (gid 1160):
      nss_base_passwd OU=Users,OU=Organic Units,DC=cern,DC=ch?one?gidNumber=1160
    • Allow users from Unix groups t3 and zp (gid's 1081 and 1307):
      nss_base_passwd OU=Users,OU=Organic Units,DC=cern,DC=ch?one?|(gidNumber=1081)(gidNumber=1307)
      Alternatively, using the fact that these filters are added to the default search filter, we can specify two separate lines:
      nss_base_passwd OU=Users,OU=Organic Units,DC=cern,DC=ch?one?gidNumber=1081
      nss_base_passwd OU=Users,OU=Organic Units,DC=cern,DC=ch?one?gidNumber=1307
  • How to give access to all members of an e-group?
    • Allows members of lxsoft-admins (non-recursive) e-group:
      nss_base_passwd OU=Users,OU=Organic Units,DC=cern,DC=ch?one?memberOf=CN=lxsoft-admins,OU=e-groups,OU=Workgroups,DC=cern,DC=ch
    • Note: the above does not work for "recursive e-groups", where some members are e-groups themselves. To support such e-groups, use the LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941), which makes Active Directory evaluate memberOf transitively:
      nss_base_passwd OU=Users,OU=Organic Units,DC=cern,DC=ch?one?memberOf:1.2.840.113556.1.4.1941:=CN=info-experiments,OU=e-groups,OU=Workgroups,DC=cern,DC=ch
      But beware: full password file lookups (getent passwd) take a performance hit. This seems to be a limitation of the Active Directory LDAP server, we are contacting Microsoft about this.
  • How to deny access to users with disabled accounts?
    • Accounts that are disabled in Active Directory can be filtered out like this:
      nss_base_passwd OU=Users,OU=Organic Units,DC=cern,DC=ch?one?!(userAccountControl:1.2.840.113556.1.4.803:=2)
      The OID 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND rule, and bit 2 (ACCOUNTDISABLE) of userAccountControl marks a disabled account; for the details, see the Microsoft Knowledge Base.

Note that filters can be combined! For example: to allow all CMS users with enabled accounts:

nss_base_passwd OU=Users,OU=Organic Units,DC=cern,DC=ch?one?&(gidNumber=1399)(!(userAccountControl:1.2.840.113556.1.4.803:=2))

Overriding attribute values

nss_ldap allows you to override certain attribute values, like the login shell or the user's home directory. This may be useful on certain server machines. Examples:
# Set the user homedirectory to /dev/null
nss_override_attribute_value unixHomeDirectory /dev/null
# Set the login shell to /sbin/nologin
nss_override_attribute_value loginShell /sbin/nologin
Note that these values are applied on all results of the LDAP filtering.

[SLC6] Configuring /etc/nslcd.conf

The /etc/nslcd.conf configuration file is used to set system-wide defaults to be applied when running LDAP clients. This mechanism is available on SLC6; the SLC5- and SLC4-specific mechanism is described above.

This section describes the options that are relevant to configure account lookups in the xldap.cern.ch LDAP service. An example configuration file containing the options described below can be found here. Please edit it to suit your needs, in particular the filter passwd entry!

Please make sure that the nss-pam-ldapd RPM is installed on your client machine. Run yum install nss-pam-ldapd if this RPM is not installed.

Then make sure that nslcd runs and is started at boot time:

/sbin/service nslcd restart
/sbin/chkconfig --level 345 nslcd on
Note: the nslcd service must be restarted after changes to the /etc/nslcd.conf have been made!

For more information, run man nslcd.conf and/or man nslcd.

NOTE: Due to a bug, please add the following line to /etc/sysconfig/network:

NETWORKWAIT=1

General options

This section describes the main options to be configured in /etc/nslcd.conf.
  • Set the distinguished name of the search base:
    # The distinguished name of the search base.
    base dc=cern,dc=ch
    
  • Use the uri directive to specify the LDAP service. Note that we specify the server multiple times, to allow failover between different servers behind the DNS alias xldap.cern.ch:
    # The uri pointing to the LDAP server to use for name lookups.
    # Multiple entries may be specified. The address that is used
    # here should be resolvable without using LDAP (obviously).
    uri ldap://xldap.cern.ch ldap://xldap.cern.ch ldap://xldap.cern.ch
    
  • Restrict the per-database search bases (the global base set above remains the default for all other lookups):
    # Customize certain database lookups.
    base   group  ou=Workgroups,dc=cern,dc=ch
    base   passwd ou=Users,ou=Organic Units,dc=cern,dc=ch
    
  • The xldap.cern.ch LDAP service is a frontend to Active Directory, and we need to map the attributes accordingly. The snippet below defines the mappings and sets the filters to return all Unix-enabled user accounts found in Active Directory (objects carrying a uidNumber and a unixHomeDirectory). It also sets pagesize, so that result sets larger than the 1000 entries Active Directory returns per query are fetched in pages, and turns referral chasing off.
    # Mappings for Active Directory
    pagesize 1000
    referrals off
    filter passwd (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*))
    map    passwd uid              sAMAccountName
    map    passwd homeDirectory    unixHomeDirectory
    map    passwd gecos            displayName
    
    filter shadow (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*))
    map    shadow uid              sAMAccountName
    map    shadow shadowLastChange pwdLastSet
    
    filter group  (objectClass=group)
    map    group  uniqueMember     member
    
    More sophisticated filters are described in the next section.
  • Set the search timelimit to allow recursive queries to finish
    # Search timelimit.
    timelimit 30
    
  • To verify the identity of the xldap.cern.ch server:
    • Make sure the CERN Certificate Authority certificates are installed:
      yum install CERN-CA-certs
      
    • Enable start_tls in /etc/nslcd.conf. With tls_reqcert left at its default (demand), nslcd verifies the server certificate against the CA directory; do not uncomment tls_reqcert never, which would accept any certificate and defeat the purpose of this step:
      # Use StartTLS and verify the server certificate
      #ssl no
      ssl start_tls
      #tls_reqcert never
      
      # CA certificates for server certificate verification
      #tls_cacertdir /etc/ssl/certs
      tls_cacertdir /etc/pki/tls/certs/
      

Filtering the results

With the general options above, your machine now allows access from all accounts in the LDAP service. That is probably not what you want... This section gives some examples of filters that you can set to restrict the results to some useful sets of accounts.
  • How to give access to all users of some Unix groups?
    • Only allow the users of Unix group xx (gid 1160):
      filter passwd (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*)(gidNumber=1160))
    • Allow users from Unix groups t3 and zp (gid's 1081 and 1307):
      filter passwd (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*)(|(gidNumber=1081)(gidNumber=1307)))
  • How to give access to all members of an e-group?
    • Allows members of lxsoft-admins (non-recursive) e-group:
      filter passwd (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*)(memberOf=CN=lxsoft-admins,OU=e-groups,OU=Workgroups,DC=cern,DC=ch))
    • Note: the above does not work for "recursive e-groups", where some members are e-groups themselves. To support such e-groups, use the LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941), which makes Active Directory evaluate memberOf transitively:
      filter passwd (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*)(memberOf:1.2.840.113556.1.4.1941:=CN=info-experiments,OU=e-groups,OU=Workgroups,DC=cern,DC=ch))
      But beware: full password file lookups (getent passwd) take a performance hit. This seems to be a limitation of the Active Directory LDAP server, we are contacting Microsoft about this.
  • How to deny access to users with disabled accounts?
    • Accounts that are disabled in Active Directory can be filtered out like this:
      filter passwd (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
      The OID 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND rule, and bit 2 (ACCOUNTDISABLE) of userAccountControl marks a disabled account; for the details, see the Microsoft Knowledge Base.

Note that filters can be combined! For example: to allow all CMS users with enabled accounts:

filter passwd (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*)(gidNumber=1399)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
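The filters in the sssd, nss_ldap and nslcd sections above share the same Active Directory semantics, and the two matching-rule OIDs are easy to get wrong. The following added example (not CERN's code) evaluates the page's filters offline against a small constructed directory, so you can see why a plain memberOf= misses members of a nested e-group while the 1.2.840.113556.1.4.1941 chain rule finds them, and how the 1.2.840.113556.1.4.803 bitwise rule drops accounts with the ACCOUNTDISABLE bit set. The accounts alice, bob and carol, the nested e-group "sub-egroup", the uid numbers and home paths are all constructed; lxsoft-admins and info-experiments are the e-group names used on this page.

```python
"""Offline evaluator for the Active Directory LDAP filters shown on this page.

Added example, not CERN's code: a small RFC 4515 subset (&, |, !, equality,
presence "=*") plus the two AD extensible matching rules, run against a
constructed in-memory directory. Names and DNs compare case-insensitively.
"""
import re

BIT_AND = "1.2.840.113556.1.4.803"    # LDAP_MATCHING_RULE_BIT_AND
IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN (transitive)
ACCOUNTDISABLE = 0x2                  # userAccountControl bit tested on the page
USERS = "OU=Users,OU=Organic Units,DC=cern,DC=ch"
EGROUPS = "OU=e-groups,OU=Workgroups,DC=cern,DC=ch"

def user(name, gid, uac, groups):
    return {"objectClass": ["top", "person", "user"], "sAMAccountName": [name],
            "uidNumber": [str(10000 + gid)], "gidNumber": [str(gid)],
            "unixHomeDirectory": [f"/afs/cern.ch/user/{name[0]}/{name}"],
            "userAccountControl": [str(uac)], "memberOf": groups}

def group(parents):
    return {"objectClass": ["group"], "memberOf": parents}

# Constructed sample directory (DN -> attributes). The accounts and the nested
# e-group "sub-egroup" are made up; 0x200 is NORMAL_ACCOUNT.
DIRECTORY = {
    f"CN=alice,{USERS}": user("alice", 1081, 0x200, [f"CN=lxsoft-admins,{EGROUPS}"]),
    f"CN=bob,{USERS}": user("bob", 1307, 0x200 | ACCOUNTDISABLE, [f"CN=sub-egroup,{EGROUPS}"]),
    f"CN=carol,{USERS}": user("carol", 1399, 0x200, [f"CN=sub-egroup,{EGROUPS}"]),
    f"CN=lxsoft-admins,{EGROUPS}": group([]),
    f"CN=sub-egroup,{EGROUPS}": group([f"CN=info-experiments,{EGROUPS}"]),
    f"CN=info-experiments,{EGROUPS}": group([]),
}

def get(entry, attr):
    """Case-insensitive attribute lookup returning a list of strings."""
    for key, values in entry.items():
        if key.lower() == attr.lower():
            return [str(v) for v in values]
    return []

def parse(f, i=0):
    """Recursive-descent filter parser; returns (node, index after the node)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i} in {f!r}")
    i += 1
    if f[i] in "&|":
        op, i, kids = f[i], i + 1, []
        while f[i] == "(":
            node, i = parse(f, i)
            kids.append(node)
        return (op, kids), i + 1            # f[i] is the closing ')'
    if f[i] == "!":
        node, i = parse(f, i + 1)
        return ("!", [node]), i + 1
    j = f.index(")", i)                     # values on this page contain no ')'
    attr, value = f[i:j].split("=", 1)
    rule = None
    if ":" in attr:                         # extensible match: attr:OID:=value
        attr, rule = attr.split(":")[:2]
    return ("=", attr, rule, value), j + 1

def transitive_memberof(entry, directory):
    """Follow memberOf through nested groups, as LDAP_MATCHING_RULE_IN_CHAIN does."""
    seen, todo = set(), get(entry, "memberOf")
    while todo:
        dn = todo.pop().lower()
        if dn not in seen:
            seen.add(dn)
            for gdn, grp in directory.items():
                if gdn.lower() == dn:
                    todo.extend(get(grp, "memberOf"))
    return seen

def matches(node, entry, directory):
    if node[0] == "&":
        return all(matches(k, entry, directory) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry, directory) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry, directory)
    _, attr, rule, value = node
    values = get(entry, attr)
    if rule is None:                        # presence or case-insensitive equality
        return bool(values) if value == "*" else any(v.lower() == value.lower() for v in values)
    if rule == BIT_AND:                     # every bit of `value` set in the attribute
        return any(int(v) & int(value) == int(value) for v in values)
    if rule == IN_CHAIN:
        return value.lower() in transitive_memberof(entry, directory)
    raise ValueError(f"unsupported matching rule {rule}")

def select(filter_str, directory=DIRECTORY):
    """Sorted sAMAccountNames of the entries matching an LDAP filter string."""
    tree, _ = parse(re.sub(r"\s+(?=\()", "", filter_str))   # drop blanks before '('
    return sorted(get(e, "sAMAccountName")[0] for e in directory.values()
                  if get(e, "sAMAccountName") and matches(tree, e, directory))

FILTERS = {  # the page's filters, with the constructed DNs above
    "unix_groups": "(&(objectClass=user) (|(gidNumber=1081) (gidNumber=1307)))",
    "egroup_direct": f"(&(objectClass=user) (memberOf=CN=lxsoft-admins,{EGROUPS}))",
    "nested_plain": f"(&(objectClass=user) (memberOf=CN=info-experiments,{EGROUPS}))",
    "nested_chain": f"(&(objectClass=user) (memberOf:{IN_CHAIN}:=CN=info-experiments,{EGROUPS}))",
    "enabled_only": f"(&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*)"
                    f"(!(userAccountControl:{BIT_AND}:=2)))",
}

if __name__ == "__main__":
    for name, flt in FILTERS.items():
        print(f"{name:14} -> {select(flt)}")
```

Running the block prints, for each filter, which constructed accounts it admits: nested_plain returns nobody because bob and carol are only members of sub-egroup, nested_chain returns both, and enabled_only drops bob, whose userAccountControl has bit 2 set. The same filter strings can be pasted into ldap_access_filter, nss_base_passwd or filter passwd once the DNs are replaced with real ones.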

Overriding attribute values

nslcd.conf allows you to override certain attribute values, like the login shell or the user's home directory. This may be useful on certain server machines. Examples:
# Set the user homedirectory to /home/$USER
map    passwd homeDirectory    "/home/$sAMAccountName"
# Set the login shell to /sbin/nologin
map    passwd loginShell       "/sbin/nologin"
Note that these values are applied on all results of the LDAP filtering.

Feedback

Please send feedback and comments on this document to Linux support.