pam_apparmor
The Authentication Server is based on LDAP and optionally Kerberos. On SUSE Linux Enterprise Server, you can configure it with a YaST wizard.
For more information about LDAP, see Chapter 5, LDAP—A Directory Service, and about Kerberos, see Chapter 7, Network Authentication with Kerberos.
To set up an authentication server for user account data, make sure the
yast2-auth-server
,
openldap2
,
krb5-server
, and
krb5-client
packages are installed; YaST will
remind you and install them if one of these packages is missing. For
Kerberos support, the krb5-plugin-kdb-ldap
package is required.
The first part of the Authentication Server configuration with YaST is setting up an LDAP server, then you can enable Kerberos.
Start YaST as root
and select › to invoke the configuration wizard.
Configure the Figure 4.1, “YaST Authentication Server Configuration”:
of your LDAP server (you can change these settings later)—seeSet LDAP to be started.
If the LDAP server should announce its services via SLP, check
.Configure
.Click
.Select the server type:
, , or .Select security options (
).It is strongly recommended to Procedure 4.2, “Editing Authentication Server Configuration”, Step 4.
. For more information, seeEnabling TLS ensures passwords are sent encrypted over the network. If this option is not enabled, passwords are sent unencrypted.
Also consider using LDAP over SSL with certificates.
Confirm Figure 4.2, “YaST LDAP Server—New Database”.
with entering an and then clicking —seeIn the Figure 4.3, “YaST Kerberos Authentication”.
dialog, decide whether to enable Kerberos authentication or not (you can change these settings later)—seeChoose whether Kerberos support is needed or not. If you enable it, also specify your
. Then confirm with .The
allows you to specify various aspects such as or ports to use.Finally, check the
and click to exit the configuration wizard.For changes or additional configuration start the Authentication Server module again and in the left pane expand Figure 4.4, “YaST Editing Authentication Server Configuration”:
to make subentries visible—seeWith
, configure the degree of logging activity (verbosity) of the LDAP server. From the predefined list, select or deselect logging options according to your needs. The more options are enabled, the larger your log files grow.Configure which connection types the server should offer under
. Choose from:This option enables connection requests (bind requests) from clients using the previous version of the protocol (LDAPv2).
Normally, the LDAP server denies any authentication attempts with empty credentials (DN or password). Enabling this option, however, makes it possible to connect with a password and no DN to establish an anonymous connection.
Enabling this option makes it possible to connect without authentication (anonymously) using a DN but no password.
Enabling this option allows non-authenticated (anonymous) update operations. Access is restricted according to ACLs and other rules.
also lets you configure the server flags. Choose from:
The server will no longer accept anonymous bind requests. Note, that this does not generally prohibit anonymous directory access.
Completely disable Simple Bind authentication.
The server will no longer force an authenticated connection back to the anonymous state when receiving the StartTLS operation.
The server will disallow the StartTLS operation on already authenticated connections.
To configure secure communication between client and server, proceed with
:Activate
to enable TLS and SSL encryption of the client/server communication.Add Schema files to be included in the server's configuration by selecting
in the left part of the dialog. The default selection of schema files applies to the server providing a source of YaST user account data.
YaST allows to add traditional Schema files (usually with a name
ending in .schema
) or LDIF files containing Schema
definitions in OpenLDAP's LDIF Schema format.
To configure the databases managed by your LDAP server, proceed as follows:
Select the
item in the left part of the dialog.Click
to add a new database.Enter the requested data:
Enter the base DN of your LDAP server.
Enter the DN of the administrator in charge of the server. If you
check cn
of the administrator and the system fills in
the rest automatically.
Enter the password for the database administrator.
For convenience, check this option if wanted.
In the next dialog configure replication settings.
In the next dialog, enable enforcement of password policies to provide extra security to your LDAP server:
Check
to be able to specify a password policy.Activate
to have clear text passwords be hashed before they are written to the database whenever they are added or modified.provides a relevant error message for bind requests to locked accounts.
Do not use the “Locked Account” error message provides security-sensitive information that can be exploited by a potential attacker.
option if your environment is sensitive to security issues, because theEnter the DN of the default policy object. To use a DN other than the one suggested by YaST, enter your choice. Otherwise, accept the default settings.
Complete the database configuration by clicking
.If you have not opted for password policies, your server is ready to run at this point. If you have chosen to enable password policies, proceed with the configuration of the password policy in detail. If you have chosen a password policy object that does not yet exist, YaST creates one:
Enter the LDAP server password. In the navigation tree below
expand your database object and activate the item.Make sure
is activated. Then click .Configure the password change policies:
Determine the number of passwords stored in the password history. Saved passwords may not be reused by the user.
Determine if users can change their passwords and if they will need to change their passwords after a reset by the administrator. Require the old password for password changes (optional).
Determine whether and to what extent passwords should be subject to quality checking. Set the minimum password length that must be met before a password is valid. If you select
, users are allowed to use encrypted passwords, even though the quality checks cannot be performed. If you opt for only those passwords that pass the quality tests are accepted as valid.Configure the password time-limit policies:
Determine the minimum password time-limit (the time that needs to pass between two valid password changes) and the maximum password time-limit.
Determine the time between a password expiration warning and the actual password expiration.
Set the number of postponement uses of an expired password before the password expires permanently.
Configure the lockout policies:
Enable password locking.
Determine the number of bind failures that trigger a password lock.
Determine the duration of the password lock.
Determine the length of time that password failures are kept in the cache before they are purged.
Apply your password policy settings with
.To edit a previously created database, select its base DN in the tree to the left. In the right part of the window, YaST displays a dialog similar to the one used for the creation of a new database (with the main difference that the base DN entry is grayed out and cannot be changed).
After leaving the Authentication Server configuration by selecting
, you are ready to go with a basic working configuration for your Authentication Server. To fine-tune this setup, use OpenLDAP's dynamic configuration back-end.
The OpenLDAP's dynamic configuration back-end stores the configuration
in an LDAP database. That database consists of a set of
.ldif
files in
/etc/openldap/slapd.d
. There is no need to access
these files directly. To access the settings you can either use the
YaST Authentication Server module (the
yast2-auth-server
package) or an LDAP client
such as ldapmodify
or ldapsearch
.
For more information on the dynamic configuration of OpenLDAP, see the
“OpenLDAP Administration Guide”.
For editing LDAP users and groups with YaST, see Section 5.3, “Configuring LDAP Users and Groups in YaST”.
YaST includes the
module that helps with defining authentication scenarios. Start the module by selecting › . The YaST Authentication Client is a shell for configuring the System Security Services Daemon (SSSD). SSSD then can talk to remote directory services that provide user data, and provide various authentication methods. This way, the host can be both, an LDAP or an Active Directory (AD) client. SSSD can locally cache these user data and then allow users to use of the data, even if the real directory service is (temporarily) unreachable. An NSS (Name Service Switch) and PAM (Pluggable Authentication Module) interface are also available.
First you must configure at least one authentication domain. An
authentication domain is a database that contains user information. Click
ldap
as the
and krb5
as
the and leave
enabled (see
Figure 4.7, “Authentication Client: Adding New Domain (LDAP and Kerberos)”).
In the next step you see that ldap://ldap.example.com
as the
, the IP address of the Kerberbos
server (192.168.1.114
as ), and EXAMPLE.COM
as (normally, your Kerberos realm is
your domain name in uppercase letters). Then confirm.
For more information and additional configuration option the SSSD man
pages such as sssd.conf
(man
sssd.conf
) and sssd-ldap
(man
sssd-ldap
). It is also possible to select later all parameters
available for the selected identification and authentication providers.
If you use LDAP, TLS is mandatory. Do not select
ldap_tls_reqcert
, if an official certificate is not
available.
SSSD provides following identification providers:
proxy
Support a legacy NSS provider.
local
SSSD internal provider for local users.
ldap
LDAP provider. See sssd-ldap(5) for more information on configuring LDAP.
ipa
FreeIPA and Red Hat Enterprise Identity Management provider.
ad
Active Directory provider.
Supported authentication providers are:
ldap
Native LDAP authentication.
krb5
Kerberos authentication.
ipa
FreeIPA and Red Hat Enterprise Identity Management provider.
ad
Active Directory provider.
proxy
Relaying authentication to some other PAM target.
none
Disables authentication explicitly.
If you enter more than one authentication domain, SSSD will query one
after the one in the order they appear in the
/etc/sssd/sssd.conf
configuration file. If a domain
is rarely used and you need to avoid waiting for the timeout, remove it
from the list of the
section.
Clicking one of the listed sssd.conf
sections such as
or .
If you click
in the main dialog, YaST will enable and start the SSSD service. You can check it on the command line with:systemctl status sssd
sssd.service - System Security Services Daemon
Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled)
Active: active (running) since Thu 2015-10-23 11:03:43 CEST; 5s ago
...
To allow login when the authentication back-end is unavailable, SSSD will continue to use its cache even if it was invalidated. SSSD still operates until the back-end is available again.
To invalidate the cache, run sss_cache -E
(the
command sss_cache
is part of the package
sssd-tools).
To completely remove the SSSD cache, run:
systemctl stop sssd
rm -f /var/lib/sss/db/*
systemctl start sssd