Applications

Intended Audience: System architects, developers and system administrators

  1. Client parameters
    1. Search parameters
    2. Bind parameters
      1. TLS parameters
      2. Simple bind
      3. SASL/EXTERNAL
  2. PAM/NSS services
    1. aehostd -- Custom NSS/PAM daemon
    2. sssd
    3. nss-pam-ldapd (aka nslcd)
    4. nsscache
  3. OpenSSH Certificate Authority
  4. SSH proxy
  5. LDAP proxy for another LDAP server
  6. Wifi access point

Client parameters

Integrating an LDAP-enabled application/system with Æ-DIR does not require detailed configuration tweaking. In general, setting fewer special parameters is better than setting more, because the Æ-DIR ACLs already restrict server-side what each client can see and do.

Search parameters

Search base:
  ou=ae-dir (or whatever you configured in the ansible default variable aedir_suffix)
Search scope:
  subtree
Possible filters for searching all visible user accounts (any one of these):
  • (objectClass=account)
  • (objectClass=inetOrgPerson)
  • (objectClass=person)
Filter for searching a particular account by username:
  (uid=<username>)
Filter for searching a particular account by e-mail address:
  (mail=<e-mail address>)
Additionally, to ensure that the found user has the login right on your system, combine the username filter with a check for pwdChangedTime:
  (&(uid=<username>)(pwdChangedTime=*))

Bind parameters

Bear in mind that your system must always bind (authenticate) before it is granted access to search users, groups, etc.

TLS parameters

Clear-text connections are strictly disallowed. Therefore your system has to know the following parameters for establishing a validated TLS connection:

Simple bind

Bind-DN

The bind-DN in client configuration files should be the unique short-form instead of the complete DN. This allows moving the accompanying host or service entry within the DIT to another zone and/or beneath another service group without having to reconfigure the client side.

Hosts (OS login):
  host=<canonical hostname>,ou=ae-dir
Server services (application/service login):
  uid=<service name>,ou=ae-dir
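As an added example (not code from the Æ-DIR project), the following Python builds the search filters and the short-form bind-DNs from the two sections above with RFC 4515 / RFC 4514 escaping, so that a username or hostname taken from untrusted input cannot change the filter or DN structure. The function names and the sample usernames are hypothetical; the suffix defaults to the documented ou=ae-dir.

```python
# Added example, not part of the Æ-DIR code base. Function names are hypothetical.
AEDIR_SUFFIX = "ou=ae-dir"  # value of the ansible variable aedir_suffix

# RFC 4515 section 3: characters that must appear as \XX inside a filter value
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# RFC 4514 section 2.4: characters that must be backslash-escaped in a DN value
_RFC4514_SPECIAL = set(',+"\\<>;')


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a distinguished name."""
    out = "".join("\\" + ch if ch in _RFC4514_SPECIAL else ch for ch in value)
    out = out.replace("\x00", "\\00")
    if out.startswith(("#", " ")):      # leading '#' or space must be escaped
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):  # trailing space, too
        out = out[:-1] + "\\ "
    return out


def user_filter_by_uid(username: str, require_login_right: bool = True) -> str:
    """(uid=<username>), optionally combined with the pwdChangedTime=* login check."""
    base = f"(uid={escape_filter_value(username)})"
    return f"(&{base}(pwdChangedTime=*))" if require_login_right else base


def user_filter_by_mail(mail: str) -> str:
    """(mail=<e-mail address>) with the address escaped."""
    return f"(mail={escape_filter_value(mail)})"


def host_bind_dn(canonical_hostname: str, suffix: str = AEDIR_SUFFIX) -> str:
    """Short-form bind-DN of a host entry (OS login)."""
    return f"host={escape_dn_value(canonical_hostname)},{suffix}"


def service_bind_dn(service_name: str, suffix: str = AEDIR_SUFFIX) -> str:
    """Short-form bind-DN of a service entry (application/service login)."""
    return f"uid={escape_dn_value(service_name)},{suffix}"


if __name__ == "__main__":
    # constructed sample values; the second shows an injection attempt being neutralised
    print(user_filter_by_uid("alice"))          # (&(uid=alice)(pwdChangedTime=*))
    print(user_filter_by_uid("*)(uid=*", False))  # (uid=\2a\29\28uid=\2a)
    print(host_bind_dn("host1.example.com"))    # host=host1.example.com,ou=ae-dir
```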

SASL/EXTERNAL

The OpenLDAP server can use authentication credentials available at the transport layer to authenticate the client if it connects via LDAP over IPC (LDAPI) or with TLS encryption and sends a SASL bind operation with mechanism EXTERNAL.

In the case of TLS with client certificate authentication, the configuration requires these parameters to be set:

PAM/NSS services

aehostd -- Custom NSS/PAM daemon for Æ-DIR

aehostd is the preferred solution for integrating Linux and other POSIX systems. It gives better search performance and has other Æ-DIR-specific features.

See also:

sssd

While the System Security Services Daemon (SSSD) for Linux provides many special features for enforcing security policies locally, the configuration of sssd-ldap(5) for Æ-DIR deliberately does not make use of them.

See also:

nss-pam-ldapd (aka nslcd)

Arthur de Jong's nss-pam-ldapd is also a daemon providing NSS and PAM services, and it runs on various POSIX (non-Linux) platforms.

An example nslcd.conf can be found in the directory client-examples/nss-pam-ldapd.

See also:

OpenSSH Certificate Authority

To avoid the need for an out-of-band trust process for authorized keys, and to enforce rotation of user keys, it is recommended to issue temporary OpenSSH user certificates that are only valid for a limited time span (e.g. a few hours).

While there are several SSH-CA implementations available, the easiest solution is to use the integrated EKCA services.

SSH proxy

It is possible to implement an authorizing SSH proxy which queries exactly the same Æ-DIR login relationship to check whether a user is allowed to log in to a specific target SSH host through the SSH proxy.

SSH proxy integrated with Æ-DIR

Notes:

See also:

LDAP proxy for another LDAP server

If you want to secure administrative access to another LDAP server, you can use OpenLDAP's slapd-ldap(5) (aka back-ldap) in front of it for integrated authentication and authorization against Æ-DIR.

The following picture shows an example of a separate LDAP server serving DNS and DHCP data (or anything else) which is maintained via LDAPS.

LDAP proxy integrated with Æ-DIR

Notes:

See also:

Wifi access point

For setting up a very simple wireless access point using WPA2 Enterprise authentication, you can install hostapd and FreeRADIUS on one system and configure the latter as an LDAP client, as shown in the following picture.

Wifi access point integrated with Æ-DIR

Notes:

See also: