SSH Integration
SSHLDAP implements it's functionality by first integrating PAM authentication with LDAP for login authentication for user accounts ids above ${SSHLDAP_POSIX_UID_UPPER}, then by using PAM account authorization to determine if a user has access to the specified hostId as configured in the /etc/${ziD}/sshldap/.netrc. After that the module setups sudo access (via /etc/sudoers.d/sshldap) which contains sudo directives for the group identified by the ${hostId}-sudo group. This is a mirror group that contains all user accounts allowed to sudo on the server (based on users in the group cn=${hostId}-sudo ,${SSHLDAP_SUDO_OPS_DN})
SSHLDAP runtime scripts log information to syslog. To enable debugging set the SSHLDAP_DEBUG parameter to true in the /etc/${ziD}/sshldap/sshldap-config.properties file.
LDAP Schema
SSHLDAP applies a schema to the Directory for the pubkey processing as well as data is requires to perform it's functions.
################################################ # Copyright (c) 2015 zibernetics inc. # # This file is part of zig # # zig is free software: you can redistribute it and/or modify # it under the terms of the Apache License as published by # the Apache Software Foundation, either version 2 of the License, or # (at your option) any later version. # # zig is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # Apache License for more details. # # You should have received a copy of the Apache License # along with zig. If not, see <http://www.apache.org/licenses/LICENSE-2.0>. # ################################################ dn: "${SSHLDAP_BASE_DN}" changetype: modify add: aci aci: (target = "ldap:///${SSHLDAP_BASE_DN}") (targetattr = "isMemberOf || memberOf || sshPublicKey || inetUserStatus || pwdAccountLockedTime || ds-pwp-account-disabled") (version 3.0;acl "sshldap read attributes ${SSHLDAP_BASE_DN}"; allow (search, read)(${SSHLDAP_ACI_DN_TYPE} ="ldap:///${SSHLDAP_ACI_DN}");) dn: "${SSHLDAP_GROUPS_OPS_DN}" changetype: modify add: aci aci:(target = "ldap:///${SSHLDAP_GROUPS_OPS_DN}") (targetattr = "*" ) (version 3.0; acl "sshldap administer ou=Groups"; allow(all)(groupdn = "ldap:///cn=sshldap_admins,${SSHLDAP_GROUPS_OPS_DN}");) dn: "${SSHLDAP_LAYERS_OPS_DN}" changetype: modify add: aci aci:(target = "ldap:///${SSHLDAP_LAYERS_OPS_DN}") (targetattr = "*" ) (version 3.0; acl "sshldap administer ou=Layers"; allow(all)(groupdn = "ldap:///cn=sshldap_admins,${SSHLDAP_GROUPS_OPS_DN}");) dn: "${SSHLDAP_HOSTS_OPS_DN}" changetype: modify add: aci aci:(target = "ldap:///${SSHLDAP_HOSTS_OPS_DN}") (targetattr = "*" ) (version 3.0; acl "sshldap administer ou=Hosts"; allow(all)(groupdn = "ldap:///cn=sshldap_admins,${SSHLDAP_GROUPS_OPS_DN}");) dn: "${SSHLDAP_SUDO_OPS_DN}" changetype: modify add: aci aci:(target = "ldap:///${SSHLDAP_SUDO_OPS_DN}") (targetattr = "*" ) (version 3.0; acl "sshldap administer ou=Sudoers"; allow(all)(groupdn = "ldap:///cn=sshldap_admins,${SSHLDAP_GROUPS_OPS_DN}");) dn: "${SSHLDAP_VARS_OPS_DN}" changetype: modify add: aci aci:(target = "ldap:///${SSHLDAP_VARS_OPS_DN}") (targetattr = "*" ) (version 3.0; acl "sshldap administer ou=Variables"; allow(all)(groupdn = "ldap:///cn=sshldap_admins,${SSHLDAP_GROUPS_OPS_DN}");)
################################################ # Copyright (c) 2015 zibernetics inc. # # This file is part of zig # # zig is free software: you can redistribute it and/or modify # it under the terms of the Apache License as published by # the Apache Software Foundation, either version 2 of the License, or # (at your option) any later version. # # zig is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # Apache License for more details. # # You should have received a copy of the Apache License # along with zig. If not, see <http://www.apache.org/licenses/LICENSE-2.0>. # # You must ensure that the SSHLDAP properties file is sourced and contains the following: # SSHLDAP_SVCS_OPS_DN # SSHLDAP_GROUPS_OPS_DN # SSHLDAP_SVCS_OPS_DN # SSHLDAP_BASE_OPS_DN # # In addition, you must ensure that 'localSvcSLPasswd' is defined # ################################################ dn: uid=service_sshldap,"${SSHLDAP_SVCS_OPS_DN}" objectClass: top objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person cn: service_sshldap sn: service_sshldap uid: service_sshldap userPassword: "${localSvcSLPasswd}" dn: cn=sshldap_admins,"${SSHLDAP_GROUPS_OPS_DN}" objectClass: top objectClass: groupOfUniqueNames objectClass: posixGroup cn: sshldap_admins uniqueMember: uid=service_sshldap,"${SSHLDAP_SVCS_OPS_DN}" gidNumber: $((SSHLDAP_POSIX_GUID_UPPER-1)) dn: "${SSHLDAP_HOSTS_OPS_DN}" objectClass: top objectClass: organizationalUnit ou: Hosts dn: "${SSHLDAP_LAYERS_OPS_DN}" objectClass: top objectClass: organizationalUnit ou: Layers dn: "${SSHLDAP_SUDO_OPS_DN}" objectClass: top objectClass: organizationalUnit ou: Sudoers dn: "${SSHLDAP_VARS_OPS_DN}" objectClass: top objectClass: organizationalUnit ou: Variables ################################################ # # Variables # ################################################ dn: cn=posixAccount_idx,"${SSHLDAP_VARS_OPS_DN}" objectClass: top objectClass: posixGroup cn: posixAccount_idx gidNumber: ${SSHLDAP_POSIX_GUID_UPPER} ou: Variable dn: cn=posixGroup_idx,"${SSHLDAP_VARS_OPS_DN}" objectClass: top objectClass: posixGroup cn: posixGroup_idx gidNumber: ${SSHLDAP_POSIX_UID_UPPER} ou: Variable
Add Comment