11 April,19 at 11:51 AM
Introduction
As mentioned in the introduction, this guide contains a walk-through on configuring and debugging the Centrify LDAP proxy for NSS and PAM integration with LDAP on agentless systems: systems that are integrated with identities kept in Centrify zones in Active Directory, without installing the Centrify DirectControl agent.
Because of specific limitations in the Centrify LDAP proxy, it is in practice often necessary to troubleshoot and debug the proxy configuration and to find out which return attributes a client requested when its queries fail silently. Once those attributes have been identified, the mappings in the Centrify LDAP proxy server configuration files can be updated so that LDAP queries for them succeed.
This guide follows a procedure for setting up and debugging the integration of legacy systems that use PAM and NSS with the Centrify LDAP proxy, and goes through several rounds of identifying the return attributes requested by the pam_ldap module shipped in the RHEL/CentOS 6.8 repository.
The same procedure can then be applied to other UNIX platforms that are integrated through pam_ldap (or an equivalent module) and support RFC 2307 LDAP queries.
In this guide we will use the following hostnames to designate machines representing various roles:
Step 1 - Setting up UNIX access controls in the Centrify Zone for legacy systems
Prerequisites
Account credentials that can manage authorizations in the Centrify Zone (e.g. a Centrify zone admin)
Steps
Step 2 - Setting up the Centrify LDAP proxy
Prerequisites for this step
Note that this guide does not work with the agent and LDAP proxy packages from Centrify Server Suite 2016 and older; 2016.1 is the minimum supported version, because it is the first release whose LDAP proxy refuses an LDAP simple bind with an incorrect user password. The LDAP proxy in Server Suite 2016 and earlier accepted a simple bind for any valid user regardless of the password, and only refused to return results for the subsequent LDAP query when the bind credentials were wrong. Since pam_ldap decides whether a user's credentials are valid based solely on whether the simple bind is accepted, that behaviour let any valid username log in to a legacy system using pam_ldap, with any password. Verify the installed version before relying on the proxy for authentication (rpm -q centrifydc-ldapproxy), and confirm the behaviour by binding once with a deliberately wrong password and checking that the bind is rejected.
Steps
Install the LDAP proxy by installing its software package
# dzdo rpm -Uvh centrifydc-ldapproxy-5.3.1-rhel4-x86_64.rpm
Configure rsyslog (the standard syslog daemon on RHEL/CentOS 6) to write messages for local4.debug to the log file /var/log/ldapproxy.log. In a command of the form dzdo echo ... > file the redirection is performed by the calling shell, not by dzdo, so unless you are already root the write fails; pipe through dzdo tee instead:
# printf 'local4.debug\t\t/var/log/ldapproxy.log\n' | dzdo tee /etc/rsyslog.d/centrifyldapproxy.conf
Restart the rsyslog daemon for the configuration to be read
# dzdo service rsyslog restart
Configure the LDAP proxy to listen on all interfaces on the default ports for the ldap and ldaps protocols (389 and 636 respectively), and log every connection, bind and LDAP operation together with its result (OpenLDAP debug level 256, "stats") to the local4.debug syslog facility. The file is written through dzdo tee, because the redirection in a dzdo echo ... > file command would run as the unprivileged caller:
# dzdo tee /etc/sysconfig/centrify-ldapproxy <<'EOF'
STARTUP_OPTS="-d 256 -h 'ldap:/// ldaps:///' 2>&1 | logger -p local4.debug -t slapd &"
EOF
For more information on log levels for OpenLDAP (on which the Centrify LDAP proxy is based), please consult the OpenLDAP documentation.
Open the firewall for the Centrify LDAP proxy ports 389 and 636 by inserting the following lines in the /etc/sysconfig/iptables file, directly underneath the ssh entry "-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT" (so that they precede the chain's final REJECT rule):
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
Reload the iptables running configuration:
# dzdo service iptables restart
Restart the Centrify LDAP proxy to apply the updated configuration in /etc/sysconfig/centrify-ldapproxy:
# dzdo service centrify-ldapproxy restart
The Centrify LDAP proxy is now ready for an initial round of debugging, in order to identify all requested return attributes and update the mappings if needed.
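The host configuration from the steps above, collected into one idempotent script. This is an added example, not Centrify's own tooling: it writes the rsyslog rule, the STARTUP_OPTS line and the two iptables rules, checks that all three landed, and then restarts the services. The ROOT prefix is an assumption of this example that lets the file-writing functions be dry-run against a scratch directory (ROOT=/tmp/stage) before running it for real as root (or via dzdo) with the argument apply.

```shell
#!/bin/sh
# Added example (not Centrify's code): applies the Step 2 host configuration
# from this page in one idempotent script. Run as root or via dzdo with the
# argument "apply". ROOT is an assumed prefix for dry runs (e.g. ROOT=/tmp/stage);
# empty means the real filesystem.
set -eu

ROOT="${ROOT:-}"
LOGFILE="/var/log/ldapproxy.log"
SSH_RULE='-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT'

# rsyslog: route local4.debug (what "logger -p local4.debug" emits) to its own file.
write_rsyslog_conf() {
    mkdir -p "$ROOT/etc/rsyslog.d"
    printf 'local4.debug\t\t%s\n' "$LOGFILE" > "$ROOT/etc/rsyslog.d/centrifyldapproxy.conf"
}

# slapd startup options: stats logging (-d 256), ldap and ldaps on all interfaces,
# stdout/stderr piped to logger so the lines land in the facility above.
write_startup_opts() {
    mkdir -p "$ROOT/etc/sysconfig"
    cat > "$ROOT/etc/sysconfig/centrify-ldapproxy" <<'EOF'
STARTUP_OPTS="-d 256 -h 'ldap:/// ldaps:///' 2>&1 | logger -p local4.debug -t slapd &"
EOF
}

# iptables: insert ACCEPT rules for 389 and 636 directly after the ssh rule.
# A second run is a no-op, so the rules are never duplicated.
add_iptables_rules() {
    f="$ROOT/etc/sysconfig/iptables"
    if grep -qF -- '--dport 389 -j ACCEPT' "$f"; then
        return 0
    fi
    awk -v ssh="$SSH_RULE" '
        { print }
        $0 == ssh {
            print "-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT"
            print "-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT"
        }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Returns 0 only when all three files carry the expected settings.
verify_config() {
    grep -qF "$LOGFILE" "$ROOT/etc/rsyslog.d/centrifyldapproxy.conf" &&
    grep -qF -- '-d 256' "$ROOT/etc/sysconfig/centrify-ldapproxy" &&
    grep -qF -- '--dport 389 -j ACCEPT' "$ROOT/etc/sysconfig/iptables" &&
    grep -qF -- '--dport 636 -j ACCEPT' "$ROOT/etc/sysconfig/iptables"
}

# Full run on the real host: write, verify, then restart the three services.
configure_ldapproxy() {
    write_rsyslog_conf
    write_startup_opts
    add_iptables_rules
    verify_config
    service rsyslog restart
    service iptables restart
    service centrify-ldapproxy restart
}

if [ "${1:-}" = "apply" ]; then
    configure_ldapproxy
fi
```

If the ssh rule is not present in /etc/sysconfig/iptables the script inserts nothing and verify_config fails, which stops the run before any service is restarted; place the rules by hand in that case.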
Validate that the adquery user output shows the profiles of all users that should have login access to the legacy systems:
# adquery user
Note that anyone with login access to the LDAP proxy server itself is automatically included in the output of adquery user, and is therefore also able to log in to the legacy UNIX systems. Plan access rights to the LDAP proxy servers with this in mind: the set of users who may log in to the proxy host is the set of users who may log in to every legacy system behind it.
Write down a name from the output that shows a valid shell, as it will be used in step 3. This guide uses 'dwirth' as the example user.
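The debugging round the proxy is now set up for consists of reading the slapd stats log and pulling out three things: which return attributes each client requested (the ones that may need a mapping), which searches came back empty, and whether simple binds with a wrong password are actually rejected (the 2016.1 requirement above). The script below is an added example, not part of the guide or of Centrify's tooling; the log line layout follows OpenLDAP's stats output, and the embedded sample log is constructed for this example with an assumed DIT under dc=example,dc=com.

```shell
#!/bin/sh
# Added example (not part of the original guide): reports on the slapd stats
# log (-d 256) that the rsyslog setup writes to /var/log/ldapproxy.log.
# Line layout follows OpenLDAP stats logging; the sample log is constructed.
set -eu

# All attribute names requested in "SRCH attr=" lines, de-duplicated.
requested_attrs() {
    awk '/ SRCH attr=/ { sub(/.* SRCH attr=/, ""); for (i = 1; i <= NF; i++) print $i }' "$1" | sort -u
}

# Filters of searches whose SEARCH RESULT reported nentries=0, matched to the
# request by conn=/op= so that interleaved connections are paired correctly.
empty_searches() {
    awk '
        / SRCH base=/ {
            key = $1 " " $2
            if (match($0, /filter="[^"]*"/))
                filt[key] = substr($0, RSTART + 8, RLENGTH - 9)
        }
        / SEARCH RESULT / && / nentries=0 / {
            key = $1 " " $2
            if (key in filt) print filt[key]
        }' "$1"
}

# DNs whose simple bind was answered with err=49 (LDAP invalidCredentials).
# On a proxy older than 2016.1 this list stays empty even for wrong passwords.
failed_binds() {
    awk '
        / BIND dn=/ {
            key = $1 " " $2
            if (match($0, /dn="[^"]*"/))
                dn[key] = substr($0, RSTART + 4, RLENGTH - 5)
        }
        / RESULT tag=97 / && / err=49 / {
            key = $1 " " $2
            if (key in dn) print dn[key]
        }' "$1"
}

# Constructed sample (assumed DIT dc=example,dc=com): one bind with a bad
# password, then a successful bind followed by the two lookups an RFC 2307
# client makes for a user; the shadowAccount search returns no entry.
sample_log() {
    cat <<'EOF'
conn=1001 fd=12 ACCEPT from IP=10.0.0.25:51234 (IP=0.0.0.0:389)
conn=1001 op=0 BIND dn="uid=dwirth,ou=Users,dc=example,dc=com" method=128
conn=1001 op=0 RESULT tag=97 err=49 text=
conn=1002 fd=13 ACCEPT from IP=10.0.0.25:51235 (IP=0.0.0.0:389)
conn=1002 op=0 BIND dn="uid=dwirth,ou=Users,dc=example,dc=com" method=128
conn=1002 op=0 RESULT tag=97 err=0 text=
conn=1002 op=1 SRCH base="ou=Users,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=dwirth))"
conn=1002 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1002 op=2 SRCH base="ou=Users,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=dwirth))"
conn=1002 op=2 SRCH attr=uid shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire
conn=1002 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
EOF
}

report() {
    log="$1"
    echo "== requested attributes =="; requested_attrs "$log"
    echo "== searches with no result =="; empty_searches "$log"
    echo "== rejected simple binds =="; failed_binds "$log"
}

# Usage: ./ldapproxy-log-report.sh report [/var/log/ldapproxy.log]
#        ./ldapproxy-log-report.sh sample      (runs against the constructed sample)
case "${1:-}" in
    report) report "${2:-/var/log/ldapproxy.log}" ;;
    sample) tmp=$(mktemp); sample_log > "$tmp"; report "$tmp"; rm -f "$tmp" ;;
esac
```

Attributes listed under "requested attributes" that the proxy's mapping does not know are the candidates for a mapping update; a filter listed under "searches with no result" for a user that adquery user does show is the symptom of exactly that gap.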
In the follow-up article, integration of a 'legacy' system with the Centrify LDAP proxy for agentless authentication is detailed.