Procedure to add LDAP users to Linux groups using pam configuration

Change-Id: I6e35e6124231744b454601cd36d507cf34e3c8e5
Signed-off-by: Ngairangbam Mili <ngairangbam.mili@windriver.com>
This commit is contained in:
Ngairangbam Mili 2024-07-16 09:40:50 +00:00
parent d663b2122b
commit 9171c6ccf7
5 changed files with 164 additions and 232 deletions

View File

@ -0,0 +1,141 @@
.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _add-ldap-users-to-linux-groups-using-pamcconfiguration-d31d95e255e1:
======================================================
Add LDAP Users to Linux Groups Using PAM Configuration
======================================================
The Linux pam_group module enables binding/mapping of |LDAP| users/groups to a
specified list of one or more Linux groups. The mapping will occur after the
|SSSD| service has discovered the |LDAP| users and groups and cached them on the
host.
The mapping between the discovered |LDAP| users and their group membership to the
local Linux groups works for all Linux groups, including system groups, such as
``sudo`` and ``root``.
.. note::
The procedure described in this section applies to all the |LDAP| users, both local
OpenLDAP and |LDAP| users in the remote Windows Active Directory servers.
.. rubric:: |proc|
Perform the following |PAM| configuration on all the hosts after the system is installed:
#. To configure pam_group module, add the following line to the top of the
``/etc/pam.d/common-auth`` file after the comments.
.. code-block::
auth required pam_group.so use_first_pass
#. Update ``/etc/security/group.conf`` with |LDAP| groups mapping to Linux groups.
For each |LDAP| group mapping to a local Linux group(s), the following line
needs to be added to the bottom of the ``/etc/security/group.conf`` file
using the format ``services;ttys;users;times;groups``:
.. code-block::
*;*;%<fully qualified wad group name>;Al0000-2400;<list of local Linux groups>
Where, ``Al0000-2400`` stands for times. It is used to indicate when these
groups are available to the user. The times format is a logical list
of day/time-range entries. ``Al`` stands for all seven days of the week.
Each day/time-range can be prefixed with a `!` to indicate `anything but`.
The time-range part is two 24-hour times HHMM separated by a hyphen
that indicates the start and finish time. More information on the line format
can be found in the file ``/etc/security/group.conf``.
For example:
.. code-block::
*;*;%pvtest@wad.mydomain.com;Al0000-2400;sys_protected,root,sudo
The example above can be read as: For all services and all ttys, members(%)
of ``pvtest@wad.mydomain.com`` group, for all days and times (Al0000-2400),
add these users to the following local Linux groups:  ``sys_protected``,
``root``, and ``sudo``.
.. note::
The pam_group configuration will enforce the |LDAP| group membership in Linux
groups, after a |LDAP| mapped group member is successfully authenticated in the
platform, either with |ssh| or direct login.
After the login of a |LDAP| user that is part of a mapped |LDAP| group, you can
view the new membership to Linux groups. The |LDAP| user memberships and
privileges set with the above example mapping gives a user the following sudo
privileges:
|WAD| user example:
.. code-block::
Last login: Mon Jul 8 12:53:12 2024 from 10.10.10.1
pvtest1@wad.mydomain.com@controller-0:~$ source /etc/platform/openrc
[pvtest1@wad.mydomain.com@controller-0 ~(keystone_admin)]$ sudo su
Password:
root@controller-0:/var/home/wad.mydomain.com/pvtest1# groups
root
root@controller-0:/var/home/wad.mydomain.com/pvtest1# exit
exit
[pvtest1@wad.mydomain.com@controller-0 ~(keystone_admin)]$ groups
eng@wad.mydomain.com root sudo sys_protected pvtest@wad.mydomain.com
Local OpenLDAP user example:
Add the line ``;%managers;Al0000-2400;sys_protected,root,sudo`` in
``/etc/security/group.conf`` to map users of the local OpenLDAP group
``managers`` to linux groups: ``sys_protected``, ``root`` and ``sudo``.
Log in with user ``johndole`` from ``managers`` group and check the user's
group memberships and privileges.
.. code-block::
johndole@controller-0:~$ id
uid=10007(johndole) gid=100(users) groups=100(users),0(root),27(sudo),345(sys_protected),10001(managers)
johndole@controller-0:~$ source /etc/platform/openrc
[johndole@controller-0 ~(keystone_admin)]$ kubectl config get-contexts
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
* kubernetes-admin@kubernetes kubernetes kubernetes-admin
[johndole@controller-0 ~(keystone_admin)]$ groups
users root sudo sys_protected managers
[johndole@controller-0 ~(keystone_admin)]$
[johndole@controller-0 ~(keystone_admin)]$ sudo -l
Password:
Matching Defaults entries for johndole on controller-0:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
lecture=never,
secure_path=/usr/local/bin\:/usr/bin\:/bin\:/usr/local/sbin\:/usr/sbin\:/sbin,
lecture=never,
secure_path=/usr/local/bin\:/usr/bin\:/bin\:/usr/local/sbin\:/usr/sbin\:/sbin,
passprompt="Password: "
User johndole may run the following commands on controller-0:
(ALL : ALL) ALL
(ALL) ALL
[johndole@controller-0 ~(keystone_admin)]$

View File

@ -82,6 +82,13 @@ For convenience, identify the user's Keystone account user name in |prod-long|.
Add teamadmin to sudoer list? (yes/NO): yes
Successfully added sudo access for user teamadmin to LDAP
.. note::
There is another procedure to add ``sudo`` capabilities to a local |LDAP|
linux account. For details, see :ref:`add-ldap-users-to-linux-groups-using-pamcconfiguration-d31d95e255e1`.
It is recommended to use either of the procedures but not both to
avoid overlapping.
#. Specify a secondary user group for this |LDAP| user. For example, ``sys_protected group``.
The purpose of having OpenLDAP/WAD users as a part of the ``sys_protected`` group on the |prod|
@ -98,6 +105,14 @@ For convenience, identify the user's Keystone account user name in |prod-long|.
Secondary group to add user to? [sys_protected]:
Successfully added user teamadmin to group cn=sys_protected,ou=Group,dc=cgcs,dc=local
.. note::
There is another procedure to add ``sys_protected`` capabilities to
a local |LDAP| linux account. For details, see
:ref:`add-ldap-users-to-linux-groups-using-pamcconfiguration-d31d95e255e1`.
It is recommended to use either of the procedures but not both to
avoid overlapping.
#. Change the password duration.
.. code-block:: none

View File

@ -162,6 +162,13 @@ Extra-vars parameter options:
Specifies the number of days before password expiration that the Local
|LDAP| user is warned.
.. note::
There is another procedure to set ``sudo`` and ``sys_protected`` capabilities for a
local |LDAP| account. For details, see
:ref:`add-ldap-users-to-linux-groups-using-pamcconfiguration-d31d95e255e1`.
It is recommended to use either of the procedures but not both to avoid
overlapping.
---------------------------------------------
Use the created composite Local LDAP accounts

View File

@ -54,3 +54,4 @@ For more information, refer to the following:
kubernetes-cli-from-local-ldap-linux-account-login
manage-local-ldap-39fe3a85a528
selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c
add-ldap-users-to-linux-groups-using-pamcconfiguration-d31d95e255e1

View File

@ -330,238 +330,6 @@ The |WAD| users home directories created on the platform will not be removed
after the |WAD| domain configuration is removed. It is administrator's
responsibility to clean up users' home directories that are no longer used.
------------------------------------------
SUDO Capability and Local Group Membership
------------------------------------------
This section describes how to enable the ``sudo`` and ``sys_protected`` privileges
for configured users in |WAD| servers.
The Linux specification stipulates that the GUID values in the range 0 to 99
should be statically allocated by the system and shall not be created by
applications. Therefore, a ``sudo`` group with GUID 27 and the ``root`` group
GUID 0 are special groups that cannot be created by the |SSSD| client interfacing
with the |WAD| server.
The ``sudo`` privileges can be assigned to |WAD| users using the ``sudo rules`` mechanism.
``Sudo rules`` are access control rules that define the users who are granted access,
the commands a user has access to, and the target hosts to which the rules
apply.
Enable Sudo Privileges for WAD Users
-------------------------------------
You can enable ``sudo All`` privileges for LDAP users from a remote |WAD| server.
Enabling ``sudo`` privileges allows the LDAP users to execute the following
operations:
- ``sw_patch`` to unauthenticated endpoint
- ``docker`` and/or ``crictl`` commands to communicate with the respective daemons
- Utilities ``show-certs.sh`` and ``license-install`` (recovery only)
- IP configuration for local network setup
- Password change of local openldap users
- Access to restricted files, example: restricted logs
- Manual reboots
Load Sudo Schema in WAD LDAP Server
-----------------------------------
The ``sudo rules`` schema is not a part of standard |WAD| installation. For |WAD|
servers, the schema needs to be loaded and installed using the ``ldifde``
utility.
LDAP ``sudo rules`` schema is contained in the package ``libsss-sudo``. The
schema will be loaded in ``/usr/share/doc/sudo-ldap/schema.ActiveDirectory.gz``
during system installation.
Install Schema
--------------
.. rubric:: |proc|
#. Extract the schema from ``schema.ActiveDirectory.gz`` and copy it in a file
on the |WAD| server.
#. Install the schema by running the following command on the |WAD| server:
.. code-block:: none
ldifde -v -i -f ``schema.ActiveDirectory.txt`` -j
.. rubric:: |result|
The following shows the successful loading of a schema:
.. code-block:: none
Importing directory from file ``schema.ActiveDirectory.txt``
Loading entries
…….
12 entries modified successfully.
The command has completed successfully
Create Directory Entry for Sudo Rules in WAD Server
---------------------------------------------------
The ``sudoers`` OU needs to be created on the domain root. This OU will hold all
the ``sudo rules`` defined using ``sudoRole`` object.
.. note::
The ``sudoers`` OU directory path will be automatically set as the
``ldap_sudo_search_base`` parameter value in the sssd configuration file
``/etc/sssd/sssd.conf``. The ``ldap_search_base`` parameter
must be set at the same level in the domain root as shown in the following example:
.. code-block:: none
ldap_search_base = CN=Users,DC=domain,DC=com (set using ``system service-parameter`` command)
ldap_sudo_search_base = OU=sudoers,DC=domain,DC=com (pre-configured in sssd configuration)
.. rubric:: |proc|
#. Create an ``ldif`` file with the following content:
.. code-block:: none
dn: OU=sudoers,DC= dc=domain,DC=com
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: sudoers
#. Import the file by running the following command on the |WAD| server:
.. code-block:: none
ldifde -v -i -f "sudoers_ou.txt" -j
where, ``sudoers_ou.txt`` is the ``ldif`` file created in the previous step.
.. rubric:: |result|
The following shows the successful loading of the ``ldif`` file:
.. code-block:: none
Connecting to ``ad.domain.com``
Logging in as current user using SSPI
Importing directory from file "sudoers_ou.txt"
Loading entries
1: OU=sudoers,DC=domain,DC=com
Entry modified successfully
Create a Sudo Rule for a WAD User
---------------------------------
.. rubric:: |proc|
#. To assign ``sudo All`` privileges to a |WAD| user with name ``techadmin``, create
and load the following ``ldif`` file content:
.. code-block:: none
dn: CN=techadmin,OU=sudoers,DC=domain,DC=com
changetype: add
objectClass: top
objectClass: sudoRole
cn: techadmin
distinguishedName: CN=techadmin,OU=sudoers,DC=domain,DC=com
name: techadmin
sudoUser: techadmin
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
#. Load the ``ldif`` file by running the following command on the |WAD| server:
.. code-block:: none
ldifde -v -i -f "sudo-rule.txt" -j
where, ``sudo-rule.txt`` is the ``ldif`` file created in the previous step.
.. rubric:: |result|
The following shows the successful loading of the ``ldif`` file:
.. code-block:: none
Connecting to "ad.domain.com"
Logging in as current user using SSPI
Importing directory from file "sudo-rule.txt"
Loading entries
1: CN=techadmin,OU=sudoers,DC=domain,DC=com
Entry modified successfully.
1 entry modified successfully.
The command has completed successfully
The ``sudo rules`` will be discovered by sssd service and cached in the |prod|
platform. The sssd logs in ``/var/log/sssd/sssd_ad.domain.log`` will show the
number of rules downloaded from |WAD| server that indicates that the ``sudo rules``
were received.
.. code-block:: none
(2023-02-28 22:35:16): [be[ad.domain.com]] [sdap_search_bases_ex_donee] (0x0400): Receiving data from base [OU=sudoers,DC=domain,DC=com]
(2023-02-28 22:35:16): [be[ad.domain.com]] [sdap_sudo_load_sudoers_done] (0x0200): Received 1 sudo rules
(2023-02-28 22:35:16): [be[ad.domain.com]] [sdap_sudo_refresh_done] (0x0400): Received 1 rules
Verify Sudo All Privileges for the WAD Sudo User
------------------------------------------------
SSH to the |prod| platform using the ``sudo`` user and verify that the user has
``sudo All`` privileges.
.. code-block:: none
techadmin@controller-0:~$ sudo -l
Password:
Matching Defaults entries for techadmin on controller-0:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
lecture=never,
secure_path=/usr/local/bin\:/usr/bin\:/bin\:/usr/local/sbin\:/usr/sbin\:/sbin,
lecture=never,
secure_path=/usr/local/bin\:/usr/bin\:/bin\:/usr/local/sbin\:/usr/sbin\:/sbin,
passprompt="Password: "
User techadmin may run the following commands on controller-0:
(ALL) ALL
techadmin@controller-0:~$
Creating a User in the Linux Sys_protected Group on a WAD Server
----------------------------------------------------------------
Create a ``sys_protected`` group in the |WAD| server and set the ``gidNumber`` to
345 to be the same as Linux ``sys_protected`` group. Add a |WAD| user (example:
techadmin) as a member in the ``sys_protected`` group. The ``sys_protected``
LDAP group and its member will be discovered and cached in the |prod| platform
by SSSD service.
To check if the |WAD| user has been added to the ``sys_protected`` group, SSH to
|prod| as the |WAD| user and check the groups the user is a member of.
.. code-block:: none
Linux controller-0 5.10.0-6-amd64 #1 SMP PREEMPT StarlingX Debian 5.10.162-1.stx.64 (2023-02-16) x86_64
Last login: Fri Mar 10 22:20:16 2023 from 10.10.10.254
techadmin@controller-0:~$ groups
domain users sys_protected
techadmin@controller-0:~$
.. note::
When creating a |WAD| user that will be discovered and created on the
|prod| Linux host as part of the ``users`` group, set the |WAD| user GUID value
to 100 that is the same as that of the Linux ``users`` group. The |WAD| user
UID should be set to a unique value within the Linux ``users`` group.
When a new |WAD| user is created using the Active Directory Users and Group
Administration tool, the **User must change password at next login**
checkbox must be unchecked, otherwise the user login to the |prod| host will fail.
-------------------------------------------
Default Local OpenLDAP Domain Configuration
-------------------------------------------