In this post I show how I configured authentication for Linux/Ubuntu hosts against the project's LDAP (https://devops-db.com/category/laboratory/openldap/).

To follow it you need an LDAP server already created and configured, with TLS, sudo rules and a read-only bind user. All of this is covered in the OpenLDAP section.

For authentication on the Linux VMs I use SSSD (https://sssd.io/).

Starting from a fresh Ubuntu 22.04 VM, I begin with updates and the basic packages. One of them, ldap-utils, provides the ldapsearch and ldapadd commands used throughout this post.

apt-get update
apt-get install -y python3 wget gnupg2 net-tools gpg lsb-release vim libcap2-bin curl python3-pip less iputils-ping ssh software-properties-common dnsutils jq ldap-utils

With everything installed, validate that the host can reach the LDAP server and that the read-only bind user can read a user entry. (Passing the password with -w leaves it in the shell history and visible to every local user through ps; outside a lab prefer -W, which prompts for it.)

$ ldapsearch -v -x -H ldap://ldap.devops-db.info:389 -b "cn=Fausto Branco,ou=UserGroups,dc=ldap,dc=devops-db,dc=info" -D "cn=readonly-bind-dn,ou=ServiceGroups,dc=ldap,dc=devops-db,dc=info" -w "1234qwer"

ldap_initialize( ldap://ldap.devops-db.info:389/??base )
filter: (objectclass=*)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <cn=Fausto Branco,ou=UserGroups,dc=ldap,dc=devops-db,dc=info> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Fausto Branco, UserGroups, ldap.devops-db.info
dn: cn=Fausto Branco,ou=UserGroups,dc=ldap,dc=devops-db,dc=info
cn: Fausto Branco
gidNumber: 10000
givenName: Fausto
homeDirectory: /home/fbranco
loginShell: /bin/bash
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
sn: Branco
uid: fbranco
uidNumber: 10000

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Install the SSSD tools for authentication.

apt-get install -y sssd libpam-sss libnss-sss sssd-tools libsss-sudo

Certificate preparation.

First, copy the OpenLDAP server certificate to the host being configured (the Ubuntu VM). On the OpenLDAP host the certificate is at /etc/ssl/openldap/certs/ldapserver-cert.crt. There are several ways to get it across; I'll leave two of the simplest. Keep in mind that this file is the server's own (leaf) certificate: the one printed below has an issuer DN that differs from its subject DN and carries CA:FALSE, so it was signed by a private CA. OpenSSL only accepts a self-signed certificate as a trust anchor, so what belongs in the file SSSD uses as ldap_tls_cacert is that CA's certificate; only when the server certificate is self-signed are the two the same file.

From within the OpenLDAP host, cat the file and copy everything from BEGIN CERTIFICATE to END CERTIFICATE, both lines included:

cat /etc/ssl/openldap/certs/ldapserver-cert.crt

[...]
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

Or, from any host that can reach port 389, pull the certificate the server presents (StartTLS on 389; -showcerts prints the whole chain the server sends and the openssl x509 step keeps only the first one, the server certificate) and again copy the block between BEGIN CERTIFICATE and END CERTIFICATE:

openssl s_client -connect ldap.devops-db.info:389 -starttls ldap -showcerts < /dev/null | openssl x509 -text | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

[...]
-----BEGIN CERTIFICATE-----
MIIFwjCCA6qgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwgYQxCzAJBgNVBAYTAlBU
MQ4wDAYDVQQIDAVQb3J0bzEOMAwGA1UEBwwFUG9ydG8xEjAQBgNVBAoMCURldm9w
cy1EQjEcMBoGA1UEAwwTbGRhcC5kZXZvcHMtZGIuaW5mbzEjMCEGCSqGSIb3DQEJ
ARYUYWRtaW5AZGV2b3BzLWRiLmluZm8wHhcNMjQwNDA4MTEzMzE0WhcNMjUwNDA4
MTEzMzE0WjB0MQswCQYDVQQGEwJQVDEOMAwGA1UECAwFUG9ydG8xEjAQBgNVBAoM
CURldm9wcy1EQjEcMBoGA1UEAwwTbGRhcC5kZXZvcHMtZGIuaW5mbzEjMCEGCSqG
SIb3DQEJARYUYWRtaW5AZGV2b3BzLWRiLmluZm8wggIiMA0GCSqGSIb3DQEBAQUA
A4ICDwAwggIKAoICAQCz6rcxPNUdN37jfFmMf/Mwdxmf6ST3hulCJAxNBBHzOSOW
+umvVhfqtw88X3dgq3CW7fQvGQ2izqzN/2MLSe7yV9I1LGqLmtwN2IHTTpC3NAeH
8qlfuwHi+IvO2eFr0EGaL4rT5O+h8qnthPWI1/Rh9xdkx9xvTvVTsElkNZJ+zAZs
E41XwWRsxwHUyDRxQIL2EGbUVyjbJgTzoxQQHdetIeYc6Vya7ABHa6iwfSMKR99A
NdOujpnNecGnGJSzQ0B6RXp2ae28LjjyVdMV1wo6PrvgsKqt5MO4GxyPKginVp0s
ly2zVshCzREw6/4lxxJXqRHcmcS6mhm0U77QTG32A2bU+SJONqxF6GVil60sGm59
MxwDvkgQuE9QDQ4+txYh8K97PfxqVcPG92PS2sYOinc1EBsnD6TEsuvfc8m0Ev3m
njZ+jgJA4Gf+e9AbfgQVJEbdQj7mM2gRFL7CWKAgzk2KRh9xWTlk8nCwqCwHx57d
hE+qfC/SkInZCQHGTSQ22+RidEXq7GxtY2KDNSFSTPeGjR8KA5+lqeuIf8ZeHc6s
HEtK12B8yvYDfRyCBnPugXxs77CiTcmUvWCfBP9GZv4icoCdDTzfnfTNaGO9X16+
XY5sC27o24WsxXLF9EDtp6FpnGX1moR6h89Jky+clCwpDUj4sucWz4WPtHpAnwID
AQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBTP5qF7BCcepDXMDBBq+Bbonlr2
FzAfBgNVHSMEGDAWgBRN6D0ZxNB2qFyd9JTxZ/oYSBfMTjANBgkqhkiG9w0BAQsF
AAOCAgEAjz2Hx2s8A+liNwaEGPS1B/TDHDUKgzsrjXPEVfni3vhlhqgczej/rDAX
d8pLJ4QawlFPbQVZqFFsyJjo6dAG2WfIJeA0c+7kw1pVcbVqQKymq7UtOaHiZF8j
jkBuxKJH4P+lxBLSWCiktvqhTJ/1IgQ66R3wve8J0+KCHGsX2BFMA8Zqc48PTXnu
NGLUsIIYNwMlsCyfEYRY9s6Lg5q8Vcb1dN39uJwMe+Q8XKM0tPM+Dn1z4289q9CZ
poGfhonu3u/9e/LsrptE0ZURGqBFCXXU8gAq0Yg1ViGwcA8e6HC6iia6H0Y4vS6j
q33VIswn0In56zw4gOD/BnYHU5B/277hY8UIsU6vQaTZbpE/GpW8RT85V4MT6r5W
MI2WF8ZATyBbJ5PbXctYfmnydQwTXpoNnioGmxH4Qu0S+ydc+yneAIlZWURlq5gB
YuZrmI7xuGxs5UfzQBEFroRlI6QmW95ebkac5XwURTW1/bI5deJZnfTOezRJKr5n
L1yySSIs2rYXQkphDwV6HqSNg3eJSEGusCbV9Kgx52X5uorfot5i1bZUJcSKJJby
38UpFzQ4/SOBewNfWAq6Q1NBWUbfn8BARv96L7n3uK4JrxfkUrHGjzWGJmtlgx+b
shJhA/b/35i7KxmdI6eGy0I3vylbGjaH0WGS4+QRYeJKWXPm6kk=
-----END CERTIFICATE-----

With the content obtained either way, back on the host being configured, create the file /etc/ssl/certs/ldapcacert.crt with it.

I keep this certificate on my workstation so I can distribute it to the other hosts I create. Later it will also be stored in this project's GitLab, so automation can copy it to any new host.

Validate the certificate by connecting to the LDAP host. Port 389 is plain LDAP, so openssl s_client needs -starttls ldap there; the simplest check is against the ldaps port:

$ openssl s_client -connect ldap.devops-db.info:636 -CAfile /etc/ssl/certs/ldapcacert.crt < /dev/null

A good result shows the peer certificate chain, a negotiated cipher and "Verify return code: 0 (ok)". My first attempt, below, went to 389 without -starttls: the server closed the cleartext connection when it received a TLS ClientHello, which is what "unexpected eof", "no peer certificate available" and "handshake has read 0 bytes" mean, so the "Verification: OK" in that output is vacuous, nothing was verified:

$ openssl s_client -connect ldap.devops-db.info:389 -CAfile /etc/ssl/certs/ldapcacert.crt

CONNECTED(00000003)
40C75159867F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:308:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 321 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
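
Before trusting the copied file, it is worth checking what kind of certificate it actually is. The script below is an added example, not code from the original post: it embeds the certificate that openssl s_client printed above (labelled in the script as the page's server certificate) and reports whether it is self-signed, whether it is a CA, and whether OpenSSL would accept it on its own as a trust anchor, which is what ldap_tls_cacert requires. The function names are mine; only sh and openssl (1.1.0 or newer, for -no_check_time) are assumed.

```sh
#!/bin/sh
# Added example, not from the original post: inspect a PEM certificate the
# way you should before putting it in ldap_tls_cacert. The embedded PEM is
# the server certificate printed by "openssl s_client -showcerts" above.
# Assumes: sh, openssl >= 1.1.0 (for "verify -no_check_time").

# write_page_cert -> path of a temp file holding the certificate from the post
write_page_cert() {
    t=$(mktemp)
    cat > "$t" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIFwjCCA6qgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwgYQxCzAJBgNVBAYTAlBU
MQ4wDAYDVQQIDAVQb3J0bzEOMAwGA1UEBwwFUG9ydG8xEjAQBgNVBAoMCURldm9w
cy1EQjEcMBoGA1UEAwwTbGRhcC5kZXZvcHMtZGIuaW5mbzEjMCEGCSqGSIb3DQEJ
ARYUYWRtaW5AZGV2b3BzLWRiLmluZm8wHhcNMjQwNDA4MTEzMzE0WhcNMjUwNDA4
MTEzMzE0WjB0MQswCQYDVQQGEwJQVDEOMAwGA1UECAwFUG9ydG8xEjAQBgNVBAoM
CURldm9wcy1EQjEcMBoGA1UEAwwTbGRhcC5kZXZvcHMtZGIuaW5mbzEjMCEGCSqG
SIb3DQEJARYUYWRtaW5AZGV2b3BzLWRiLmluZm8wggIiMA0GCSqGSIb3DQEBAQUA
A4ICDwAwggIKAoICAQCz6rcxPNUdN37jfFmMf/Mwdxmf6ST3hulCJAxNBBHzOSOW
+umvVhfqtw88X3dgq3CW7fQvGQ2izqzN/2MLSe7yV9I1LGqLmtwN2IHTTpC3NAeH
8qlfuwHi+IvO2eFr0EGaL4rT5O+h8qnthPWI1/Rh9xdkx9xvTvVTsElkNZJ+zAZs
E41XwWRsxwHUyDRxQIL2EGbUVyjbJgTzoxQQHdetIeYc6Vya7ABHa6iwfSMKR99A
NdOujpnNecGnGJSzQ0B6RXp2ae28LjjyVdMV1wo6PrvgsKqt5MO4GxyPKginVp0s
ly2zVshCzREw6/4lxxJXqRHcmcS6mhm0U77QTG32A2bU+SJONqxF6GVil60sGm59
MxwDvkgQuE9QDQ4+txYh8K97PfxqVcPG92PS2sYOinc1EBsnD6TEsuvfc8m0Ev3m
njZ+jgJA4Gf+e9AbfgQVJEbdQj7mM2gRFL7CWKAgzk2KRh9xWTlk8nCwqCwHx57d
hE+qfC/SkInZCQHGTSQ22+RidEXq7GxtY2KDNSFSTPeGjR8KA5+lqeuIf8ZeHc6s
HEtK12B8yvYDfRyCBnPugXxs77CiTcmUvWCfBP9GZv4icoCdDTzfnfTNaGO9X16+
XY5sC27o24WsxXLF9EDtp6FpnGX1moR6h89Jky+clCwpDUj4sucWz4WPtHpAnwID
AQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBTP5qF7BCcepDXMDBBq+Bbonlr2
FzAfBgNVHSMEGDAWgBRN6D0ZxNB2qFyd9JTxZ/oYSBfMTjANBgkqhkiG9w0BAQsF
AAOCAgEAjz2Hx2s8A+liNwaEGPS1B/TDHDUKgzsrjXPEVfni3vhlhqgczej/rDAX
d8pLJ4QawlFPbQVZqFFsyJjo6dAG2WfIJeA0c+7kw1pVcbVqQKymq7UtOaHiZF8j
jkBuxKJH4P+lxBLSWCiktvqhTJ/1IgQ66R3wve8J0+KCHGsX2BFMA8Zqc48PTXnu
NGLUsIIYNwMlsCyfEYRY9s6Lg5q8Vcb1dN39uJwMe+Q8XKM0tPM+Dn1z4289q9CZ
poGfhonu3u/9e/LsrptE0ZURGqBFCXXU8gAq0Yg1ViGwcA8e6HC6iia6H0Y4vS6j
q33VIswn0In56zw4gOD/BnYHU5B/277hY8UIsU6vQaTZbpE/GpW8RT85V4MT6r5W
MI2WF8ZATyBbJ5PbXctYfmnydQwTXpoNnioGmxH4Qu0S+ydc+yneAIlZWURlq5gB
YuZrmI7xuGxs5UfzQBEFroRlI6QmW95ebkac5XwURTW1/bI5deJZnfTOezRJKr5n
L1yySSIs2rYXQkphDwV6HqSNg3eJSEGusCbV9Kgx52X5uorfot5i1bZUJcSKJJby
38UpFzQ4/SOBewNfWAq6Q1NBWUbfn8BARv96L7n3uK4JrxfkUrHGjzWGJmtlgx+b
shJhA/b/35i7KxmdI6eGy0I3vylbGjaH0WGS4+QRYeJKWXPm6kk=
-----END CERTIFICATE-----
EOF
    echo "$t"
}

# cert_is_self_signed FILE -> "yes" if issuer DN equals subject DN, else "no".
# Only a self-signed certificate can act as its own trust anchor.
cert_is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    i=$(openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer=//')
    [ "$s" = "$i" ] && echo yes || echo no
}

# cert_is_ca FILE -> "yes" if basicConstraints says CA:TRUE, else "no"
cert_is_ca() {
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then echo yes; else echo no; fi
}

# cert_trust_anchor_ok FILE -> exit 0 if FILE verifies against itself used as
# the CA bundle (dates ignored), i.e. it would work alone as ldap_tls_cacert
cert_trust_anchor_ok() {
    openssl verify -no_check_time -CAfile "$1" "$1" >/dev/null 2>&1
}

# report FILE -> human-readable summary
report() {
    openssl x509 -in "$1" -noout -subject -issuer -dates -nameopt RFC2253
    echo "self-signed: $(cert_is_self_signed "$1")  CA: $(cert_is_ca "$1")"
    if cert_trust_anchor_ok "$1"; then
        echo "usable as ldap_tls_cacert on its own"
    else
        echo "NOT usable as a trust anchor alone: put the issuing CA certificate in ldap_tls_cacert"
    fi
}

if [ $# -eq 1 ]; then report "$1"; fi
```

Run it as "sh check_cert.sh /etc/ssl/certs/ldapcacert.crt" to inspect the file you actually installed. For the certificate from this post it reports self-signed: no, CA: no, and the self-verification fails because OpenSSL cannot find the issuer in the bundle: that is exactly the situation in which SSSD's default ldap_tls_reqcert = demand errors out, and the cure is to install the issuing CA's certificate, not to set never.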

Configure LDAP.

For this type of authentication I create two groups, LinuxAdmin and GitLabAdmin. LinuxAdmin is the group whose members are allowed to log in to any Linux host; GitLabAdmin is there only to show how to combine more than one group in the access filter.
Note that the filter only controls login: sudo rights on the host come from the sudo rules under ou=AdminGroups, as explained in the SUDO configuration post of the OpenLDAP series.

Create the LDIF files and add the groups, with the user as member, to LDAP. The cn value must match the RDN in the dn line (the admin password is again passed with -w; prefer -W outside a lab).

cat << EOL > /work/ldap/linuxadmin_sec_group.ldif
dn: cn=LinuxAdmin,ou=SecurityGroups,dc=ldap,dc=devops-db,dc=info
objectClass: groupOfNames
cn: LinuxAdmin
member: cn=Fausto Branco,ou=UserGroups,dc=ldap,dc=devops-db,dc=info
EOL

ldapadd -x -H ldaps://ldap.devops-db.info:636 -D "CN=admin,dc=ldap,dc=devops-db,dc=info" -f /work/ldap/linuxadmin_sec_group.ldif -w "JbBmKx#lK@ZX4*amqd5l"


cat << EOL > /work/ldap/GitLabAdmin_sec_group.ldif
dn: cn=GitLabAdmin,ou=SecurityGroups,dc=ldap,dc=devops-db,dc=info
objectClass: groupOfNames
cn: GitLabAdmin
member: cn=Fausto Branco,ou=UserGroups,dc=ldap,dc=devops-db,dc=info
EOL

ldapadd -x -H ldaps://ldap.devops-db.info:636 -D "CN=admin,dc=ldap,dc=devops-db,dc=info" -f /work/ldap/GitLabAdmin_sec_group.ldif -w "JbBmKx#lK@ZX4*amqd5l"

The SSSD configuration file is not created by the package; it has to be written from scratch.

cat > /etc/sssd/sssd.conf << 'EOL'
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[nss]

[pam]
offline_credentials_expiration = 60

[domain/default]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=ldap,dc=devops-db,dc=info
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
ldap_uri = ldaps://ldap.devops-db.info:636
ldap_default_bind_dn = cn=readonly-bind-dn,ou=ServiceGroups,dc=ldap,dc=devops-db,dc=info
ldap_default_authtok = 1234qwer
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/ssl/certs/ldapcacert.crt
ldap_tls_cacertdir = /etc/ssl/certs
ldap_search_timeout = 50
ldap_network_timeout = 60
ldap_sudo_search_base = ou=AdminGroups,dc=ldap,dc=devops-db,dc=info
ldap_access_order = filter
ldap_access_filter = (|(memberOf=cn=LinuxAdmin,ou=SecurityGroups,dc=ldap,dc=devops-db,dc=info)(memberOf=cn=GitLabAdmin,ou=SecurityGroups,dc=ldap,dc=devops-db,dc=info))
EOL

A few things to note in this file. The bind uses the read-only user (ldap_default_bind_dn / ldap_default_authtok, so the bind password sits in clear text in the file, which is why the permissions step further down matters). ldap_sudo_search_base points at the OU holding the sudo rules. ldap_access_filter, which decides who may log in, ORs the two groups; it relies on the memberOf attribute, which only exists if the memberof overlay is loaded on the server and which a plain ldapsearch does not return unless you request it explicitly. Since ldap_uri is ldaps://, TLS is implicit on port 636 and ldap_id_use_start_tls is redundant; it would be needed with an ldap:// URI on 389.
About ldap_tls_reqcert = never: SSSD validates the server certificate against ldap_tls_cacert by default (demand). A self-signed certificate validates fine that way, provided the very same certificate is in ldap_tls_cacert and its CN/SAN matches the hostname in ldap_uri; the error described above is what you typically get when the file holds the server's leaf certificate rather than the CA that issued it. never makes SSSD skip the check altogether: the channel is still encrypted, but to an unauthenticated peer, so anyone able to redirect traffic for ldap.devops-db.info can run a fake server and collect the bind password and every user password SSSD forwards to it. Keep never for debugging a lab only; the fix is the right CA file plus ldap_tls_reqcert = demand.
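
To make these points checkable, here is an added example, not part of SSSD or of the original post: a small sh lint that reads an sssd.conf and flags the settings discussed above (reqcert never, StartTLS on an ldaps:// URI, a clear-text bind password, an ldap access provider with no filter, and a sudo search base without the sudo responder). It never contacts LDAP. The two sample configurations it writes are constructed from the file in this post and from a corrected version of it; the function names and the WARN/INFO wording are mine.

```sh
#!/bin/sh
# Added example (not part of SSSD or of the original post): lint sssd.conf for
# the settings discussed in this post. POSIX sh + sed/awk only; reads the file
# and never contacts LDAP.
#
# Usage: sssd_lint /etc/sssd/sssd.conf

# conf_get FILE KEY -> value of "KEY = value" (last occurrence), empty if unset
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# sssd_lint FILE -> one line per finding (WARN or INFO), nothing when clean
sssd_lint() {
    f=$1
    reqcert=$(conf_get "$f" ldap_tls_reqcert)
    case "$reqcert" in
        never|allow) echo "WARN ldap_tls_reqcert=$reqcert: server certificate is not validated (a MITM collects every bind password); set demand and point ldap_tls_cacert at the issuing CA" ;;
    esac

    uri=$(conf_get "$f" ldap_uri)
    starttls=$(conf_get "$f" ldap_id_use_start_tls | tr 'A-Z' 'a-z')
    case "$uri" in
        ldap://*)  [ "$starttls" = true ] || echo "WARN ldap_uri=$uri without ldap_id_use_start_tls=True: binds would travel in clear text" ;;
        ldaps://*) [ "$starttls" = true ] && echo "INFO ldap_id_use_start_tls is redundant with ldaps://: TLS is already implicit on that URI" ;;
    esac

    [ -n "$(conf_get "$f" ldap_default_authtok)" ] &&
        echo "INFO ldap_default_authtok is stored in clear text: keep sssd.conf root:root 0600 and bind with a read-only account"

    if [ "$(conf_get "$f" access_provider)" = ldap ] && [ -z "$(conf_get "$f" ldap_access_filter)" ]; then
        echo "WARN access_provider=ldap with no ldap_access_filter: every LDAP user may log in"
    fi

    if [ -n "$(conf_get "$f" ldap_sudo_search_base)" ]; then
        case "$(conf_get "$f" services)" in
            *sudo*) ;;
            *) echo "INFO ldap_sudo_search_base set but sudo not in services: rules are served only if sssd-sudo.socket is active; add sudo to services if sudo -l finds nothing" ;;
        esac
    fi
    return 0
}

# sssd_lint_count FILE -> number of findings
sssd_lint_count() {
    sssd_lint "$1" | awk 'END { print NR }'
}

# write_sample_conf MODE -> path of a temp file; MODE "post" holds the settings
# from this post, MODE "hardened" a constructed corrected version of them
write_sample_conf() {
    t=$(mktemp)
    if [ "$1" = post ]; then
        cat > "$t" <<'EOF'
[sssd]
services = nss, pam
domains = default

[domain/default]
ldap_id_use_start_tls = True
ldap_uri = ldaps://ldap.devops-db.info:636
ldap_default_bind_dn = cn=readonly-bind-dn,ou=ServiceGroups,dc=ldap,dc=devops-db,dc=info
ldap_default_authtok = 1234qwer
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/ssl/certs/ldapcacert.crt
ldap_sudo_search_base = ou=AdminGroups,dc=ldap,dc=devops-db,dc=info
access_provider = ldap
ldap_access_filter = (memberOf=cn=LinuxAdmin,ou=SecurityGroups,dc=ldap,dc=devops-db,dc=info)
EOF
    else
        cat > "$t" <<'EOF'
[sssd]
services = nss, pam, sudo
domains = default

[domain/default]
ldap_uri = ldaps://ldap.devops-db.info:636
ldap_default_bind_dn = cn=readonly-bind-dn,ou=ServiceGroups,dc=ldap,dc=devops-db,dc=info
ldap_default_authtok = 1234qwer
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ldapcacert.crt
ldap_sudo_search_base = ou=AdminGroups,dc=ldap,dc=devops-db,dc=info
access_provider = ldap
ldap_access_filter = (memberOf=cn=LinuxAdmin,ou=SecurityGroups,dc=ldap,dc=devops-db,dc=info)
EOF
    fi
    echo "$t"
}

if [ $# -eq 1 ]; then sssd_lint "$1"; fi
```

Against the settings from this post the lint reports four findings, one of them the WARN on ldap_tls_reqcert = never; against the corrected version only the INFO about the clear-text bind password remains, which is inherent to a simple bind and is why the file permissions and the read-only bind account matter.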

Now adjust the client library configuration used by ldap-utils:

vi /etc/ldap/ldap.conf

TLS_CACERT	 /etc/ssl/certs/ldapcacert.crt
sudoers_base ou=AdminGroups,dc=ldap,dc=devops-db,dc=info

TLS_CACERT is what ldapsearch and friends use to verify ldaps:// and StartTLS connections (libldap's default is TLS_REQCERT demand, so a wrong file fails loudly here, which is useful for testing). The sudoers_base line is a sudo-ldap keyword: libldap ignores keywords it does not know, and with libsss-sudo the sudo search base is the ldap_sudo_search_base in sssd.conf, so this line is harmless but does nothing.

For a user's first login the home directory must exist, so enable pam_mkhomedir by adding the line below at the end of the configuration file (on Ubuntu, pam-auth-update --enable mkhomedir does the same through the managed block):

vi /etc/pam.d/common-session

session required        pam_mkhomedir.so skel=/etc/skel/ umask=0022

Everything ready, fix ownership and permissions and restart the SSSD service. SSSD refuses to start unless sssd.conf is owned by root with mode 0600, and the file now holds the bind password, so this step is not optional:

chown -R root:root /etc/sssd
chmod 700 /etc/sssd
chmod 600 /etc/sssd/sssd.conf
systemctl restart sssd

systemctl status sssd

If you want to follow SSSD while testing (the nss responder log below covers lookups; binds, TLS errors and access-filter decisions are in the domain log, /var/log/sssd/sssd_default.log, and debug_level in the [domain/default] section controls how much is written):

tail -500f /var/log/sssd/sssd_nss.log

Testing and use.

Lookup of the group configured for host access, this time over ldaps://, which also exercises the TLS_CACERT setting in /etc/ldap/ldap.conf:

$ ldapsearch -v -x -H ldaps://ldap.devops-db.info:636 -b "cn=LinuxAdmin,ou=SecurityGroups,dc=ldap,dc=devops-db,dc=info" -D "cn=readonly-bind-dn,ou=ServiceGroups,dc=ldap,dc=devops-db,dc=info" -w "1234qwer"


ldap_initialize( ldaps://ldap.devops-db.info:636/??base )
filter: (objectclass=*)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <cn=LinuxAdmin,ou=SecurityGroups,dc=ldap,dc=devops-db,dc=info> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# LinuxAdmin, SecurityGroups, ldap.devops-db.info
dn: cn=LinuxAdmin,ou=SecurityGroups,dc=ldap,dc=devops-db,dc=info
objectClass: groupOfNames
cn: admins
cn: LinuxAdmin
member: cn=Fausto Branco,ou=UserGroups,dc=ldap,dc=devops-db,dc=info

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Now validate the lookups. If the result looks like the one below, the host is resolving users from LDAP (the * in the password field is expected: SSSD never exposes the password hash through NSS, authentication goes through PAM):

getent passwd fbranco
fbranco:*:10000:10000:Fausto Branco:/home/fbranco:/bin/bash

id fbranco
uid=10000(fbranco) gid=10000(AllUsers) groups=10000(AllUsers)

Then switch to the user for the first login and validate HOME and sudo:

vagrant@srv-hostldap-01:~$ su fbranco
Password:

fbranco@srv-hostldap-01:/home/vagrant$ cd ~

fbranco@srv-hostldap-01:~$ pwd
/home/fbranco

fbranco@srv-hostldap-01:~$ sudo -s
root@srv-hostldap-01:/home/fbranco#

If you already have SSH configured, just log in; password authentication for LDAP users goes through the same PAM stack:

ssh fbranco@172.21.5.151
fbranco@172.21.5.151's password:
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-92-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

  System information as of Wed Apr 10 10:16:23 PM UTC 2024

  System load:  0.00048828125      Processes:             149
  Usage of /:   13.8% of 30.34GB   Users logged in:       0
  Memory usage: 30%                IPv4 address for eth0: 10.0.2.15
  Swap usage:   0%                 IPv4 address for eth1: 172.21.5.151


This system is built by the Bento project by Chef Software
More information can be found at https://github.com/chef/bento

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

fbranco@srv-hostldap-01:~$
