Applications

Intended Audience: System architects, developers and system administrators

  1. Client parameters
    1. Search parameters
    2. Bind parameters
      1. TLS parameters
      2. Simple bind
      3. SASL/EXTERNAL
  2. PAM/NSS services
    1. Simple PAM/NSS clients
      1. sssd
      2. nss-pam-ldapd (aka nslcd)
      3. nsscache
    2. Smart PAM/NSS clients
        aehostd -- Custom NSS/PAM demon
  3. SSH proxy
  4. LDAP proxy for another LDAP server
  5. Wifi access point

Client parameters

Integrating an LDAP-enabled application/system with Æ-DIR does not require detailed configuration tweaking. In general setting less special parameters are better than more because Æ-DIR ACLs internally sort out most stuff.

Search parameters

Search base:
ou=ae-dir (or whatever you configured in ansible default variable aedir_suffix)
Search scope:
subtree
Various possible filters for searching for all visible users accounts:
  • (objectClass=account)
  • (objectClass=inetOrgPerson)
  • (objectClass=person)
Filter for searching a particular account...
...by username
(uid=<username>)
...by e-mail address
(mail=<e-mail address>)
Additionally ensure the found user has login right on your system:
(&(uid=<username>)(pwdChangedTime=*))

Bind parameters

Bear in mind that your system always must bind to be granted access for searching users and groups etc.

TLS parameters

Clear-text connections are strictly disallowed. Therefore your system has to know the following parameters for estabilishing a validated TLS connection:

Simple bind

Bind-DN

The bind-DN in client configuration files should be the unique short-form instead of the complete DN. This allows moving the accompanying host or service entry within the DIT to another zone and/or beneath another service group without having to reconfigure the client side.

Hosts (OS login):
host=<canonical hostname>,ou=ae-dir
Server services (application/service login):
uid=<service name>,ou=ae-dir

SASL/EXTERNAL

The OpenLDAP server can use authentication credentials available at the transport layer to authenticate the client if it connects via LDAP over IPC (LDAPI) or with TLS encryption and sends a SASL bind operation with mechanism EXTERNAL.

In case of TLS with client cert authentication the configuration requires these parameters to be set:

PAM/NSS services

aehostd -- Custom NSS/PAM demon

While you can integrate your Linux systems with any NSS/PAM service demon it is highly recommended to use aehostd which gives better search performance and has features specifically useful when using Æ-DIR.

Simple PAM/NSS clients

Simple PAM/NSS clients do not have any special knowledge about Æ-DIR DIT and schema.

sssd

While the System Security Services Daemon (SSSD) for Linux is not a simple component the configuration of sssd-ldap(5) for Æ-DIR does deliberately not use any of its special features.

The following diagram illustrates the integration of sssd into Linux login:

Æ-DIR integration of Linux with sssd components

Two example configuration files for simple bind and SASL/EXTERNAL bind with TLS client certs: client-examples/sssd/

Example ansible role: ansible/roles/ae-dir-linux-client/ (set ansible variable nsswitch_module to "sss")

See also:

nss-pam-ldapd (aka nslcd)

Arthur de Jong's nss-pam-ldapd is also a demon providing NSS and PAM services and runs on various POSIX (non-Linux) platforms.

Example nslcd.conf in directory client-examples/nss-pam-ldapd/

Example ansible role: ansible/roles/ae-dir-linux-client/ (set ansible variable nsswitch_module to "ldap")

See also:

nsscache

If you like syncing the NSS maps locally for off-line use you can look at nsscache and its NSS module libnss-cache.

SSH proxy

It is possible to implement an authorizing SSH proxy which uses exactly the same Æ-DIR entry references to check whether a user is allowed to login to target SSH host.

SSH proxy integrated with Æ-DIR

See also:

LDAP proxy for another LDAP server

If you want to secure administrative access to another LDAP server you can use OpenLDAP's slapd-ldap(5) (aka back-ldap) for integrated authentication and authorization.

The following picture shows an example for a separate LDAP server serving DNS and DHCP data (or anything else) which gets maintained via LDAPS.

LDAP proxy integrated with Æ-DIR

Further notes:

See also:

Wifi access point

For setting up a very simple wireless access point using WPA2 enterprise authentication you can install hostapd and FreeRADIUS on one system and configure the latter as LDAP client as shown in the following picture.

Wifi access point integrated with Æ-DIR

Further notes:

See also: