Managing the LDAP Directory

Connecting

With the exceptions of conehead and grub, all of the LDAP servers require a physical or VPN connection to the Virginia Tech network in order to be accessed for management activities. LDAP directories can be anonymously searched for public information on port 11389 from the Virginia Tech network, but service and management accounts must bind to the directory to access protected attributes of directory entries. Directory managers can bind to the directory using their uid=*,ou=Administrators,ou=NIS,o=vt accounts and obtain manager authorization as detailed in the section below.

Directory administrators who need full access to the OpenLDAP software and the root of the directory tree must connect to the server via SSH with their VT usernames and escalate their privileges with the sudo su - openldap command. After becoming the openldap user, administrative operations can be performed through the LDAP IPC socket by passing the -H ldapi:/// -Y EXTERNAL options to the ldap client utilities: ldapadd, ldapcompare, ldapdelete, ldapmodify, ldapmodrdn, ldappasswd, ldapsearch.

Obtaining Manager Authorization

Manager authorization is granted through the SASL Proxy Authorization feature of OpenLDAP using the -e option to the ldap utilities mentioned above. Users who are authorized to change data in the o=vt subtree have authzFrom attributes set for them in the cn=Manager,o=vt entry, which is the RootDN for o=vt. They can be listed with ldapsearch -b cn=Manager,o=vt -s base authzFrom as the openldap operating system user.

Helpful Aliases for Directory Managers

Passing your authorization credentials with every ldap command can be cumbersome, so these aliases can make your life easier. Put them in your ~/.bash_aliases file, then use mgrldapsearch instead of ldapsearch to view entries that your user does not otherwise have access to view, or mgrldapmodify instead of ldapmodify when you need to make an update.

~/.bash_aliases

# -e \!authzid=... requests the proxy authorization control; the leading !
# marks the control as critical. Aliases pass any further arguments on
# automatically, so no trailing $* is needed (inside double quotes it would
# have been expanded at definition time, not at use).
alias mgrldapadd='ldapadd -e \!authzid=dn:cn=Manager,o=vt'
alias mgrldapdelete='ldapdelete -e \!authzid=dn:cn=Manager,o=vt'
alias mgrldapmodify='ldapmodify -e \!authzid=dn:cn=Manager,o=vt'
alias mgrldapsearch='ldapsearch -e \!authzid=dn:cn=Manager,o=vt'
alias mgrldapwhoami='ldapwhoami -e \!authzid=dn:cn=Manager,o=vt'

The Online Configuration Database

Configuration settings for the running LDAP directory can be modified with the ldapmodify command without a restart, yet will persist after a restart.

About LDIF Files

While updates to the LDAP directory can be done inline, the more common approach is to store the operations in an LDIF file and use the -f something.ldif option of the ldap client utilities that change data. It is important to store these files securely and delete them promptly when using this technique to alter sensitive data.

About the FreeRADIUS Data

In order for any network system to send access requests to the FreeRadius servers, that system must be in a list of 'clients' that FreeRadius is aware of. The majority of those clients are the wireless network controllers and the routers and switches that make up the wired network infrastructure, of which there are over two thousand. Rather than maintain that list on every individual FreeRadius server, each server queries the directory for the known clients when its own radiusd process is started. These clients are recorded in the Clients subtree.

Among the identifying information recorded is a cleartext radiusClientSecret which the client must provide and match whenever it sends an access request to the FreeRadius server.

example

dn: radiusClientNUID=48581922809,ou=Clients,ou=FreeRADIUS,ou=Configuration,ou=NIS,o=vt
radiusClientNUID: 48581922809
radiusClientIpAddr: 172.16.246.52
radiusClientSecret: REDACTREDACTREDACTREDACTREDACTREDACTREDACTREDACTREDACTREDACT
radiusClientShortname: VTC-BC-AA-01
radiusClientIdentifier: VTC-BC-AA-01.cns.vt.edu
radiusClientLastUpdated: 1574349635
objectClass: radiusClient

The FreeRadius servers query the directory when authenticating users for the eduroam network, basic vpn, or rlan-vpn. The user's uid (pid) is used to find both a network account record and an entitlement record, under the People and Entitlements subtrees respectively.

The network account contains the NT-hashed password used for authentication, and a prohibited attribute that denotes administratively locked accounts.

example

dn: nuid=1815024,ou=People,ou=NIS,o=vt
nuid: 1815024
uid: markhw
sn: Williams
cn: Mark Williams
userPassword: {nt}REDACTREDACTREDACTREDACTREDACTED
prohibited: FALSE
objectClass: nisUserAccount
objectClass: inetOrgPerson
objectClass: radiusprofile

Each network account may be associated with up to three service subscriptions: wireless, basic vpn, or rlan-vpn access. For each subscription there will be a matching entitlement record. Existence of the record is equivalent to having a subscription.

In addition to the pid, both the network account and the entitlement reference the ‘uid’ value associated with that same pid in Enterprise Directory. The entitled attribute of each entitlement references the dn of the associated network account.

example

dn: nuid=9056724418,ou=Entitlements,ou=NIS,o=vt
nuid: 9056724418
entitled: nuid=1815024,ou=People,ou=NIS,o=vt
entitledUID: markhw
entitlement: cns.service.network.vpn
objectClass: nisEntitlement

dn: nuid=4512003484,ou=Entitlements,ou=NIS,o=vt
nuid: 4512003484
entitled: nuid=1815024,ou=People,ou=NIS,o=vt
entitledUID: markhw
entitlement: cns.service.network.wireless
objectClass: nisEntitlement

dn: nuid=0101010101,ou=Entitlements,ou=NIS,o=vt
nuid: 0101010101
entitled: nuid=010101,ou=People,ou=NIS,o=vt
entitledUID: player1
entitlement: cns.service.network.rlanvpn
objectClass: nisEntitlement
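The account/entitlement model described above implies two invariants that a directory manager can audit offline: every entitlement's entitled DN must name an existing network account, and its entitledUID must equal that account's uid. The following is an added example (not part of this page or the NIS tooling) that checks an LDIF dump for both; the LDIF is constructed from the sample entries above plus one deliberately inconsistent entitlement (entitledUID "mhw"), and the parser assumes plain "attr: value" lines only.

```python
from collections import defaultdict

# Constructed LDIF dump: the page's sample account and entitlements, plus one
# deliberately inconsistent entitlement (entitledUID "mhw") for the audit.
SAMPLE_LDIF = """\
dn: nuid=1815024,ou=People,ou=NIS,o=vt
uid: markhw
objectClass: nisUserAccount

dn: nuid=9056724418,ou=Entitlements,ou=NIS,o=vt
entitled: nuid=1815024,ou=People,ou=NIS,o=vt
entitledUID: markhw
entitlement: cns.service.network.vpn
objectClass: nisEntitlement

dn: nuid=4512003484,ou=Entitlements,ou=NIS,o=vt
entitled: nuid=1815024,ou=People,ou=NIS,o=vt
entitledUID: mhw
entitlement: cns.service.network.wireless
objectClass: nisEntitlement

dn: nuid=0101010101,ou=Entitlements,ou=NIS,o=vt
entitled: nuid=010101,ou=People,ou=NIS,o=vt
entitledUID: player1
entitlement: cns.service.network.rlanvpn
objectClass: nisEntitlement
"""

def parse_ldif(text):
    """Parse simple 'attr: value' LDIF (no '::' base64, no folded lines) into {dn: {attr: [values]}}."""
    entries, current = {}, defaultdict(list)
    for line in text.splitlines() + [""]:
        if not line.strip():                      # a blank line ends the current entry
            if current:
                entries[current["dn"][0]] = dict(current)
                current = defaultdict(list)
            continue
        attr, _, value = line.partition(": ")
        current[attr].append(value)
    return entries

def audit_entitlements(entries):
    """Return (dn, problem) for entitlements that break the account/entitlement model."""
    findings = []
    for dn, e in entries.items():
        if "nisEntitlement" not in e.get("objectClass", []):
            continue
        account = entries.get(e["entitled"][0])   # the network account this entitlement points at
        if account is None:
            findings.append((dn, "orphan: entitled DN does not exist"))
        elif account.get("uid", [None])[0] != e["entitledUID"][0]:
            findings.append((dn, "entitledUID does not match account uid"))
    return findings
```

Run against a real export (for example the output of mgrldapsearch -LLL -b ou=NIS,o=vt), the findings list is the set of entitlements worth reviewing before FreeRadius trusts them.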

The FreeRadius servers also query the directory when authenticating users and applications for access to network equipment and network configuration software. After successfully matching the salted SHA-1 hashed password, the FreeRadius server returns ALL values stored in the radiusAttribute fields to the authenticating client.

example

dn: nuid=81412786070,ou=Administrators,ou=NIS,o=vt
nuid: 81412786070
uid: markhw
cn: NetAdmin - markhw
radiusAttribute: Juniper-Local-User-Name=network-administrator
radiusAttribute: Cisco-AVPair+="shell:priv-lvl=15"
radiusAttribute: Aruba-CPPM-Role=Super-Admin
radiusAttribute: PaloAlto-Admin-Role=ITSO-Admin
mail: markhw@vt.edu
userPassword: {ssha}REDACTREDACTREDACTREDACTREDACTREDACT1234
objectClass: radiusprofile
objectClass: nisUserAccount
objectClass: radiusObjectProfile
objectClass: extensibleObject

The FreeRadius servers run a few different queries against the directory when authenticating users trying to access the F5 load-balancers. Radius filters for a uid matching the username provided in the access request and looks for an additional radiusProfileDN attribute.

example

dn: nuid=1815024,ou=People,ou=NIS,o=vt
nuid: 1815024
uid: markhw
sn: Williams
cn: Mark Williams
userPassword: {nt}REDACTREDACTREDACTREDACTREDACTED
prohibited: FALSE
radiusProfileDN: cn=AppEditor,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt
objectClass: nisUserAccount
objectClass: inetOrgPerson
objectClass: radiusprofile

That value informs another query against the directory for a groupOfNames, which contains the authorization attributes to be handed back to the load-balancer in the access reply.

example

dn: cn=AppEditor,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt
cn: AppEditor
description: Entries for the Application Editor group user accounts
member: nuid=88888888,ou=People,ou=NIS,o=vt
member: nuid=77777777,ou=People,ou=NIS,o=vt
member: nuid=66666666,ou=People,ou=NIS,o=vt
objectClass: groupOfNames
objectClass: radiusprofile
radiusAttribute: F5-LTM-User-Info-1+=AppEditor
radiusAttribute: F5-LTM-User-Partition+=All
radiusAttribute: F5-LTM-User-Shell+=tmsh
radiusAttribute: F5-LTM-User-Role+=300

Useful NetAdmin LDAP queries

These examples require the LDAP client binaries on your local machine. For PPRD or DEV environments, respectively substitute hornet or owlfly for cricket below.

Look up your nuid using your uid (replace xxxxxxxx with your uid)

ldapsearch -H ldap://cricket.nis.vt.edu:11389 -LLL -x -b ou=Administrators,ou=NIS,o=vt -s one uid=xxxxxxxx nuid

Retrieve the RADIUS client secret for a given IP address (replace xxxxxxxx with your nuid and 0.0.0.0 with IP address)

ldapsearch -H ldap://cricket.nis.vt.edu:11389 -ZZ -x -D nuid=xxxxxxxx,ou=Administrators,ou=NIS,o=vt -W -b ou=clients,ou=FreeRADIUS,ou=Configuration,ou=NIS,o=vt radiusClientIpAddr=0.0.0.0 radiusClientSecret

Retrieve the RADIUS client secret for a given shortname (replace xxxxxxxx with your nuid and yyyyyyyy with shortname)

ldapsearch -H ldap://cricket.nis.vt.edu:11389 -ZZ -x -D nuid=xxxxxxxx,ou=Administrators,ou=NIS,o=vt -W -b ou=clients,ou=FreeRADIUS,ou=Configuration,ou=NIS,o=vt radiusClientShortname=yyyyyyyy radiusClientSecret

These examples are executed on the LDAP provider (cricket, hornet, or owlfly).

Retrieve a network administrator account and save to an LDIF file

source /apps/etc/openldap/profile
ldapsearch -e \!authzid=dn:cn=Manager,o=vt -x -ZZ -H ldap://:11389 -LLL -W -D nuid=your_nuid,ou=Administrators,ou=NIS,o=vt -b ou=Administrators,ou=NIS,o=vt uid=uid_of_network_admin > ~/filename.ldif

Update a network administrator account from an LDIF file

source /apps/etc/openldap/profile
ldapmodify -e \!authzid=dn:cn=Manager,o=vt -x -ZZ -H ldap://:11389 -W -D nuid=your_nuid,ou=Administrators,ou=NIS,o=vt -f ~/filename.ldif

Network administrators should consider defining aliases for themselves on cricket, hornet, and owlfly to simplify the command syntax in the above two examples.