27.12.13

JumpBox + AuthConfig : Setup LDAP for authentication in the cloud in 10 minutes


When I first tried to figure out a way to setup LDAP.... I found a bunch of REALLY complicated websites, like this one  which attempt to walk you through the manual process of editing a whole bunch of /etc/* files to properly enable LDAP.  JumpBox + authconfig-tui saved my life.  
Setting up gluster or hadoop clusters with a unified usernames, passwords, and groups is especially important when you want to preserve multitenancy and easily add new machines to your cluster, without having to manually or decentrally validate user names.

One way to do this is synchronize /etc/passwd and /etc/groups across a cluster.  But in most cases where you might need multitenancy, you probably won't have the authorization to go willy-nilly hacking into these files.... So you need something a little more enterprisey.

Thats where LDAP comes in. 

As annoying as LDAP can be to set up and configure - its definetly a standard.  Its modular, performant, and easy to layer security on top of, and *most importantly* its very well integrated with both windows and linux.

Here's a super easy recipe for cloud based LDAP authentication.


There are 3 components to this recipe: LDAP, JumpBox, and authconfig-tui.

LDAP solves this problem :
  • The "easy" thing that it does is provide a "database" which you can can add hierarchichal entries to.  When I first heard about this it didnt make sense... why do I need LDAP for a database?  Databases are easy to setup as is.  If I needed one, I would set one up myself.
  • But the "hard" problem LDAP solves is that its been vetted and integrated by the linux folks so there are lots of utilities out there which integrate it FOR you. 
  • It natively integrates with linux, that is, linux boxes can "turn on" LDAP authentication
  • It works securely - even through your VPN - because the LDAP service sits out in the cloud.  So you can use a cloud based authenticator even if your hardware is in house :).

JumpBox provides prebaked VMs and AMIs that you can instantly deploy.  Their AMI OpenLDAP service sets up an OpenLDAP server for you, so that all you have to do is setup your clients.

Finally, authconfig-tui is a nice little utility that comes in fedora/red hat distros which can configure a machine to look to an LDAP server for login/group information and credentials.

Setting up LDAP is hard... So luckily I found a really nice pre-baked AMI made by the folks at jump box.

Setup your JumpBox OpenLDAP AMI 

Setting up JumpBox takes seconds - you directly deploy it to EC2 via a web ui.

The FIRST time you go to it, you securely register the server and setup a password.  The service authenticates you cleverly by asking you for your AMI ID

After that, you can admin the box here:  https://ec2-11-222-333-444.compute-1.amazonaws.com:3000/account/login

And you simply log in to your LDAP server to add entries here: https://ec2-11-222-333-444/phpldapadmin/htdocs/index.php


Now, add some users to your new, cloud based LDAP server - and set your linux nodes up to use your LDAP server for authentication.

[below adopted from http://wiki.jumpbox.com/doc/app/sugarcrm5/faq/openldap_integration]

Its really easy to add user entries : Just log in as "cn=Admin,o=Directory" with the original password provided, 

On the server:
  • login: cn=Admin,o=Directory
  •  Browse fromo=Directory -> ou=users
  • And create a User Account
Setup your cluster nodes to authenticate using LDAP 

Server: ec2-11-222-333-444.compute-1.amazonaws.com
  • Port Number: 389
  • Base DN: ou=users,o=Directory 

Now, you can authenticate:
yum install sssd
yum install pam-ldap
[ disable TLS in /etc/sssd/sssd.conf ]
authconfig --useshadow --enablesssd --enablesssdauth --enablesssdauth --passalgo=sha512 --enableldap --ldapserver=ec2-11-222-333-444.compute-1.amazonaws.com --ldapbasedn='ou=users,o=Directory' --enablecachecreds --enablelocauthorize --update --enableldapauth
[  OK  ] sssd: [  OK  ]


Finally -> now you can login to your linux boxes  using LDAP credentials managed by JumpBox !

No comments:

Post a Comment