LDAP group-based access in Apache 2 … and some other stuff

Because I am currently managing both Housing and ResTek servers (separate entities, similar needs), I’ve been trying to find a few ways to share resources between them. My manager also requested that the staff over at Housing be able to access the ResTek wiki (and maybe vice versa).

Thanks to former administrator Gordon, Housing servers were switched from SLES to FreeBSD, which is what most of our ResTek servers are. The setups now are really similar, with one exception being the fact that ResTek uses LDAP (PAM+NSS) for authentication and other things. Housing is still using local accounts because there hasn’t been a need to move to LDAP.

The goal was to add accounts for Housing employees into our ResTek LDAP directory, and then eventually share things like our wiki, Nagios, etc.

To accomplish this, I simply created another group (posixGroup) in our directory: cn=webteam. All of our ResTek employees have a primary group of cn=restek. All Housing “web team” members would have a primary group of ‘webteam.’

This seems simple enough, but there is one wrinkle: special cases like myself that need to be in both groups (to access both resources). In other words, I needed a way to make myself a member of ‘webteam’ without it being my primary group. With posixGroup that is as simple as adding my short user name (the uid) to the group’s entry as a memberUid attribute; the primary group is still whatever gidNumber says on the user’s own entry. So we end up with something like the following (abbreviated):

Groups:
dn: cn=restek,ou=Group,dc=restek,dc=wwu,dc=edu
gidNumber: 5000
memberUid: jonny

dn: cn=webteam,ou=Group,dc=restek,dc=wwu,dc=edu
gidNumber: 4000
memberUid: kian

People:
dn: uid=kian,ou=People,dc=restek,dc=wwu,dc=edu
gidNumber: 5000

dn: uid=jonny,ou=People,dc=restek,dc=wwu,dc=edu
gidNumber: 4000

What does this result in? Kian’s primary group is ‘restek’ (gidNumber 5000 on his own entry), and the memberUid on cn=webteam makes him a supplementary member of ‘webteam’. Jonny’s primary group is ‘webteam’, but the memberUid on cn=restek makes him a member of ‘restek’ too.

Now, to allow Webteam Jonny into our Nagios page, the following can be added to Apache’s httpd.conf:

<Directory "/usr/local/www/nagios/">
    Options All

    Order allow,deny
    Allow from all

    Include etc/apache22/ldap-auth-base.conf
    require valid-user
</Directory>

One caveat on that block: Options All switches on every option for the directory (Indexes, Includes, ExecCGI, FollowSymLinks, and so on), which is more than a web application’s document tree should have. It is better to list only the options the application actually needs.

ldap-auth-base.conf:
# Don't want people to be allowed to authenticate insecurely: refuse the
# request unless it came in over HTTPS (Basic auth only base64-encodes the
# password, so over plain HTTP it is effectively sent in the clear)
SSLRequireSSL

AuthType Basic
AuthBasicProvider ldap
AuthName "ResTek Login"
# Look the login name up as uid under ou=People; the trailing TLS makes
# mod_authnz_ldap STARTTLS the connection so neither the bind password nor
# the user's password crosses the wire to the directory in the clear
AuthLDAPURL "ldap://ldap.restek.wwu.edu/ou=People,dc=restek,dc=wwu,dc=edu?uid??" TLS
AuthLDAPBindDN "cn=BINDUSER,dc=restek,dc=wwu,dc=edu"
AuthLDAPBindPassword SUPERSECRETPASSWORD
# group members are short names (uid), not full distinguished names
AuthLDAPGroupAttributeIsDN off
AuthLDAPGroupAttribute memberUid

Because the bind password sits in this file in plaintext, keep the file readable by root only (Apache reads its configuration before dropping privileges) and give the bind account nothing beyond read access to the People and Group subtrees.

In other words, any valid user will be allowed to log in. If we want to restrict it to members of the ‘restek’ group (primary OR secondary), we would do the following instead:

Include etc/apache22/ldap-auth-base.conf
# primary members: gidNumber lives on the user's own entry
require ldap-attribute gidNumber=5000
# secondary members: uid listed as memberUid on the group entry (full DN required)
require ldap-group cn=restek,ou=Group,dc=restek,dc=wwu,dc=edu

The ldap-attribute check is evaluated against the authenticated user’s own entry, so by itself it only admits people whose primary group is restek, and the ldap-group check only admits people listed as memberUid on the group. In Apache 2.2 several Require lines for the same location are alternatives, so satisfying either one lets the user in. Note that ldap-group must be given the group’s full distinguished name: a relative name such as cn=restek,ou=Group is not an entry the module can compare against, so the check fails and the user is denied.
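To make the primary/secondary membership above and the two Require lines concrete, here is an added Python example (not code from the original post, and not mod_authnz_ldap itself): it parses the entries shown on the page from constructed LDIF, works out each user’s effective groups, and models the Apache 2.2 Require checks, including the pitfall of turning AuthLDAPGroupAttributeIsDN on against a posixGroup. The user “hal” is an assumption added for a negative case (a Housing web-team member with no restek membership); everything else comes from the entries on the page.

```python
"""Model of posixGroup membership and the Apache 2.2 mod_authnz_ldap Require
checks.  Added example; not code from the original post.  The LDIF below is
constructed from the page's entries plus a hypothetical user "hal"."""
import re

RESTEK_GROUP = "cn=restek,ou=Group,dc=restek,dc=wwu,dc=edu"

# Constructed LDIF (simplified: no line folding, no base64 values).
LDIF = """\
dn: cn=restek,ou=Group,dc=restek,dc=wwu,dc=edu
objectClass: posixGroup
gidNumber: 5000
memberUid: jonny

dn: cn=webteam,ou=Group,dc=restek,dc=wwu,dc=edu
objectClass: posixGroup
gidNumber: 4000
memberUid: kian

dn: uid=kian,ou=People,dc=restek,dc=wwu,dc=edu
objectClass: posixAccount
uid: kian
gidNumber: 5000

dn: uid=jonny,ou=People,dc=restek,dc=wwu,dc=edu
objectClass: posixAccount
uid: jonny
gidNumber: 4000

dn: uid=hal,ou=People,dc=restek,dc=wwu,dc=edu
objectClass: posixAccount
uid: hal
gidNumber: 4000
"""


def parse_ldif(text):
    """Parse minimal LDIF into {dn: {attribute: [values]}}; attrs are multi-valued."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip(), []).append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries


def user_entry(entries, uid):
    """(dn, attrs) of the person with this uid; mirrors the ?uid?? search in AuthLDAPURL."""
    return next((dn, e) for dn, e in entries.items() if e.get("uid") == [uid])


def effective_groups(entries, uid):
    """Group DNs the user is in: primary via the user's gidNumber, supplementary
    via the user's uid appearing as memberUid on the group."""
    _, user = user_entry(entries, uid)
    groups = set()
    for dn, e in entries.items():
        if "posixGroup" not in e.get("objectClass", []):
            continue
        if e["gidNumber"] == user["gidNumber"] or uid in e.get("memberUid", []):
            groups.add(dn)
    return groups


def require_ldap_attribute(entries, uid, attribute, value):
    """'require ldap-attribute attr=value' checks the authenticated user's OWN entry,
    which is why gidNumber=5000 only ever matches primary restek members."""
    _, user = user_entry(entries, uid)
    return value in user.get(attribute, [])


def require_ldap_group(entries, uid, group_dn, group_attr="memberUid", attr_is_dn=False):
    """'require ldap-group <DN>': compare the user against the group's group_attr
    values.  AuthLDAPGroupAttributeIsDN off compares the username; on compares the
    user's full DN, which can never equal a posixGroup's short-name memberUid."""
    group = entries.get(group_dn)  # a relative DN names no entry, so it never matches
    if group is None:
        return False
    user_dn, _ = user_entry(entries, uid)
    needle = user_dn if attr_is_dn else uid
    return needle in group.get(group_attr, [])


def authorized(entries, uid, checks):
    """Apache 2.2: multiple Require lines for one location are alternatives."""
    return any(check(entries, uid) for check in checks)


# The two Require lines from the post, as predicates.
NAGIOS_CHECKS = [
    lambda e, u: require_ldap_attribute(e, u, "gidNumber", "5000"),
    lambda e, u: require_ldap_group(e, u, RESTEK_GROUP),
]


def can_access_nagios(uid):
    return authorized(parse_ldif(LDIF), uid, NAGIOS_CHECKS)


if __name__ == "__main__":
    entries = parse_ldif(LDIF)
    for uid in ("kian", "jonny", "hal"):
        print(uid, sorted(effective_groups(entries, uid)), "nagios:", can_access_nagios(uid))
    print("jonny, AuthLDAPGroupAttributeIsDN on:",
          require_ldap_group(entries, "jonny", RESTEK_GROUP, attr_is_dn=True))
```

Running it shows kian admitted by the attribute check, jonny by the group check, hal (primary group webteam, not listed on cn=restek) denied, and jonny denied again if the module were told to compare DNs instead of short names.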

In other news, we’ve moved our IDS/monitoring tools off of our firewalls and onto a separate OpenBSD server. All of our WAN traffic is mirrored from the router onto the second interface of that server, where the monitoring tools listen. It’s helping reduce the CPU load on our firewalls a bit, and it is also probably better practice security-wise: the packet-parsing monitoring tools, which are a sizeable attack surface of their own, no longer run on the box that enforces policy.
