1
00:00:07,380 --> 00:00:09,780
- So now that we have set up the IPA server,

2
00:00:09,780 --> 00:00:11,550
which really is an LDAP server,

3
00:00:11,550 --> 00:00:13,747
we can talk about LDAP authentication.

4
00:00:13,747 --> 00:00:15,192
A little bit of background:

5
00:00:15,192 --> 00:00:17,820
authentication requests are handled

6
00:00:17,820 --> 00:00:20,910
by Pluggable Authentication Modules, or PAM.

7
00:00:20,910 --> 00:00:23,220
We've talked about PAM earlier in this course.

8
00:00:23,220 --> 00:00:28,220
For authentication, PAM uses pam_sss.so,

9
00:00:28,500 --> 00:00:31,500
which is the library that forwards authentication requests

10
00:00:31,500 --> 00:00:34,050
to the sssd service.

11
00:00:34,050 --> 00:00:36,810
And the sssd service finds its configuration

12
00:00:36,810 --> 00:00:39,810
in /etc/sssd/sssd.conf

13
00:00:39,810 --> 00:00:42,360
and the related drop-in configuration files

14
00:00:42,360 --> 00:00:44,670
that specify by which service authentication

15
00:00:44,670 --> 00:00:46,203
should be further handled.

16
00:00:47,460 --> 00:00:50,490
Now, apart from the sssd configuration,

17
00:00:50,490 --> 00:00:52,699
which is purely about authentication,

18
00:00:52,699 --> 00:00:55,320
there are also some OpenLDAP tools.

19
00:00:55,320 --> 00:00:57,720
These tools are generic, and these are tools

20
00:00:57,720 --> 00:01:00,930
like ldapsearch and ldapadd.

21
00:01:00,930 --> 00:01:03,417
And that is the direct, straight communication

22
00:01:03,417 --> 00:01:04,923
to the LDAP server.

23
00:01:05,760 --> 00:01:07,710
Now a command like ldapsearch

24
00:01:07,710 --> 00:01:10,500
works even without authentication.

25
00:01:10,500 --> 00:01:13,242
That is because users need to be able to request resources

26
00:01:13,242 --> 00:01:15,240
from the LDAP server.
27
00:01:15,240 --> 00:01:16,320
So if you want to test that,

28
00:01:16,320 --> 00:01:19,350
use ldapsearch -x -H,

29
00:01:19,350 --> 00:01:21,390
followed by the LDAP URL.

30
00:01:21,390 --> 00:01:22,980
That will be the name or IP address

31
00:01:22,980 --> 00:01:24,570
of your IPA server,

32
00:01:24,570 --> 00:01:28,660
followed by -b for the base context,

33
00:01:28,660 --> 00:01:31,530
dc=example,dc=local.

34
00:01:31,530 --> 00:01:35,340
That is the domain where the resources

35
00:01:35,340 --> 00:01:36,810
are going to be searched for.

36
00:01:36,810 --> 00:01:39,570
And -s sub objectclass=*

37
00:01:39,570 --> 00:01:42,930
is going to print all objects that are not protected

38
00:01:42,930 --> 00:01:44,970
with role-based access control.

39
00:01:44,970 --> 00:01:47,970
And normally that should print all the users on your system.

40
00:01:49,230 --> 00:01:52,594
Now as mentioned, FreeIPA, apart from the LDAP utilities,

41
00:01:52,594 --> 00:01:54,030
comes with the ipa tool,

42
00:01:54,030 --> 00:01:56,403
and that provides an easy-to-use interface.

43
00:01:58,216 --> 00:02:01,470
Now in the LDAP client's configuration, there are a couple

44
00:02:01,470 --> 00:02:03,570
of things that play a role.

45
00:02:03,570 --> 00:02:06,720
So after installing the FreeIPA server,

46
00:02:06,720 --> 00:02:09,750
an LDAP client has been configured as well on that server,

47
00:02:09,750 --> 00:02:11,730
and that is ready to use.

48
00:02:11,730 --> 00:02:14,160
And this LDAP client allows you to fetch information

49
00:02:14,160 --> 00:02:16,170
from the IPA server.

50
00:02:16,170 --> 00:02:19,230
And by default, the LDAP client is good for testing.

51
00:02:19,230 --> 00:02:22,533
For more secure usage, certificates should be configured.
52
00:02:23,680 --> 00:02:26,250
To get an idea of what's going on,

53
00:02:26,250 --> 00:02:27,720
check the client configuration

54
00:02:27,720 --> 00:02:30,507
in /etc/sssd/sssd.conf

55
00:02:31,830 --> 00:02:33,570
and notice that there is also

56
00:02:33,570 --> 00:02:37,500
/etc/openldap/ldap.conf, a file that is not used

57
00:02:37,500 --> 00:02:40,650
by sssd, but by plain LDAP utilities

58
00:02:40,650 --> 00:02:44,163
like ldapsearch to set default values.

59
00:02:45,450 --> 00:02:46,833
Let me demonstrate these.

60
00:02:51,600 --> 00:02:54,210
Okay, so from any server where you

61
00:02:54,210 --> 00:02:57,153
have the LDAP utilities, you can use ldapsearch

62
00:03:01,920 --> 00:03:03,783
with the appropriate parameters.

63
00:03:04,650 --> 00:03:05,483
And there we go.

64
00:03:05,483 --> 00:03:06,330
So what is this?

65
00:03:06,330 --> 00:03:09,150
Well, this is printing the LDAP information

66
00:03:09,150 --> 00:03:12,450
for the resources that were found.

67
00:03:12,450 --> 00:03:14,310
And as you can see, search result.

68
00:03:14,310 --> 00:03:15,442
search: 2.

69
00:03:15,442 --> 00:03:17,310
Why search: 2?

70
00:03:17,310 --> 00:03:20,550
Well, probably because we have two users, right?

71
00:03:20,550 --> 00:03:22,052
Here is ldapuser1,

72
00:03:22,052 --> 00:03:25,653
who is a member of a group, and here is ldapuser2.

73
00:03:26,820 --> 00:03:29,040
Now, this is not so very exciting;

74
00:03:29,040 --> 00:03:32,670
what is more exciting is the actual login procedure.

75
00:03:32,670 --> 00:03:36,720
Now, in order to do that, you need to set up an IPA client.
76
00:03:36,720 --> 00:03:38,190
Setting up an IPA client

77
00:03:38,190 --> 00:03:39,570
is a little bit beyond the scope

78
00:03:39,570 --> 00:03:41,280
of what we are doing here,

79
00:03:41,280 --> 00:03:43,130
because in order to do it right,

80
00:03:43,130 --> 00:03:45,660
you need to take care of secure LDAP,

81
00:03:45,660 --> 00:03:47,163
of TLS certificates,

82
00:03:48,090 --> 00:03:50,130
of Kerberos, and much more.

83
00:03:50,130 --> 00:03:52,080
And that is why I'm going to show you

84
00:03:52,080 --> 00:03:56,130
the IPA client configuration on the IPA server.

85
00:03:56,130 --> 00:03:59,700
Fortunately, the IPA server is also a client of itself.

86
00:03:59,700 --> 00:04:01,500
Here we can see what it's all about.

87
00:04:03,300 --> 00:04:06,900
So, we have the domain set to example.local,

88
00:04:06,900 --> 00:04:08,970
where id_provider is set to ipa,

89
00:04:08,970 --> 00:04:11,772
telling the client that it should use IPA,

90
00:04:11,772 --> 00:04:14,726
where we can find the name of the IPA server,

91
00:04:14,726 --> 00:04:18,210
and where we can also find the CA certificate.

92
00:04:18,210 --> 00:04:20,300
That's a certificate that's required to connect

93
00:04:20,300 --> 00:04:22,680
to this server.

94
00:04:22,680 --> 00:04:25,263
Now if you want to test if this is working,

95
00:04:26,340 --> 00:04:29,910
just use su - ldapuser1.

96
00:04:29,910 --> 00:04:30,743
And what do we see?

97
00:04:30,743 --> 00:04:32,400
We see "warning: cannot change directory

98
00:04:32,400 --> 00:04:34,131
to /home/ldapuser1."

99
00:04:34,131 --> 00:04:34,964
That's okay.

100
00:04:34,964 --> 00:04:38,280
The fact that I see ldapuser1 in my prompt right now

101
00:04:38,280 --> 00:04:42,210
means that I successfully authenticated through IPA.

102
00:04:42,210 --> 00:04:45,193
I do want to give you a little bit of insight

103
00:04:45,193 --> 00:04:48,990
about what is going on in the background.
104
00:04:48,990 --> 00:04:51,350
That's in /etc/pam.d,

105
00:04:51,350 --> 00:04:56,350
where we have this system-auth.

106
00:04:56,490 --> 00:04:58,260
And in this system-auth,

107
00:04:58,260 --> 00:05:00,240
the line that matters is this line:

108
00:05:00,240 --> 00:05:03,120
auth sufficient pam_unix.so.

109
00:05:03,120 --> 00:05:05,280
That means that it's first going to check

110
00:05:05,280 --> 00:05:07,380
if you have a local user account.

111
00:05:07,380 --> 00:05:10,474
If you can log in with the local user account, that's okay.

112
00:05:10,474 --> 00:05:12,180
If you can't,

113
00:05:12,180 --> 00:05:13,380
it will move forward

114
00:05:13,380 --> 00:05:17,220
and it'll check pam_sss.so.

115
00:05:17,220 --> 00:05:20,190
And that is a connection that is made to sssd,

116
00:05:20,190 --> 00:05:22,980
and this is what makes sure that LDAP

117
00:05:22,980 --> 00:05:25,713
authentication through sssd is working.