# HPE Data Fabric Config MCS & LDAP Server # Docker host ## Install Docker and LDAP Server ```shell= setenforce 0 sed -i --follow-symlinks 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux systemctl stop firewalld systemctl disable firewalld yum install -y yum-utils yum-config-manager \ --add-repo \ https://download.docker.com/linux/centos/docker-ce.repo yum install docker-ce docker-ce-cli containerd.io systemctl enable docker systemctl start docker docker run -d \ -p 389:389 -p 636:636 \ --env LDAP_ORGANISATION="HPE Taiwan LDAP" \ --env LDAP_DOMAIN="hpe-taiwan-cic.net" \ --env LDAP_ADMIN_PASSWORD="password" \ --env LDAP_CONFIG_PASSWORD="password" \ --env LDAP_READONLY_USER="true" \ --env LDAP_READONLY_USER_USERNAME="testuser" \ --env LDAP_READONLY_USER_PASSWORD="testuser" \ --name openldap-server \ osixia/openldap:1.4.0 docker run -d \ -p 443:443 \ --env PHPLDAPADMIN_LDAP_HOSTS=172.17.0.2 \ --name phpldapadmin \ osixia/phpldapadmin:0.7.1 ``` The first four commands put SELinux into permissive mode (disabled after the next reboot) and stop firewalld, so the published ports 389, 636 and 443 are reachable directly on the host; the `LDAP_*_PASSWORD` values and the `testuser` read-only account are lab placeholders. `PHPLDAPADMIN_LDAP_HOSTS=172.17.0.2` is presumably the bridge address Docker assigned to the `openldap-server` container; confirm it with `docker inspect openldap-server`, since it is not guaranteed to stay the same when the container is recreated. Admin bind DN and password, followed by example queries: > CN=admin,DC=hpe-taiwan-cic,DC=net > > password > > ldapsearch -xD cn=admin,dc=hpe-taiwan-cic,dc=net -w password -b dc=hpe-taiwan-cic,dc=net -H ldap://ldap.hpe-taiwan-cic.net ldapsearch -xD cn=admin,dc=hpe-taiwan-cic,dc=net -w password -b dc=hpe-taiwan-cic,dc=net -H ldap://ldap.hpe-taiwan-cic.net ldapsearch -o ldif-wrap=no -x -H 'ldap://20.6.0.4:389' -b 'dc=hpe-taiwan-cic,dc=net' -s sub 'cn=taiwan-group,dc=hpe-taiwan-cic,dc=net' # MapR Host ## Config MapR LDAP Install openldap-clients & pam_ldap ```shell= yum install -y openldap-clients pam_ldap ``` vim /etc/nsswitch.conf ```shell= # # /etc/nsswitch.conf # # An example Name Service Switch config file. This file should be # sorted with the most-used services at the beginning. # # The entry '[NOTFOUND=return]' means that the search for an # entry should stop if the search in the previous entry turned # up nothing. Note that if the search failed due to some other reason # (like no NIS server responding) then the search continues with the # next entry. 
# # Valid entries include: # # nisplus Use NIS+ (NIS version 3) # nis Use NIS (NIS version 2), also called YP # dns Use DNS (Domain Name Service) # files Use the local files # db Use the local database (.db) files # compat Use NIS on compat mode # hesiod Use Hesiod for user lookups # [NOTFOUND=return] Stop searching if not found so far # # To use db, put the "db" in front of "files" for entries you want to be # looked up first in the databases # # Example: #passwd: db files nisplus nis #shadow: db files nisplus nis #group: db files nisplus nis passwd: files sss ldap shadow: files sss ldap group: files sss ldap #initgroups: files sss #hosts: db files nisplus nis dns hosts: files dns myhostname # Example - obey only what nisplus tells us... #services: nisplus [NOTFOUND=return] files #networks: nisplus [NOTFOUND=return] files #protocols: nisplus [NOTFOUND=return] files #rpc: nisplus [NOTFOUND=return] files #ethers: nisplus [NOTFOUND=return] files #netmasks: nisplus [NOTFOUND=return] files bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks: files networks: files protocols: files rpc: files services: files sss netgroup: files sss ldap publickey: nisplus automount: files ldap aliases: files nisplus ``` ## Config PAM ### [PAM]password-auth vim /etc/pam.d/password-auth ```shell= #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. 
auth required pam_env.so auth required pam_faildelay.so delay=2000000 auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet auth [default=1 ignore=ignore success=ok] pam_localuser.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_ldap.so use_first_pass auth sufficient pam_sss.so forward_pass auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account [default=bad success=ok user_unknown=ignore] pam_ldap.so account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so sha256 shadow nullok try_first_pass use_authtok password sufficient pam_ldap.so use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session optional pam_oddjob_mkhomedir.so umask=0077 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session optional pam_ldap.so session required pam_unix.so session optional pam_sss.so ``` ### [PAM]system-auth vim /etc/pam.d/system-auth ```shell= #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. 
auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_ldap.so use_first_pass auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account [default=bad success=ok user_unknown=ignore] pam_ldap.so account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so sha256 shadow nullok try_first_pass use_authtok password sufficient pam_ldap.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session optional pam_mkhomedir.so umask=0077 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_ldap.so ``` ### [PAM]sudo vim /etc/pam.d/sudo — the `auth sufficient pam_ldap.so` line is the one added here, placed ahead of the existing `include` rules: ```shell= #%PAM-1.0 auth sufficient pam_ldap.so auth include system-auth account include system-auth password include system-auth session optional pam_keyinit.so revoke session required pam_limits.so ``` ### [PAM]sshd vim /etc/pam.d/sshd ```shell= #%PAM-1.0 auth required pam_access.so auth required pam_sepermit.so auth substack password-auth auth include postlogin # Used with polkit to reauthorize users in remote sessions -auth optional pam_reauthorize.so prepare account required pam_nologin.so account include password-auth password include password-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session required pam_loginuid.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open env_params session required pam_namespace.so session optional pam_keyinit.so force revoke session include password-auth session include postlogin # Used with polkit to 
reauthorize users in remote sessions -session optional pam_reauthorize.so prepare ``` ### [PAM]passwd vim /etc/pam.d/passwd ```shell= #%PAM-1.0 auth include system-auth account include system-auth password substack system-auth -password optional pam_gnome_keyring.so use_authtok password substack postlogin password sufficient pam_ldap.so ``` ### [PAM]mapr-admin vim /etc/pam.d/mapr-admin ```shell= account required pam_unix.so account sufficient pam_succeed_if.so uid < 1000 quiet account [default=bad success=ok user_unknown=ignore] pam_ldap.so account required pam_permit.so auth sufficient pam_unix.so nullok_secure auth requisite pam_succeed_if.so uid >= 1000 quiet auth sufficient pam_ldap.so use_first_pass auth required pam_deny.so password sufficient pam_unix.so md5 obscure min=4 max=8 nullok try_first_pass password sufficient pam_ldap.so password required pam_deny.so session required pam_limits.so session required pam_unix.so session optional pam_ldap.so ``` Note that the `password` stanza above hashes with `md5` and caps length at `max=8`, while system-auth and the `authconfig --passalgo=sha256` call below use sha256; the two presumably should agree. ## For LDAP Server Config ### [LDAP Server] ldap.conf vim /etc/openldap/ldap.conf ```shell= TLS_CACERTDIR /etc/openldap/cacerts # Turning this off breaks GSSAPI used with krb5 when rdns = false SASL_NOCANON on URI ldap://20.6.0.61/ BASE dc=skbank-demo,dc=com,dc=tw ``` ### [LDAP Server] Enable LDAP Config ```shell= authconfig \ --enableldap \ --enableldapauth \ --ldapserver='ldap://20.6.0.61/' \ --ldapbasedn='dc=skbank-demo,dc=com,dc=tw' \ --enablemkhomedir \ --enableshadow \ --enablelocauthorize \ --passalgo=sha256 \ --update ``` ### [LDAP Server] Edit nslcd.conf ```shell= vim /etc/nslcd.conf ==================================================== uri ldap://20.6.0.61/ base dc=skbank-demo,dc=com,dc=tw binddn cn=admin,dc=skbank-demo,dc=com,dc=tw bindpw password ==================================================== systemctl restart nslcd ``` `/etc/nslcd.conf` holds the bind password in clear text, so it should stay readable by root only; because the URI is plain `ldap://`, the simple bind also travels unencrypted unless TLS is enabled for it. ## For AD Server Config ### [Windows AD Server User設定] ``` 記得新增 sn uid uidNumber ``` ### [AD Server] ldap.conf vim /etc/openldap/ldap.conf ```shell= TLS_CACERTDIR 
/etc/openldap/cacerts #TLS_REQCERT allow # Turning this off breaks GSSAPI used with krb5 when rdns = false SASL_NOCANON on URI ldap://20.6.0.51/ BASE CN=Users,DC=SKBANK-DEMO,DC=COM,DC=TW ``` ### [AD Server] Enable LDAP Config ```shell= authconfig \ --enableldap \ --enableldapauth \ --ldapserver='ldap://20.6.0.51/' \ --ldapbasedn='CN=Users,DC=SKBANK-DEMO,DC=COM,DC=TW' \ --enablemkhomedir \ --enableshadow \ --enablelocauthorize \ --passalgo=sha256 \ --update ``` ### [AD Server] Edit nslcd.conf vim /etc/nslcd.conf ```shell= uri ldap://20.6.0.51/ base CN=Users,DC=SKBANK-DEMO,DC=COM,DC=TW binddn CN=Administrator,CN=Users,DC=SKBANK-DEMO,DC=COM,DC=TW bindpw admin!Q filter passwd (&(objectClass=user)(!(objectClass=computer))) map passwd uid sAMAccountName map passwd gecos displayName map passwd homeDirectory "/home/$sAMAccountName" map passwd loginShell "/bin/bash" filter shadow (&(objectClass=user)(!(objectClass=computer))) map shadow uid sAMAccountName map shadow shadowLastChange pwdLastSet filter group (objectClass=group) map group gidNumber gidNumber map group member sAMAccountName ``` This bind uses the domain `Administrator` account and stores its password in clear text in `/etc/nslcd.conf`; a dedicated read-only lookup account is the usual choice for the bind, and the file should stay readable by root only. ## Enable nslcd Service ```shell= systemctl restart nslcd # systemctl stop nslcd # nslcd -d (debug mode) ``` ## Edit mapr.login.conf ### mapr.login.conf vim /opt/mapr/conf/mapr.login.conf — only the `mapr-admin` service entry is active; the `sudo` and `sshd` entries are kept in the comment block for reference: ```shell= jpamLogin { /** * net.sf.jpam.jaas.JpamLoginModule Sufficient * serviceName="sudo" * debug=true; * net.sf.jpam.jaas.JpamLoginModule Sufficient * serviceName="sshd" * debug=true; */ net.sf.jpam.jaas.JpamLoginModule Sufficient serviceName="mapr-admin" debug=true; }; ``` ### properties.cfg vim /opt/mapr/apiserver/conf/properties.cfg ```shell= ojai.cache.size=64 mapr.webui.https.port=8443 doc.url=https://mapr.com/docs/ proxy.zkservices=elasticsearch,opentsdb activity.metrics.thread.pool.size=10 authentication.pam.service=mapr-admin ``` ### Restart apiserver service ```shell= maprcli node list maprcli node services -action restart -name apiserver -nodes 'df.hpe-taiwan-cic.net' ``` 
![](https://i.imgur.com/TZVFjFG.png) ![](https://i.imgur.com/iOqlyZI.png) ![](https://i.imgur.com/yjbMZka.png) ![](https://i.imgur.com/gPGRSeI.png) ![](https://i.imgur.com/WOuelv4.png) ![](https://i.imgur.com/17zETjt.png) ![](https://i.imgur.com/ErnOCnV.png) ``` https://docs.datafabric.hpe.com/62/SecurityGuide/PAM-Configuration.html ```