{"id":1712,"date":"2023-01-22T23:11:25","date_gmt":"2023-01-23T07:11:25","guid":{"rendered":"https:\/\/surfrock66.com\/?p=1712"},"modified":"2023-02-25T08:48:44","modified_gmt":"2023-02-25T16:48:44","slug":"openldap-kerberos-and-sasl-my-experience-in-the-homelab","status":"publish","type":"post","link":"https:\/\/surfrock66.com\/?p=1712","title":{"rendered":"OpenLDAP, Kerberos and SASL – My Experience In The Homelab"},"content":{"rendered":"

I previously posted my experiences setting up OpenLDAP on Ubuntu Server<\/a>, using my own custom schema. This whole ordeal is for a couple of reasons...I wanted to learn about openLDAP and how schema works, and I wanted to eventually create something akin to "Active Directory" from my home that wasn't just "use Samba" or "use FreeIPA." I don't have anything against Samba, but it feels like using Samba is trying to acheive Microsoft functionality with Microsoft compatibility, and I don't need Microsoft compatibility, so I wanted to do it without. I have no Microsoft devices in my ecosystem and have no plans to add any. I don't have anything against FreeIPA either, but their docs target rpm distros and I tend to live in deb land, and I found the initial install frustrating unless I switched platforms...it felt like lock-in. There are other solutions and this is a problem that has been solved other ways but with shortcomings, but I wanted to really do something "from scratch" so I share this not as a recommendation, but as a start-to-finish resource with some nuggets of wisdom that may help someone else whose journey brushes up against parts of mine.<\/p>\n

When I started, I was just authenticating web services like nextcloud, jellyfin, SAML, etc. Tying those into openLDAP was very easy and has worked very well for a long time. Now though, I want to use Kerberos for Linux PAM authentication as I am about to spin up a bunch of small servers (I got a new hypervisor and am redoing a lot of infrastructure, I don't want different credential stores all over the place). Because of this, I'm bolting on MIT Kerberos as my network authentication provider; that being said, getting OpenLDAP and Kerberos to work together and only use 1 password was not intuitive. Kerberos will use LDAP as it's database, and authentication will happen through SASL. Ultimately, requests will go to openLDAP, then depending on the account, the password will either be validated in OpenLDAP for web users, or it will defer to SASL for users doing both web\/PAM stuff, which will then authenticate against the Kerberos passoword it stores in LDAP. Circular much?<\/p>\n

Here is the vision, to help you see what I'm working towards. Ultimately I have about 20 users, all of which might access web services like nextcloud, but 4 core users which will actually log into computers. One of those 4 (me) has sudo rights on any computer. All 20 users should be able to log into nextcloud, jellyfin, etc without issue, and for now I'm managing password resets if they come to my house (I had previously used phpldapadmin for password resets, but that was struggling on php7+ when I last tried). For the internal users, they will be able to sit at ANY computer and log in using their same username and password. If an web only user tries to sit and log into a computer, the'll get username not found. If any of the 3 non-sudo users tries sudo, they'll get an unauthorized error. If my account tries sudo, I can become root. I can handle password resets for the internal users via kpasswd or kadmin.local.<\/p>\n

<\/p>\n

I don't know if this is a great solution, however it has been a great learning experience and it is working. The one piece that is not clean is resetting passwords. Because some passwords are stored in LDAP and some are stored in kerberos, I have to know where to change\/update\/reset them. Most accounts I use Apache Directory Studio as an analogue to ADUC, but for my nice shiny Kerberos accounts, I have to use kpasswd on the command line. This is not a great operational procedure; if there was a decent GUI\/webapp I could see making all accounts kerberos accounts. I think this is solvable, but I'm stopping here because I want to move on to other priorities, and I have a workable solution.<\/p>\n

I'm including all my various final config files below so that the final working state can be documented for anyone else attempting to implement a solution like this. When I was done, I burned the host to the ground and rebuilt it from this documentation to make sure it was correct. Domain, subdomain, and host names are changed of course and passwords are redacted. I used my name "surfrock66" as the prototype account, but you could replace with yours. Honestly, if you did a find-replace of "subdomain", then "domain", then "ldapserverhostname", then "surfrock66", most of this would be copy\/paste. I don't recommend that; this isn't meant to be a drop in, this is a learning journey that someone could follow to learn and recreate.<\/p>\n

Some accounts are created with the ldif files below, and in my personal case I've got the hashed passwords already in the files. If you're copying this, you should generate all the passwords offline, run the ldif commands to create the account, then use Apache Directory Studio (connecting as admin) to actually change password as needed. You should pregenerate the following passwords:<\/p>\n