Blocking or disabling autofs automounts with the -null map

Suppose you have a Linux network setup with automounter maps that come from the network (via NIS, sssd, LDAP etc.) and you want to stop some of them from acting on a particular system. In our case we have an automount map that acts on /opt and mounts various software packages from network shares. The problem with this is that you then can't install your own stuff locally to /opt, which is what a lot of Debian/Ubuntu packages expect to be able to do.

It turns out there is an option in the automounter for this sort of situation. There is a built-in map called -null that blocks any further automounts for a particular mount point. In our case we want to block auto.opt, so we add a line to /etc/auto.master above the +auto.master line at the bottom (that include line is what pulls in the network copy of the master map, and automount uses the first entry it finds for a mount point, so the -null entry has to come before it):

/opt  -null

Then restart the autofs service (systemctl restart autofs on systemd hosts), first unmounting anything already mounted under /opt, or reboot the system. You should find that you can put stuff in the local /opt.

To check that the map is blocked you can also run

automount --dumpmaps

(also handy for checking what is actually meant to be mapped where; /opt should now be listed with -null as its map).

Another way of doing this that leaves the system auto.master untouched is to create a file /etc/auto.master.d/opt.autofs (the first part of the name can be anything you want, but the .autofs suffix is required or automount will not read the file). Put the same contents in the file, e.g.

/opt  -null

Note that using this mechanism normally requires two files: one in /etc/auto.master.d/ and the map file it refers to. Here no map file is needed because -null is a built-in map.

Unfortunately this option is not well documented. Places where it is referred to are:

There are also other built-in maps, e.g. -passwd, -hosts and -fedfs. Of these only the -hosts map is documented in the auto.master(5) man page.

-null is confirmed to work in CentOS 7, CentOS 8, Ubuntu 20.04, Debian 10.

WordPress login time with the wpDirAuth plugin

The WordPress wpDirAuth plugin currently has a hard-coded session time of 1 hour for directory-authenticated (LDAP etc.) users. Hopefully at some point in the future this will become configurable. Discussion here.

On a related note, inserting

define( 'AUTOSAVE_INTERVAL', 60 ); // Seconds

in wp-config.php sets the autosave interval in seconds (WordPress's default is 60, so use a larger value to autosave less often).

Edit: Fixed in V1.9.3 thanks to patch submitted by Sean Leavey – time is now configurable.

LDAP on Debian setup notes

The LDAP server package is slapd. The LDAP command-line tools (ldapsearch, ldapadd, ldapmodify etc., from the ldap-utils package) get installed along with it.

The first database is set up automatically by the package's debconf prompts; the only thing asked for is the admin password. The base DN (suffix) is derived from the host's DNS domain name, so you get dc=physics,dc=gla,dc=ac,dc=uk if you are not careful, and with OpenLDAP there is no easy way to delete a database afterwards. Running dpkg-reconfigure slapd lets you choose the domain name explicitly and moves the initial database aside; querying the root DSE's namingContexts attribute with ldapsearch confirms which suffix you actually ended up with.

Browsers

Web-based

phpLDAPadmin works reasonably well as a server-based browser. Needs Apache. The creation template below (it goes in phpLDAPadmin's templates/creation/ directory) gives you users with the RDN set to uid rather than cn, and an email entry.

Note that for this to work you need an existing posixGroup and an existing posixAccount with gidNumber and uidNumber set: the GetNextNumber autonumber search starts from the highest existing uidNumber, and the gidNumber PickList only offers existing posixGroup entries, so with an empty tree neither produces anything. Alternatively the template could be modified to let you enter the numbers directly. Also note that the Encryption helper for userPassword is commented out, so the form supplies no %enc% value to PasswordEncrypt; before relying on this template, create a test user and check (bound as the admin DN, since the default ACLs hide userPassword) that the stored userPassword begins with a scheme tag such as {SSHA} rather than being cleartext.

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE template SYSTEM "template.dtd">
 
<template>
<askcontainer>1</askcontainer>
<description>New User Account</description>
<icon>ldap-user.png</icon>
<invalid>0</invalid>
<rdn>uid</rdn>
<!--<regexp>^ou=People,o=.*,</regexp>-->
<title>Custom: User Account with Email</title>
<visible>1</visible>
 
<objectClasses>
<objectClass id="inetOrgPerson"></objectClass>
<objectClass id="posixAccount"></objectClass>
</objectClasses>
 
<attributes>
<attribute id="givenName">
	<display>First name</display>
	<icon>ldap-uid.png</icon>
	<onchange>=autoFill(cn;%givenName% %sn%)</onchange>
	<onchange>=autoFill(uid;%givenName|0-1/l%%sn/l%)</onchange>
	<order>1</order>
	<page>1</page>
</attribute>
<attribute id="sn">
	<display>Last name</display>
	<onchange>=autoFill(cn;%givenName% %sn%)</onchange>
	<onchange>=autoFill(uid;%givenName|0-1/l%%sn/l%)</onchange>
	<!-- <onchange>=autoFill(homeDirectory;/home/users/%uid|0-1/l%/%uid%)</onchange> -->
	<order>2</order>
	<page>1</page>
</attribute>
<attribute id="cn">
	<display>Common Name</display>
	<order>3</order>
	<page>1</page>
</attribute>
<attribute id="uid">
	<display>User ID</display>
	<onchange>=autoFill(homeDirectory;/home/users/%uid%)</onchange>
	<order>4</order>
	<page>1</page>
	<spacer>1</spacer>
</attribute>
<attribute id="homeDirectory">
	<display>Home directory</display>
	<!-- <onchange>=autoFill(homeDirectory;/home/users/%gidNumber|0-0/T%/%uid|3-%)</onchange> -->
	<order>8</order>
	<page>1</page>
</attribute>
<attribute id="uidNumber">
	<display>UID Number</display>
	<icon>terminal.png</icon>
	<order>6</order>
	<page>1</page>
	<readonly>1</readonly>
	<value>=php.GetNextNumber(/;uidNumber)</value>
</attribute>
<attribute id="gidNumber">
	<display>GID Number</display>
	<!-- <onchange>=autoFill(homeDirectory;/home/users/%gidNumber|0-0/T%/%uid|3-%)</onchange> -->
	<order>7</order>
	<page>1</page>
	<value><![CDATA[=php.PickList(/;(&(objectClass=posixGroup));gidNumber;%cn%;;;;cn)]]></value>
</attribute>
<attribute id="loginShell">
	<display>Login shell</display>
	<order>9</order>
	<page>1</page>
	<!-- <value><![CDATA[=php.PickList(/;(&(objectClass=posixAccount));loginShell;%loginShell%;;;;loginShell)]]></value> -->
	<type>select</type>
	<value id="/bin/sh">/bin/sh</value>
	<value id="/bin/csh">/bin/csh</value>
	<value id="/bin/tcsh">/bin/tcsh</value> <!-- was /bin/tsh, which is not a shell on Debian -->
</attribute>
<attribute id="userPassword">
	<display>Password</display>
	<!-- <helper>
		<display>Encryption</display>
		<id>enc</id>
		<value>=php.PasswordEncryptionTypes()</value>
	</helper> -->
	<icon>lock.png</icon>
	<order>5</order>
	<page>1</page>
	<post>=php.PasswordEncrypt(%enc%;%userPassword%)</post>
	<spacer>1</spacer>
	<verify>1</verify>
</attribute>
<attribute id="mail">
	<display>Email</display>
	<order>10</order>
	<page>1</page>
</attribute>
</attributes>
 
</template>
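The template above relies on existing uidNumber/gidNumber values and on userPassword being stored hashed, neither of which phpLDAPadmin verifies for you. The script below is an added example (not from the original post or from phpLDAPadmin): it parses an LDIF dump of the kind slapcat or ldapsearch produce and audits the posixAccount entries for duplicate uidNumbers, gidNumbers that match no posixGroup, missing MUST attributes and cleartext userPassword values. The LDIF is constructed inline; the base DN dc=example,dc=org and the {SSHA} tag (a dummy, not a real digest) are assumptions.

```python
import base64
import re

# Constructed LDIF in the shape slapcat/ldapsearch produce for accounts created with the
# template above. dc=example,dc=org is an assumed base DN and the {SSHA} value is a dummy
# tag, not a real digest. The "cn: Bob" line is folded to exercise LDIF unfolding.
_HASHED = base64.b64encode(b"{SSHA}not-a-real-digest").decode()
SAMPLE_LDIF = f"""\
dn: cn=users,ou=Group,dc=example,dc=org
objectClass: posixGroup
cn: users
gidNumber: 100

dn: uid=jsmith,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jsmith
cn: John Smith
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/users/jsmith
userPassword:: {_HASHED}

dn: uid=adoe,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
uid: adoe
cn: Alice Doe
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/users/adoe
userPassword: hunter2

dn: uid=bbloggs,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
uid: bbloggs
cn: Bob
  Bloggs
uidNumber: 1002
gidNumber: 101
userPassword:: {_HASHED}
"""

# OpenLDAP stores hashed passwords with a leading scheme tag; anything else is cleartext.
HASH_SCHEME = re.compile(r"^\{(SSHA|SHA|SMD5|MD5|CRYPT|SSHA512|ARGON2|PBKDF2[-\w]*)\}", re.I)
REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory")  # MUST attributes of posixAccount


def parse_ldif(text):
    """Parse LDIF into a list of {attribute (lowercased): [values]} dicts.

    Handles folded continuation lines (leading space) and base64 values ("attr:: ...").
    """
    entries = []
    unfolded = re.sub(r"\n ", "", text)                 # join continuation lines
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):                   # "attr:: base64value"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            else:
                value = value.strip()
            entry.setdefault(attr.strip().lower(), []).append(value)
        if entry:
            entries.append(entry)
    return entries


def audit_accounts(entries):
    """Return (dn, problem) pairs for every posixAccount entry: missing MUST attributes,
    uidNumbers already used by an earlier entry, gidNumbers matching no posixGroup, and
    userPassword values not stored under a hash scheme."""
    def classes(entry):
        return {c.lower() for c in entry.get("objectclass", [])}

    group_gids = {g for e in entries if "posixgroup" in classes(e) for g in e.get("gidnumber", [])}
    problems, owner_of_uid = [], {}
    for entry in entries:
        if "posixaccount" not in classes(entry):
            continue
        dn = entry["dn"][0]
        for attr in REQUIRED:
            if attr.lower() not in entry:
                problems.append((dn, f"missing {attr}"))
        for number in entry.get("uidnumber", []):
            if number in owner_of_uid:
                problems.append((dn, f"uidNumber {number} already used by {owner_of_uid[number]}"))
            else:
                owner_of_uid[number] = dn
        for gid in entry.get("gidnumber", []):
            if gid not in group_gids:
                problems.append((dn, f"gidNumber {gid} matches no posixGroup"))
        for password in entry.get("userpassword", []):
            if not HASH_SCHEME.match(password):
                problems.append((dn, "userPassword is not stored under a hash scheme"))
    return problems


if __name__ == "__main__":
    for dn, problem in audit_accounts(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}: {problem}")
```

Run it against a real dump with `slapcat` on the server (userPassword is only visible that way or when bound as the admin DN); the cleartext check is the one to look at first after creating a test user with the template.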

Windows

There are a few browsers that work with Windows. JXplorer is cross-platform; couldn't get it to work on Win7 x64 with Java 7. Trying out LDAP Admin, which looks quite nice.

Firewall Setup

Using the usual setup, following the guide at http://www.medorion.net/p/19.xhtml: edit the /etc/network/interfaces file to include the command pre-up iptables-restore < /etc/iptables.conf just after the loopback stanza. It goes under lo rather than eth0 because ifupdown brings interfaces up in file order and runs pre-up commands before the interface comes up, so the rules are in place before any real interface is reachable. The file looks something like

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback
pre-up iptables-restore < /etc/iptables.conf

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
...

The rule set in /etc/iptables.conf then looks like this:

*filter
# These rules apply to IPv4 only; ip6tables keeps its own (default-open) rule set,
# so load equivalent rules with ip6tables-restore or disable IPv6 on the host.
 
# Create filter chain for Physics subnets only
-N PHYSICSONLY
-A PHYSICSONLY -s 130.209.45.0/24 -j ACCEPT
-A PHYSICSONLY -s 130.209.202.0/24 -j ACCEPT
-A PHYSICSONLY -s 130.209.204.0/24 -j ACCEPT
-A PHYSICSONLY -s 172.20.45.0/24 -j ACCEPT
-A PHYSICSONLY -s 172.20.202.0/24 -j ACCEPT
-A PHYSICSONLY -s 172.20.204.0/24 -j ACCEPT
 
# This will allow all loopback (lo) traffic and drop all traffic to 127/8
# that does not arrive on lo
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
 
#  This accepts all already established connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# This allows all outbound traffic
-A OUTPUT -j ACCEPT
 
# Allow SSH and pings from Physics subnets only
-A INPUT -p tcp -m state --state NEW --dport 22 -j PHYSICSONLY
-A INPUT -p icmp -m icmp --icmp-type echo-request -j PHYSICSONLY
 
# Allow HTTPS from Physics subnets only (the two commented rules would open
# HTTP(S) to anywhere instead; they are left disabled)
-A INPUT -p tcp -m state --state NEW --dport 443 -j PHYSICSONLY
#-A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT
#-A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
 
# Allow LDAP(S) queries from Physics only
-A INPUT -p tcp -m state --state NEW --dport 389 -j PHYSICSONLY
-A INPUT -p tcp -m state --state NEW --dport 636 -j PHYSICSONLY
 
# Reject all other inbound traffic. No :INPUT/:FORWARD policy lines are set,
# so the built-in chains keep the kernel default policy (ACCEPT) and this
# catch-all is the only thing closing the host; adding :INPUT DROP [0:0] and
# :FORWARD DROP [0:0] right after *filter makes the table fail closed if a
# later edit ever drops these lines.
-A INPUT -j REJECT
-A FORWARD -j REJECT
 
COMMIT
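Before loading a rule file on a live host it helps to know what it will do to a given packet. The script below is an added example (not from the original post, the linked guide or iptables itself): a small evaluator for the subset of iptables-restore syntax used above (-i with "!" negation, -s, -d, -p, --dport, --state, --icmp-type, user-chain jumps and :CHAIN policy lines), which walks the chains the way netfilter does and returns the verdict. The rule text is a constructed copy of the file above with comments dropped; the host address 192.0.2.10 and the interface name eth0 in the sample packets are assumptions.

```python
import ipaddress
import shlex

# Constructed copy of the filter rules from the /etc/iptables.conf above (comments dropped).
RULES = """\
*filter
-N PHYSICSONLY
-A PHYSICSONLY -s 130.209.45.0/24 -j ACCEPT
-A PHYSICSONLY -s 130.209.202.0/24 -j ACCEPT
-A PHYSICSONLY -s 130.209.204.0/24 -j ACCEPT
-A PHYSICSONLY -s 172.20.45.0/24 -j ACCEPT
-A PHYSICSONLY -s 172.20.202.0/24 -j ACCEPT
-A PHYSICSONLY -s 172.20.204.0/24 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j PHYSICSONLY
-A INPUT -p icmp -m icmp --icmp-type echo-request -j PHYSICSONLY
-A INPUT -p tcp -m state --state NEW --dport 443 -j PHYSICSONLY
-A INPUT -p tcp -m state --state NEW --dport 389 -j PHYSICSONLY
-A INPUT -p tcp -m state --state NEW --dport 636 -j PHYSICSONLY
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
"""

BUILTIN = ("INPUT", "OUTPUT", "FORWARD")
TERMINATING = ("ACCEPT", "REJECT", "DROP")
# The only match options understood: the ones the rule file uses. Anything else raises.
NAMES = {"-i": "iif", "-s": "src", "-d": "dst", "-p": "proto",
         "--dport": "dport", "--state": "state", "--icmp-type": "icmp_type"}


def parse_rules(text):
    """Parse iptables-restore text into ({chain: [rule, ...]}, {chain: policy}).
    A rule is a dict of match name -> (value, negated) plus 'target'."""
    chains = {name: [] for name in BUILTIN}
    policies = {name: "ACCEPT" for name in BUILTIN}  # kernel default with no ':CHAIN POLICY' line
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):                     # e.g. ':INPUT DROP [0:0]'
            name, policy = line[1:].split()[:2]
            chains.setdefault(name, [])
            if policy != "-":
                policies[name] = policy
            continue
        argv = shlex.split(line)
        if argv[0] == "-N":
            chains.setdefault(argv[1], [])
            continue
        if argv[0] != "-A":
            raise ValueError(f"unsupported directive: {line}")
        rule, i = {}, 2
        while i < len(argv):
            negated = argv[i] == "!"
            if negated:
                i += 1
            opt, arg = argv[i], argv[i + 1]
            i += 2
            if opt == "-m":                          # match-extension loader; its options follow
                continue
            if opt == "-j":
                rule["target"] = arg
                continue
            if opt not in NAMES:
                raise ValueError(f"unsupported option {opt} in: {line}")
            if opt in ("-s", "-d"):
                value = ipaddress.ip_network(arg)
            elif opt == "--dport":
                value = int(arg)
            elif opt == "--state":
                value = set(arg.split(","))
            else:
                value = arg
            rule[NAMES[opt]] = (value, negated)
        chains.setdefault(argv[1], []).append(rule)
    return chains, policies


def _matches(rule, pkt):
    """True if every match in the rule holds for the packet, honouring '!' negation."""
    for name, (value, negated) in ((k, v) for k, v in rule.items() if k != "target"):
        if name in ("src", "dst"):
            hit = ipaddress.ip_address(pkt[name]) in value
        elif name == "state":
            hit = pkt["state"] in value
        else:
            hit = pkt.get(name) == value
        if hit == negated:
            return False
    return True


def verdict(chains, policies, chain, pkt):
    """Walk a chain in order; the first terminating target wins. A user chain with no hit
    returns None (RETURN to the caller); a built-in chain falls back to its policy."""
    for rule in chains[chain]:
        if _matches(rule, pkt):
            if rule["target"] in TERMINATING:
                return rule["target"]
            result = verdict(chains, policies, rule["target"], pkt)
            if result is not None:
                return result
    return policies[chain] if chain in BUILTIN else None


def inbound(rules_text, src, proto="tcp", dport=None, iif="eth0", state="NEW",
            icmp_type=None, dst="192.0.2.10"):
    """Verdict for one packet arriving on INPUT (dst defaults to a placeholder host address)."""
    pkt = {"iif": iif, "src": src, "dst": dst, "proto": proto, "dport": dport,
           "state": state, "icmp_type": icmp_type}
    chains, policies = parse_rules(rules_text)
    return verdict(chains, policies, "INPUT", pkt)
```

Two things the evaluator makes visible: port 80 from a Physics subnet is rejected because only the Physics-restricted 443 rule is live, and if the final "-A INPUT -j REJECT" line is removed the verdict for outside traffic flips to ACCEPT, since the file never sets a chain policy; prefixing ":INPUT DROP [0:0]" turns that fallback into DROP. It models IPv4 only, which matches what the file covers.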