This article describes how to set up your NAS so that client machines on your local network authenticate against domain users in the QNAP LDAP database, using sssd on the client machines, so that:
- Users can authenticate against domain users on the NAS
- Users can change their own passwords
- Users cannot log in to any account you have set to expired on the NAS
Whilst doing this myself I came across numerous difficulties, so I'm posting this so that others won't have to wade through sssd source code or follow developer threads, as I had to do.
In this article I am specifically talking about the QNAP-supplied LDAP database which is part of the firmware; if you are using an LDAP database you installed yourself then this article may help, but it may not be totally suitable to your needs. The QNAP-supplied LDAP presents some challenges that are described in this article and, as you will see, they are easily overcome.
I'm going to assume some knowledge of the way LDAP works; I don't intend to make this a tutorial on LDAP.
Something to note is the version of sssd your distribution installs: if it's 1.9.0 or above then you're good to go; if it's 1.8.x or below then the best you're going to get is basic authentication, you won't be able to expire an account, and your users will not be able to change their own passwords.
Why do this
I guess there are two questions:
Why set up your users in an LDAP database?
My answer to this is: because I'm lazy. I have six people in my house and there are four computers (not counting the NAS). That's a total of twenty-four local user accounts for me to administer. I'd like to centralise all user accounts. There's also another reason: my NAS serves files via NFS, so all my users' accounts need to have their details (user ids, group ids) synchronised, and that comes automatically with the LDAP approach.
Why use sssd on the clients?
sssd provides an interface to the LDAP server, but the main function it serves on my network is caching of user credentials, so that if a laptop is taken to another location or my NAS is down then users can still log on to their PCs. You can do this with nscd and pam_ccreds but I found this solution unsatisfactory, as login times grew to a point where people complained (to me, dammit) and you are forced to flush the cache periodically.
The Process
Step 1
Get some domain users onto the NAS. This simply means enabling the LDAP database, setting it up with a domain and adding some users. All this can be done with the QNAP web interface. Do it now; don't worry, I'll wait. Just don't use any user names that are the same as on your client machines.
You will need to configure the LDAP server with a domain name. In this article I will assume your domain name is "example.com", so the LDAP server will be configured as "dc=example,dc=com".
You will also have to set a root DN on the server with a password; the root DN is already defined as "cn=admin,dc=example,dc=com" but you will need to give it a password.
Once you get things working you can delete the local users on the client machines and re-create them on the NAS, but let's get things working first. Older versions of the QNAP firmware didn't quite create the domain users properly; they missed setting the attribute "homeDirectory", but don't worry, we'll check this later and fix it if need be. Any firmware from 3.8 onwards and you should be okay.
Step 2
We need to set up your local machines to talk to the LDAP server. How you do this will depend on your distribution, but please note that you will need the LDAP utilities; on Debian you will need to install ldap-utils, which should pull in libldap. Other distributions will be similar.
Now that we've got the LDAP utilities on our local machine we need to see if the PC can talk "LDAP" with the NAS, so let's configure it. When sssd performs its duties it demands an encrypted link between the PC and the NAS, so we're going to get the public certificate off the NAS.
Use ssh to log on to the NAS and look at this file: /etc/openldap/slapd.conf. You will find a line that starts with "TLSCertificateFile". Find the file referenced on this line (in my case it is /etc/config/stunnel/backup.cert) and copy it to the PC; put it somewhere permanent, maybe under /etc/ssl. It's probably a good idea to change the name of the file to something meaningful; in this article I'll assume /etc/ssl/mynas.cert.
Edit the file /etc/ldap/ldap.conf and change it so it looks like this:
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=example,dc=com
URI ldap://<FQDN of NAS> ldaps://<FQDN of NAS>
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/mynas.cert
TLS_REQCERT never
OK, now your PC should be able to query the LDAP server on the NAS; try this:
ldapsearch -x
That was a clear-text query; let's try one that requires TLS (as sssd will).
ldapsearch -ZZ -D "cn=admin,dc=example,dc=com" -W
Step 3
Now that the PC and the NAS are talking "LDAP" we can check if the NAS set up the users properly. From the list generated at the end of step 2, have a look at the attributes of one of the users you created; it should have a "homeDirectory" attribute. If it has, you can skip the rest of this step. If not, do the following:
Create a file, let's call it "addhome", and make it look like this:
dn: cn=<user>,dc=example,dc=com
changetype: modify
add: homeDirectory
homeDirectory: /home/<user>
Now run this command:
ldapmodify -ZZ -D "cn=admin,dc=example,dc=com" -W -f addhome
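As an added example (not code from the original post or from QNAP), the following shell script does the check and the fix for every user at once rather than one hand-written "addhome" file per user: it reads the LDIF that ldapsearch prints, finds every posixAccount entry with no homeDirectory, and writes an ldapmodify file that adds /home/<uid> for each of them. The DN is taken from the LDIF itself, so it works whatever shape your user DNs have. The sample LDIF inside the script is constructed for illustration and is not real NAS output; base64-encoded ("dn::") lines are not handled.

```shell
#!/bin/sh
# Added example: generate an ldapmodify LDIF that adds a missing
# homeDirectory to every posixAccount, instead of writing one "addhome"
# file per user by hand. Reads LDIF on stdin, writes the modify LDIF on
# stdout. Not part of the original post or of QNAP's firmware.

gen_addhome() {
    awk '
    # Emit a modify record for the entry just read, if it needs one.
    function flush() {
        if (dn != "" && isposix && !hashome && uid != "") {
            print "dn: " dn
            print "changetype: modify"
            print "add: homeDirectory"
            print "homeDirectory: /home/" uid
            print ""
        }
        dn = ""; uid = ""; isposix = 0; hashome = 0
    }
    # Attribute names are case-insensitive in LDIF, so match lower-cased.
    tolower($0) ~ /^dn: /                       { flush(); dn = substr($0, 5); next }
    tolower($0) ~ /^objectclass: posixaccount$/ { isposix = 1; next }
    tolower($0) ~ /^uid: /                      { uid = substr($0, 6); next }
    tolower($0) ~ /^homedirectory: /            { hashome = 1; next }
    /^$/                                        { flush(); next }
    END                                         { flush() }
    '
}

# Constructed sample of what "ldapsearch -x -LLL -o ldif-wrap=no" might
# return: alice is complete, bob lacks homeDirectory, the group is ignored.
SAMPLE_LDIF='dn: cn=alice,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 1001
homeDirectory: /home/alice

dn: cn=bob,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 1002

dn: cn=Domain Users,ou=groups,dc=example,dc=com
objectClass: posixGroup
gidNumber: 513
'

# Demo on the constructed sample. Against the NAS you would run e.g.
#   ldapsearch -x -LLL -o ldif-wrap=no "(objectClass=posixAccount)" \
#       | gen_addhome > addhome
#   ldapmodify -ZZ -D "cn=admin,dc=example,dc=com" -W -f addhome
# (-o ldif-wrap=no stops ldapsearch folding long lines, which the
# line-by-line parser above does not unfold).
printf '%s' "$SAMPLE_LDIF" | gen_addhome
```

Review the generated file before feeding it to ldapmodify; the only entry it should touch is a user entry that really has no home directory set.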
Step 4
We are now ready to install sssd onto your PCs, but before we do, please take note:
WARNING
Having a badly configured sssd can seriously ruin your day
You need to have a recovery strategy if sssd does not work for any reason, as you can find yourself unable to log in as any user, including root. Personally I have a copy of System Rescue on both CD and flash drive, and yes, I have needed to use them.
Now install the following packages onto your PC:
- sssd
- sssd-tools
- libnss-sss
- libpam-sss
sssd runs as a daemon at start-up and is configured by editing /etc/sssd/sssd.conf. This file does not exist when sssd is first installed, so we'll create it now. In addition, sssd is fussy about who can access this file, so we'll change this as well. This won't be the last time you'll notice the sssd developers trying to hold our hands and insist we use their policy instead of ours.
Run the following as root:
touch /etc/sssd/sssd.conf
chmod 600 /etc/sssd/sssd.conf
Edit sssd.conf so it looks like this:
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://<fqdn>
ldap_user_search_base = ou=people,dc=example,dc=com
enumerate = true
cache_credentials = true
tls_reqcert = never
ldap_tls_cacert = /etc/ssl/mynas.cert
You will now need to run the sssd daemon; if it starts successfully then try to log in as one of the domain users you set up in step 1. If everything is well you'll be able to log in as a domain user, and that user should be able to change their password using the passwd utility.
Step 5
If you're not interested in expiring any accounts then you can finish now. If you do want the ability to use the QNAP web interface to set accounts as expired, and have your PCs honour that setting, then you need to add a few more lines to sssd.conf.
All the lines we're going to add will have to be inserted after the line that says "[domain/LDAP]".
First of all we're going to tell sssd that we want it to take note of the shadow attributes for each user. You may be tempted to try "ldap_pwd_policy = shadow", but do not do this. If you do then you'll find that your users will be unable to change their own passwords. This behaviour is by DESIGN; the sssd developers have decided that shadow policies should be enforced at the server. OpenLDAP does this with the ppolicy module, but QNAP have not included it. Instead we add the following lines:
access_provider = ldap
ldap_account_expire_policy = shadow
ldap_access_order = expire
ldap_chpass_update_last_change = true
Code: Select all
access to attrs=shadowLastChange,sambaPwdLastSet
by self write
by users read
To get around this we need to tell sssd to bind as the root LDAP user, as this user bypasses all access controls. To do this, add the following lines to sssd.conf:
ldap_default_bind_dn = cn=admin,dc=example,dc=com
ldap_default_authtok = <password>
Restart sssd and that's it! You should now have a PC on which:
- Users authenticate against domain users on the NAS
- Users can change their own passwords
- Users cannot log in to any account you have set to expired on the NAS
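Because a badly configured sssd can lock you out (step 4), and because after step 5 sssd.conf holds the LDAP admin password in clear text, it is worth checking the file before restarting the daemon. The script below is an added example, not part of sssd or of the original post: it verifies that the file is mode 0600 (sssd refuses to start otherwise, and it is the only thing protecting that password), that the step 5 settings are present with the expected values, that the site-specific keys are set, and that the "ldap_pwd_policy = shadow" setting the post warns against is absent. The sample sssd.conf it writes is constructed from the article's settings with placeholder host name and password.

```shell
#!/bin/sh
# Added example: sanity-check an sssd.conf against the settings this
# article depends on, before restarting sssd and risking a lock-out.
# Hypothetical helper, not part of sssd or of the original post.
# Usage: check_sssd_conf /etc/sssd/sssd.conf ; exit 0 = all checks pass.

# Print the trimmed value of KEY ($2) from FILE ($1); first match wins,
# comments and whitespace are ignored; prints nothing if the key is absent.
get_key() {
    awk -v k="$2" '
        /^[ \t]*[#;]/ { next }
        index($0, "=") {
            key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]+/, "", key)
            if (key == k) {
                val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

check_sssd_conf() {
    conf=$1
    rc=0

    # sssd refuses to start unless the file is mode 0600 (step 4), and the
    # file holds the LDAP admin password (step 5), so this matters twice.
    if [ "$(stat -c '%a' "$conf")" != "600" ]; then
        echo "FAIL: $conf must be mode 0600 (sssd will not start, and it holds a password)"
        rc=1
    fi

    # Settings from step 5 that make expiry work while still allowing
    # users to change their own passwords.
    for pair in access_provider=ldap \
                ldap_account_expire_policy=shadow \
                ldap_access_order=expire \
                ldap_chpass_update_last_change=true; do
        k=${pair%%=*}; want=${pair#*=}
        got=$(get_key "$conf" "$k")
        if [ "$got" != "$want" ]; then
            echo "FAIL: expected '$k = $want', found '${got:-<unset>}'"
            rc=1
        fi
    done

    # Keys that must be present but whose values are site-specific.
    for k in ldap_uri ldap_tls_cacert ldap_default_bind_dn ldap_default_authtok; do
        if [ -z "$(get_key "$conf" "$k")" ]; then
            echo "FAIL: $k is not set"
            rc=1
        fi
    done

    # Step 5 explicitly warns against this setting: with it, users can no
    # longer change their own passwords through sssd.
    if [ "$(get_key "$conf" ldap_pwd_policy)" = "shadow" ]; then
        echo "FAIL: ldap_pwd_policy = shadow blocks self-service password changes"
        rc=1
    fi
    return $rc
}

# Write a constructed sssd.conf (the article's step 4 + step 5 settings,
# with placeholder host and password) to FILE ($1), for demo and testing.
write_sample_conf() {
    cat > "$1" <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://nas.example.com
ldap_user_search_base = ou=people,dc=example,dc=com
enumerate = true
cache_credentials = true
tls_reqcert = never
ldap_tls_cacert = /etc/ssl/mynas.cert
access_provider = ldap
ldap_account_expire_policy = shadow
ldap_access_order = expire
ldap_chpass_update_last_change = true
ldap_default_bind_dn = cn=admin,dc=example,dc=com
ldap_default_authtok = PLACEHOLDER-PASSWORD
EOF
    chmod 600 "$1"
}

# Demo run on the constructed sample.
sample=$(mktemp)
write_sample_conf "$sample"
check_sssd_conf "$sample" && echo "OK: $sample passes all checks"
rm -f "$sample"
```

Run it against the real file as root (`check_sssd_conf /etc/sssd/sssd.conf`) before the restart in step 5; a non-zero exit with FAIL lines tells you what to fix while you can still log in.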