Monday 24 November 2008

Restricted access based on ldap groups

It looks quite baroque to me as there are at least three ways of doing:

  • delegate to ssh

  • delegate to pam

  • delegate to ldap

ssh


Using ssh is the easier way, I think. It is enought adding to sshd_config:

AllowUsers @my_group

The downside is it applies only to ssh. If you need to rule more services, it is useless.

pam


Delegate to pam can be done with pam_listfile, pam_access, pam_time and maybe others.
Just add a line to /etc/pam.d/my_service:

account required /lib/security/pam_listfile.so onerr=fail item=group sense=allow
file=/etc/pam.d/allowed_groups

and fill allowed group with the name (cn) of the allowed groups, one per line.
The downside is that this method looks harder than others.

ldap


Delegate to ldap took me more time to figure out how to do. The trick is not to trigger pam_unix.
Either remove ldap from /etc/nsswitch.conf passwd, group and shadow lines, or remove pam_unix.so from pam file. For example:

# PAM configuration for the Secure Shell service
auth required /lib/security/pam_ldap.so
account required /lib/security/pam_ldap.so
password required /lib/security/pam_ldap.so
session required /lib/security/pam_ldap.so

than modify /etc/pam_ldap.conf:

# Group to enforce membership of
pam_groupdn cn=my_group,ou=Groups,dc=my_domain,dc=com
# Group member attribute
pam_member_attribute memberUid

(if my_group is of objectClass posixAccount) or

# Group to enforce membership of
pam_groupdn cn=my_group,ou=Groups,dc=my_domain,dc=com
# Group member attribute
pam_member_attribute memberUid

(if my_group is of objectClass groupOfUniqueNames)

The downside is that you should consider carefully if non-ldap user (root?) should access the service.

Thursday 13 November 2008

Sendmail as a MTA client with x509 certificates authentication

My institution has decided to disallow un-authenticated bind to smtp server. Either username and password or x509 client certificate authentication is required.

I'm a exim4 user, but I was in charge of fixing a couple of sendmail-using servers.

So I did some research and the key points looks like adding in /etc/mail/postfix.mc:

define(`CERT_DIR', `/usr/local/ssl')
define(`confCACERT_PATH', `CERT_DIR/certs')
define(`confCACERT', `CERT_DIR/certs/my-ca-chain.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/certs/server.pem')
define(`confCLIENT_KEY', `CERT_DIR/private/server.key')
define(`confDONT_BLAME_SENDMAIL',`groupreadablekeyfile')dnl

actually last line is about key certificate being 640 with group openldap, which is exactly my case.

Then run make (or make && make install for freebsd) and then /etc/init.d/sendmail restart.

Tuesday 11 November 2008

Rails 2.1 named scope

The local rails guru pointed me to the new -- well, kind of -- feature of rails 2.1: the named scope.

In short, it's a way to store a query in the model, semantically very clearly.

I used this feature for the local mailserver administration program.

This is the addition to the MailAddres model:

named_scope :kept, :conditions => { :keep => true }
named_scope :unkept, lambda {{ :conditions => ['keep = 0 or keep IS NULL'] } }
named_scope :my_domain, :conditions => { :domain => "my_domain.it" }
named_scope :cadet, lambda {{ :conditions => ['position > 1'] } }
named_scope :personal, lambda {|username, surname| { :conditions => ["local_part = ? or local_part like ?", username, "%"+ActiveSupport::Inflector.parameterize(surname.downcase, '')+"%" ] }}

Now I can use:

UserAccount.find_by_username('test').mail_addresses.my_domain.cadet.personal.unkept

To fetch addresses of the user 'test' which are in my_domain, is not the first address, are personal alias (no functional alias or nicknames) but are not choosen by the user.

Monday 10 November 2008

Unable to have emacs working

I switched to a new client, actually a Wyse S50 thinclient, bound to a xen4 debian virtual machine. I work by opening a shell on the debian client and popping graphical application to thinclient via x-forwarding.

Debian is Etch.

emacs doesn't start properly: error is

Warning: Cannot convert string "-*-courier-medium-r-*-*-*-120-*-*-*-*-iso8859-*" to type FontStruct
Warning: Cannot convert string "-*-helvetica-medium-r-*--*-120-*-*-*-*-iso8859-1" to type FontStruct

then no text is shown but only blocks.

Obviously I botched something with fonts.

Well, I must admit I turned crazy and apt-get installed so many things now I can't remember.

Ok, I fixed a unexisting symlink which arose a warning everytime a font package was installed:
warning: directory /usr/lib/X11/fonts/Type1 does not exist
sudo ln -s /usr/share/fonts/X11 /usr/lib/X11/fonts

My xorg.conf looks like:

Section "Files"
FontPath "/usr/share/fonts/X11/misc"
FontPath "/usr/X11R6/lib/X11/fonts/misc"
FontPath "/usr/share/fonts/X11/cyrillic"
FontPath "/usr/X11R6/lib/X11/fonts/cyrillic"
FontPath "/usr/share/fonts/X11/100dpi/:unscaled"
FontPath "/usr/X11R6/lib/X11/fonts/100dpi/:unscaled"
FontPath "/usr/share/fonts/X11/75dpi/:unscaled"
FontPath "/usr/X11R6/lib/X11/fonts/75dpi/:unscaled"
FontPath "/etc/X11/fon/etc/X11/fonts/Type1"
FontPath "/usr/X11R6/lib/X11/fonts/Type1"
FontPath "/usr/share/fonts/X11/100dpi"
FontPath "/usr/X11R6/lib/X11/fonts/100dpi"
FontPath "/usr/share/fonts/X11/75dpi"
FontPath "/usr/X11R6/lib/X11/fonts/75dpi"
# path to defoma fonts
FontPath "/var/lib/defoma/x-ttcidfont-conf.d/dirs/TrueType"
EndSection

As soon as I find a solution I will post it.

Friday 7 November 2008

Split shibboleth-sp 1.3 configuration

I'm trying to clarify to myself how to configure shibboleth-sp 1.3 on Debian GNU/Linux with two name based virtual hosts.

The problem is: it should redirect user to IdP, but IdP should redirect back to the correct caller.

I'm quite sure on metadata.xml are to appear two entries hardcoded to the sitename.

I'm less sure how to modify shibboleth.xml. Actually the matter is if I should add a Application element inside Applications. Please note this Application is nearly empty, as it inherits the Session and CredentialUse elements.

Ok: it turns out that a Application inside Applications is needed in shibboleth.xml:

<application id="my_id" homeurl="http://my_virtual_host.unimore.it"
saml="urn:oasis:names:tc:SAML:1.0:assertion" md="urn:oasis:names:tc:SAML:2.0:metadata">
<errors session="/etc/shibboleth/sessionError.html"
metadata="/etc/shibboleth/metadataError.html" rm="/etc/shibboleth/rmError.html"
access="/etc/shibboleth/accessError.html" ssl="/etc/shibboleth/sslError.html"
supportcontact="my_admin@unimore.it" logolocation="/shibboleth-sp/logo.jpg"
stylesheet="/shibboleth-sp/main.css">
</errors>
</application>

And then a new Host element inside RequestMapper again in shibboleth.xml:

<Host name="my_virtual_host.unimore.it" applicationId="my_id">
<Path name="secure" authType="shibboleth" requireSession="true"/>

But, surprise surprise, on the metadata.xml it is enought to add two more bindings to <AssertionConsumerService>:

<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
Location="http://my_first_virtual_host.unimore.it/Shibboleth.sso/SAML/POST"
index="1"></AssertionConsumerService> <AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
Location="http://my_first_virtual_host.unimore.it/Shibboleth.sso/SAML/Artifact"
index="2"></AssertionConsumerService><AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
Location="http://my_second_virtual_host.unimore.it/Shibboleth.sso/SAML/POST"
index="3"></AssertionConsumerService>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
Location="http://my_second_virtual_host.unimore.it/Shibboleth.sso/SAML/Artifact"
index="4"></AssertionConsumerService>