Historically, the ALOHA has had only two built-in users: admin and monitor.

  • The admin user has access to administration and maintenance operations

  • The monitor user can only view the ALOHA configuration and metrics, but is not allowed to make any modification.

With the LDAP authentication feature, you can authenticate users against a remote LDAP server as opposed to a local password database, with the following benefits when compared to traditional Unix authentication:

  • Simple and more centralized user management

  • The admin or monitor passwords no longer have to be shared between several users; each user can have their own set of rights and password

  • Two different admin users can be differentiated in the logs

  • Users can be allowed or denied depending on multiple rules and criteria such as requested service, user group, etc.

  • In the WUI, you are able to see which user is logged in and if the user was remapped

  • In the shell, several environment variables will be set: ALOHA_USER, ALOHA_USER_INFO, ALOHA_USER_MAPPED_AS

However, there are a few inconveniences to take into account:

  • The LDAP server can become a single point of failure if only LDAP users are allowed to log in

  • Increased risk of lockout

Enabling LDAP authentication

Warning

Be sure to follow the procedures precisely: a mistake can lock you out of the ALOHA and require a recovery. We recommend that you keep a root shell open in order to do repairs in case of error.

Configure and enable PAM service

In the ALOHA WUI

  1. In the Services tab, select "advanced mode" (at the bottom of the page).

  2. Go to the PAM line and click the edit icon.

  3. Enable ldap_auth and autostart.

  4. Optional: You can also add debug 1 to add more information to the logs for troubleshooting.

In the command line

  1. Edit the file /etc/config.rc to add the commands below:

    # config set pam ldap_auth 1
    # config set pam autostart
    # service pam restart

Configure and enable the LDAP service

In the ALOHA WUI

  1. In the Services tab, select "advanced mode" (at the bottom of the page).

  2. Go to the nslcd line and click the edit icon.

  3. Enable autostart.

In the command line

  1. Edit the file /etc/nslcd.conf according to your LDAP server configuration.

    # config set nslcd autostart
    # service nslcd start

Enable login for LDAP users

The file /etc/security/users.conf allows you to define users and assign allowed actions.

  1. In the Services tab, select "advanced mode" (at the bottom of the page).

  2. Go to the PAM line and click the edit icon to edit the users.conf file using the options described below.

  3. If using the command line, edit the file /etc/security/users.conf.

Each line in the users.conf file contains the following:

<FILTERS>:<ACTIONS>

  • Multiple filters and actions can be on the same line, and must be separated by a space.

  • You can match filters with multiple values separated by commas. Example: user=user1,user2

  • When user=*, it matches everything.

  • When there is no filter at all, it will also match everything.

Possible filters

  • user: a user name

  • group: a group name

  • auth_type: defines a specific authentication type. We currently support local or ldap.

  • service: defines a specific PAM service

Possible values for service

  • login: local keyboard or serial login

  • sshd: login via sshd

  • wui: login via WUI (web interface)

ALOHA stops evaluating the rules as soon as a line is matched, and applies the corresponding actions.

Possible actions

  • allow: grants access to the user

  • deny: forbids access to the user

  • map_to_user <NEW_USER>: maps the user to another user

We recommend that you remap users to monitor or admin, but you can remap them to any user present on the ALOHA.
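To make the first-match semantics of users.conf concrete, here is a small evaluator written for this page (added example, not ALOHA's own code and not the real test_pam_user_map tool). It assumes that all filters on one line must match (AND), that a comma-separated value list is an OR, that a '*' value is a wildcard for any filter, and that a login matching no line at all is denied; the policy it parses is a constructed sample.

```python
"""Model of the users.conf matching rules described above (added example,
not ALOHA's own code; see the lead-in for the assumptions it makes)."""
from collections import namedtuple

# Constructed sample policy; the final catch-all line denies everyone else.
SAMPLE_USERS_CONF = """\
user=root auth_type=local:allow
group=aloha-admins auth_type=ldap service=sshd,wui:allow map_to_user admin
group=aloha-ops auth_type=ldap service=wui:allow map_to_user monitor
user=*:deny
"""
FILTERS = {"user", "group", "auth_type", "service"}
# groups: names from getent group; auth_type: local/ldap; service: login/sshd/wui
Login = namedtuple("Login", "user groups auth_type service")

def parse_users_conf(text):
    """Parse into [(filters, actions)], rejecting lines a check_config
    pass should refuse (unknown filter, missing map_to_user argument)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        filt_part, _, act_part = line.partition(":")
        filters = {}
        for token in filt_part.split():
            key, _, value = token.partition("=")
            if key not in FILTERS or not value:
                raise ValueError(f"bad filter {token!r} in {line!r}")
            filters[key] = set(value.split(","))
        actions = act_part.split()
        if not actions or actions[-1] == "map_to_user":
            raise ValueError(f"incomplete actions in {line!r}")
        rules.append((filters, actions))
    return rules

def _matches(filters, login):
    have = {"user": {login.user}, "group": set(login.groups),
            "auth_type": {login.auth_type}, "service": {login.service}}
    return all("*" in vals or have[key] & vals for key, vals in filters.items())

def evaluate(rules, login):
    """Return (allowed, effective_user) from the first matching line."""
    for filters, actions in rules:
        if _matches(filters, login):
            mapped = login.user
            if "map_to_user" in actions:
                mapped = actions[actions.index("map_to_user") + 1]
            return "allow" in actions and "deny" not in actions, mapped
    return False, login.user  # assumed: a login that matches no line is denied
```

Note that an LDAP member of aloha-ops is allowed on the WUI but falls through to the catch-all deny for sshd, which is the kind of difference the test_pam_user_map checks below are meant to surface before the file goes live.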

Enable login for LDAP users

  1. Check that your DNS resolution works correctly on the ALOHA. If not, run the commands below:

    # config set system dns_domain MYDOMAIN
    # config set system dns_servers xx.xx.xx.xx

  2. Check that the ALOHA can communicate with the LDAP server. You can do a test query using ldapsearch. If there is no communication, check your network configuration.

  3. Enable PAM and LDAP authentication (see above).

  4. Configure nslcd (nss-pam-ldap daemon). For complete nslcd documentation, see https://arthurdejong.org/nss-pam-ldapd/.

  5. Reload the service:

    # service nslcd restart

  6. Optionally, you can launch nslcd in debug mode to add information for troubleshooting:

    # nslcd -d -n

  7. For better reliability, we recommend the following options in /etc/nslcd.conf:

    • Set log syslog to log nslcd actions to syslog.

    • Explicitly specify base dc=exemple,dc=org (according to your LDAP server configuration) so that nslcd does not fail at startup when the LDAP server is down.

    • Set nss_initgroups_ignoreusers root,admin,monitor to prevent lags when one of these users uses sudo while the LDAP server is offline.

Results

If nslcd is working correctly, you can see the following:

  • LDAP users: getent passwd

  • Users' LDAP groups (mapped as active directory primary groups): getent group

If these steps fail, please consult the https://arthurdejong.org/nss-pam-ldapd/ documentation.

Now that your LDAP users are known by the system, you can allow them to log in.

Testing your configuration

Before you allow your LDAP users to log in, you should test the PAM configuration before you apply it.

Test a PAM configuration

  1. In your shell, edit a draft file (example: /tmp/users.conf).

  2. Check that your configuration is parsed correctly:

    # test_pam_user_map check_config -f /tmp/users.conf

  3. Simulate a user logging in (example: a local user with a local UNIX account on the ALOHA called 'user1' logging in using the keyboard or the console):

    # test_pam_user_map check_pam_auth -f /tmp/users.conf -u user1 -s login -t local

  4. Simulate another user ('user2') logging in using ssh with the ldap authentication type:

    # test_pam_user_map check_pam_auth -f /tmp/users.conf -u user2 -s sshd -t ldap

Test with LDAP users

After you are satisfied with the results, you can now test your LDAP configuration with a real user and a real password:

# test_pam_user_map check_login_pass -f /tmp/users.conf  -u user3 -p mypassword -s sshd -t ldap

Warning

Make sure you wipe your shell history after running this command, since the password is passed in clear text on the command line.

This command has the same effect as when entering a user login/password with the specified authentication type and service.

Once your checks match your expectations, you can rename /tmp/users.conf to /etc/security/users.conf.

Limitations

  • When using SCP, user remapping does not work.

  • When using SSH keys, user remapping does not work (but key-based authentication does).

  • You cannot change the password of an LDAP user using the ALOHA. If you need to do so, use the tools provided with your LDAP server.

Troubleshooting

If access is denied when logging in using ssh but allowed when using login, check the following in /etc/ssh/sshd_config:

  • You do not have the AllowGroups directive. If you do, check that your users' groups are allowed, using getent group to list the groups the system knows.

  • UsePAM is set to yes.