
yast2-auth-server


This program helps system administrators create new directory server and Kerberos server instances, which together maintain a centralised user identity database for a network.

The features are:

  • Create new directory server instance.

Install

To install the latest stable version on openSUSE or SLE, use zypper:

$ sudo zypper install yast2-auth-server

Run

Open the YaST control panel and launch "Create New Directory Server".

Development

You need to prepare your environment with:

ruby_version=$(ruby -e "puts RbConfig::CONFIG['ruby_version']")
zypper install -C "rubygem(ruby:$ruby_version:yast-rake)"
zypper install -C "rubygem(ruby:$ruby_version:rspec)"
zypper install git yast2-devtools yast2-testsuite yast

You can then run the auth-server module with:

rake run
rake run[module name]
rake run[ldap-server]

For the 389-ds setup you need a CA certificate in PEM format plus a PKCS#12 bundle containing the server certificate and its key. You can generate these with certutil and pk12util from the package mozilla-nss-tools:

mkdir local_ca
cd local_ca
echo "password" > password.txt
certutil -N -f password.txt -d .
certutil -S -n CAissuer -t "C,C,C" -x -f password.txt -d . -v 24 -g 4096 -Z SHA256 --keyUsage certSigning -2 --nsCertType sslCA -s "CN=ca.nss.dev.example.com,O=Testing,L=example,ST=Queensland,C=AU"

certutil -S -n Server-Cert -t ",," -c CAissuer -f password.txt -d . -s "CN=test_b.dev.example.com,O=Testing,L=example,ST=Queensland,C=AU"

certutil -L -n CAissuer -a -d . > ca.pem
pk12util -o server-export.p12 -d . -k password.txt -n Server-Cert
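The same two artefacts (a PEM CA certificate and a PKCS#12 bundle with friendly name "Server-Cert") can be produced and pre-checked with Ruby's OpenSSL bindings when certutil is not at hand. The script below is an added example, not the README's method or the module's code; it uses the README's constructed subject names, and the password "password", the 2048-bit key size and the validity periods are assumptions.

```ruby
require 'openssl'

# Added example: build a throwaway CA and a server certificate/key, package
# them as ca.pem and server-export.p12 (friendly name "Server-Cert"), and
# verify the result before handing it to the 389-ds setup.
CA_SUBJECT     = '/CN=ca.nss.dev.example.com/O=Testing/L=example/ST=Queensland/C=AU'
SERVER_SUBJECT = '/CN=test_b.dev.example.com/O=Testing/L=example/ST=Queensland/C=AU'
FRIENDLY_NAME  = 'Server-Cert'

# Issue an X.509v3 certificate for +pubkey+, signed with +issuer_key+.
# A nil +issuer_cert+ means self-signed (the CA itself).
def build_cert(subject, issuer_cert, issuer_key, pubkey, serial, ca:, days:)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = pubkey
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + days * 86_400

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer_cert || cert
  if ca
    # Same intent as certutil's --keyUsage certSigning / --nsCertType sslCA.
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature,keyEncipherment', true))
    cert.add_extension(ef.create_extension('extendedKeyUsage', 'serverAuth', false))
  end
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash', false))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Returns { ca_pem:, p12_der: }: the contents of ca.pem and server-export.p12.
def make_bundle(password, key_bits: 2048)
  ca_key   = OpenSSL::PKey::RSA.new(key_bits)
  ca_cert  = build_cert(CA_SUBJECT, nil, ca_key, ca_key.public_key, 1, ca: true, days: 730)
  srv_key  = OpenSSL::PKey::RSA.new(key_bits)
  srv_cert = build_cert(SERVER_SUBJECT, ca_cert, ca_key, srv_key.public_key, 2, ca: false, days: 365)
  p12 = OpenSSL::PKCS12.create(password, FRIENDLY_NAME, srv_key, srv_cert, [ca_cert])
  { ca_pem: ca_cert.to_pem, p12_der: p12.to_der }
end

# Pre-flight checks before pointing the setup at the files: the bundle opens
# with the password, key and certificate belong together, the certificate
# chains to the CA, the CA really is a CA, and the friendly name the setup
# looks for is present (it is stored as a cleartext BMPString on the key bag).
def verify_bundle(ca_pem, p12_der, password)
  ca    = OpenSSL::X509::Certificate.new(ca_pem)
  p12   = OpenSSL::PKCS12.new(p12_der, password)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca)
  bc = ca.extensions.find { |e| e.oid == 'basicConstraints' }
  {
    chain_ok:      store.verify(p12.certificate),
    key_matches:   p12.certificate.check_private_key(p12.key),
    ca_is_ca:      !bc.nil? && bc.value.include?('CA:TRUE'),
    server_cn:     p12.certificate.subject.to_a.find { |n| n[0] == 'CN' }[1],
    friendly_name: p12_der.include?(FRIENDLY_NAME.encode('UTF-16BE').b)
  }
end

if __FILE__ == $PROGRAM_NAME
  files = make_bundle('password')
  File.binwrite('ca.pem', files[:ca_pem])
  File.binwrite('server-export.p12', files[:p12_der])
  p verify_bundle(files[:ca_pem], files[:p12_der], 'password')
end
```

Run it in an empty directory; it writes ca.pem and server-export.p12 and prints the check results. The verification step is the part worth keeping even when you generate the files with certutil: a bundle whose certificate does not chain to the CA you hand over, or whose friendly name is not "Server-Cert", fails only later inside the 389-ds setup with a far less obvious message.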

Tests

rake test:unit

Logs

If you are running as a non-root user, the logs are located in:

~/.y2log

If you are running as root, these logs are in:

/var/log/YaST2/y2log

For more detailed logging, run YaST with the debugging environment variable set:

Y2DEBUG=1 rake run[ldap-server]

Build

You can build the package with:

rake osc:build


yast-auth-server's Issues

yast2 ldap-server and yast2 user/group management

Hello,
I am struggling with ldap 389-ds since suse 42.x
something is correctly running now with 389-ds-1.4.4.1~git0.2333d75d5-lp151.95.1.x86_64 and yast2-auth-server-4.2.3-lp151.70.1.noarch but yast2 users/groups management (ldap filter) does not work correctly with them

I can get the demo_user with dsidm :
ceres:~ # cat .dsrc
[ceres-y]
uri = ldap://ceres.2sapins.ponctey.fr
basedn = dc=2sapins,dc=ponctey,dc=fr
binddn = cn=Directory Manager

ceres:~ # dsidm ceres-y account list
Enter password for cn=Directory Manager on ldap://ceres.2sapins.ponctey.fr:
dc=2sapins,dc=ponctey,dc=fr
ou=groups,dc=2sapins,dc=ponctey,dc=fr
ou=people,dc=2sapins,dc=ponctey,dc=fr
ou=permissions,dc=2sapins,dc=ponctey,dc=fr
ou=services,dc=2sapins,dc=ponctey,dc=fr
uid=demo_user,ou=people,dc=2sapins,dc=ponctey,dc=fr
cn=demo_group,ou=groups,dc=2sapins,dc=ponctey,dc=fr

with yast2-users with LDAP filter and anonymous login I can see the demo user but not with the right password in order to enter modifications :
La connexion au serveur LDAP n'a pas pu être établie.
Invalid credentials
(No such entry)

yast2-users

NB the demo-user has ID 99998 instead of 1000<ID<60000

Password file for KDC not generated by YaST

File new_krb_inst.rb

Line 182:

# Make common and KDC configuration files
# This has to occur the PW files else the default realm is not known
# to the pwstash command below.
pass_file_path = '/var/lib/kerberos/krb5kdc/ldap.creds'

Line 196:

# Create password file for KDC
MITKerberos.append_to_log('Generating KRBADM/KDC Passwords to %s' % pass_file_path)
out, ok = MITKerberos.save_password_into_file(kdc_dn, kdc_pass, pass_file_path)
MITKerberos.append_to_log('%s' % out)
if !ok
  Popup.Error(_('Failed to create password file! Log output may be found in /var/log/YaST/y2log'))
  UI.ReplaceWidget(Id(:busy), Empty())
  return
end
out, ok = MITKerberos.save_password_into_file(admin_dn, admin_pass, pass_file_path)
MITKerberos.append_to_log('%s' % out)
if !ok
  Popup.Error(_('Failed to create password file! Log output may be found in /var/log/YaST/y2log'))
  UI.ReplaceWidget(Id(:busy), Empty())
  return
end

Upon completion of the YaST script, I have a running krb5kdc service and a running kadmind service, but no password file in the location mentioned in the above script. I don't know if this will be a problem without further testing.

No output of error messages in the user interface

When configuring a new directory server in the Yast2 auth server module, the input of a password is required. If this password does not meet the hidden requirements, Yast2 simply outputs that the user should look at a log file to find out the real reasons for the failure.

The mentioned log file shows:

2023-02-20 13:30:01 <1> host(11996) [Ruby] dir/ds389.rb(append_to_log):87 DEBUG: PASSED: instance checking
2023-02-20 13:30:01 <1> host(11996) [Ruby] dir/ds389.rb(append_to_log):87 DEBUG: root_password must be at least 8 characters long
2023-02-20 13:30:01 <1> host(11996) [Ruby] dir/ds389.rb(append_to_log):87 Traceback (most recent call last):
2023-02-20 13:30:01 <1> host(11996) [Ruby] dir/ds389.rb(append_to_log):87   File "/usr/sbin/dscreate", line 99, in <module>
2023-02-20 13:30:01 <1> host(11996) [Ruby] dir/ds389.rb(append_to_log):87     result = args.func(inst, log, args)
2023-02-20 13:30:01 <1> host(11996) [Ruby] dir/ds389.rb(append_to_log):87   File "/usr/lib/python3.6/site-packages/lib389/cli_ctl/instance.py", line 71, in instance_create
2023-02-20 13:30:01 <1> host(11996) [Ruby] dir/ds389.rb(append_to_log):87     if sd.create_from_inf(args.file):
2023-02-20 13:30:01 <1> host(11996) [Ruby] dir/ds389.rb(append_to_log):87   File "/usr/lib/python3.6/site-packages/lib389/instance/setup.py", line 560, in create_from_inf
2023-02-20 13:30:01 <1> host(11996) [Ruby] dir/ds389.rb(append_to_log):87     self.create_from_args(general, slapd, backends, self.extra)
2023-02-20 13:30:01 <1> host(11996) [Ruby] dir/ds389.rb(append_to_log):87   File "/usr/lib/python3.6/site-packages/lib389/instance/setup.py", line 685, in create_from_args
2023-02-20 13:30:01 <1> host(11996) [Ruby] dir/ds389.rb(append_to_log):87     self._prepare_ds(general, slapd, backends)
2023-02-20 13:30:01 <1> host(11996) [Ruby] dir/ds389.rb(append_to_log):87   File "/usr/lib/python3.6/site-packages/lib389/instance/setup.py", line 622, in _prepare_ds
2023-02-20 13:30:01 <1> host(11996) [Ruby] dir/ds389.rb(append_to_log):87     raise ValueError("root_password must be at least 8 characters long")
2023-02-20 13:30:01 <1> host(11996) [Ruby] dir/ds389.rb(append_to_log):87 ValueError: root_password must be at least 8 characters long
2023-02-20 13:30:01 <1> host(11996) [Ruby] dir/ds389.rb(append_to_log):87 ERROR: Error: root_password must be at least 8 characters long

It would be nice if such messages were presented in the yast2 user interface, e.g. a message box should appear showing "root_password must be at least 8 characters long" in this case.
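One way to surface that message, as an added example that is not part of this issue or of the module's code: strip the y2log prefix from the lines ds389.rb copies into the log, and pick out dscreate's own "ERROR:" line (falling back to the Python exception line). The sample log below is constructed from the lines quoted above; the function names are assumptions.

```ruby
# Added example: extract the actionable dscreate failure from y2log-style
# output so a UI popup can show it instead of pointing the user at the log.
SAMPLE_Y2LOG = <<~LOG # constructed from the y2log excerpt in this issue
  2023-02-20 13:30:01 <1> host(11996) [Ruby] dir/ds389.rb(append_to_log):87 DEBUG: PASSED: instance checking
  2023-02-20 13:30:01 <1> host(11996) [Ruby] dir/ds389.rb(append_to_log):87 DEBUG: root_password must be at least 8 characters long
  2023-02-20 13:30:01 <1> host(11996) [Ruby] dir/ds389.rb(append_to_log):87 Traceback (most recent call last):
  2023-02-20 13:30:01 <1> host(11996) [Ruby] dir/ds389.rb(append_to_log):87   File "/usr/sbin/dscreate", line 99, in <module>
  2023-02-20 13:30:01 <1> host(11996) [Ruby] dir/ds389.rb(append_to_log):87     result = args.func(inst, log, args)
  2023-02-20 13:30:01 <1> host(11996) [Ruby] dir/ds389.rb(append_to_log):87 ValueError: root_password must be at least 8 characters long
  2023-02-20 13:30:01 <1> host(11996) [Ruby] dir/ds389.rb(append_to_log):87 ERROR: Error: root_password must be at least 8 characters long
LOG

# "<date> <time> <level> host(pid) [Ruby] file(method):line " in front of each message.
Y2LOG_PREFIX = /\A\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} <\d+> \S+ \[[^\]]+\] \S+ /

# Leading "ERROR:", "Error:" and "<Something>Error:" labels, however many are stacked.
ERROR_LABELS = /\A(?:(?:\w*Error|ERROR):\s*)+/

def strip_y2log_prefix(line)
  line.sub(Y2LOG_PREFIX, '')
end

# Returns the message the UI should show, or nil when the output carries no
# error. dscreate's own "ERROR:" line wins; the last Python exception line
# ("ValueError: ...") is the fallback when dscreate died without printing one.
def setup_error_message(output)
  messages = output.each_line.map { |l| strip_y2log_prefix(l.chomp).rstrip }
  hit = messages.reverse.find { |m| m.start_with?('ERROR:') } ||
        messages.reverse.find { |m| m =~ /\A\w*Error: / }
  hit && hit.sub(ERROR_LABELS, '')
end

if __FILE__ == $PROGRAM_NAME
  # In the module this string would go to Popup.Error instead of stdout.
  puts setup_error_message(SAMPLE_Y2LOG)
end
```

The generic "look at the log" popup stays as the fallback for output that contains no recognisable error line, so the function returning nil is a valid outcome the caller has to handle.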

Container DN potential for "double entry" on dir suffix

Looking at the "Create Kerberos Instance" Form, the impression is to enter a fully qualified dn for the existing Users container, i.e. ou=people, dc=example, dc=com. Looking at the code in file new_krb_inst.rb on line 97, you will find the equation:

container_dn = UI.QueryWidget(Id(:container_dn), :Value) + ',' + dir_suffix

This leads me to believe that the final value of container_dn could be something like ou=people, dc=example, dc=com, dc=example, dc=com. Please confirm.
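A suffix-aware join avoids the doubled suffix the issue describes while keeping the original behaviour for a bare "ou=people". The code below is an added example, not the module's code; the function names and the form values used in it are constructed.

```ruby
# Added example: build container_dn from the form value and the directory
# suffix without appending the suffix a second time when the user already
# typed a full DN such as "ou=people,dc=example,dc=com".

# Split a DN on unescaped commas and drop the whitespace that is legal
# between RDNs ("ou=people, dc=example, dc=com"). An escaped comma inside a
# value ("cn=Doe\, Jane") is kept with its RDN.
def dn_components(dn)
  dn.split(/(?<!\\),/).map(&:strip).reject(&:empty?)
end

def normalize_dn(dn)
  dn_components(dn).join(',')
end

# Returns the DN to use for the container:
#   * empty input                                   -> the suffix itself
#   * input already ends with the suffix (case-insensitive) -> input as typed
#   * otherwise                                     -> input + "," + suffix
def container_dn_for(form_value, dir_suffix)
  input  = normalize_dn(form_value.to_s)
  suffix = normalize_dn(dir_suffix)
  return suffix if input.empty?

  in_parts  = dn_components(input).map(&:downcase)
  suf_parts = dn_components(suffix).map(&:downcase)
  if in_parts.length >= suf_parts.length && in_parts.last(suf_parts.length) == suf_parts
    return input
  end
  "#{input},#{suffix}"
end

if __FILE__ == $PROGRAM_NAME
  puts container_dn_for('ou=people', 'dc=example,dc=com')
  puts container_dn_for('ou=people, dc=example, dc=com', 'dc=example,dc=com')
end
```

Comparing RDN components rather than raw strings is what makes "OU=People,DC=Example,DC=com" count as already suffixed; a plain `end_with?` on the string would miss the case and whitespace differences that LDAP itself tolerates.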

Missing Package during installation phase of Kerberos Instance

The package, krb5-plugin-kdb-ldap, is not installed by default with the other packages when configuring a new Kerberos Instance through Yast. This creates a problem later on after users are created in LDAP. Not sure where in the code the command, /usr/lib/mit/sbin/kdb5_ldap_util, gets called. Please investigate.

ldap.conf configuration and location for Kerberos Instance

I don't believe the issue lies with this module, but the installation of a new Kerberos Instance appears to rely on the proper configuration of the OpenLDAP client, specifically making sure that secure ldap is configured in /etc/openldap/ldap.conf:

uri ldaps://ldap.example.com:636/
base dc=example,dc=com
timelimit 30
tls_reqcert allow

Without the above configuration, the Kerberos Instance form fails with a SASL Simple Bind error in the installation log.

Configuring the file through "YaST2 -> Network Services -> LDAP and Kerberos Client" does not work; it configures the file, /etc/ldap.conf, which in my testing is not referenced by openldap, and not consequently referenced during the Kerberos Instance installation. I'm making this note as a reference. Please forward this to the appropriate team responsible for the LDAP and Kerberos Client setup under Yast.

krb5.conf must exist for Kerberos Instance installation to succeed

Looking at the script, one might assume the file, /etc/krb5.conf, may be created by the "Create New Kerberos Instance" script using the input from the associated form. The config file pre-existed due to the software installation phase. The script looks like it will probably try to write the default realm information into the config file, but doesn't do this. If I remove the pre-existing file, it does not create a new one and populate the realm information into it. I must manually edit the krb5.conf file and specify the default realm as posted in the REALM field on the form. Without this pre-configuration, the installation will fail. This function is located in the same ruby file I mentioned previously. I'll post the name as a reply.

Remove kerberos server with LDAP DB functionality

It seems that some of the krb functionality hasn't worked cleanly for about 2 years. Because of the lack of issues raised about this, I can only assume this feature is not used widely.

As a result I would like to remove it. We should not be recommending kerberos in 2022 due to its complexity and risk.

This will mean you can no longer set up new kerberos databases that are ldap backend via yast. Existing installs will keep working, and new installs will need to be configured by hand.

Incorrect path in message generated by yast2-auth-server package

When configuring a new ldap server instance, messages are displayed in case of error or success.

This message refers to a log file named "/var/log/YaST/y2log" that is not present on an installation of openSUSE Leap 15.4 and may confuse users.

The correct path is /var/log/YaST2.

The locations where this incorrect path is used:

grep -rn  "YaST/y2log" /usr/share/YaST2/
/usr/share/YaST2/lib/authserver/dir/ds389.rb:59:  # The output of setup script is written into file .y2log or /var/log/YaST/y2log
/usr/share/YaST2/lib/authserver/ui/new_krb_inst.rb:156:      Popup.Error(_('Failed to create Kerberos KDC connection user! Log output may be found in /var/log/YaST/y2log'))
/usr/share/YaST2/lib/authserver/ui/new_krb_inst.rb:163:      Popup.Error(_('Failed to create Kerberos KDC connection user! Log output may be found in /var/log/YaST/y2log'))
/usr/share/YaST2/lib/authserver/ui/new_krb_inst.rb:170:      Popup.Error(_('Failed to create Kerberos administration user! Log output may be found in /var/log/YaST/y2log'))
/usr/share/YaST2/lib/authserver/ui/new_krb_inst.rb:177:      Popup.Error(_('Failed to create Kerberos KDC administration user! Log output may be found in /var/log/YaST/y2log'))
/usr/share/YaST2/lib/authserver/ui/new_krb_inst.rb:201:      Popup.Error(_('Failed to create password file! Log output may be found in /var/log/YaST/y2log'))
/usr/share/YaST2/lib/authserver/ui/new_krb_inst.rb:208:      Popup.Error(_('Failed to create password file! Log output may be found in /var/log/YaST/y2log'))
/usr/share/YaST2/lib/authserver/ui/new_krb_inst.rb:217:      Popup.Error(_('Kerberos initialisation failure! Log output may be found in /var/log/YaST/y2log'))
/usr/share/YaST2/lib/authserver/ui/new_krb_inst.rb:226:      Popup.Error(_('Failed to modify directory permission! Log output may be found in /var/log/YaST/y2log'))
/usr/share/YaST2/lib/authserver/ui/new_krb_inst.rb:233:      Popup.Error(_('Failed to modify directory permission! Log output may be found in /var/log/YaST/y2log'))
/usr/share/YaST2/lib/authserver/ui/new_krb_inst.rb:251:    Popup.Message(_('New instance has been set up! Log output may be found in /var/log/YaST/y2log'))
/usr/share/YaST2/lib/authserver/ui/new_dir_inst.rb:123:      Popup.Error(_('Failed to set up new instance! Log output may be found in /var/log/YaST/y2log'))
/usr/share/YaST2/lib/authserver/ui/new_dir_inst.rb:132:        Popup.Error(_('Failed to set up new instance! Log output may be found in /var/log/YaST/y2log'))
/usr/share/YaST2/lib/authserver/ui/new_dir_inst.rb:145:    Popup.Message(_('New instance has been set up! Log output may be found in /var/log/YaST/y2log'))

Looking for references to the mentioned logfile gives:

$ grep -rnw  "y2log" /usr/share/YaST2/
...
/usr/share/YaST2/clients/inst_kickoff.rb:221:              Ops.add(Directory.logdir, "/y2log")
/usr/share/YaST2/clients/inst_kickoff.rb:285:                Ops.add(Directory.logdir, "/y2log")
/usr/share/YaST2/clients/inst_kickoff.rb:348:                Ops.add(Directory.logdir, "/y2log")
/usr/share/YaST2/clients/inst_kickoff.rb:406:              Ops.add(Directory.logdir, "/y2log")

which means that a Ruby variable with the correct path exists and should be used in the relevant places.

Initially reported at https://bugzilla.opensuse.org/show_bug.cgi?id=1207831

Improve CA/TLS string names

It was suggested that we change the names of the CA/TLS elements in DS setup to be:

Server TLS certificate authority in PEM format
-> CA certificate in PEM format

Server TLS certificate and key in PKCS12 format with friendly name "Server-Cert"
-> Server private key/cert in PKCS12 format with friendly name "Server-Cert"
