OpenLDAP server installation is standard. Use your Linux distribution packages, for example with Debian:

apt-get install slapd

Read the OpenLDAP Software Administrator's Guide, section "Building and Installing OpenLDAP Software", for more information.
The file acls.schema has to be put in /etc/ldap/schema, and the line

include /etc/ldap/schema/acls.schema

has to be added at the beginning of /etc/ldap/slapd.conf. In the access-level setup of this file, one can add:
#INL access for acls
access to dn="ou=acls,dc=nufw,dc=org"
by dn="uid=nufw,ou=Users,dc=nufw,dc=org" write
by dn="uid=nuauth,ou=Users,dc=nufw,dc=org" read
by dn="cn=admin,dc=nufw,dc=org" write
by * none
With these rules, the nufw user is able to modify the policy, while the nuauth user can only read the acls; every other identity gets no access to the subtree.
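To check that such an access stanza really enforces the intended split (nufw and admin write, nuauth read, nobody else anything), here is an added example that is not part of NuFW or OpenLDAP: a small parser for the slapd.conf "access to" block above, plus an audit function that reports deviations from the expected policy. The sample stanza is constructed to match the one shown in the text.

```python
"""Audit a slapd.conf 'access to' stanza against a least-privilege policy."""
import re

# Constructed sample: the acls stanza from the NuFW documentation above.
SAMPLE_STANZA = """\
#INL access for acls
access to dn="ou=acls,dc=nufw,dc=org"
    by dn="uid=nufw,ou=Users,dc=nufw,dc=org" write
    by dn="uid=nuauth,ou=Users,dc=nufw,dc=org" read
    by dn="cn=admin,dc=nufw,dc=org" write
    by * none
"""

ACCESS_RE = re.compile(r'^access\s+to\s+dn(?:\.\w+)?="([^"]+)"\s*$')
BY_RE = re.compile(r'^by\s+(\*|dn(?:\.\w+)?="[^"]+")\s+(\w+)\s*$')


def parse_access(stanza):
    """Return (target_dn, [(who, level), ...]) for the first 'access to' block."""
    target, clauses = None, []
    for raw in stanza.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines
        m = ACCESS_RE.match(line)
        if m:
            target = m.group(1)
            continue
        m = BY_RE.match(line)
        if m and target is not None:
            who = m.group(1)
            if who != "*":
                who = who.split('"')[1]  # strip dn="..." wrapper
            clauses.append((who, m.group(2)))
    return target, clauses


def audit(stanza, writers, readers):
    """Compare the stanza with the expected policy; return a list of findings.

    slapd stops at the first matching 'by' clause, so the first level listed
    for an identity is the one that applies. Identities not named by any
    clause are denied, which is why a missing 'by *' is treated as 'none'."""
    target, clauses = parse_access(stanza)
    levels = {}
    for who, level in clauses:
        levels.setdefault(who, level)
    findings = []
    for dn in writers:
        if levels.get(dn) != "write":
            findings.append(f"{dn} should have write, has {levels.get(dn)}")
    for dn in readers:
        if levels.get(dn) != "read":
            findings.append(f"{dn} should have read, has {levels.get(dn)}")
    if levels.get("*", "none") != "none":
        findings.append(f"catch-all grants {levels['*']} on {target}")
    return findings
```

Run audit() on the stanza taken from your own slapd.conf; an empty list means the block matches the policy, and any finding names the identity whose level differs.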
You can start with an LDIF file such as:

dn: dc=nufw,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
o: nufw.org
dc: nufw
structuralObjectClass: organization

dn: ou=Users,dc=nufw,dc=org
objectClass: organizationalUnit
ou: Users
structuralObjectClass: organizationalUnit

dn: ou=acls,dc=nufw,dc=org
objectClass: organizationalUnit
ou: acls
structuralObjectClass: organizationalUnit
To use LDAP support for acl checking, we need to modify the nuauth.conf file:

nuauth_acl_check_module="libldap"

and we have to set up the connection parameters:

ldap_bind_dn="uid=nuauth,ou=Users,dc=nufw,dc=org"
ldap_bind_password="secretpassword"
ldap_basedn="dc=nufw,dc=org"
ldap_acls_base_dn="ou=Acls,dc=nufw,dc=org"
INL has released a powerful Netfilter rules generator for NuFW and Netfilter. It is called Nuface and it is available at:

http://software.inl.fr/trac/trac.cgi/wiki/EdenWall/NuFace

It generates a set of rules for NuFW and Netfilter that can be applied directly from the web interface.
nuaclgen is a script that can help you maintain a simple set of acls in an LDAP tree.
It is advised that you use Nuface rather than Nuaclgen, if possible, since it makes things simpler. In particular, be aware that when you use nuaclgen, you need to also modify by hand your Netfilter rules.
The file nuaclgen.conf contains the information about the LDAP connection. It needs to be modified to suit your configuration, for example:

$ldap_host="localhost";
$username="uid=nufw,ou=Users,dc=nufw,dc=org";
$password="writepasswd";
$basedn="ou=Acls,dc=nufw,dc=org";

Note that this file holds the write credentials for the acls subtree. [1]
To allow ssh for users of group 513 when they use the /usr/bin/ssh application, we can use:
nuaclgen --Aclname cn=ssh,ou=Acls,dc=nufw,dc=org -p 6 --dport 22 -AppName "/usr/bin/ssh" -j ACCEPT -g 513
Or, for access directed to a web server:

nuaclgen --Aclname cn=apt,ou=Acls,dc=nufw,dc=org -p 6 --dport 80 \
    -AppName "/usr/lib/apt/methods/http" -j ACCEPT -g 1042

This ACL gives access to group 1042, which is used by the root user of some server of ours. Thus the root user can only fetch files to update the computer, but other users cannot access the web.
[1] The nuaclgen.conf file contains sensitive data and thus must have limited rights.