My two ¢'s » ldap

BigIP Client Certificates

daniel — Tue, 02 Dec 2008 18:22:28 +0000

This howto will show you how to use client certificates to authenticate against applications hosted by a BigIP loadbalancer. You may find this howto (or parts of it) on ask.f5.com as they was no documentation before on this topic. I forwarded it to F5 some time ago. This is the only way to use client certificates without purchasing addon modules from F5.

Purpose

If you host a website/application which should only be accessible by some users you you may have already thought about client certificates. This makes brute force attacks against login panels impossible.
This increases the overall application security by adding another layer a user must pass.

The mapping between certificates and access rights is based on a LDAP directory.

Overview

The loadbalancer reads the CN from the client certificate and searches the defined group for the virtual server for a matching entry. The loadbalancer verifies CA and CRL’s before the lookup takes place.

LDAP Setup

Example Tree

                            dc=company,dc=com
                              /         \
                             /           \
                           ...      ou=datacenter
                                     /        \
                                    /          \
                                  ...       ou=webauth
                                              /    \
                                             /      \
                                       ou=users    ou=groups

User & Group LDIF

Here are two LDIF examples for users and groups:

User

dn: cn=Example User,ou=users,ou=webauth,ou=datacenter,dc=company,dc=com

cn: Example User

sn: Example User

objectClass: person

description: It's just a example user

Group

dn: cn=Example Group,ou=groups,ou=webauth,ou=datacenter,dc=company,dc=com

cn: Example Group

objectClass: posixGroup

description: Group is allowed to connect to BigIP's VHOST secure.company.com

memberUid: cn=Example User,ou=users,ou=webauth,ou=datacenter,dc=company,dc=com

memberUid: cn=Example User No2,ou=users,ou=webauth,ou=datacenter,dc=company,dc=com

gidNumber: 145

The “memberUid” has to match exactly the certificates CN because this is the key the BigIP is looking for.

BigIP Configuration

Authentication Configuration

As a firsz step we create a new “Authentication Configuration”. Just open the web frontend and navigate to:

Local Traffic -> Profiles -> Authentication -> Configuration

You have to create a new config for every virtual host you want to secure. This is force by the LDAP group used because every config can only use one group. Here’s a example configuration:

Parameter	Value
Hosts	1.2.3.4
Search Type	User
User Base DN	ou=users,ou=webauth,ou=datacenter,dc=company,dc=com
User Key	cn
Admin DN	DN for binding
Admin Password	Bind password
Group Base DN	ou=groups,ou=webauth,ou=datacenter,dc=company,dc=com
Group Key	cn
Group Member Key	memberUid
Valid Groups	Corresponding LDAP group

Authentication Profile

The next step is to create a profile which inherits the new created config. You need a profile for every configuration. Navigate to

Local Traffic -> Profiles -> Authentication -> Profiles

Parameter	Value
Type	SSL Client Certificate LDAP
Parent Profile	ssl_cc_ldap
Mode	Enabled
Configuration	NAME OF CONF JUST CREATED

CA Upload

If your CA certificate(s) have not been installed it’s time to do so.

Local Traffic -> SSL Certificates -> Import

SSL Profiles

To use SSL (without client certificates too) you need a SSL profile. Navigate to

Local Traffic -> Profiles -> SSL -> Client

Create a new profile based on “clientsl” or one of your already defined profiles.

Parameter	Value
Chain	CompanyBundle
Trusted Certificate Authorities	CompanyBundle
Client Certificate	require
Frequency	always
Advertised Certificate Authorities	CompanyBundle

Virtual Host Configuration

You may create a new virtual host or modify a existing host. Navigate here

Local Traffic -> Virtual Servers

Modify the following parameters (if you already used SSL in this vhost):

Parameter	Value
SSL Profile (Client)	Profile created earlier
Authentication Profiles	Profile created earlier

That’s it!

Import your client certificates to your browser and enjoy your secure connection.

If you have any trouble don’t hesitate to contact me: daniel {A_T} linuxaddicted {D_O_T} de

Postfix Relay based on OpenLDAP

daniel — Mon, 27 Oct 2008 21:12:53 +0000

This howto describes the configuration of a Postfix relay based on OpenLDAP. These are the features of the relay:

User verification through LDAP
Separation on internal and external users
Greylisting
User Relaying based on TLS and LDAP authentication
Forwarding to local mailserver

/etc/postfix/main.cf

#####################################################################
## Global settings
#####################################################################
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
smtpd_banner = mail.company.com ESMTP MailRelay
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = /usr/share/doc/postfix-2.3.6/html
manpage_directory = /usr/share/man
sample_directory = /etc/postfix
readme_directory = /usr/share/doc/postfix-2.3.6/readme
home_mailbox = .maildir/
alias_database = hash:/etc/mail/aliases
 
#####################################################################
## Internet and domain names
#####################################################################
myhostname = mail.company.com
mydomain = company.com
 
#####################################################################
## Sending mail (local)
#####################################################################
myorigin = company.com
 
#####################################################################
## Receiving mail
#####################################################################
inet_interfaces = all
proxy_interfaces =
mydestination =
local_recipient_maps =

As incoming mail doesn’t terminate on the relay we have to remove the values from “mydestination”.
That’s why “local_recipients” is unset as well.

#####################################################################
## Relay control
#####################################################################
relay_domains = company.com
relay_recipient_maps = proxy:ldap:/etc/postfix/ldap/relay_recipients.cf
mynetworks = 192.168.1.0/28

The relay_recipient_map contains the users that mail should be relayed for. It’s not a static list as you may have used it before. It contains the definition where and how to find valid users within the LDAP directory.

The parameter “mynetworks” contains the network of the internal mailservers. There are better (and more secure) ways to do this but for not it’s sufficient.

#####################################################################
## Mail transport
#####################################################################
transport_maps = hash:/etc/postfix/transport

Transport maps define the target system based on the domain.

#####################################################################
## SASL configuration
#####################################################################
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_sasl_auth_clients = yes
 
#####################################################################
## TLS configuration
#####################################################################
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
 
smtpd_tls_CAfile = /etc/postfix/ssl/company-bundle.crt
smtpd_tls_key_file = /etc/postfix/ssl/mail.company.com.key.pem
smtpd_tls_cert_file = /etc/postfix/ssl/mail.company.com.cert.pem

The SASL configuration should be pretty self explanatory. It’s madatory that “smtpd_sasl_security_options” are set to “noanonymous”. If not it would be possible to logon anonymously. This settings force TLS encryption for every login. No TLS -> No Login. The creation and maintenance of SSL certificates is not covered by this howto.

#####################################################################
## SMTP restrictions
#####################################################################
smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks,
check_policy_service unix:private/postgrey,
reject_unauth_destination,
permit

These parameters declare what has to be accomplished that mail is accepted:

Sucessful SASL logon
Mail comes from a trusted network
Postgrey is happy and agreed

/etc/postfix/master.cf

Disable local transport…

...
#local     unix  -       n       n       -       -       local
...

/etc/postfix/transport

company.com        smtp:[mailgw-int.company.com]

This map defines the target mailserver mailgw-int.company.com for the domain company.com.
The square brackets skip the DNS MX check for every delivery.

Don’t forget to convert the map after editing:

[color=red]Nach dem ändern der Map das konvertieren nicht vergessen[/color]:

# postmap hash:/etc/postfix/transport

/etc/postfix/ldap/relay_recipients.cf

bind             = yes
bind_dn          = cn=SMTP Lookup,dc=company,dc=com
bind_pw          = THISisABSOLUTLYsecret
server_host      = ldap://1.2.3.4
search_base      = ou=mail,o=datacenter,c=de,dc=company,dc=com
query_filter     = (&;(maildrop=%s)(destinationIndicator=external))
result_attribute = uid
version          = 3

Should be pretty easy to understand. The most important part is the query filter. I use a combination of maildrop and destinationIndicator. This makes in pretty easy to seperate innternl from external users. This makes it possible to protect internal mailgroups from external access. “%s” will be replaced by the recipients address.

Example LDAP entry:

dn: uid=admin,ou=mail,o=datacenter,c=de,dc=company,dc=com
cn: Admin
destinationIndicator: external
gidNumber: 505
givenName: admin
homeDirectory: /var/spool/mail/admin
mail: admin@company.com
mailbox: /var/spool/mail/admin/Maildir
maildrop: admin@company.com
maildrop: postmaster@company.com
maildrop: abuse@company.com
objectClass: CourierMailAlias
objectClass: CourierMailAccount
objectClass: inetOrgPerson
sn: admin
uid: admin
uidNumber: 505
userPassword: {CRYPT}AbCdEfGhIjKlMnOpQrStUvWxYz

The destinationIndicator declares if the user can receive external mails. All maildrop lines are aliases.