LDAP: Difference between revisions
Latest revision as of 16:31, 17 November 2018
= LDAP =
Historically, the Hackspace did not have any connection between the membership database on Turing and user logins. With the advent of LDAP we can extend functionality that helps to manage the space, and there are loads of neat things we could be doing with a membership database we can reach from software, like spacefed.
You can set up your LDAP account at https://london.hackspace.org.uk/members/ldap.php
This page documents our attempts to make LDAP work, and how to use it.
== FAQ ==
=== I don't care about spacefed and just want to use the workshops at the hackspace, can I ignore this LDAP thing? ===
Yes.
=== What can I use my LDAP account for? ===
* Logging into chomsky (the multi-user shared Linux environment), Services (for things we care a bit about) and Adminstuff (for things we care more about).
* Spinning up VMs on Landin via the Proxmox VE administration interface.
* spacenet/spacefed authenticated wifi access at London Hackspace and other participating hackerspaces/makerspaces (also see below).
* Logging in to the CNC suite of machines.
=== Why do we have to have an NTLMv2 hash? ===
It's needed for EAP-MSCHAPv2 on spacenet; apparently only that and EAP-TLS work with Windows.
We may also need it if we want per-user Samba shares.
Adding client certificate support would be good for a number of reasons; patches welcome.
=== Why is the NTLMv2 hash so bad? ===
The hash it uses is not very good: MD4, and it just hashes the password (i.e., no salt). This means that if someone hacks the LDAP server and gets a list of hashes, it's trivial to use an offline dictionary of hashed passwords (aka a rainbow table) to find people's passwords.
=== I use the same password everywhere, should I use it for the SSHA and NTLM hashes? ===
No!
Please look into getting a password manager (keepassx works for me), and use the password manager's 'generate' function to generate a random password.
=== Can I choose any username I like? ===
Yes, but please be considerate of others: if you use one name on the mailing list, another in real life and yet another on IRC, expect a lot of confused people who don't know who you are. Please try to keep things simple by having consistent names.
Additionally, attempting to impersonate someone else will get you into trouble very quickly...
=== Can I change the LDAP username after I've chosen it? ===
At the moment, no. Choose carefully!
=== Any spacenet config hints? ===
Yes:
* Always configure the anonymous identity as anonymous@london.hackspace.org.uk; this prevents others from seeing your real username and thus tracking you.
* Always install the server certificate as a CA on your client(s), or specify the server name and the CA that signed the certificate.
* Our server name is: spacefed.london.hackspace.org.uk
* The certificate will be issued by Let's Encrypt and will validate correctly.
=== Any hints on the sshfp thing? ===
Sure, add this to your .ssh/config:
 VerifyHostKeyDNS yes
 CanonicalizeHostname yes
 CanonicalDomains lan.london.hackspace.org.uk london.hackspace.org.uk
 CanonicalizeFallbackLocal yes
(you'll need to be on Debian release jessie, or something else with a fairly modern version of ssh).
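What VerifyHostKeyDNS actually compares is the SSHFP record for the host against the key the server presents. The following added example (not code from the wiki; the key it uses is built from constructed bytes and is not a real Hackspace host key) produces the record data that `ssh-keygen -r` would emit for a public key line and performs the same fingerprint comparison the client does, using the algorithm and fingerprint-type code points from RFC 4255 and its successors.

```python
import base64
import hashlib
import struct
from typing import List, Optional, Tuple

# SSHFP code points: RFC 4255 (RSA, DSA, SHA-1), RFC 6594 (ECDSA, SHA-256), RFC 7479 (Ed25519).
SSHFP_ALGO = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}

Record = Tuple[int, int, str]   # (algorithm, fingerprint type, hex fingerprint)


def _key_blob(pubkey_line: str) -> Tuple[Optional[int], bytes]:
    """Return (SSHFP algorithm number, raw key blob) for an OpenSSH public key line."""
    keytype, b64 = pubkey_line.split()[:2]
    return SSHFP_ALGO.get(keytype), base64.b64decode(b64)


def sshfp_records(pubkey_line: str, fptypes=(1, 2)) -> List[Record]:
    """Record data as `ssh-keygen -r host` prints it: fingerprint over the base64-decoded key blob."""
    algo, blob = _key_blob(pubkey_line)
    if algo is None:
        raise ValueError("no SSHFP algorithm number for this key type")
    return [(algo, t, SSHFP_FPTYPE[t](blob).hexdigest()) for t in fptypes]


def host_key_matches(pubkey_line: str, published: List[Record]) -> bool:
    """The check VerifyHostKeyDNS performs: some published record must match the presented key."""
    algo, blob = _key_blob(pubkey_line)
    for r_algo, r_type, r_fp in published:
        if r_algo != algo or r_type not in SSHFP_FPTYPE:
            continue                       # wrong algorithm or a fingerprint type we can't compute
        if SSHFP_FPTYPE[r_type](blob).hexdigest() == r_fp.lower():
            return True
    return False


def constructed_ed25519_pubkey() -> str:
    """A syntactically valid ssh-ed25519 line built from constructed bytes; not a real host key."""
    raw = bytes(range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " example-host"


if __name__ == "__main__":
    line = constructed_ed25519_pubkey()
    for algo, fptype, fp in sshfp_records(line):
        print("example-host. IN SSHFP %d %d %s" % (algo, fptype, fp))
    print(host_key_matches(line, sshfp_records(line)))
```

One caveat the config snippet above hides: ssh only treats a matching SSHFP record as authoritative when the DNS answer was DNSSEC-validated by the resolver. Without validation it still prints that a matching fingerprint was found but asks you to confirm the key, so the zone and your resolver both need DNSSEC for VerifyHostKeyDNS to remove the prompt.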
=== Example configuration ===
Tested by esotericnonsense on 2018-11-17 at Ujima House.
Add the following to wpa_supplicant.conf:
 network={
     ssid="spacenet"
     identity="$YOUR_LDAP_USERNAME@london.hackspace.org.uk"
     anonymous_identity="anonymous@london.hackspace.org.uk"
     domain_match="spacefed.london.hackspace.org.uk"
     password="$YOUR_LDAP_NTLM_PASSWORD"
     eap=TTLS
     key_mgmt=WPA-EAP
     phase2="auth=PAP"
 }
Note that the domain_match option is ''important''. Without it, someone could spoof the RADIUS server and capture your password.
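Because the difference between a safe and an unsafe spacenet block is a couple of missing lines, here is an added example (not from the wiki or from wpa_supplicant itself) that parses wpa_supplicant.conf network blocks and checks them against the hints on this page: the anonymous identity, the realm, the domain_match server name, and a CA to validate against. Both configs are constructed for the example; the good one is the tested block above plus a ca_cert pointing at the Debian system bundle, which is an assumed path, and the weak one is what people tend to write when they just want the wifi to work.

```python
import re
from typing import Dict, List

EXPECTED_SERVER = "spacefed.london.hackspace.org.uk"     # server name from the page
EXPECTED_ANON = "anonymous@london.hackspace.org.uk"      # anonymous identity from the page
REALM = "@london.hackspace.org.uk"

# Constructed configs for the example. GOOD_CONF follows every hint on the page;
# the ca_cert path is an assumption (Debian's system bundle). WEAK_CONF omits
# anonymous_identity, domain_match and ca_cert.
GOOD_CONF = """
network={
    ssid="spacenet"
    identity="alice@london.hackspace.org.uk"
    anonymous_identity="anonymous@london.hackspace.org.uk"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    domain_match="spacefed.london.hackspace.org.uk"
    password="example-only"
    eap=TTLS
    key_mgmt=WPA-EAP
    phase2="auth=PAP"
}
"""

WEAK_CONF = """
network={
    ssid="spacenet"
    identity="alice@london.hackspace.org.uk"
    password="example-only"
    eap=TTLS
    key_mgmt=WPA-EAP
    phase2="auth=PAP"
}
"""

_BLOCK = re.compile(r"network\s*=\s*\{(.*?)\}", re.S)
_KV = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")


def parse_networks(text: str) -> List[Dict[str, str]]:
    """Split wpa_supplicant.conf into network blocks mapping key -> value (surrounding quotes stripped)."""
    nets = []
    for m in _BLOCK.finditer(text):
        block: Dict[str, str] = {}
        for line in m.group(1).splitlines():
            kv = _KV.match(line.split("#", 1)[0])   # drop trailing comments
            if kv:
                block[kv.group(1)] = kv.group(2).strip('"')
        nets.append(block)
    return nets


def lint_network(net: Dict[str, str]) -> List[str]:
    """Findings for one spacenet block; an empty list means every hint on the page is followed."""
    findings: List[str] = []
    if net.get("key_mgmt") != "WPA-EAP" or net.get("ssid") != "spacenet":
        return findings                                  # not the network this page is about
    if net.get("anonymous_identity") != EXPECTED_ANON:
        findings.append("anonymous_identity is not %s: the outer identity exposes your real username" % EXPECTED_ANON)
    if not net.get("identity", "").endswith(REALM):
        findings.append("identity lacks the %s realm" % REALM)
    server = net.get("domain_match") or net.get("domain_suffix_match")
    if server is None:
        findings.append("no domain_match: a spoofed RADIUS server would be accepted and could capture the password")
    elif server != EXPECTED_SERVER:
        findings.append("domain_match is %r, expected %r" % (server, EXPECTED_SERVER))
    if "ca_cert" not in net and "ca_path" not in net:
        findings.append("no ca_cert: wpa_supplicant does not verify the server certificate chain without one")
    return findings


def lint_config(text: str) -> List[List[str]]:
    """One findings list per network block, in file order."""
    return [lint_network(n) for n in parse_networks(text)]


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("weak", WEAK_CONF)):
        print(name, lint_config(conf))
```

domain_match pins the name the RADIUS server's certificate must carry, and ca_cert is what makes that certificate check mean anything: with phase2 set to PAP the password travels inside the TTLS tunnel in clear, so the tunnel endpoint has to be verified before the password is sent.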