LDAP: Difference between revisions

From London Hackspace Wiki
(some more spacenet info)
No edit summary
 
(12 intermediate revisions by 5 users not shown)
Line 2: Line 2:
= LDAP =
= LDAP =


Although the hackspace has had [[babbage]] for ages we've not had any kind of connection between the membership db on [[turing]] and babbage, or anything else. Additionally there are loads of neat things we could be doing if we had a membership db we could get at in software, like [http://spacefed.net spacefed].
Historically, the Hackspace did not not have any kind of connection between the membership db on [[Turing]] and user logins, but with the advent of LDAP, it has allowed us to extend functionality that helps to manage the space. Additionally there are loads of neat things we could be doing if we had a membership db we could get at in software, like [http://spacefed.net spacefed].
 
You can setup your LDAP account at [https://london.hackspace.org.uk/members/ldap.php https://london.hackspace.org.uk/members/ldap.php]


This page documents our attempts to make LDAP work, and how to use it.
This page documents our attempts to make LDAP work, and how to use it.
Line 8: Line 10:
== FAQ ==
== FAQ ==


=== I don't care about babbage or spacefed and just want to use the workshops at the hackspace, can I ignore this LDAP thing? ===
=== I don't care about spacefed and just want to use the workshops at the hackspace, can I ignore this LDAP thing? ===


Yes.
Yes.
=== What can I use my LDAP account for? ===
* logging into [[Equipment/Landin#Chomsky|chomsky]] (the multi-user shared Linux environment), [[Equipment/Landin#Services|Services]] (for things we care a bit about), [[Equipment/Landin#Adminstuff|Adminstuff]] (for things we care more about)
* You can spin up vm's on [[Equipment/Landin|Landin]] via Proxmox VE administration.
* spacenet/spacefed authenticated wifi access at London Hackspace and other participating hackerspaces/makerspaces. (also see below)
* Login to the CNC Suite of machines


=== Why do we have to have an NTLMv2 hash? ===
=== Why do we have to have an NTLMv2 hash? ===
Line 22: Line 31:
=== Why is the NTLMv2 hash so bad? ===
=== Why is the NTLMv2 hash so bad? ===


The hash it uses is not very good: [https://en.wikipedia.org/wiki/MD4 MD4], and just hashes the password (i.e., no [https://en.wikipedia.org/wiki/Salt_%28cryptography%29 salt]), this means that if someone hacks the ldap server and gets a list of hashes then it's trivial to use an offline dictionary of hashed password (aka a rainbow table) to find peoples passwords.
The hash it uses is not very good: [https://en.wikipedia.org/wiki/MD4 MD4], and just hashes the password (i.e., no [https://en.wikipedia.org/wiki/Salt_%28cryptography%29 salt]), this means that if someone hacks the LDAP server and gets a list of hashes then it's trivial to use an offline dictionary of hashed password (aka a rainbow table) to find peoples passwords.


=== I use the same password everywhere, should I use it for the SSHA and NTLM hash's? ===
=== I use the same password everywhere, should I use it for the SSHA and NTLM hash's? ===
Line 48: Line 57:


* Our server name is: spacefed.london.hackspace.org.uk
* Our server name is: spacefed.london.hackspace.org.uk
* The root cert is: <nowiki>C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority</nowiki>
* The certificate will be issued by LetsEncrypt and will validate correctly
* with fingerprint: SHA1 Fingerprint=3E:2B:F7:F2:03:1B:96:F3:8C:E6:C4:D8:A8:5D:3E:2D:58:47:6A:0F
 
=== Any hints on the sshfp thing? ===
 
Sure, add this to your .ssh/config:
 
<nowiki>
VerifyHostKeyDNS yes
CanonicalizeHostname yes
CanonicalDomains lan.london.hackspace.org.uk london.hackspace.org.uk
CanonicalizeFallbackLocal yes
</nowiki>
 
(you'll need to be on Debian release jessie, or something else with a fairly modern version of ssh).
 
=== Example configuration ===
 
Tested by esotericnonsense on 2018-11-17 at Ujima House.
 
Add the following to wpa_supplicant.conf:
 
<nowiki>
network={
    ssid="spacenet"
    identity="$YOUR_LDAP_USERNAME@london.hackspace.org.uk"           
    anonymous_identity="anonymous@london.hackspace.org.uk" 
    domain_match="spacefed.london.hackspace.org.uk"
    password="$YOUR_LDAP_NTLM_PASSWORD"
    eap=TTLS
    key_mgmt=WPA-EAP
    phase2="auth=PAP"
}</nowiki>
 
Note that the domain_match option is _important_. Without it, someone could spoof a RADIUS server and your password could be acquired by them.

Latest revision as of 16:31, 17 November 2018

LDAP

Historically, the Hackspace did not not have any kind of connection between the membership db on Turing and user logins, but with the advent of LDAP, it has allowed us to extend functionality that helps to manage the space. Additionally there are loads of neat things we could be doing if we had a membership db we could get at in software, like spacefed.

You can setup your LDAP account at https://london.hackspace.org.uk/members/ldap.php

This page documents our attempts to make LDAP work, and how to use it.

FAQ

I don't care about spacefed and just want to use the workshops at the hackspace, can I ignore this LDAP thing?

Yes.

What can I use my LDAP account for?

  • logging into chomsky (the multi-user shared Linux environment), Services (for things we care a bit about), Adminstuff (for things we care more about)
  • You can spin up vm's on Landin via Proxmox VE administration.
  • spacenet/spacefed authenticated wifi access at London Hackspace and other participating hackerspaces/makerspaces. (also see below)
  • Login to the CNC Suite of machines

Why do we have to have an NTLMv2 hash?

It's needed for EAP-MSCHAPv2 for spacenet, apparently only that and EAP-TLS work with windows.

We may also need it if we want per user samba shares.

Adding client certificate support would be good for a number of reasons, patches welcome.

Why is the NTLMv2 hash so bad?

The hash it uses is not very good: MD4, and just hashes the password (i.e., no salt), this means that if someone hacks the LDAP server and gets a list of hashes then it's trivial to use an offline dictionary of hashed password (aka a rainbow table) to find peoples passwords.

I use the same password everywhere, should I use it for the SSHA and NTLM hash's?

No!

Please look into getting a password manager (keepassx works for me), and use the password managers 'generate' function to generate a random password.

Can I choose any username I like?

Yes, but please be considerate of others - If you use one name on the mailing list, another in real life and yet another in IRC expect a lot of confused people who don't know who you are. Please try to keep things simple by having consistent names.

Additionally attempting to impersonate someone else will get you in to trouble very quickly...

Can I change the LDAP username after I've chosen it?

At the moment, no. Choose carefully!

Any spacenet config hints?

yes:

  • Always configure the anonymous identity as anonymous@london.hackspace.org.uk, this prevents others from seeing the real username and thus tracking.
  • Always install the server certificate as CA on your client(s) or specify the server name and the CA that signed the certificate.
  • Our server name is: spacefed.london.hackspace.org.uk
  • The certificate will be issued by LetsEncrypt and will validate correctly

Any hints on the sshfp thing?

Sure, add this to your .ssh/config:

VerifyHostKeyDNS yes
CanonicalizeHostname yes
CanonicalDomains lan.london.hackspace.org.uk london.hackspace.org.uk
CanonicalizeFallbackLocal yes

(you'll need to be on Debian release jessie, or something else with a fairly modern version of ssh).

Example configuration

Tested by esotericnonsense on 2018-11-17 at Ujima House.

Add the following to wpa_supplicant.conf:

network={
    ssid="spacenet"
    identity="$YOUR_LDAP_USERNAME@london.hackspace.org.uk"             
    anonymous_identity="anonymous@london.hackspace.org.uk"   
    domain_match="spacefed.london.hackspace.org.uk"
    password="$YOUR_LDAP_NTLM_PASSWORD"
    eap=TTLS
    key_mgmt=WPA-EAP
    phase2="auth=PAP"
}

Note that the domain_match option is _important_. Without it, someone could spoof a RADIUS server and your password could be acquired by them.