LDAP

From London Hackspace Wiki
Revision as of 20:53, 5 August 2018 by JasperWallace (talk | contribs) (cross out almost certainly dead cert)

LDAP

Historically, the Hackspace did not not have any kind of connection between the membership db on Turing and user logins, but with the advent of LDAP, it has allowed us to extend functionality that helps to manage the space. Additionally there are loads of neat things we could be doing if we had a membership db we could get at in software, like spacefed.

You can setup your LDAP account at https://london.hackspace.org.uk/members/ldap.php

This page documents our attempts to make LDAP work, and how to use it.

FAQ

I don't care about spacefed and just want to use the workshops at the hackspace, can I ignore this LDAP thing?

Yes.

What can I use my LDAP account for?

Why do we have to have an NTLMv2 hash?

It's needed for EAP-MSCHAPv2 for spacenet, apparently only that and EAP-TLS work with windows.

We may also need it if we want per user samba shares.

Adding client certificate support would be good for a number of reasons, patches welcome.

Why is the NTLMv2 hash so bad?

The hash it uses is not very good: MD4, and just hashes the password (i.e., no salt), this means that if someone hacks the LDAP server and gets a list of hashes then it's trivial to use an offline dictionary of hashed password (aka a rainbow table) to find peoples passwords.

I use the same password everywhere, should I use it for the SSHA and NTLM hash's?

No!

Please look into getting a password manager (keepassx works for me), and use the password managers 'generate' function to generate a random password.

Can I choose any username I like?

Yes, but please be considerate of others - If you use one name on the mailing list, another in real life and yet another in IRC expect a lot of confused people who don't know who you are. Please try to keep things simple by having consistent names.

Additionally attempting to impersonate someone else will get you in to trouble very quickly...

Can I change the LDAP username after I've chosen it?

At the moment, no. Choose carefully!

Any spacenet config hints?

yes:

  • Always configure the anonymous identity as anonymous@london.hackspace.org.uk, this prevents others from seeing the real username and thus tracking.
  • Always install the server certificate as CA on your client(s) or specify the server name and the CA that signed the certificate.
  • Our server name is: spacefed.london.hackspace.org.uk
  • Cert details here are almost certainly wrong now!
    • The root cert is: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority
    • with fingerprint: SHA1 Fingerprint=3E:2B:F7:F2:03:1B:96:F3:8C:E6:C4:D8:A8:5D:3E:2D:58:47:6A:0F
    • our certificate has this fingerprint: SHA1 Fingerprint=0F:71:77:D2:A2:0B:46:B2:22:C3:AB:50:98:66:DD:5D:41:91:9B:45
    • Startcom's root ca is here: https://www.startssl.com/certs/ca.pem

Any hints on the sshfp thing?

Sure, add this to your .ssh/config:

VerifyHostKeyDNS yes
CanonicalizeHostname yes
CanonicalDomains lan.london.hackspace.org.uk london.hackspace.org.uk
CanonicalizeFallbackLocal yes

(you'll need to be on Debian release jessie, or something else with a fairly modern version of ssh).