LDAP authentication

System administrators can authenticate to HAProxy ALOHA with a user account defined in an external LDAP server, such as Active Directory Domain Services. You can give each user either administrative access (read/write access) or monitoring access (read-only).

Set up the DNS Jump to heading #

HAProxy ALOHA must be able to query the Active Directory DNS server.

1. In the Services tab, click system setup.

   

2. Enter the name of your AD Domain, and the IP address of the corresponding DNS server.

   Option	Description
   dns_domain	Name of your AD Domain
   dns_servers	IP address of the AD DNS

   haproxy
      service system
     hostname ALOHA1
     rtc utc
     dns_domain mydomain.com
     dns_servers 192.168.1.65

   haproxy
      service system
     hostname ALOHA1
     rtc utc
     dns_domain mydomain.com
     dns_servers 192.168.1.65

   You can also launch the following command from a terminal:

   nix
   sudo config set system dns_domain mydomain.com
      sudo config set system dns_servers 192.168.1.65

   nix
   sudo config set system dns_domain mydomain.com
      sudo config set system dns_servers 192.168.1.65

3. Reload the system service.

4. Launch a terminal from the web UI’s Tools tab or SSH to your HAProxy ALOHA appliance.

5. Check that HAProxy ALOHA can communicate with the DNS server by querying for a DNS hostname within your domain.

   nix
   nslookup dc1.mydomain.com

   nix
   nslookup dc1.mydomain.com

   output
   text
   Server:  192.168.1.65
   Address: 192.168.1.65:53

   output
   text
   Server:  192.168.1.65
   Address: 192.168.1.65:53

Enable the LDAP authentication module Jump to heading #

1. In the Services tab, click pam setup.

   

2. Add LDAP support to the PAM service.

   haproxy
   service pam
     autostart
     ldap_auth 1

   haproxy
   service pam
     autostart
     ldap_auth 1

   Tip

   To get more verbose logs for easier troubleshooting, specify debug 1 as well.

3. Apply your changes to the PAM configuration.

   

4. Restart the PAM service.

   

   You can also launch the following commands from a terminal:

   nix
   sudo config set pam ldap_auth 1
   sudo config set pam autostart
   sudo service pam restart

   nix
   sudo config set pam ldap_auth 1
   sudo config set pam autostart
   sudo service pam restart

Configure the local LDAP name service daemon Jump to heading #

The HAProxy ALOHA nslcd daemon queries LDAP based on the nslcd.conf configuration file.

1. Create a user account in Active Directory that HAProxy ALOHA will use to connect to the credentials store. This user should have a password that never expires. For example, you could create a user with the account name alohalogin.

2. On the HAProxy ALOHA, from the Services tab, click nslcd setup.

   

3. Allow the nslcd daemon to start automatically.

   haproxy
   service nslcd
     autostart

   haproxy
   service nslcd
     autostart

   You can also launch the following command from a terminal:

   nix
   sudo config set nslcd autostart

   nix
   sudo config set nslcd autostart

4. In the Services tab, click the [advanced mode] link, then edit the nslcd service.

   

   The content of the /etc/nslcd.conf NTP configuration file displays.

5. Adapt the nslcd configuration to your LDAP context.

   For example, below is an Active Directory with a schema level from 2008 to 2016.

   nslcd configuration
   text
   uid nobody
   gid nobody
   log syslog
   nss_initgroups_ignoreusers ALLLOCAL
   uri ldap://dc1.mydomain.com/
   base dc=mydomain,dc=com
   filter passwd (objectClass=posixAccount)
   filter group (objectClass=posixGroup)
   binddn cn=alohalogin,cn=Users,dc=mydomain,dc=com
   bindpw mypassword
   # To use LDAP over SSL (first, you have to import your CA file through the Web UI)
   # tls_cacertfile /etc/ssl/frontends/AD2008/crt.pem
   pagesize 1000
   referrals off
   idle_timelimit 800
   filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
   map passwd uid sAMAccountName
   map passwd uidNumber objectSid:S-1-5-21-1608350394-2850411632-306912843
   map passwd gidNumber objectSid:S-1-5-21-1608350394-2850411632-306912843
   map passwd homeDirectory "/home/$sAMAccountName"
   map passwd gecos displayName
   map passwd loginShell "/bin/bash"
   filter group (|(objectClass=group)(objectClass=person))
   map group gidNumber objectSid:S-1-5-21-1608350394-2850411632-306912843

   nslcd configuration
   text
   uid nobody
   gid nobody
   log syslog
   nss_initgroups_ignoreusers ALLLOCAL
   uri ldap://dc1.mydomain.com/
   base dc=mydomain,dc=com
   filter passwd (objectClass=posixAccount)
   filter group (objectClass=posixGroup)
   binddn cn=alohalogin,cn=Users,dc=mydomain,dc=com
   bindpw mypassword
   # To use LDAP over SSL (first, you have to import your CA file through the Web UI)
   # tls_cacertfile /etc/ssl/frontends/AD2008/crt.pem
   pagesize 1000
   referrals off
   idle_timelimit 800
   filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
   map passwd uid sAMAccountName
   map passwd uidNumber objectSid:S-1-5-21-1608350394-2850411632-306912843
   map passwd gidNumber objectSid:S-1-5-21-1608350394-2850411632-306912843
   map passwd homeDirectory "/home/$sAMAccountName"
   map passwd gecos displayName
   map passwd loginShell "/bin/bash"
   filter group (|(objectClass=group)(objectClass=person))
   map group gidNumber objectSid:S-1-5-21-1608350394-2850411632-306912843

   Important

   Enter a newline at the end of the configuration.

   Each LDAP context is specific. You can apply the following template for a standard LDAP deployment:

   • uri: URI referring to the LDAP server. Use the ldaps prefix for LDAP over SSL.

   • base: AD search base.

   • binddn: Distinguished Name used to bind to the LDAP directory. You do not need to escape the space character. On Windows Server, you can use the dquery command to get the value:

     powershell
     PS C:\Users\admin> dsquery user -samid 'alohalogin'

     powershell
     PS C:\Users\admin> dsquery user -samid 'alohalogin'

     output
     text
     "CN=alohalogin,CN=Users,DC=mydomain,DC=com"

     output
     text
     "CN=alohalogin,CN=Users,DC=mydomain,DC=com"

     You can also get this value by displaying the Distinguished Name of the account: turn on Advanced Features in the AD Users and Computers View menu, and display its attributes in the Attribute Editor tab.

     

   Tip

   • To log nslcd actions to syslog, specify log syslog.
   • To ensure that nslcd does not fail at startup when the LDAP server is down, specify the AD search base (for example, base dc=mydomain,dc=com).
   • To minimize latency when a user uses sudo and the LDAP server is offline, specify nss_initgroups_ignoreusers root,admin,monitor.

6. Restart the nslcd service.

   Tip

   Launch nslcd in debug mode in an HAProxy ALOHA terminal to view troubleshooting information:

   nix
   sudo service nslcd stop
   sudo nslcd -d -n   

   nix
   sudo service nslcd stop
   sudo nslcd -d -n   

7. Verify that HAProxy ALOHA can connect to the LDAP server by testing the connection with the ldapsearch command. This command will prompt you to enter the user’s password.

   nix
   ldapsearch -x -H dc1.mydomain.com -D alohalogin@mydomain.com -W -b 'CN=Users,DC=mydomain,DC=com'

   nix
   ldapsearch -x -H dc1.mydomain.com -D alohalogin@mydomain.com -W -b 'CN=Users,DC=mydomain,DC=com'

   text
   # extended LDIF
   #
   # LDAPv3
   # base <dc=mydomain,dc=com> with scope subtree
   # filter: (objectclass=*)
   # requesting: ALL
   #
   # mydomain.com
   dn: DC=mydomain,DC=com
   objectClass: top
   objectClass: domain
   objectClass: domainDNS
   distinguishedName: DC=mydomain,DC=com
   instanceType: 5
   whenCreated: 20211202085814.0Z
   [...]

   text
   # extended LDIF
   #
   # LDAPv3
   # base <dc=mydomain,dc=com> with scope subtree
   # filter: (objectclass=*)
   # requesting: ALL
   #
   # mydomain.com
   dn: DC=mydomain,DC=com
   objectClass: top
   objectClass: domain
   objectClass: domainDNS
   distinguishedName: DC=mydomain,DC=com
   instanceType: 5
   whenCreated: 20211202085814.0Z
   [...]

   Option	Description
   -x	Use simple authentication.
   -h	URI referring to the LDAP server.
   -D	Distinguished Name used to bind to the LDAP directory.
   -W	Prompt for password.
   -b	AD search base.

   If the ldapsearch command fails, check your network configuration.

Enable login for LDAP users Jump to heading #

You can, for example, implement the following list of access rights:

We assume that the four users in the table above have an account created on the AD domain.

1. Launch a terminal from the web UI’s Tools tab or SSH to your HAProxy ALOHA appliance.

2. Edit the file /etc/security/users.conf through the File Manager.

   Add users that have an account on the LDAP server, specifying the following for each:

   Option	Description
   user	The Active Directory user account name.
   auth_type	ldap.
   service	wui, sshd, or login. This restricts how a user can log in.
   allow or deny	Enable or disable user’s login.
   map_to_user	admin for read/write access, or monitor for read-only access.

   For example, these directives implement the example access rights listed earlier in this section.

   /etc/security/users.conf
   user=alice  auth_type=ldap                  : allow map_to_user admin
   user=bob    auth_type=ldap service=wui,sshd : allow map_to_user admin
   user=carol  auth_type=ldap service=wui      : allow map_to_user admin
   user=dave   auth_type=ldap service=wui      : allow map_to_user monitor
   
   :deny

   /etc/security/users.conf
   user=alice  auth_type=ldap                  : allow map_to_user admin
   user=bob    auth_type=ldap service=wui,sshd : allow map_to_user admin
   user=carol  auth_type=ldap service=wui      : allow map_to_user admin
   user=dave   auth_type=ldap service=wui      : allow map_to_user monitor
   
   :deny

   You can also allow access to all users in an AD group:

   text
   group=aloha-admins   auth_type=ldap : allow map_to_user admin
   group=aloha-monitor  auth_type=ldap  : allow map_to_user monitor
   :deny

   text
   group=aloha-admins   auth_type=ldap : allow map_to_user admin
   group=aloha-monitor  auth_type=ldap  : allow map_to_user monitor
   :deny

   Caution

   The :deny entry must be the last in the file.

   HAProxy ALOHA evaluates entries from top to bottom. All entries after :deny are ignored.

Save your configuration Jump to heading #

To make your changes persistent after a reboot, click the Setup tab. Then click Save under Configuration.

The Configuration was successfully saved message displays.

You can also launch the following command from a terminal:

nix
sudo config save

nix
sudo config save

Test your configuration Jump to heading #

Before you allow your LDAP users to log in, you should test a PAM configuration before you apply it.

1. Check that your configuration is parsed correctly:

   nix
   sudo test_pam_user_map check_config -f /etc/security/users.conf

   nix
   sudo test_pam_user_map check_config -f /etc/security/users.conf

   output
   Checking config file /etc/security/users.conf
   Config file /etc/security/users.conf parsed successfully

   output
   Checking config file /etc/security/users.conf
   Config file /etc/security/users.conf parsed successfully

2. Simulate a local user logging in through ssh:

   nix
   sudo test_pam_user_map check_pam_auth \
            -f /etc/security/users.conf check_config -u alice -s sshd -t ldap

   nix
   sudo test_pam_user_map check_pam_auth \
            -f /etc/security/users.conf check_config -u alice -s sshd -t ldap

   output
   text
   Checking PAM access for user alice
   Result: auth_type=ldap allow=1 matched=1 map_to_user=admin
   PAM: access granted

   output
   text
   Checking PAM access for user alice
   Result: auth_type=ldap allow=1 matched=1 map_to_user=admin
   PAM: access granted

3. Test your LDAP configuration with a real user and a real password:

   nix
   sudo test_pam_user_map check_login_pass -f /etc/security/users.conf \
            -u alice -p Hello123Hello123 -s sshd -t ldap

   nix
   sudo test_pam_user_map check_login_pass -f /etc/security/users.conf \
            -u alice -p Hello123Hello123 -s sshd -t ldap

   output
   text
   Validating user=alice password=*** service=sshd
   PAM user has been set to admin
   user/password validated successfully

   output
   text
   Validating user=alice password=*** service=sshd
   PAM user has been set to admin
   user/password validated successfully

   Caution

   Clear your terminal history after running this command.

Limitations Jump to heading #

• When using SCP, user remapping does not work.
• When using SSH keys, user remapping does not work (but key-based authentication does).
• You cannot change the password of an LDAP user using HAProxy ALOHA. If you need to do so, use the tools provided with your LDAP server.

Troubleshooting Jump to heading #

If the message # access denied using ssh, allowed when using login, displays, check the following:

• The AllowGroups directive is commented out in /etc/ssh/sshd_config.

  nix
  sudo grep -i AllowGroups /etc/ssh/sshd_config

  nix
  sudo grep -i AllowGroups /etc/ssh/sshd_config

  output
  # AllowGroups adm users

  output
  # AllowGroups adm users

  If this directive is not commented out, check that your users’ groups are allowed:

  nix
  sudo getent group

  nix
  sudo getent group

• Check that UsePAM is set to yes in /etc/ssh/sshd_config.

  nix
  sudo grep UsePAM /etc/ssh/sshd_config 

  nix
  sudo grep UsePAM /etc/ssh/sshd_config 

  output
  UsePAM yes

  output
  UsePAM yes

See also Jump to heading #

• nslcd - local LDAP name service daemon