Users and passwords

LDAP authentication

This page applies to:

  • HAProxy ALOHA - all versions

System administrators can authenticate to HAProxy ALOHA with a user account defined in an external LDAP server, such as Active Directory Domain Services. You can give each user either administrative access (read/write access) or monitoring access (read-only).

ldap architecture

Caution

Before proceeding, open an SSH session to the HAProxy ALOHA appliance, or launch a terminal from the web UI’s Tools tab, and keep that session open while you work: a mistake in the PAM or nslcd configuration can lock you out of the web UI, and an existing session lets you revert it.

Set up the DNS

HAProxy ALOHA must be able to query the Active Directory DNS server.

  1. In the Services tab, click system setup.

    system setup

  2. Enter the name of your AD Domain, and the IP address of the corresponding DNS server.

    Option        Description
    dns_domain    Name of your AD Domain
    dns_servers   IP address of the AD DNS server

    haproxy
    service system
    hostname ALOHA1
    rtc utc
    dns_domain mydomain.com
    dns_servers 192.168.1.65

    You can also launch the following commands from a terminal:

    nix
    sudo config set system dns_domain mydomain.com
    sudo config set system dns_servers 192.168.1.65

  3. Reload the system service.

  4. Launch a terminal from the web UI’s Tools tab or SSH to your HAProxy ALOHA appliance.

  5. Check that HAProxy ALOHA can communicate with the DNS server by querying for a DNS hostname within your domain.

    nix
    nslookup dc1.mydomain.com

    output
    Server: 192.168.1.65
    Address: 192.168.1.65:53

Enable the LDAP authentication module

  1. In the Services tab, click pam setup.

    pam setup

  2. Add LDAP support to the PAM service.

    haproxy
    service pam
    autostart
    ldap_auth 1

    Tip

    To get more verbose logs for easier troubleshooting, specify debug 1 as well. Remove it once you have finished troubleshooting.

  3. Apply your changes to the PAM configuration.

    apply changes to PAM configuration

  4. Restart the PAM service.

    restart service pam

    You can also launch the following commands from a terminal:

    nix
    sudo config set pam ldap_auth 1
    sudo config set pam autostart
    sudo service pam restart

Configure the local LDAP name service daemon

The HAProxy ALOHA nslcd daemon queries LDAP based on the nslcd.conf configuration file.

  1. Create a user account in Active Directory that HAProxy ALOHA will use to bind to the directory. Give it a password that never expires and no rights beyond reading the directory: the account only looks up users and groups, and its password is stored in clear text on the appliance. For example, you could create a user with the account name alohalogin.

  2. On the HAProxy ALOHA, from the Services tab, click nslcd setup.

    nslcd setup

  3. Allow the nslcd daemon to start automatically.

    haproxy
    service nslcd
    autostart

    You can also launch the following command from a terminal:

    nix
    sudo config set nslcd autostart
  4. In the Services tab, click the [advanced mode] link, then edit the nslcd service.

    nslcd edit

    The content of the /etc/nslcd.conf configuration file displays.

  5. Adapt the nslcd configuration to your LDAP context.

    For example, the configuration below targets an Active Directory domain with a 2008 to 2016 schema level.

    nslcd configuration
    uid nobody
    gid nobody
    log syslog
    nss_initgroups_ignoreusers ALLLOCAL
    uri ldap://dc1.mydomain.com/
    base dc=mydomain,dc=com
    binddn cn=alohalogin,cn=Users,dc=mydomain,dc=com
    bindpw mypassword
    # To use LDAP over SSL, change the uri to ldaps:// and point tls_cacertfile
    # at the CA file you imported through the Web UI
    # tls_cacertfile /etc/ssl/frontends/AD2008/crt.pem
    pagesize 1000
    referrals off
    idle_timelimit 800
    # AD user and group objects are not posixAccount/posixGroup objects unless the
    # Unix attributes are populated, so these filters replace the posixAccount and
    # posixGroup defaults, and the numeric uid/gid values are derived from the
    # objectSid. Replace the SID prefix with your own domain's SID.
    filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
    map passwd uid sAMAccountName
    map passwd uidNumber objectSid:S-1-5-21-1608350394-2850411632-306912843
    map passwd gidNumber objectSid:S-1-5-21-1608350394-2850411632-306912843
    map passwd homeDirectory "/home/$sAMAccountName"
    map passwd gecos displayName
    map passwd loginShell "/bin/bash"
    filter group (|(objectClass=group)(objectClass=person))
    map group gidNumber objectSid:S-1-5-21-1608350394-2850411632-306912843

    Important

    Enter a newline at the end of the configuration.

    Each LDAP context is specific. You can apply the following template for a standard LDAP deployment:

    • uri: URI referring to the LDAP server. Use the ldaps:// prefix for LDAP over SSL. With plain ldap://, simple binds (the bind account's password and every password checked at login) cross the network in clear text.

    • base: AD search base.

    • binddn: Distinguished Name used to bind to the LDAP directory. You do not need to escape the space character. On Windows Server, you can use the dsquery command to get the value:

      powershell
      PS C:\Users\admin> dsquery user -samid 'alohalogin'

      output
      "CN=alohalogin,CN=Users,DC=mydomain,DC=com"

      You can also get this value by displaying the Distinguished Name of the account: turn on Advanced Features in the AD Users and Computers View menu, and display its attributes in the Attribute Editor tab.

      AD attribute editor

    • bindpw: password of the bind account. It is stored in clear text in /etc/nslcd.conf, so keep the file readable only by root (nslcd reads it before dropping privileges to the uid set above) and give the bind account read-only rights.

    • map passwd uidNumber objectSid:S-1-5-21-…: derives numeric uid and gid values from each object's objectSid. The value is the SID of your domain (a user's objectSid without its trailing RID), not the example shown.

    Tip

    • To log nslcd actions to syslog, specify log syslog.
    • To ensure that nslcd does not fail at startup when the LDAP server is down, specify the AD search base (for example, base dc=mydomain,dc=com).
    • To minimize latency when a user uses sudo and the LDAP server is offline, specify nss_initgroups_ignoreusers root,admin,monitor.
  6. Restart the nslcd service.

    Tip

    Launch nslcd in debug mode in an HAProxy ALOHA terminal to view troubleshooting information:

    nix
    sudo service nslcd stop
    sudo nslcd -d -n
  7. Verify that HAProxy ALOHA can reach the LDAP server and that the bind account works by running the ldapsearch command. It prompts you for the bind account's password.

    nix
    ldapsearch -x -H ldap://dc1.mydomain.com -D alohalogin@mydomain.com -W -b 'DC=mydomain,DC=com'

    output
    # extended LDIF
    #
    # LDAPv3
    # base <dc=mydomain,dc=com> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #
    # mydomain.com
    dn: DC=mydomain,DC=com
    objectClass: top
    objectClass: domain
    objectClass: domainDNS
    distinguishedName: DC=mydomain,DC=com
    instanceType: 5
    whenCreated: 20211202085814.0Z
    [...]

    Option Description
    -x Use simple authentication.
    -H URI referring to the LDAP server (ldap:// or ldaps://, matching the uri directive in nslcd.conf).
    -D Distinguished Name, or as here the userPrincipalName, of the account used to bind to the LDAP directory.
    -W Prompt for the bind password.
    -b AD search base.

    If the command fails, check name resolution of the server, that TCP port 389 (636 for ldaps) is reachable from the appliance, and the bind account's credentials. "Can't contact LDAP server" points to a network or TLS problem; "Invalid credentials" (LDAP result 49) means the connection worked and the bind DN or password is wrong.
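Before restarting nslcd, it is worth checking the configuration for the mistakes that cost the most time later. The following script is an added example, not a tool shipped with HAProxy ALOHA or nss-pam-ldapd: it reads nslcd.conf text and flags a missing final newline, a clear-text ldap:// URI without TLS, a filter or map directive given twice for the same map, the documentation's example domain SID left in place, and objectSid maps that disagree on the SID prefix. The two sample configurations at the bottom are constructed for the demonstration; the SID in the hardened one is made up.

```python
"""Sanity checks for an nslcd.conf such as the one in the step above.

Added example, not part of HAProxy ALOHA or nss-pam-ldapd. The sample
configurations at the bottom are constructed; the SID in HARDENED_CONF is
invented and stands for a real domain SID.
"""
import re

# SID prefix from the documentation example. It must be replaced with the SID
# of the real domain (a user's objectSid without the trailing RID).
EXAMPLE_SID = "S-1-5-21-1608350394-2850411632-306912843"
SID_RE = re.compile(r"objectSid:(S-1-5-21-\d+-\d+-\d+)\s*$")


def parse_directives(text):
    """Return [(lineno, key, value)] for every non-empty, non-comment line."""
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            out.append((lineno, key, value.strip()))
    return out


def check_nslcd_conf(text):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    findings = []
    if not text.endswith("\n"):
        findings.append("file does not end with a newline")
    seen = {}       # (directive, map[, attribute]) -> line numbers where it appears
    schemes = []    # URI schemes of every uri directive
    sids = {}       # attribute -> SID prefix used in its objectSid map
    keys = set()
    tls = False
    for lineno, key, value in parse_directives(text):
        keys.add(key)
        if key == "uri":
            schemes.append(value.split("://", 1)[0].lower())
        elif key == "ssl" and value.lower() in ("on", "start_tls"):
            tls = True
        elif key in ("filter", "map"):
            # filter <map> <expr>  /  map <map> <attribute> <expr>
            parts = value.split(None, 2 if key == "map" else 1)
            seen.setdefault((key, *parts[:-1]), []).append(lineno)
            if key == "map" and len(parts) == 3:
                m = SID_RE.search(parts[2])
                if m:
                    sids[parts[1]] = m.group(1)
    if "ldap" in schemes and not tls:
        findings.append("uri uses ldap:// without TLS: the bind password and every "
                        "login password cross the network in clear text; use "
                        "ldaps:// with tls_cacertfile")
    if "ldaps" in schemes and "tls_cacertfile" not in keys:
        findings.append("ldaps:// without tls_cacertfile: make sure the server "
                        "certificate is verified against a CA you trust")
    if "binddn" in keys and "bindpw" not in keys:
        findings.append("binddn is set but bindpw is missing")
    for name, lines in seen.items():
        if len(lines) > 1:
            findings.append(f"{' '.join(name)} is set more than once (lines "
                            f"{', '.join(map(str, lines))}); keep only the one you intend")
    if EXAMPLE_SID in sids.values():
        findings.append("objectSid map still uses the documentation example SID; "
                        "replace it with your domain's SID")
    if len(set(sids.values())) > 1:
        findings.append(f"objectSid maps use different SID prefixes: {sids}")
    return findings


# Constructed: the page's example with the duplicate filter, clear-text URI,
# example SID and no final newline.
WEAK_CONF = """\
uid nobody
gid nobody
uri ldap://dc1.mydomain.com/
base dc=mydomain,dc=com
filter passwd (objectClass=posixAccount)
binddn cn=alohalogin,cn=Users,dc=mydomain,dc=com
bindpw mypassword
filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
map passwd uid sAMAccountName
map passwd uidNumber objectSid:S-1-5-21-1608350394-2850411632-306912843
map passwd gidNumber objectSid:S-1-5-21-1608350394-2850411632-306912843
map group gidNumber objectSid:S-1-5-21-1608350394-2850411632-306912843"""

# Constructed: the same deployment over ldaps:// with a single filter per map
# and a (made-up) real domain SID.
HARDENED_CONF = """\
uid nobody
gid nobody
uri ldaps://dc1.mydomain.com/
tls_cacertfile /etc/ssl/frontends/AD2008/crt.pem
base dc=mydomain,dc=com
binddn cn=alohalogin,cn=Users,dc=mydomain,dc=com
bindpw mypassword
filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
map passwd uid sAMAccountName
map passwd uidNumber objectSid:S-1-5-21-1111111111-2222222222-3333333333
map passwd gidNumber objectSid:S-1-5-21-1111111111-2222222222-3333333333
filter group (|(objectClass=group)(objectClass=person))
map group gidNumber objectSid:S-1-5-21-1111111111-2222222222-3333333333
"""

if __name__ == "__main__":
    for finding in check_nslcd_conf(WEAK_CONF):
        print("WEAK:", finding)
    print("HARDENED findings:", check_nslcd_conf(HARDENED_CONF))
```

On the appliance you would feed it the real file (for example `python3 check_nslcd.py < /etc/nslcd.conf` after replacing the sample at the bottom with `sys.stdin.read()`); the checks are text-only and never contact the directory.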

Enable login for LDAP users

You can, for example, implement the following list of access rights:

                  Alice    Bob      Carol    Dave
  Web interface   admin    admin    admin    monitor
  SSH             admin    admin    -        -
  Serial port     admin    -        -        -

We assume that the four users in the table above have an account created on the AD domain.

  1. Launch a terminal from the web UI’s Tools tab or SSH to your HAProxy ALOHA appliance.

  2. Edit the file /etc/security/users.conf through the File Manager.

    Add users that have an account on the LDAP server, specifying the following for each:

    Option Description
    user The Active Directory user account name.
    auth_type ldap.
    service wui, sshd, or login. This restricts how a user can log in.
    allow or deny Enable or disable user’s login.
    map_to_user admin for read/write access, or monitor for read-only access.

    For example, these directives implement the example access rights listed earlier in this section.

    /etc/security/users.conf
    user=alice auth_type=ldap : allow map_to_user admin
    user=bob auth_type=ldap service=wui,sshd : allow map_to_user admin
    user=carol auth_type=ldap service=wui : allow map_to_user admin
    user=dave auth_type=ldap service=wui : allow map_to_user monitor
    :deny

    You can also allow access to all users in an AD group:

    text
    group=aloha-admins auth_type=ldap : allow map_to_user admin
    group=aloha-monitor auth_type=ldap : allow map_to_user monitor
    :deny

    Caution

    The :deny entry must be the last in the file.

    HAProxy ALOHA evaluates entries from top to bottom. All entries after :deny are ignored.
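To check an access list against the table you intend before relying on test_pam_user_map, the following script models the evaluation rules stated above: entries are read top to bottom, the first matching entry decides, and nothing after :deny is considered. It is an added example, not HAProxy ALOHA's PAM module. Group membership is a constructed lookup table standing in for the LDAP group resolution nslcd performs, and falling off the end without reaching :deny is treated as denied (an assumption; the page requires :deny to be last in any case). The users.conf text is the page's example plus a group rule and one entry placed after :deny to show that it is ignored.

```python
"""Model of how a users.conf access list is evaluated (added example, not ALOHA code)."""

SERVICES = {"wui", "sshd", "login"}          # web UI, SSH, serial/console login
LOCAL_ACCOUNTS = {"admin", "monitor"}        # the two local accounts users map to

# Constructed sample: the page's four users, a group rule, and an entry after :deny.
USERS_CONF = """\
user=alice auth_type=ldap : allow map_to_user admin
user=bob auth_type=ldap service=wui,sshd : allow map_to_user admin
user=carol auth_type=ldap service=wui : allow map_to_user admin
user=dave auth_type=ldap service=wui : allow map_to_user monitor
group=aloha-monitor auth_type=ldap service=wui : allow map_to_user monitor
:deny
user=mallory auth_type=ldap : allow map_to_user admin
"""

# Constructed group membership; in production nslcd resolves this from AD.
GROUPS = {"aloha-monitor": {"erin"}}


def parse_users_conf(text):
    """Return a list of (conditions, action, map_to_user) entries, stopping at ':deny'."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == ":deny":
            entries.append(({}, "deny", None))
            break                                    # later lines are ignored
        if " : " not in line:
            raise ValueError(f"line {lineno}: expected 'conditions : action'")
        cond_part, action_part = line.split(" : ", 1)
        conds = {}
        for tok in cond_part.split():
            key, _, val = tok.partition("=")
            if key not in ("user", "group", "auth_type", "service") or not val:
                raise ValueError(f"line {lineno}: bad condition {tok!r}")
            conds[key] = set(val.split(",")) if key == "service" else val
        if not conds.get("service", SERVICES) <= SERVICES:
            raise ValueError(f"line {lineno}: unknown service in {cond_part!r}")
        words = action_part.split()
        if words == ["deny"]:
            entries.append((conds, "deny", None))
        elif (len(words) == 3 and words[0] == "allow"
              and words[1] == "map_to_user" and words[2] in LOCAL_ACCOUNTS):
            entries.append((conds, "allow", words[2]))
        else:
            raise ValueError(f"line {lineno}: bad action {action_part!r}")
    return entries


def check_access(entries, user, service, auth_type="ldap", groups=GROUPS):
    """Return the local account the login maps to, or None when it is denied."""
    for conds, action, map_to in entries:
        if "user" in conds and conds["user"] != user:
            continue
        if "group" in conds and user not in groups.get(conds["group"], ()):
            continue
        if "auth_type" in conds and conds["auth_type"] != auth_type:
            continue
        if "service" in conds and service not in conds["service"]:
            continue
        return map_to if action == "allow" else None   # first match decides
    return None                                        # assumption: default deny


def access_matrix(entries, users, services=("wui", "sshd", "login")):
    """Build {user: {service: mapped account or None}} to compare with the intended table."""
    return {u: {s: check_access(entries, u, s) for s in services} for u in users}


if __name__ == "__main__":
    matrix = access_matrix(parse_users_conf(USERS_CONF),
                           ["alice", "bob", "carol", "dave", "erin", "mallory"])
    for user, row in matrix.items():
        print(f"{user:8}", "  ".join(f"{s}={row[s] or '-'}" for s in row))
```

The printed matrix should reproduce the table at the top of this section, with erin granted monitor access to the web UI through the group rule and mallory denied everywhere because her entry sits after :deny.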

Save your configuration

To make your changes persistent after a reboot, click the Setup tab. Then click Save under Configuration.

The Configuration was successfully saved message displays.

configuration saved

You can also launch the following command from a terminal:

nix
sudo config save

Test your configuration

Test the PAM configuration before you allow your LDAP users to log in.

  1. Check that your configuration is parsed correctly:

    nix
    sudo test_pam_user_map check_config -f /etc/security/users.conf

    output
    Checking config file /etc/security/users.conf
    Config file /etc/security/users.conf parsed successfully
  2. Simulate an LDAP user logging in through SSH. This checks only which users.conf entry matches and which local account the user is mapped to; the password is validated in the next step:

    nix
    sudo test_pam_user_map check_pam_auth \
    -f /etc/security/users.conf -u alice -s sshd -t ldap

    output
    Checking PAM access for user alice
    Result: auth_type=ldap allow=1 matched=1 map_to_user=admin
    PAM: access granted
  3. Test your LDAP configuration with a real user and a real password:

    nix
    sudo test_pam_user_map check_login_pass -f /etc/security/users.conf \
    -u alice -p Hello123Hello123 -s sshd -t ldap

    output
    Validating user=alice password=*** service=sshd
    PAM user has been set to admin
    user/password validated successfully

    Caution

    The password is passed on the command line, so it is written to your shell history and is visible to other local users in the process list while the command runs. Clear your terminal history after running this command, and prefer a test account over an administrator's real credentials.

Limitations

  • When using SCP, user remapping does not work.
  • When using SSH keys, user remapping does not work (but key-based authentication does).
  • You cannot change the password of an LDAP user using HAProxy ALOHA. If you need to do so, use the tools provided with your LDAP server.

Troubleshooting

If a user is accepted on the console (the login service) but gets "access denied" over SSH, check the following:

  • The AllowGroups directive is commented out in /etc/ssh/sshd_config.

    nix
    sudo grep -i AllowGroups /etc/ssh/sshd_config

    output
    # AllowGroups adm users

    If this directive is not commented out, check that the groups your LDAP users resolve to are among the allowed ones:

    nix
    sudo getent group

  • UsePAM is set to yes in /etc/ssh/sshd_config; without it sshd never consults the PAM user mapping.

    nix
    sudo grep UsePAM /etc/ssh/sshd_config

    output
    UsePAM yes
