[Network Administration] : OpenLDAP and SASL Passthrough

I needed to get SASL passthrough working since I have some things that need to bind to the LDAP server. Specifically, I need to be able to authenticate to my Synology NAS with my LDAP account. Until now, I’ve just used NFS permissions to mount the shares to the system (mainly using the automounter, which gets its information from the LDAP server). If I need to allow clients to bind to the LDAP server for authentication, then the server needs to be able to verify the password. I store my passwords in the Kerberos KDC, but I can have LDAP pass the authentication through to a SASL backend instead of storing the passwords locally in the directory.


[Network Administration]: OS X and Mobile Accounts

I have both Ubuntu and OS X machines. One of the goals is to have access to all of the same information regardless of where I log in, and to have it transparent to the machine that I’m actually using.

[Network Administration]: No Littering!

I’m beginning to get annoyed by all of the hidden/system files and directories that have begun to litter my NFS server. In particular, there are two.

The first is the .DS_Store files. These come from OS X Finder and are written every time a directory is accessed. I find them all over my NFS directories on my NAS. Apple has a KB note about how to turn these off over network connections. You can actually go one step further and disable the file creation globally.

defaults write /Library/Preferences/com.apple.desktopservices DSDontWriteNetworkStores true

This will write the plist for the system wide preferences.

I’ve also seen a post that this should also work on USB or local drives with the key DSDontWriteUSBStores and DSDontWriteLocalStores. I haven’t tried any of this though — just a warning.

The other directories that litter my NAS are the @eaDir directories. These are created on my Synology DS212 NAS. There is a post that details how to prevent the creation of these directories. Basically, these are created by a bunch of indexing daemons.

To find all of the .DS_Store files from the command line, search down from the current directory with

find . -name .DS_Store -type f

and optionally remove them in the same pass by appending -delete (or by piping the list through xargs rm -f). The Synology directories are found the same way; note that -name is case sensitive, so the pattern has to be @eaDir, not @eadir:

find . -name @eaDir -type d

Since these are directories with contents, removing them needs -prune and rm -rf rather than -delete:

find . -name @eaDir -type d -prune -exec rm -rf {} +

[Network Administration]: Synology DS212 Performance

I’m just going to put this here as some performance numbers that I’ve collected for the DS212 that I have running.
The NAS is connected via a CAT6 cable to a Netgear GS105 5-port gigabit switch. I also have this connected to a Mac Mini via a CAT6 cable. The switch is also connected to a wifi access point and the gateway/modem. With this, I should be able to route traffic between the NAS and the Mac Mini at gigabit speeds allowing me to stream audio and more importantly HD video. These numbers are over nfs directory mounts.

I’ve tested this using three different read and write operations (6 total, averaged over 20 iterations).

  • Copy an entire MP3 album to the NAS – total of 98,140KB
  • Copy an MP4 Video to the NAS – 679,692KB
  • Dump 1GB of data to the NAS from /dev/zero (no disk access on the source side) – 1,048,576KB
  • Copy an entire MP3 album from the NAS – total of 98,140KB
  • Copy an MP4 video from the NAS – 679,692KB
  • Read 1GB of data from the NAS to /dev/null (no disk access on the destination side) – 1,048,576KB

For dumping the 1GB over the wired network to the NAS, I’ve been able to get an average rate of about 27MB/s writing to the NAS. On the read side, I can get over 80MB/s from the NAS, enough to stream HD video. Of course, as the file sizes go down, the rate also drops off: the video transfer was more along the lines of under 60MB/s, and around 50MB/s for the audio files. Also, to note, I have my NAS set up for RAID1. Wifi access is slower, of course. It peaks at almost 7MB/s reading and about 5.5MB/s writing. That’s getting me almost 49Mb/s over the wifi link.

The read is pretty close to what Synology is advertising for the DS212j: 92MB/s read and about 50MB/s write. I’m not getting close to 50MB/s on the write. There may be something to it, or it may be the protocol they use for their tests, which is Windows upload/download, probably SMB. At least as far as writes are concerned, AFP writes are faster than NFS writes here, so I would expect that it could get closer to the numbers they are giving.

One thing that I did notice is that I’m getting better throughput over the wifi link with my NFS buffers increased to 32K on both the read and the write side. My NFS mount options look like resvport,atime,rsize=32768,wsize=32768. The resvport option makes OS X send its NFS requests from a reserved (privileged, below 1024) source port, which the Linux NFS server insists on by default; without it the mount is refused. The alternative is to add the insecure option to that export in /etc/exports so the server also accepts requests from unprivileged ports. The name overstates it: the reserved-port check only proves that a root process on the client opened the connection, and with the usual AUTH_SYS security the server already trusts whatever UID the client claims, so insecure gives up very little on a network where you already trust root on the client machines.

[Figure: network performance numbers]

[Network Administration]: Automount maps in LDAP

I’ve got my LDAP server up and running based on the previous post. I’ve got my home directories that I’ve placed on the Synology NAS. What I would like to do is automount them when needed. I’m going to load these from the LDAP server so that I can have just one location for the automount maps.
I’m using the rfc2307bis schema for my LDAP server, so it’s already got all of the automount objectclasses already defined in there. I’m going to use those.
I’m going to start with the Ubuntu autofsLDAP doc, with some changes for using the rfc2307bis objectclasses automountMap and automount. The class automountMap is essentially the map file that would reside on the machine (automountMapName is the filename), and automount is an entry in that map (automountKey is the key from the map file, and automountInformation is the remainder: the options and the location).

A couple of quick notes. The /home map is an indirect map, since we’re going to be using wildcards. In the LDAP entries, Linux autofs accepts either “/” or “*” as the wildcard key and handles both, whereas OS X autofs supports only “*”. Also, I’m going to be loading the OS specific home directory from the NAS: for Linux machines I’ll mount /Linux off the NAS, and for OS X I’ll mount /Darwin, so the two don’t get cluttered with each other’s OS files. Which one is used is determined by the ${OSNAME} variable in the last entry.
[Update: 1/25/2013]: You can mount the OS specific home directory if you want using the ${OSNAME} variable. I’m using a single directory for linux and OS X and am going to merge the desktops and the shell initialization scripts for both. Also, I’m going to convert to using the Sun names for the maps as auto_master instead of auto.master.
Here is my LDAP tree for the autofs:

## This is the branch for automounter
dn: ou=autofs,ou=daemon,dc=ldap,dc=server,dc=tld
ou: autofs
objectClass: top
objectClass: organizationalUnit

## This defines the auto_master
dn: automountMapName=auto_master,ou=autofs,ou=daemon,dc=ldap,dc=server,dc=tld
objectClass: top
objectClass: automountMap
automountMapName: auto_master
description: master table for automounter

## This is the entry in the master map (auto_master)
dn: automountKey=/home,automountMapName=auto_master,ou=autofs,ou=daemon,dc=ldap,dc=server,dc=tld
objectClass: top
objectClass: automount
automountKey: /home
automountInformation: auto_home
description: indirect map auto_home for account homes

## This defines auto_home
dn: automountMapName=auto_home,ou=autofs,ou=daemon,dc=ldap,dc=server,dc=tld
objectClass: top
objectClass: automountMap
automountMapName: auto_home
description: home directories table for automounter

dn: automountKey=*,automountMapName=auto_home,ou=autofs,ou=daemon,dc=ldap,dc=server,dc=tld
objectClass: top
objectClass: automount
automountKey: *
automountInformation: -fstype=nfs,rw,atime,sync filer-01:/volume1/accounts/&
description: mapping for nfs mount of home dirs

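To make the mapping concrete, here is a small script that reads entries like the ones above and does what the automounter does with them: it groups each automount entry under the automountMap named in its DN, renders a map as the flat file it stands for, and resolves a lookup the way autofs does (master map, then the indirect map it names, an exact key before the wildcard, then expansion of & and ${OSNAME}). This is an added example, not code from the post or from autofs. The embedded LDIF is constructed to mirror the tree above, but it deliberately uses the Linux-only “/” wildcard key so the OS X compatibility check has something to flag, and the ${OSNAME} path follows the first description of the layout rather than the update. All function names are mine.

```python
import re

# Constructed sample mirroring the post's tree: auto_master -> /home -> auto_home.
# The wildcard key is written as "/" (accepted by Linux autofs in LDAP, but not by
# OS X) and the location uses ${OSNAME} as in the post's first layout.
SAMPLE_LDIF = """\
dn: automountMapName=auto_master,ou=autofs,ou=daemon,dc=ldap,dc=server,dc=tld
objectClass: top
objectClass: automountMap
automountMapName: auto_master

dn: automountKey=/home,automountMapName=auto_master,ou=autofs,ou=daemon,dc=ldap,dc=server,dc=tld
objectClass: top
objectClass: automount
automountKey: /home
automountInformation: auto_home

dn: automountMapName=auto_home,ou=autofs,ou=daemon,dc=ldap,dc=server,dc=tld
objectClass: top
objectClass: automountMap
automountMapName: auto_home

dn: automountKey=/,automountMapName=auto_home,ou=autofs,ou=daemon,dc=ldap,dc=server,dc=tld
objectClass: top
objectClass: automount
automountKey: /
automountInformation: -fstype=nfs,rw,atime,sync filer-01:/volume1/accounts/${OSNAME}/&
"""

WILDCARDS = ("*", "/")  # both mean "any key" to Linux autofs; map files and OS X use "*" only


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, attribute names
    lower-cased, values kept as lists.  Handles ' ' continuation lines and '#'
    comments; base64 ('::') values are not needed here and are not handled."""
    entries, cur, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last is not None:
            cur[last][-1] += raw[1:]
            continue
        if not raw.strip():
            if cur:
                entries.append(cur)
            cur, last = {}, None
            continue
        attr, _, value = raw.partition(":")
        last = attr.strip().lower()
        cur.setdefault(last, []).append(value.strip())
    return entries


_PARENT = re.compile(r"automountMapName=([^,]+)", re.IGNORECASE)


def build_maps(entries):
    """Group automount entries under the automountMap named in their DN:
    {map name: [(automountKey, automountInformation), ...]}."""
    maps = {}
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "automountmap" in classes:
            maps.setdefault(e["automountmapname"][0], [])
        elif "automount" in classes:
            m = _PARENT.search(e["dn"][0])
            if m is None:
                raise ValueError("automount entry outside any map: " + e["dn"][0])
            maps.setdefault(m.group(1), []).append(
                (e["automountkey"][0], e["automountinformation"][0]))
    return maps


def render_map_file(maps, name):
    """The flat map file equivalent of LDAP map `name`, with the LDAP-only "/"
    wildcard rewritten to "*" so the file is valid on both Linux and OS X."""
    return "".join(f"{'*' if key in WILDCARDS else key}\t{info}\n" for key, info in maps[name])


def macos_incompatible_keys(maps):
    """Entries whose wildcard is "/": Linux expands them, OS X autofs does not."""
    return [(name, key) for name, ents in maps.items() for key, _ in ents if key == "/"]


def resolve(maps, mountpoint, user, osname, master="auto_master"):
    """Resolve <mountpoint>/<user> the way autofs does: find the mount point in
    the master map, take the indirect map it names, prefer an exact key over the
    wildcard, then expand '&' to the key and ${OSNAME} to the client's OS.
    Returns (options, location) or None when nothing matches."""
    submap = next((info.split()[-1] for key, info in maps[master] if key == mountpoint), None)
    if submap is None or submap not in maps:
        return None
    entries = maps[submap]
    info = next((i for k, i in entries if k == user), None)
    if info is None:
        info = next((i for k, i in entries if k in WILDCARDS), None)
    if info is None:
        return None
    info = info.replace("&", user).replace("${OSNAME}", osname)
    parts = info.split(None, 1)
    if parts[0].startswith("-") and len(parts) == 2:
        return parts[0], parts[1]
    return "", parts[0]


if __name__ == "__main__":
    maps = build_maps(parse_ldif(SAMPLE_LDIF))
    print(render_map_file(maps, "auto_home"), end="")
    print(resolve(maps, "/home", "alice", "Linux"))
    print("OS X will not expand:", macos_incompatible_keys(maps))
```

Run against a real server, the same logic applies to the output of ldapsearch -LLL over the ou=autofs subtree; the rendering step is a quick way to eyeball that what is in the directory matches the auto_master and auto_home files you would have written by hand.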
On one machine, I want to have access to all of the exports off of my synology NAS, so for the auto.master map table, I’m not going to use the LDAP entries for that. Also, I have some local mounts that I want to use autofs for. I’m going to be using the file in the filesystem for that instead of the directory map. I’ve modified the auto.master file from

+auto.master

to look like

# Don’t look for the table in the directory server
#+auto_master
#use the builtin map to load all the exports from the nfs hosts.
/net -hosts
#direct maps on local device
/- auto.direct
#indirect maps for home directories
/home auto.home

[Update: 2/16/2014]: You don’t actually have to do this. If the automounter is properly set up to be well behaved (for example, in /etc/nsswitch.conf we have the automount order as “files ldap”), then it will automatically look for a local /etc/auto_home file first, and then in the LDAP directory. In this case, since my auto_master map already has an entry that is “/home auto_home” in it, I don’t actually have to call out the /home indirect map in my /etc/auto_master file. I can just query the LDAP entry, which will return “auto_home” as the location of the /home indirect map, and the system will look in the local filesystem first. My local /etc/auto_home file still needs to make the call to look up the auto_home map from the directory, however.

This will load the local /etc/auto.home file for the home dirs. This is what I have for the auto.home

# Load from auto.home map in directory
+auto_home
# Local host directories mounted
* :/export/home/&

What this file does is first look in the LDAP directory for the auto_home table, and then load any local home mounts from /export/home. You have to enable ldap in /etc/nsswitch.conf

automount: files ldap

Note the order. It first looks in the filesystem, and then in the directory. I want to read the local auto.master file instead of the directory server entry, so MASTER_MAP_NAME in the /etc/default/autofs file shouldn’t contain the DN of the auto_master table but rather point at the file:

MASTER_MAP_NAME="/etc/auto.master"

The remainder of the LDAP variables in /etc/default/autofs should be configured properly with the server information, the search base, and the following to define the schema that we’re using

MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="automountMapName"
ENTRY_ATTRIBUTE="automountKey"
VALUE_ATTRIBUTE="automountInformation"

[Network Administration]: Network directory with LDAP

Your humble blogger here at punctuated noise has a number of machines at home and a number of services that run on them. There’s a laptop that I usually work on, a Mac connected to the television, and a Linux server with mail, a web server, and a MySQL database. I wanted to also get a local WordPress site set up on it. The Linux machine has more horsepower than I really need, so ideally I would even replace it with a smaller box that just sips power. The administration overhead is beginning to get overwhelming. I also got one of these, a Synology NAS, for network storage. Yet another machine with users and logins.

Luckily this thing has an LDAP server that can be downloaded onto it. I could also load this up on the Linux box if need be. I’m going to try to unify everything through this directory server. Both the Linux box and the Macs should be able to do LDAP lookups for authentication, at least from what I can tell on a first look. (Ideally, I could get Kerberos running for single sign-on, but I have a feeling that the NAS is not going to support that.) The NAS LDAP server looks to be a forked OpenLDAP implementation specifically for Synology DSM. This is the manual. The manual is pretty straightforward and I got this set up pretty quickly. It even has an option to encrypt with TLS on the standard port or over an SSL socket using ldaps://. I even got the local LDAP client to connect to it. So far, so good.

[Update 11/29/2012]: SSL certificates
OK, well, this appears to be not so straightforward. It looks like this Synology box uses a self-signed certificate for SSL on the server side. Not a big deal, but irritating. The client spits out an error like:

additional info: TLS: hostname does not match CN in peer certificate

To get around it, you can create new certificates for the NAS (with a CN or subjectAltName that matches the name the clients actually connect to), or you can have the clients skip verification of the server certificate with the OpenLDAP client option

TLS_REQCERT never

Be aware of what that trades away: the session is still encrypted, but the client no longer checks who it is talking to, so anyone who can get between a client and the NAS can present their own certificate and collect the bind passwords. It is fine for getting things working, not as the permanent setting.

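As an added example (not from the post or from Synology’s documentation), here is the weak setting beside the hardened one for both client-side files involved: OpenLDAP’s own /etc/ldap/ldap.conf, which ldapsearch and libldap read, and the pam_ldap/nss_ldap /etc/ldap.conf used for logins below, which has its own keywords for the same thing. The hostname nas.ldap.server.tld and the certificate path are assumptions; the certificate is the NAS’s self-signed one, exported once and copied to each client.

```conf
# --- /etc/ldap/ldap.conf (OpenLDAP client library) ---

# Weak: encrypts the session but accepts ANY server certificate, so a host on
# the path can impersonate the NAS and harvest bind passwords.
#TLS_REQCERT never

# Hardened: trust exactly the NAS's own certificate and insist it verifies.
# URI must use the name that appears in the certificate's CN/SAN, which is
# why the hostname mismatch error goes away only when the name resolves to
# the NAS (DNS or /etc/hosts entry) rather than connecting by IP.
URI         ldaps://nas.ldap.server.tld
BASE        dc=ldap,dc=server,dc=tld
TLS_CACERT  /etc/ssl/certs/synology-ldap.pem   # assumed path, self-signed cert from the NAS
TLS_REQCERT demand

# --- /etc/ldap.conf (pam_ldap / nss_ldap; separate file, different keywords) ---
uri             ldaps://nas.ldap.server.tld
base            dc=ldap,dc=server,dc=tld
ssl             on                              # ldaps on 636; use "start_tls" with ldap:// on 389 instead
tls_checkpeer   yes                             # the equivalent of TLS_REQCERT demand
tls_cacertfile  /etc/ssl/certs/synology-ldap.pem
```

The certificate can be pulled off the NAS once with openssl s_client -connect nas.ldap.server.tld:636 -showcerts and saved as PEM; check its fingerprint against the one DSM shows before copying it to clients, since fetching it over the same untrusted path you are trying to protect proves nothing on its own. After that, ldapsearch -x -ZZ (or plain ldaps://) should connect without the hostname error, and a deliberately wrong TLS_CACERT should fail, which is the behaviour you want.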
[Update 11/29/2012]: CIFS caveat
What is this?? From the directory server manual:

Note: If you bind your DiskStation to an LDAP server that is not Synology Directory Server, enabling LDAP’s
CIFS support will enforce the PAM authorization mechanism, which requires client computers to transfer
plaintext password (instead of encrypted one) during account authentication. LDAP users will need to modify
their computer’s settings to enable plaintext support before they can access DiskStation files via CIFS. For
detailed instructions, click the Help button at the top-right corner, and then refer to the “About CIFS
Support and Client Computer’s Settings” section.
On the other hand, if you bind your DiskStation to Synology Directory Server, enabling LDAP’s CIFS support
will adopt the NTLM (or NTLMv2) authorization mechanism, which allows LDAP users to authorize with their
user credentials without making any changes to their computer settings.

This is basically saying that if I bind to a non-Synology server and enable SMB shares, users will have to authenticate with plaintext passwords over the wire. Well, that’s not good at all.

[Update 12/1/2012]: Linux Login
Well, I got my Linux box (Ubuntu) to authenticate through pam_ldap. This was pretty straightforward.

Install packages:

sudo apt-get install libpam-ldap libnss-ldap nscd

You can reconfig the ldap package after install with:

sudo dpkg-reconfigure ldap-auth-config

Edit /etc/nsswitch.conf to add ldap to passwd/group/shadow

passwd: compat ldap
group: compat ldap
shadow: compat ldap

Add to init.d startup

sudo update-rc.d nscd enable

Enable TLS on the LDAP connection in /etc/ldap.conf (the pam_ldap/nss_ldap file, not OpenLDAP’s /etc/ldap/ldap.conf) with one of the following, not both: ssl start_tls upgrades a plain ldap:// connection on port 389 with STARTTLS, while ssl on expects an ldaps:// socket on port 636.

ssl start_tls
ssl on

But now here’s where I ran into a pretty big problem. It turns out that PAM over LDAP with SSL connections, either with a URI to ldaps:// or ldap:// over TLS, completely breaks “su”. See Debian bug 423252. It spits out an error such as:

setgid: Operation not permitted

There’s a bug in libgcrypt11 (the encryption library) that pretty much prevents you from using encryption. Pretty ironic. It turns out that you need release 1.5 or higher of the library.

Once I got that straightened out, I got logins to my linux box authenticating against the LDAP server.

[Update 12/5/2012]: Export Home Folders
The Synology box will create and export home folders if you try to authenticate against a user that it is aware of, and user homes are enabled. If you enable user home directories for LDAP users, it’s also going to create them for local users. Basically, what happens is that if I login to the box, or try to mount the home directory, then it’s going to create home directories as needed for the user that I’m authenticating as. The main issue that I have is that it creates directory names like:

@LH-<LDAP_HOSTNAME>/<SOME_NUMBER>/<USERNAME>-<UID>/

It’s not that I have a problem with this structure, but I would need to mount it to /home/<USERNAME> on my Linux machine. Normally that isn’t an issue as long as the naming is fully deterministic, but here it doesn’t appear to be, and that is what makes it difficult to create an automount map for the user if I wanted this mapped to /home/<USERNAME>.

Basically, after all this, I’m going to skip this and just set this LDAP directory up on my linux server, and just use the client on the NAS. Later on, I can move this to single sign-on with kerberos as it’s more flexible anyway.

Oh, and the server is not compiled with logging. Yet one more frustration.