Tutorial: Install and Configure NAC‐Service‐Portal and LDAP on Ubuntu 24.04
This tutorial describes the complete setup of an OpenLDAP server and the NAC-Service-Portal (NSSP) service on a single Ubuntu 24.04 system. The placeholders below are used throughout; replace them with your own values:
- Server must have a fixed IP address: IP_SERVER
- Server must have a unique hostname and FQDN: HOSTNAME_SERVER FQDN_SERVER
- A valid TLS certificate and private key, issued for FQDN_SERVER: CERT_SERVER PRIVATE_KEY_SERVER
- DNS domain name for LDAP: EXAMPLE.ORG
Set the FQDN: sudo hostnamectl set-hostname FQDN_SERVER
Add the following line to /etc/hosts (not /etc/fstab), with the FQDN before the short name so that the FQDN becomes the canonical name:
IP_SERVER FQDN_SERVER HOSTNAME_SERVER
You can check that the hostname is set correctly with:
hostname -f
sudo apt update
sudo apt upgrade
sudo apt install slapd ldap-utils gnutls-bin ssl-cert schema2ldif
sudo dpkg-reconfigure slapd
When asked, answer as follows (the administrator password you choose here is the password of cn=admin,dc=EXAMPLE,dc=ORG used later):
- Omit OpenLDAP server configuration? -> No
- DNS domain name -> EXAMPLE.ORG
Set BASE and URI in /etc/ldap/ldap.conf as follows (the URI points at the TLS port, so the client tools will only work once the server-side TLS setup below is complete and your CA is in the system trust store):
BASE dc=EXAMPLE,dc=ORG
URI ldaps://FQDN_SERVER
Restart slapd
sudo systemctl restart slapd
sudo systemctl status slapd
Check that the LDAP service is running (this binds as root over the local ldapi socket, which is why no password is needed):
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:///
Copy the certificate of your root CA (PEM format, file name ending in .crt) to /usr/local/share/ca-certificates/ and update the system trust store with sudo update-ca-certificates. Certificates placed in /usr/share/ca-certificates/ are only picked up if they are also listed in /etc/ca-certificates.conf, so the /usr/local path is the simpler choice for a private CA.
Save the CA chain for slapd to /etc/ldap/CA.pem. If you have an intermediate CA, concatenate the root and the intermediate certificate into that one file; the root CA must be placed at the beginning of the file.
Copy your server certificate to /etc/ldap/nac-ldap_crt.pem.
Copy your private key to /etc/ldap/nac-ldap_key.pem.
Change group and permissions of the key so that only root (the owner) and the openldap group can read it (least privilege principle):
sudo chgrp openldap /etc/ldap/nac-ldap_key.pem
sudo chmod 0640 /etc/ldap/nac-ldap_key.pem
Create a file certinfo.ldif. All three attributes are added in one modify operation (that is what the "-" separator lines do), because slapd validates the TLS settings on every change and rejects a certificate that arrives without its key:
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/CA.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/nac-ldap_crt.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/nac-ldap_key.pem
Execute the following command to add the TLS config to your LDAP server (sudo is required so that the EXTERNAL bind over ldapi is mapped to the root identity, which is allowed to modify cn=config):
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif
Open /etc/default/slapd and change SLAPD_SERVICES from "ldap:/// ldapi:///" to "ldaps:/// ldapi:///". This enables TLS-only connections on port 636 and disables unencrypted LDAP on port 389. Keep ldapi:/// (the local Unix socket), because the administrative commands in this tutorial rely on it.
Restart openLDAP:
sudo systemctl restart slapd
Check that encryption works as expected. The command below should answer "anonymous"; a certificate chain or hostname mismatch fails at this point, and the same command with ldap://FQDN_SERVER must now be refused:
ldapwhoami -x -H ldaps://FQDN_SERVER
First we create the containers. These are organizational units (OUs), not LDAP groups; the ACL further below grants rights by subtree:
- People -> read-only users
- DeviceAdmin (below People) -> users who may add, modify and delete entries below Devices
- Devices -> all devices live in this subtree
Create a file base-groups.ldif and add the following lines (the blank line between entries is mandatory in LDIF; without it ldapadd reads the second dn as an attribute of the first entry and fails):
dn: ou=People,dc=EXAMPLE,dc=ORG
objectClass: organizationalUnit
ou: People

dn: ou=DeviceAdmin,ou=People,dc=EXAMPLE,dc=ORG
objectClass: organizationalUnit
ou: DeviceAdmin

dn: ou=Devices,dc=EXAMPLE,dc=ORG
objectClass: organizationalUnit
ou: Devices
Add the OUs to your LDAP server (you are prompted for the admin password set during dpkg-reconfigure):
ldapadd -x -D cn=admin,dc=EXAMPLE,dc=ORG -W -f base-groups.ldif
You need to create password hashes before you can add users. slappasswd prompts for the password and prints a {SSHA} string; paste that complete string, including the {SSHA} prefix, into the userPassword lines below. Never write a cleartext password into the LDIF:
slappasswd
Create a user definition file users.ldif:
dn: uid=nssp,ou=DeviceAdmin,ou=People,dc=EXAMPLE,dc=ORG
objectClass: inetOrgPerson
objectClass: shadowAccount
uid: nssp
sn: NSSP
cn: NAC Portal
userPassword: {SSHA}HASH_FROM_SLAPPASSWD

dn: uid=NetworkAuthorisationSystem,ou=People,dc=EXAMPLE,dc=ORG
objectClass: inetOrgPerson
objectClass: shadowAccount
uid: NetworkAuthorisationSystem
sn: NetworkAuthorisationSystem
cn: NetworkAuthorisationSystem
userPassword: {SSHA}HASH_FROM_SLAPPASSWD
nssp is the account NSSP uses to add and modify devices. NetworkAuthorisationSystem is a read-only account for whatever you use to enforce NAC on your switches (e.g. Cisco ISE). Use the following command to add these users:
ldapadd -x -D cn=admin,dc=EXAMPLE,dc=ORG -W -f users.ldif
Check that both users can bind (each command prompts for the respective password; at this point Ubuntu's default ACL still lets every client read the whole tree, the restrictions follow in the next step):
ldapsearch -x -D uid=nssp,ou=DeviceAdmin,ou=People,dc=EXAMPLE,dc=ORG -W
ldapsearch -x -D uid=NetworkAuthorisationSystem,ou=People,dc=EXAMPLE,dc=ORG -W
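The two steps above (hashing the passwords, writing users.ldif) are easy to get wrong by hand: a cleartext value pasted into userPassword, or a missing blank line that makes ldapadd swallow the second entry. The following Python is an added example and not code from the NSSP project or OpenLDAP. It produces the same {SSHA} format slappasswd emits (base64 of SHA-1(password || salt) followed by the salt; the 4-byte salt length is an assumption about slappasswd's default, any length decodes correctly), verifies such a value, and renders users.ldif for the two accounts of this tutorial. The passwords passed to users_ldif are constructed test input.

```python
"""Added example: slappasswd-compatible {SSHA} hashes and a users.ldif writer."""
import base64
import hashlib
import hmac
import os

BASE_DN = "dc=EXAMPLE,dc=ORG"

# (uid, parent OU, cn, sn) of the two accounts the tutorial creates.
USERS = [
    ("nssp", f"ou=DeviceAdmin,ou=People,{BASE_DN}", "NAC Portal", "NSSP"),
    ("NetworkAuthorisationSystem", f"ou=People,{BASE_DN}",
     "NetworkAuthorisationSystem", "NetworkAuthorisationSystem"),
]


def ssha_hash(password, salt=b""):
    """Return '{SSHA}' + base64(SHA1(password || salt) || salt).

    This is the userPassword format slappasswd prints by default. A fresh
    random salt is drawn when none is supplied (4 bytes: assumed default)."""
    if not salt:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """Check a password against a stored {SSHA} value.

    The salt is whatever follows the 20-byte SHA-1 digest, so its length
    does not need to be known in advance. Comparison is constant-time."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) < 20:
        return False
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def users_ldif(passwords):
    """Render users.ldif; passwords maps uid -> cleartext.

    Hashing happens here, so the resulting LDIF never contains a cleartext
    password. Entries are separated by a blank line as LDIF requires."""
    entries = []
    for uid, parent, cn, sn in USERS:
        entries.append("\n".join([
            f"dn: uid={uid},{parent}",
            "objectClass: inetOrgPerson",
            "objectClass: shadowAccount",
            f"uid: {uid}",
            f"sn: {sn}",
            f"cn: {cn}",
            f"userPassword: {ssha_hash(passwords[uid])}",
        ]))
    # ldapadd treats a blank line as the end of an entry; without it the
    # second "dn:" is parsed as an attribute of the first entry and fails.
    return "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    # Constructed passwords for demonstration only; use getpass in practice.
    print(users_ldif({"nssp": "nssp-demo", "NetworkAuthorisationSystem": "nas-demo"}))
```

Write the output to users.ldif and load it with the ldapadd command above; ssha_verify is handy for confirming that a hash copied out of the directory (ldapsearch as cn=admin returns userPassword) matches the password you hold.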
Finally, you must modify the ACL so that users below DeviceAdmin can add, modify and delete devices, and so that anonymous clients can no longer read the directory. Ubuntu's default rule {2}to * by * read is deleted and replaced by two rules: the first grants write access to the Devices subtree for members of the DeviceAdmin OU and read access to every other authenticated user, the second grants authenticated users read access to everything else. Create a file acl.ldif (again with a blank line between the two changes):
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {2}to * by * read

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {2}to dn.subtree="ou=Devices,dc=EXAMPLE,dc=ORG" by dn.subtree="ou=DeviceAdmin,ou=People,dc=EXAMPLE,dc=ORG" write by users read break
olcAccess: {3}to * by users read
Load the ACL with the following command. If the delete step fails with "no such attribute", the current value differs from the default shown above; list the existing values with sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}mdb,cn=config olcAccess and adjust index and value accordingly. Afterwards an anonymous ldapsearch -x must return no entries, while the two users above still can read.
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif
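slapd picks the first olcAccess directive whose "to" part matches the entry and, within it, the first "by" clause matching the requester; "break" lets later directives adjust the result. Getting the order wrong is silent: swap the two rules above and nssp ends up read-only, because "to *" matches first. The following Python is an added example (not code from OpenLDAP or the NSSP project) that models exactly that selection logic for the selectors used on this page (to *, to dn.subtree=, by *, anonymous, users, self, dn.subtree=) with the stop and break controls, so the rules can be sanity-checked offline before loading. Attribute-level directives such as Ubuntu's default userPassword rule are deliberately out of scope, and the bind and entry DNs below are constructed test values.

```python
"""Added example: a small model of slapd's olcAccess evaluation order."""
import re

# Access levels in ascending order, as in slapd.access(5): write implies read.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The two entry-level directives from acl.ldif above.
PAGE_ACL = [
    '{2}to dn.subtree="ou=Devices,dc=EXAMPLE,dc=ORG" '
    'by dn.subtree="ou=DeviceAdmin,ou=People,dc=EXAMPLE,dc=ORG" write '
    'by users read break',
    '{3}to * by users read',
]

_SUBTREE = re.compile(r'dn\.subtree="([^"]+)"')


def parse_directive(directive):
    """Split 'to <what> by <who> <level> [<control>] ...' into its parts."""
    body = re.sub(r"^\{\d+\}", "", directive.strip())      # drop the {n} index
    head, *by_clauses = re.split(r"\s+by\s+", body)
    what = head.split(None, 1)[1]                            # text after "to"
    clauses = []
    for clause in by_clauses:
        parts = clause.split()
        who, level = parts[0], parts[1]
        control = parts[2] if len(parts) > 2 else "stop"     # stop is the default
        if control not in ("stop", "break") or level not in LEVELS:
            raise ValueError(f"not modelled: {clause!r}")
        clauses.append((who, level, control))
    return what, clauses


def _in_subtree(dn, base):
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def _what_matches(what, entry_dn):
    if what == "*":
        return True
    m = _SUBTREE.fullmatch(what)
    if m:
        return _in_subtree(entry_dn, m.group(1))
    raise ValueError(f"selector not modelled: {what!r}")


def _who_matches(who, bind_dn, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    m = _SUBTREE.fullmatch(who)
    if m:
        return bind_dn is not None and _in_subtree(bind_dn, m.group(1))
    raise ValueError(f"selector not modelled: {who!r}")


def access(acl, bind_dn, entry_dn):
    """Access level granted to bind_dn (None = anonymous) on entry_dn."""
    granted = "none"                     # implicit trailing "to * by * none"
    for directive in acl:
        what, clauses = parse_directive(directive)
        if not _what_matches(what, entry_dn):
            continue                     # first matching <what> wins
        for who, level, control in clauses:
            if _who_matches(who, bind_dn, entry_dn):
                granted = level
                break                    # first matching <who> decides
        else:
            return "none"                # no <who> matched: implicit "by * none"
        if control != "break":
            return granted               # "stop": this directive is final
        # "break": keep the level and let later directives override it
    return granted


def allowed(acl, bind_dn, entry_dn, wanted):
    """True if the granted level is at least the requested one."""
    return LEVELS.index(access(acl, bind_dn, entry_dn)) >= LEVELS.index(wanted)


if __name__ == "__main__":
    device = "cn=printer-01,ou=Devices,dc=EXAMPLE,dc=ORG"
    for who in ("uid=nssp,ou=DeviceAdmin,ou=People,dc=EXAMPLE,dc=ORG",
                "uid=NetworkAuthorisationSystem,ou=People,dc=EXAMPLE,dc=ORG", None):
        print(who or "anonymous", "->", access(PAGE_ACL, who, device))
```

The model is only as good as the selectors it knows; for anything beyond these (attrs=, group=, filters, continue), test against the real server with ldapsearch and ldapmodify bound as each account instead.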
Download /resources/appl-NAC.schema from the NSSP git repository. Convert it to LDIF format and add it to your LDAP server:
schema2ldif appl-NAC.schema > appl-NAC.ldif
sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f appl-NAC.ldif
Check that the schema was added. The index in the entry name (the {4} below) depends on how many schemas are already loaded, so use the cn printed by the first command in the second one:
sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config | grep appl-NAC
sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn={4}appl-NAC,cn=schema,cn=config
sudo apt install apache2 libapache2-mod-wsgi-py3 mariadb-server python3-venv pkg-config python3-dev libmysqlclient-dev build-essential
sudo mkdir /opt/nssp
sudo chown "$USER": /opt/nssp
sudo mkdir /etc/nssp
git clone https://github.com/UKB-IT-Sec/NAC-Service-Portal.git /opt/nssp
sudo ln -s /opt/nssp/src/NAC_Service_Portal/settings.py /etc/nssp/django_config.py
The checkout is owned by the account doing the installation and must stay that way: Apache executes the code in it, so it must never be world-writable or writable by www-data. /etc/nssp/django_config.py is a symlink into the git checkout, so the settings you edit there (including the secret key and database details) live in the repository; do not commit them.
cd /opt/nssp/src
python3 -m venv venv
source venv/bin/activate
pip3 install -r requirements.txt
pip3 install mysqlclient
Edit the configuration file /etc/nssp/django_config.py:
DEBUG = False
ALLOWED_HOSTS = [
'HOSTNAME_SERVER',
'FQDN_SERVER',
]
SECRET_KEY = 'SOME_RANDOM_STRING'
DATABASES = {
"default": {
"ENGINE": "django.db.backends.mysql",
"OPTIONS": {
"read_default_file": "/etc/nssp/mysql.cnf",
},
}
}
STATIC_ROOT = '/opt/nssp/static_root'
Do not forget to change SOME_RANDOM_STRING to a long value from a cryptographic random source (for example Python's secrets module). Django signs sessions and password-reset tokens with it, so changing it later logs every user out. Before going live, Django's check --deploy management command reports insecure settings such as DEBUG = True or an empty ALLOWED_HOSTS.
Create the file /etc/nssp/mysql.cnf and add the following content. It contains a database password, so make it readable only by root, the Apache worker (www-data) and the account that runs manage.py and the cron job, e.g. mode 0640:
[client]
database = nssp
user = nssp_write
password = NSSP_WRITE_PASSWORD
default-character-set = utf8
Do not forget to change NSSP_WRITE_PASSWORD to a secure password.
sudo mysql -u root
MariaDB [(none)]> SET PASSWORD FOR root@localhost = PASSWORD('ROOT_PASSWORD');
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> CREATE DATABASE nssp CHARACTER SET utf8;
MariaDB [(none)]> CREATE USER 'nssp_write'@'localhost' IDENTIFIED BY 'NSSP_WRITE_PASSWORD';
MariaDB [(none)]> GRANT CREATE, ALTER, DROP, INSERT, INDEX, UPDATE, DELETE, SELECT, REFERENCES on nssp.* TO 'nssp_write'@'localhost';
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit;
Do not forget to change ROOT_PASSWORD to a secure password. NSSP_WRITE_PASSWORD must be the same as set in /etc/nssp/mysql.cnf. The grant is deliberately limited to the nssp database; never point the application at the root account.
Create /etc/apache2/sites-available/nssp.conf and add the following content. The certificate and key are the same files slapd uses; Apache reads the key as root at startup, so the 0640 root:openldap permissions set above are sufficient. Once the default site is disabled nothing listens on port 80, so plain-HTTP requests are refused rather than redirected; add a separate port-80 virtual host that redirects to https if you want the latter.
WSGIScriptAlias / /opt/nssp/src/NAC_Service_Portal/wsgi.py
WSGIPythonHome /opt/nssp/src/venv
WSGIPythonPath /opt/nssp/src
<VirtualHost *:443>
ServerName FQDN_SERVER
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCertificateFile /etc/ldap/nac-ldap_crt.pem
SSLCertificateKeyFile /etc/ldap/nac-ldap_key.pem
Alias /static/ /opt/nssp/static_root/
<Directory /opt/nssp/static_root/>
Options FollowSymLinks
Require all granted
</Directory>
<Directory /opt/nssp/src/NAC_Service_Portal>
<Files wsgi.py>
Require all granted
</Files>
</Directory>
</VirtualHost>
Activate the site:
sudo a2dissite 000-default.conf
sudo a2ensite nssp.conf
sudo a2enmod ssl
sudo systemctl reload apache2
sudo ln -s /etc/apache2/sites-available/nssp.conf /etc/nssp/apache2.conf
cd /opt/nssp/src
source venv/bin/activate
#Init Database
python3 manage.py makemigrations
python3 manage.py migrate
#Create initial superuser
python3 manage.py createsuperuser
#link static files so that the webserver can find them (-l links instead of copying, which is why the static directory needs Options FollowSymLinks).
mkdir /opt/nssp/static_root
python3 manage.py collectstatic -l
You can continue setting up users and the remaining configuration at https://FQDN_SERVER/admin, logging in with the superuser created above.
sudo ln -s /opt/nssp/config/export.cnf /etc/nssp/ldap.cfg
Edit /etc/nssp/ldap.cfg
:
address = localhost
port = 636
tls = yes
user = uid=nssp,ou=DeviceAdmin,ou=People,dc=EXAMPLE,dc=ORG
password = USERPASSWORD
Do not forget to change USERPASSWORD to the real password of your nssp LDAP user. The file now holds that password, so restrict its permissions in the same way as /etc/nssp/mysql.cnf. The server certificate was issued for FQDN_SERVER, not for localhost; if the export below fails with a certificate or hostname error, set address = FQDN_SERVER.
You can test your config by triggering a sync manually (-v 2 raises the verbosity so that you see what is pushed):
cd /opt/nssp/src
source venv/bin/activate
python3 manage.py export_to_ldap -v 2
Edit /opt/nssp/resources/ldap_push_example.cron to suit your needs. Afterwards install it as the crontab of the current user. Note that crontab FILE replaces this user's entire existing crontab, so check crontab -l first:
crontab /opt/nssp/resources/ldap_push_example.cron