LDAP Authentication
System administrators can authenticate to HAProxy ALOHA with a user account defined in an external LDAP server, such as Active Directory Domain Services. You can give each user either administrative access (read/write access) or monitoring access (read-only).

Set up the DNS
HAProxy ALOHA must be able to query the Active Directory DNS server.
- In the Services tab, click system setup.
- Enter the name of your AD domain and the IP address of the corresponding DNS server.

  Option        Description
  dns_domain    Name of your AD domain
  dns_servers   IP address of the AD DNS server

  service system
      hostname ALOHA1
      rtc utc
      dns_domain mydomain.com
      dns_servers 192.168.1.65

- Reload the system service.
- Launch a terminal from the web UI's Tools tab or SSH to your HAProxy ALOHA appliance.
- Check that HAProxy ALOHA can communicate with the DNS server by querying a hostname within your domain, for example a domain controller:

  $ nslookup dc1.mydomain.com
  Server:    192.168.1.65
  Address:   192.168.1.65:53
Enable the LDAP authentication module
- In the Services tab, click pam setup.
- Add LDAP support to the PAM service:

  service pam
      autostart
      ldap_auth 1

- Apply your changes to the PAM configuration.
- Restart the PAM service.
Configure the local LDAP name service daemon
The HAProxy ALOHA nslcd daemon queries LDAP based on the nslcd.conf configuration file.
Create a user account in Active Directory that HAProxy ALOHA will use to connect to the credentials store. This user should have a password that never expires. It only needs to read user and group objects, so make it an ordinary, unprivileged domain user rather than a member of any administrative group. For example, you could create a user with the account name alohalogin.
- On the HAProxy ALOHA, from the Services tab, click nslcd setup.
- Allow the nslcd daemon to start automatically:

  service nslcd
      autostart

- In the Services tab, click the [advanced mode] link, then edit the nslcd service. The content of the /etc/nslcd.conf configuration file displays.
- Adapt the nslcd configuration to your LDAP context.

  Example for an Active Directory with a schema level from 2008 to 2016:

  uid nobody
  gid nobody
  log syslog
  nss_initgroups_ignoreusers ALLLOCAL

  uri ldap://dc1.mydomain.com/
  base dc=mydomain,dc=com
  filter passwd (objectClass=posixAccount)
  filter group (objectClass=posixGroup)
  binddn cn=alohalogin,cn=Users,dc=mydomain,dc=com
  bindpw mypassword

  # To use LDAP over SSL, change the uri to ldaps://dc1.mydomain.com/ and set
  # the CA file (first, you have to import your CA file through the Web UI)
  # tls_cacertfile /etc/ssl/frontends/AD2008/crt.pem

  pagesize 1000
  referrals off
  idle_timelimit 800

  # Active Directory-specific filters and attribute maps
  filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
  map passwd uid sAMAccountName
  map passwd uidNumber objectSid:S-1-5-21-1608350394-2850411632-306912843
  map passwd gidNumber objectSid:S-1-5-21-1608350394-2850411632-306912843
  map passwd homeDirectory "/home/$sAMAccountName"
  map passwd gecos displayName
  map passwd loginShell "/bin/bash"
  filter group (|(objectClass=group)(objectClass=person))
  map group gidNumber objectSid:S-1-5-21-1608350394-2850411632-306912843

Each LDAP context is specific. You can apply the following template for a standard LDAP deployment. Note that with a plain ldap:// URI the simple bind sends bindpw to the domain controller in cleartext, and that /etc/nslcd.conf itself stores that password in cleartext: prefer an ldaps:// URI with tls_cacertfile, and keep the bind account unprivileged.
Option      Description
uri         URI referring to the LDAP server. Use the ldaps:// prefix for LDAP over SSL.
base        AD search base.
binddn      Distinguished Name used to bind to the LDAP directory. You do not need to escape the space character.
            On Windows Server, you can use the dsquery command to get the value:

              PS C:\Users\admin> dsquery user -samid 'alohalogin'
              "CN=alohalogin,CN=Users,DC=mydomain,DC=com"

            You can also get this value by displaying the Distinguished Name of the account: turn on Advanced Features in the View menu of Active Directory Users and Computers, and display its attributes in the Attribute Editor tab.
bindpw      The AD user account password used to bind to the LDAP directory.
objectSid   The Domain SID of the AD domain. Only this prefix goes into the map directives; nslcd takes the last component (the RID) of each account's objectSid as its numeric uidNumber or gidNumber, and ignores accounts whose SID does not start with this prefix.
            You can display this value by running the following command in a PowerShell terminal on your Domain Controller:

              PS C:\Users\admin> Get-ADDomain | findstr DomainSID
              DomainSID : S-1-5-21-1608350394-2850411632-306912843
- Restart the nslcd service.
- Verify that HAProxy ALOHA can connect to the LDAP server by testing the connection with the ldapsearch command. This command prompts you for the bind user's password:

  $ ldapsearch -x -H ldap://dc1.mydomain.com -D alohalogin@mydomain.com -W -b 'DC=mydomain,DC=com'
  # extended LDIF
  #
  # LDAPv3
  # base <dc=mydomain,dc=com> with scope subtree
  # filter: (objectclass=*)
  # requesting: ALL
  #

  # mydomain.com
  dn: DC=mydomain,DC=com
  objectClass: top
  objectClass: domain
  objectClass: domainDNS
  distinguishedName: DC=mydomain,DC=com
  instanceType: 5
  whenCreated: 20211202085814.0Z
  [...]

  Option   Description
  -x       Use simple authentication.
  -H       URI of the LDAP server (ldap:// or ldaps://).
  -D       Distinguished Name used to bind to the LDAP directory. Active Directory also accepts the user principal name form shown here.
  -W       Prompt for the password.
  -b       AD search base.

If the ldapsearch command fails, check your network configuration.
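The map passwd uidNumber objectSid:... lines in the nslcd configuration above derive a numeric ID from each account's objectSid. The following added example (not HAProxy ALOHA or nslcd code) shows how that derivation works: the binary objectSid is decoded using the documented Windows SID layout, accounts whose SID lies under the configured domain SID get their RID as uidNumber, and everything else (accounts from a trusted foreign domain, BUILTIN groups) gets no ID and therefore cannot log in. The domain SID is the page's; the directory entries and account names are constructed for the example.

```python
# Added example (not HAProxy ALOHA or nslcd code): how
# "map passwd uidNumber objectSid:<domain SID>" turns a binary objectSid into
# a numeric ID. Binary SID layout (Windows): revision (1 byte), sub-authority
# count (1 byte), identifier authority (6 bytes, big-endian), then N
# sub-authorities (4 bytes each, little-endian). The last sub-authority is the RID.
import struct

# Domain SID from the page's nslcd.conf example.
DOMAIN_SID = "S-1-5-21-1608350394-2850411632-306912843"


def sid_to_string(raw: bytes) -> str:
    """Decode a binary objectSid into its S-1-... text form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def string_to_sid(sid: str) -> bytes:
    """Encode an S-1-... string in the binary form AD stores (used to build sample data)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("malformed SID")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def rid_for_domain(raw_sid: bytes, domain_sid: str = DOMAIN_SID):
    """Return the RID nslcd would use as uidNumber, or None if the SID is outside the domain."""
    sid = sid_to_string(raw_sid)
    prefix = domain_sid + "-"
    if not sid.startswith(prefix):
        return None
    rid = sid[len(prefix):]
    if not rid.isdigit():
        return None
    return int(rid)


# Constructed sample directory entries (hypothetical accounts, not real data).
SAMPLE_ENTRIES = {
    "alice": string_to_sid(DOMAIN_SID + "-1105"),            # ordinary domain user
    "dave": string_to_sid(DOMAIN_SID + "-1108"),
    # Same RID 1105 but in a trusted foreign domain: the prefix check is what
    # keeps it from colliding with alice.
    "bob-trusted": string_to_sid("S-1-5-21-99-98-97-1105"),
    "Administrators": string_to_sid("S-1-5-32-544"),         # BUILTIN group, no domain prefix
}


def resolve_uids(entries=SAMPLE_ENTRIES, domain_sid=DOMAIN_SID):
    """Map each account name to the uidNumber nslcd would derive (None = not mapped)."""
    return {name: rid_for_domain(raw, domain_sid) for name, raw in entries.items()}


if __name__ == "__main__":
    for name, uid in resolve_uids().items():
        print("%-15s %-45s uidNumber=%s" % (name, sid_to_string(SAMPLE_ENTRIES[name]), uid))
```

If an LDAP user can bind but cannot log in, compare the user's objectSid prefix with the Domain SID you put in nslcd.conf: a wrong or mistyped prefix leaves every account without a uidNumber.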
Enable login for LDAP users
We assume that the four users in the table below have an account in the AD domain.
You can, for example, implement the following list of access rights, where Administration means read/write access and Monitoring means read-only access:

              | Alice          | Bob            | Carol          | Dave
--------------|----------------|----------------|----------------|-----------
Web interface | Administration | Administration | Administration | Monitoring
SSH           | Administration | Administration |                |
Serial port   | Administration |                |                |
- Launch a terminal from the web UI's Tools tab or SSH to your HAProxy ALOHA appliance, or use the File Manager in the web UI.
- Edit the file /etc/security/users.conf. Add the users that have an account on the LDAP server, specifying the following for each:

  Option          Description
  user            The Active Directory user account name.
  auth_type       ldap
  service         wui (web interface), sshd (SSH), or login (serial port). This restricts how a user can log in; a rule without service applies to every service.
  allow or deny   Enable or disable the user's login.
  map_to_user     admin for read/write access, or monitor for read-only access.

  The following directives implement the example access rights listed in the table above. The final :deny line is a catch-all that rejects every login not matched by an earlier rule:

  user=alice auth_type=ldap : allow map_to_user admin
  user=bob auth_type=ldap service=wui,sshd : allow map_to_user admin
  user=carol auth_type=ldap service=wui : allow map_to_user admin
  user=dave auth_type=ldap service=wui : allow map_to_user monitor
  :deny

  You can also allow access to all users in an AD group:

  group=aloha-admins auth_type=ldap : allow map_to_user admin
  group=aloha-monitor auth_type=ldap : allow map_to_user monitor
  :deny
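To see which rule a given login hits, the following added example (not HAProxy ALOHA code) models the evaluation of the users.conf rules above. It reuses the page's example lines plus one group rule as constructed input. Its semantics are assumptions, not taken from the page: rules are tried top to bottom and the first match wins, a rule without service= applies to every service, and a login that matches no rule is denied.

```python
# Added example (not HAProxy ALOHA code): a model of /etc/security/users.conf
# evaluation. Assumed semantics: first matching rule wins; no service= means
# any service; no match at all means deny.

# Constructed input: the page's example rules plus a group rule.
USERS_CONF = """\
user=alice auth_type=ldap : allow map_to_user admin
user=bob auth_type=ldap service=wui,sshd : allow map_to_user admin
user=carol auth_type=ldap service=wui : allow map_to_user admin
user=dave auth_type=ldap service=wui : allow map_to_user monitor
group=aloha-monitor auth_type=ldap : allow map_to_user monitor
:deny
"""


def parse_rules(text):
    """Parse users.conf lines into (conditions, action, map_to_user) tuples."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        cond_part, sep, action_part = line.partition(":")
        if not sep:
            raise ValueError("line %d: missing ':'" % lineno)
        conds = {}
        for token in cond_part.split():
            key, eq, value = token.partition("=")
            if not eq:
                raise ValueError("line %d: bad condition %r" % (lineno, token))
            # service= may list several services separated by commas.
            conds[key] = set(value.split(",")) if key == "service" else value
        words = action_part.split()
        if not words or words[0] not in ("allow", "deny"):
            raise ValueError("line %d: expected allow or deny" % lineno)
        map_to = None
        if len(words) >= 3 and words[1] == "map_to_user":
            map_to = words[2]
        rules.append((conds, words[0], map_to))
    return rules


def check_access(rules, user, service, auth_type="ldap", groups=()):
    """Return (action, map_to_user) for a login attempt; the first matching rule wins."""
    for conds, action, map_to in rules:
        if "user" in conds and conds["user"] != user:
            continue
        if "group" in conds and conds["group"] not in groups:
            continue
        if "auth_type" in conds and conds["auth_type"] != auth_type:
            continue
        if "service" in conds and service not in conds["service"]:
            continue
        return action, map_to
    return "deny", None  # no rule matched: treated as denied (assumption)


RULES = parse_rules(USERS_CONF)

if __name__ == "__main__":
    for who, svc, grp in [("alice", "login", ()), ("bob", "login", ()),
                          ("dave", "wui", ()), ("dave", "sshd", ()),
                          ("erin", "wui", ("aloha-monitor",))]:
        print(who, svc, check_access(RULES, who, svc, groups=grp))
```

Under these rules dave reaches the web interface as monitor but is refused over SSH, because his only allow rule is limited to service=wui and the login then falls through to the trailing :deny.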
Save your configuration
Save your configuration from the Setup tab.

The Configuration was successfully saved message displays.

Test your configuration
Test your PAM configuration before you let LDAP users log in.
- Check that your configuration is parsed correctly:

  $ sudo test_pam_user_map check_config -f /etc/security/users.conf
  Checking config file /etc/security/users.conf
  Config file /etc/security/users.conf parsed successfully

- Simulate a user logging in through ssh (this checks the users.conf rules only, without a password):

  $ sudo test_pam_user_map check_pam_auth -f /etc/security/users.conf \
      -u alice -s sshd -t ldap
  Checking PAM access for user alice
  Result: auth_type=ldap allow=1 matched=1 map_to_user=admin
  PAM: access granted

- Test your LDAP configuration with a real user and a real password:

  $ sudo test_pam_user_map check_login_pass -f /etc/security/users.conf \
      -u alice -p Hello123Hello123 -s sshd -t ldap
  Validating user=alice password=*** service=sshd
  PAM user has been set to admin
  user/password validated successfully

  The password is given on the command line, so it is visible in the process list and is kept in the shell history. Use a test account for this step, or change the password afterwards.
Limitations
When using SCP, user remapping does not work.
When using SSH keys, user remapping does not work (but key-based authentication does).
You cannot change the password of an LDAP user using HAProxy ALOHA. If you need to do so, use the tools provided with your LDAP server.
Troubleshooting
If the message "access denied using ssh, allowed when using login" displays, check the following:
- The AllowGroups directive is commented out in /etc/ssh/sshd_config:

  $ sudo grep -i AllowGroups /etc/ssh/sshd_config
  # AllowGroups adm users

  If this directive is not commented out, check that the groups of your LDAP users are among the allowed ones. The groups nslcd resolves must appear in the output of:

  $ sudo getent group

- UsePAM is set to yes in /etc/ssh/sshd_config:

  $ sudo grep UsePAM /etc/ssh/sshd_config
  UsePAM yes

  grep lists every occurrence. sshd keeps the first value it reads for UsePAM, so a UsePAM yes added at the end of the file has no effect if an earlier uncommented line already says UsePAM no.
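The two grep checks above show lines, not the values sshd actually uses. The following added example (not HAProxy ALOHA or OpenSSH code) reads an sshd_config excerpt the way sshd does for these keywords: the first UsePAM value wins, AllowGroups lines accumulate, and the scan stops at the first Match block, which this example does not handle. The configuration excerpt is constructed; AllowGroups wildcards are not handled and group names are compared literally.

```python
# Added example (not HAProxy ALOHA or OpenSSH code): compute the global
# UsePAM and AllowGroups values sshd would apply from an sshd_config text.
# Assumptions: first UsePAM value wins (as in sshd's option parsing),
# AllowGroups entries accumulate, Match blocks are out of scope.
import re

# Constructed sshd_config excerpt (hypothetical, not from an appliance).
SAMPLE_SSHD_CONFIG = """\
Port 22
UsePAM no
# AllowGroups adm users
AllowGroups adm
AllowGroups users
UsePAM yes
Match User backup
    PasswordAuthentication no
"""


def effective_settings(text):
    """Return the global values sshd would use: first UsePAM, all AllowGroups names."""
    use_pam = None
    allow_groups = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, 1)  # sshd accepts "Key value" and "Key=value"
        keyword = parts[0].lower()             # keywords are case-insensitive
        value = parts[1] if len(parts) > 1 else ""
        if keyword == "match":
            break                              # conditional section: not handled here
        if keyword == "usepam" and use_pam is None:
            use_pam = value.lower()            # first occurrence wins
        elif keyword == "allowgroups":
            allow_groups.extend(value.split())
    return {"UsePAM": use_pam, "AllowGroups": allow_groups}


def diagnose(text, ldap_user_groups=()):
    """List the reasons an LDAP user's ssh login would be refused by these two settings."""
    settings = effective_settings(text)
    problems = []
    if settings["UsePAM"] != "yes":
        problems.append("UsePAM is %r: sshd will not consult PAM, so LDAP users cannot log in"
                        % settings["UsePAM"])
    allowed = settings["AllowGroups"]
    if allowed and not set(ldap_user_groups) & set(allowed):
        problems.append("AllowGroups %s is active and none of the user's groups %s is listed"
                        % (allowed, list(ldap_user_groups)))
    return problems


if __name__ == "__main__":
    print(effective_settings(SAMPLE_SSHD_CONFIG))
    for problem in diagnose(SAMPLE_SSHD_CONFIG, ldap_user_groups=("domain users",)):
        print("-", problem)
```

On the sample text, grep UsePAM would print both lines, yet the effective value is no: the later UsePAM yes never takes effect.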