HAProxy ALOHA Documentation 13.5

LDAP Authentication

System administrators can authenticate to HAProxy ALOHA with a user account defined in an external LDAP server, such as Active Directory Domain Services. You can give each user either administrative access (read/write access) or monitoring access (read-only).

https://cdn.haproxy.com/documentation/aloha/13-5/assets/ldap-architecture-a7a1a0551d79eeceff0725928c1039c8e3a6dd54af3928d77650b5791653b55a.png

Set up the DNS

HAProxy ALOHA must be able to query the Active Directory DNS server.

  1. In the Services tab, click system setup.

    https://cdn.haproxy.com/documentation/aloha/13-5/assets/system-setup-844b4640a7db7a72ada3d494a5852149ad96bd31c7121c91461c2762d576dc91.png
  2. Enter the name of your AD Domain, and the IP address of the corresponding DNS server.

    Option

    Description

    dns_domain

    Name of your AD Domain

    dns_servers

    IP address of the AD DNS

    service system
        hostname ALOHA1
        rtc utc
        dns_domain mydomain.com
        dns_servers 192.168.1.65
  3. Reload the system service.

  4. Launch a terminal from the web UI's Tools tab or SSH to your HAProxy ALOHA appliance.

  5. Check that HAProxy ALOHA can communicate with the DNS server by querying for a DNS hostname within your domain.

    $ nslookup dc1.mydomain.com
    
    Server:  192.168.1.65
    Address: 192.168.1.65:53

Enable the LDAP authentication module

  1. In the Services tab, click pam setup setup_icon.

    https://cdn.haproxy.com/documentation/aloha/13-5/assets/pam_setup-21dd8b5e0b9ebc2d60eba4f01a9e140f5869756bd01f8a726d6b054a94a4cd45.png
  2. Add LDAP support to the PAM service.

    service pam
      autostart
      ldap_auth 1
  3. Apply your changes to the PAM configuration.

    https://cdn.haproxy.com/documentation/aloha/13-5/assets/apply-service-pam-255550c4f282f165909d0f8e24371cf29e57e6e2ed0bba2cd281ff41504cb5ec.png
  4. Restart the PAM service.

    https://cdn.haproxy.com/documentation/aloha/13-5/assets/restart-service-pam-01319de9b0ea6be010eedb52847410a6a27edc7ed7a9030b36ecc9d1fd42c62e.png

Configure the local LDAP name service daemon

The HAProxy ALOHA nslcd daemon queries LDAP based on the nslcd.conf configuration file.

  1. Create a user account in Active Directory that HAProxy ALOHA will use to connect to the credentials store. This user should have a password that never expires. For example, you could create a user with the account name alohalogin.

  2. On the HAProxy ALOHA, from the Services tab, click nslcd setup setup_icon.

    https://cdn.haproxy.com/documentation/aloha/13-5/assets/nslcd_setup-30a0ccf53051da45b39579f021b1bc4eb0602259a44550b58fb1a48fd057cbb8.png
  3. Allow the nslcd daemon to start automatically.

    service nslcd
        autostart
  4. In the Services tab, click the [advanced mode] link, then edit the nslcd service.

    https://cdn.haproxy.com/documentation/aloha/13-5/assets/nslcd_edit-9ac465b8089ae50c08a20811b0186cef04a9691333b12b1fa8c8e2ed98970f6b.png

    The content of the /etc/nslcd.conf NTP configuration file displays.

  5. Adapt the nslcd configuration to your LDAP context.

    Example of an Active Directory with a schema level from 2008 to 2016.

    uid nobody
    gid nobody
    log syslog
    
    nss_initgroups_ignoreusers ALLLOCAL
    
    uri ldap://dc1.mydomain.com/
    
    base dc=mydomain,dc=com
    
    filter passwd (objectClass=posixAccount)
    filter group (objectClass=posixGroup)
    
    binddn cn=alohalogin,cn=Users,dc=mydomain,dc=com
    
    bindpw mypassword
    
    # To use LDAP over SSL (first, you have to import your CA file through the Web UI)
    # tls_cacertfile /etc/ssl/frontends/AD2008/crt.pem
    
    pagesize 1000
    referrals off
    idle_timelimit 800
    filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
    map passwd uid sAMAccountName
    map passwd uidNumber objectSid:S-1-5-21-1608350394-2850411632-306912843
    map passwd gidNumber objectSid:S-1-5-21-1608350394-2850411632-306912843
    map passwd homeDirectory "/home/$sAMAccountName"
    map passwd gecos displayName
    map passwd loginShell "/bin/bash"
    filter group (|(objectClass=group)(objectClass=person))
    map group gidNumber objectSid:S-1-5-21-1608350394-2850411632-306912843

    Each LDAP context is specific. You can apply the following template for a standard LDAP deployment.

    Option

    Description

    uri

    URI referring to the LDAP server. Use the ldaps prefix for LDAP over SSL.

    base

    AD search base

    binddn

    Distinguished Name used to bind to the LDAP directory. You do not need to escape the space character.

    On Windows Server, you can use the dquery command to get the value:

    PS C:\Users\admin> dsquery user -samid 'alohalogin'
    
    "CN=alohalogin,CN=Users,DC=mydomain,DC=com"

    You can also get this value by displaying the Distinguished Name of the account: turn on Advanced Features in the AD Users and Computers View menu, and display its attributes in the Attribute Editor tab.

    https://cdn.haproxy.com/documentation/aloha/13-5/assets/ad-attribute-editor-c149755c8cab3eed819d2c49cbc30f99fc6e4776a7ba7384b9ce6d6b5e8065ec.png

    bindpw

    The AD user account password used to bind to the LDAP directory.

    objectSid

    AD domain's Domain SID.

    You can display this value by running the following command in a PowerShell terminal on your Domain Controler:

    PS C:\Users\admin> Get-ADDomain | findstr DomainSID
    DomainSID                          : S-1-5-21-1608350394-2850411632-306912843
  6. Restart the nslcd service.

  7. Verify that HAProxy ALOHA can connect to the LDAP server by testing the connection with the ldapsearch command. This command will prompt you to enter the user's password.

    $ ldapsearch -x -h dc1.mydomain.com -D alohalogin@mydomain.com -W -b 'CN=Users,DC=mydomain,DC=com'
    
    # extended LDIF
    #
    # LDAPv3
    # base <dc=mydomain,dc=com> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #
    
    # mydomain.com
    dn: DC=mydomain,DC=com
    objectClass: top
    objectClass: domain
    objectClass: domainDNS
    distinguishedName: DC=mydomain,DC=com
    instanceType: 5
    whenCreated: 20211202085814.0Z
    [...]

    Option

    Description

    -x

    Use simple authentication.

    -h

    URI referring to the LDAP server.

    -D

    Distinguished Name used to bind to the LDAP directory.

    -W

    Prompt for password.

    -b

    AD search base

    If the ldapsearch command fails, check your network configuration.

See also

nslcd - local LDAP name service daemon

Enable login for LDAP users

We assume that the four users in the table above have an account created on the AD domain.

You can, for example, implement the following list of access rights:

Alice

Bob

Carol

Dave

Web interface

Administration

Administration

Administration

monitor

SSH

Administration

Administration

Serial port

Administration

Administration Administration | Monitoring monitor

  1. Launch a terminal from the web UI's Tools tab or SSH to your HAProxy ALOHA appliance.

  2. Edit the file /etc/security/users.conf through the File Manager.

    Add users that have an account on the LDAP server, specifying the following for each:

    Option

    Description

    user

    The Active Directory user account name.

    auth_type

    ldap

    service

    wui, sshd, or login. This restricts how a user can log in.

    allow or deny

    Enable or disable user's login.

    map_to_user

    • admin for read/write access, or

    • monitor for read-only access.

    These directives implement the example access rights listed at the top of this page.

    user=alice  auth_type=ldap                  : allow map_to_user admin
    user=bob    auth_type=ldap service=wui,sshd : allow map_to_user admin
    user=carol  auth_type=ldap service=wui      : allow map_to_user admin
    user=dave   auth_type=ldap service=wui      : allow map_to_user monitor
    
    :deny

    You can also allow access to all users in an AD group:

    group=aloha-admins   auth_type=ldap : allow map_to_user admin
    group=aloha-monitor  auth_type=ldap  : allow map_to_user monitor
    
    :deny

Save your configuration

Save your configuration from the Setup tab.

https://cdn.haproxy.com/documentation/aloha/13-5/assets/aloha-wui-config-save-b44324f486725737fac81297931eaba33ced548168872be7993cbebbdee9172b.png

The Configuration was successfully saved message displays.

https://cdn.haproxy.com/documentation/aloha/13-5/assets/configuration-saved-9631106b20a7b21dac5993c744de0fe13c6b9a66c65fc4a09038db6bd6cc76ed.png

Test your configuration

Before you allow your LDAP users to log in, you should test a PAM configuration before you apply it.

  1. Check that your configuration is parsed correctly:

    $ sudo test_pam_user_map check_config -f /etc/security/users.conf
    
    Checking config file /etc/security/users.conf
    Config file /etc/security/users.conf parsed successfully
  2. Simulate a local user logging in through ssh:

    $ sudo test_pam_user_map check_pam_auth \
       -f /etc/security/users.conf check_config -u alice -s sshd -t ldap
    
    Checking PAM access for user alice
    Result: auth_type=ldap allow=1 matched=1 map_to_user=admin
    PAM: access granted
  3. Test your LDAP configuration with a real user and a real password:

    $ sudo test_pam_user_map check_login_pass -f /etc/security/users.conf \
       -u alice -p Hello123Hello123 -s sshd -t ldap
    
    Validating user=alice password=*** service=sshd
    PAM user has been set to admin
    user/password validated successfully

Limitations

  • When using SCP, user remapping does not work.

  • When using SSH keys, user remapping does not work (but key-based authentication does).

  • You cannot change the password of an LDAP user using HAProxy ALOHA. If you need to do so, use the tools provided with your LDAP server.

Troubleshooting

If the message # access denied using ssh, allowed when using login, displays, check the following:

  • The AllowGroups directive is commented out in /etc/ssh/sshd_config.

    $ sudo grep -i AllowGroups /etc/ssh/sshd_config
    # AllowGroups adm users

    If this directive is not commented out, check that your users' groups are allowed:

    $ sudo getent group
  • Check that UsePAM is set to yes in /etc/ssh/sshd_config/.

    $ sudo grep UsePAM /etc/ssh/sshd_config
    UsePAM yes

Next up

RADIUS Authentication
HAProxyConf 2022 - Call for papers