Categories
Network Engineering

Using OpenLDAP to Authenticate to Dokuwiki Part 2

This was a school assignment

This is a continuation of the previous report and looks at LDAP (Lightweight Directory Access Protocol) server software that is compatible with DokuWiki. DokuWiki is not an enormously popular wiki, but it does support LDAP authentication [1]; it requires the LDAP Authentication plugin to be installed in the application. The plugin page [1] has configuration examples for many different LDAP servers it can communicate with, including OpenLDAP, Active Directory, TinyLDAP and Apache Directory, amongst others.

As this is a Linux project, Active Directory, while arguably the most feature rich, will not be chosen: being a Microsoft product, it would require more dependencies, such as a Windows Server virtual machine, and more complicated licensing. So the focus will be on LDAP servers that can be installed for free on Ubuntu and that support SSL/TLS.

OpenLDAP was chosen for this assignment because there appeared to be far more documentation available for it than for the other options (besides Active Directory, which was ruled out for the reasons above). OpenLDAP uses “The OpenLDAP Public License”, which can be found at [2].

Part 1: Installing OpenLDAP and filling with data.

This website was mostly followed [3]. Run the following on VM2, or whichever VM has the DokuWiki web server running.

sudo apt install slapd ldap-utils
sudo apt-get install php-ldap
sudo a2enmod authnz_ldap
sudo systemctl restart apache2

These commands install the LDAP server (slapd) and the LDAP client utilities, then the PHP LDAP extension that lets DokuWiki/PHP talk to LDAP, enable the Apache LDAP authentication module, and finally restart Apache.

sudo dpkg-reconfigure slapd
  • Choose No
  • Create a domain name: example.com
  • Organisation: example
  • Enter a password: ‘yourpassword’
  • Choose MDB
  • Choose No
  • Choose Yes
Create a file add_entries.ldif:
nano add_entries.ldif

Use the content of the file demonstrated on the Ubuntu website, which is what this solution used [3].
In this file add that data, or edit your own from workshop 2.

Now access the DokuWiki website; if unchanged from last time it will be on 127.0.0.1:8080.

Log in at the top right using the account created in the last report, then:
  • Go to Admin Panel, Extension Manager, and enable the LDAP Auth Plugin.
  • Click Admin again; this time go to Configuration Manager.
  • Under the Authentication section change authtype to ‘authldap’.
  • Go to the Authldap section.

Figure 1: Admin settings configuration panel.

If you are using the LDAP example from the website, the settings in the figure above will work; otherwise configure them to match your directory. The hostname and port are the same for either configuration. After filling in the form, click Save. The main thing to take away is that the third and fourth options need to be able to find the OUs that contain the users and groups.

This will now lock you out of your admin account, as local accounts are no longer allowed, only LDAP accounts. You will now be able to log in using one of your LDAP accounts.

There are still a few settings that need to be configured; these can be done from:

/var/www/dokuwiki/dokuwiki-2018-04-22b/conf

This website [4] shows different possible configurations for making LDAP work with DokuWiki. The working configuration is shown in Figure 2. All the settings from Figure 1 can also be set or changed here if needed.


Figure 2: /var/www/dokuwiki/dokuwiki-2018-04-22b/conf/local.php

To fix the admin account problem [5], in $conf['superuser'] = ''; you can enter an LDAP user of your choice, or a superuser group by prefixing it with the @ symbol, with multiple entries separated by commas.

Part 2: Configuring SSL/TLS LDAP

sudo apt-get install tcpdump
tcpdump -w file_name.pcap -i {interface-name}

This command records all traffic on the specified interface and saves it to a file; I chose the loopback interface as the traffic was moving within the same VM. I logged in and out a few times on the wiki and then stopped the capture. Searching the capture for the password gave 16 matches.

Figure 3: Unencrypted Loopback traffic showing ldap/website authentication password.

This is not too concerning, because if the website were in actual use the loopback interface could not be captured from outside unless someone had already broken into the system, at which point they would have access anyway.

Figure 4: Website's unencrypted HTTP traffic over the network.

With the client accessing over the network we can see that it contains lots of unencrypted traffic, including the password, which is not good as anyone on the network could snoop on this connection.

This website [6] was used to understand how to add HTTPS to a website. This is necessary to encrypt the information seen in Figures 3 and 4, making it more difficult for attackers to steal login credentials. All the default options from [6] were followed, except for the Firewall section, which was left out as it was not necessary.

Figure 5: HTTPS Enabled Wiki.

The final configuration settings are shown below.

Figure 6: Dokuwiki.conf file in apache.
Figure 7: apache ports file
Figure 8: 000-default apache file. This redirects HTTP to HTTPS, disabling unencrypted access.
Figure 9: After enabling HTTPS on the website, searches of the traffic for the user name and password return nothing.

Figure 9 shows that, unlike the previous tcpdumps, now that the website is running HTTPS there are 0 results for the user account or the password, which at the least prevents an attacker from readily reading the traffic.
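As an added example (not from the report), the check behind Figures 3 and 9 done from the shell instead of by eye in Wireshark: extract the printable byte runs from a capture file and count how many contain the login password. The two capture files are constructed stand-ins for the report's loopback and HTTPS captures; the DokuWiki form field names and the LDAP bind layout in them are assumptions.

```shell
#!/bin/sh
# count_secret FILE SECRET: number of printable byte runs in FILE that contain
# SECRET. A pcap is just bytes, so this needs no tcpdump/tshark. LC_ALL=C makes
# tr and grep work byte-wise on the raw capture.
count_secret() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | LC_ALL=C grep -c -F -- "$2" || true
}

# show_contexts FILE SECRET: print every run that contains SECRET, so the
# analyst can see which protocol leaked it (HTTP form body, LDAP simple bind).
show_contexts() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | LC_ALL=C grep -F -- "$2" || true
}

# check_capture FILE SECRET: verdict string "leak:<n>" or "clean".
check_capture() {
    n=$(count_secret "$1" "$2")
    if [ "$n" -gt 0 ]; then echo "leak:$n"; else echo clean; fi
}

# Constructed stand-in for the unencrypted loopback capture: a DokuWiki login
# POST (assumed field names u and p) followed by an LDAP simple bind, where the
# password follows the bind DN as a [0] OCTET STRING (0x80, length 8). The
# surrounding octal bytes stand in for packet headers.
write_plain_capture() {
    printf '\001\002\003POST /doku.php HTTP/1.1\r\n\r\nu=john&p=johnldap\004\005' > "$1"
    printf '\060\062\002\001\001\140uid=john,ou=People,dc=example,dc=com\200\010johnldap\006' >> "$1"
}

# Constructed stand-in for the HTTPS capture: only opaque TLS record bytes.
write_tls_capture() {
    printf '\026\003\003\000\052\251\373\012\217\316\101\130\360\035\302\177' > "$1"
}

# Usage: run both constructed captures through the check.
cap="${TMPDIR:-/tmp}/cap_$$.bin"
write_plain_capture "$cap"
echo "plain HTTP + LDAP: $(check_capture "$cap" johnldap)"   # leak:2
show_contexts "$cap" johnldap
write_tls_capture "$cap"
echo "HTTPS:             $(check_capture "$cap" johnldap)"   # clean
rm -f "$cap"
```

On a real capture, run check_capture against the pcap tcpdump wrote; the HTTP run and the LDAP bind run show up as separate lines in show_contexts, which is why the loopback capture counts the password once per protocol per login.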

References

[1] “LDAP Authentication Plugin,” [Online]. Available: https://www.dokuwiki.org/plugin:authldap. [Accessed 12 6 2019].
[2] “Public License for 2.4.47,” [Online]. Available: https://www.openldap.org/software/release/license.html. [Accessed 17 6 2019].
[3] “OpenLDAP Server,” Ubuntu, [Online]. Available: https://help.ubuntu.com/lts/serverguide/openldap-server.html.en. [Accessed 16 6 2019].
[4] “Open:Ldap,” [Online]. Available: https://www.dokuwiki.org/auth:ldap_openldap. [Accessed 15 6 2019].
[5] “SuperUser,” [Online]. Available: https://www.dokuwiki.org/config:superuser. [Accessed 15 6 2019].
[6] “How To Create a Self-Signed SSL Certificate for Apache in Ubuntu 16.04,” [Online]. Available: https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificatefor-apache-in-ubuntu-16-04. [Accessed 17 6 2019].
[7] “Setting up OpenLDAP Server in Ubuntu 18.04 LTS,” [Online]. Available: https://www.youtube.com/watch?v=2r1VVJzY2Rw. [Accessed 13 6 2019].


Create A DokuWiki Installation On Ubuntu 18.04 Part 1

Example of finished network.

As it is a virtualized network it is a bit more complicated, but essentially the host computer (the client) interfaces only with the NGINX VM. NGINX then forwards the request to the backend Apache server, which serves the DokuWiki installation, but as far as the client/host is concerned it is only accessing the NGINX server.

Installation steps.

Instructions were found here [16] but have been verified and slightly changed, fixing errors and overlooked steps in the original instructions.
The current version of Ubuntu, 18.04, was used, with all updates as of 18/4/2019 installed. This also requires two VMs and the host computer, all connected using a VirtualBox host-only adapter, plus a bridged adapter to allow the VMs to install software.

sudo apt-get install apache2
This command installs the apache2 web server.

To install PHP7 and the modules for Apache: this was one of the steps in the documentation that didn’t seem to work as described, but these commands worked.

sudo apt-get install php libapache2-mod-php

This should have installed all the dependencies needed for DokuWiki; now we will begin the installation of DokuWiki itself.
Create the directories for the program:
sudo mkdir -p /var/www/dokuwiki
cd /var/www/dokuwiki

wget downloads the program from the website via the terminal:
sudo wget http://download.dokuwiki.org/src/dokuwiki/dokuwiki-stable.tgz

Next we must unpack the file:
sudo tar xvf dokuwiki-stable.tgz
Change the permissions of the folder:

chmod -R 707 /var/www/dokuwiki
NOTE: The full file structure should be /var/www/dokuwiki/dokuwiki-2018-04-22b. If it is different, the directory path will need to be specified in the VirtualHost section so that Apache can find the application. Mode 707 makes the whole tree world-writable, which is acceptable in a lab VM but should be tightened (ownership to www-data and non-world-writable modes) on anything reachable by others.

Configure Apache for DokuWiki.

sudo touch /etc/apache2/sites-available/dokuwiki.conf

sudo ln -s /etc/apache2/sites-available/dokuwiki.conf /etc/apache2/sites-enabled/dokuwiki.conf

NOTE: This creates the dokuwiki.conf file in the sites-available folder and then creates a symbolic link to it in the sites-enabled folder. Only the files in the sites-enabled folder are served by Apache; sites-available is used as a sort of backup.
Next the dokuwiki.conf file needs to be edited:
sudo nano /etc/apache2/sites-available/dokuwiki.conf

File permissions may need to be added to the .conf files.

 

As mentioned previously, the root of your DokuWiki installation should be put in DocumentRoot and may differ on your system.

Next step is to restart the apache service. 

systemctl restart apache2.service

If this command doesn’t work, you have done something wrong, probably in the conf file.

systemctl status apache2 may help.
Now edit the hosts file, /etc/hosts, using nano:
sudo nano /etc/hosts

Add the lines shown in the picture below:
127.0.0.1 wiki.neteng2.com
127.0.0.1 www.wiki.neteng2.com

These need to be added so the computer knows where to find these host names. This gets messy later with the reverse proxy because we don’t have a DNS server, so it will be easier to just stick with IP addresses.


Navigate in your web browser to your new site, which will be wiki.neteng2.com/install.php (or the IP address), but make sure to access /install.php. Enter the installation details. After this the website can be accessed without install.php.

You will now have a working DokuWiki install!

Implement NGINX Reverse Proxy

This is where things start to get a bit confusing. Open a new Ubuntu virtual machine. Make sure it is using a host-only adapter and is on the same network as the host computer and the Apache server. In my case these were:
  • Host Computer: 192.168.56.1
  • Apache Server VM: 192.168.56.109
  • NGINX Reverse-Proxy VM: 192.168.56.110
Most of the instructions for the reverse proxy were taken from here [17].
Network Engineering, I give permission for this assignment to be shared NETENG ASSIGNMENT 1

sudo apt-get install nginx
This should create all the basic directory structures. To keep things simple we will just use the default files. Nginx is installed into /etc/nginx.

cd /etc/nginx/sites-available
Now edit the default file, i.e. nano /etc/nginx/sites-available/default, and uncomment everything (#).

At the bottom of the file add:

server {
    listen 80;
    server_name wiki.neteng2.com wiki.neteng.com 192.168.56.109 www.foobar.net foobar.net;
     location / {
        proxy_pass http://192.168.56.109:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

This creates a very basic proxy configuration. server_name is slightly redundant as we won’t be using DNS names because we don’t have a DNS server; however, if you added DNS names to the hosts file on every computer it may work. In proxy_pass use the IP address OF YOUR APACHE WEBSERVER.

Change back to your Apache VM.
Some of the settings entered earlier will need to be changed to allow it to interact with the proxy server.

Edit the /etc/apache2/sites-available/dokuwiki.conf file from before.

Change <VirtualHost 127.0.0.1:80> to <VirtualHost *:8080>

This makes Apache listen for any request on port 8080, which is where our reverse proxy will send requests. This is quite a simple reverse proxy.

The file /etc/apache2/ports.conf needs to be edited.

Change the Listen line to Listen *:8080

Reload Apache: systemctl restart apache2
Reload NGINX: systemctl restart nginx
Verify that Apache is listening on port 8080:

sudo netstat -tlpn

If everything is correct, from your host computer enter the IP address of your NGINX server, not your Apache server, i.e. 192.168.56.110/doku.php. You should receive the DokuWiki page even though you used the IP address of your NGINX server. This is how a reverse proxy works. You could then add more servers and have them all accessed through your NGINX IP address.

Host accessing the NGINX IP and receiving the webpage from Apache.

Future Considerations/Conclusion

The DokuWiki configuration went well. Some sort of DNS server could be implemented in the future to allow the hostnames to work properly with the reverse proxy. The host computer can also access the wiki directly, which is not really the point of a reverse proxy; this could be due to the virtual networking, but could also be fixed with simple firewall rules.


Authenticate to Ubuntu using OpenLDAP

What is PAM?

PAM [1] (Pluggable Authentication Modules) is a way to separate authentication from the applications that need it. This means that you can have one database containing user login information, such as OpenLDAP, and use that database's information to allow access to different parts of a system: the system itself, SSH, a website or other applications. This is opposed to every application holding its own logon information, and is an excellent way to improve security.

System Settings

Network 192.168.56.0/24 – host-only adapter for the two VMs to communicate.

Bridged Adapter for internet access.

Ubuntu 18.04 VM 1.

Ubuntu 18.04 VM 2.

Diagram of the network. The OpenLDAP server authenticates LDAP users onto VM1. SSH LDAP authentication can also be performed from the Windows computer or the server into the client machine using LDAP users.

Part 1: Installing OpenLDAP and Populating the database

These websites were referenced and followed for the following setup [2] [4].

Server (VM2)

  • sudo apt-get update
  • sudo apt-get upgrade
  • sudo apt-get install slapd ldap-utils
  • Set the admin password
  • sudo dpkg-reconfigure slapd
  • No
  • DNS domain name – example.com
  • Organization name – nodomain
  • Enter password
  • MDB
  • No
  • Yes

This will have installed OpenLDAP with the example.com domain, i.e.

‘dc=example,dc=com’

Create a file called add_content.ldif; example data is supplied in the appendices. This will be different from the previous labs, as the user will want a home directory and other luxuries when they log into the system. The users need a uidNumber and a gidNumber. Every account needs to be unique; these numbers are used for keeping track of users and groups on a system and which folders and files they can access [3].

Example user John. Example LDIF data can be found at the bottom of the report.

Add the content to the database:
ldapadd -x -D cn=admin,dc=example,dc=com -W -f add_content.ldif

Assuming the LDIF file is correct, this will add the content to the database. If you ever want to modify the LDIF file, it can easily be changed and then re-applied to the working system by adding the -c switch, which skips exiting if a duplicate is found in the database and writes over:
ldapadd -c -x -D cn=admin,dc=example,dc=com -W -f add_content.ldif
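As an added example, not part of the report or its sources: a small POSIX shell/awk checker to run over add_content.ldif (or the add_entries.ldif from the DokuWiki report) before ldapadd. It flags a dn that appears twice, a uidNumber shared by two entries, and a cn that does not match givenName and sn, which is exactly the copy-paste slip visible in the appendix (Fiona's entry carries cn: Magnus Smith). The sample LDIF is constructed.

```shell
#!/bin/sh
# lint_ldif FILE: report duplicate dn, duplicate uidNumber and cn/givenName/sn
# mismatches in an LDIF file. Prints one line per finding; the exit status is
# the number of findings, so 0 means clean. Every "dn:" line starts a new
# entry, so a file that has lost its blank separator lines still parses.
lint_ldif() {
    awk '
    function flush() {
        if (dn == "") return
        if (dn in seen_dn) { print "duplicate dn: " dn; n++ } else seen_dn[dn] = 1
        if (uidn != "") {
            if (uidn in seen_uid) { print "uidNumber " uidn " reused by " dn " (first: " seen_uid[uidn] ")"; n++ }
            else seen_uid[uidn] = dn
        }
        if (cn != "" && gn != "" && sn != "" && cn != gn " " sn) {
            print "cn mismatch in " dn ": cn=\"" cn "\" but givenName sn=\"" gn " " sn "\""; n++
        }
        dn = uidn = cn = gn = sn = ""
    }
    /^dn: /        { flush(); dn = substr($0, 5); next }
    /^uidNumber: / { uidn = substr($0, 12); next }
    /^cn: /        { cn = substr($0, 5); next }
    /^givenName: / { gn = substr($0, 12); next }
    /^sn: /        { sn = substr($0, 5); next }
    END            { flush(); exit n }
    ' "$1"
}

# write_sample FILE: constructed LDIF in the shape of the report appendix, with
# one copy-pasted cn and one entry pasted twice (as happens when an LDIF is
# re-applied by hand).
write_sample() {
    cat > "$1" <<'EOF'
dn: uid=john,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
uidNumber: 10000
gidNumber: 5000

dn: uid=fiona,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: fiona
sn: Smith
givenName: Fiona
cn: Magnus Smith
uidNumber: 11100
gidNumber: 5110

dn: uid=fiona,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: fiona
sn: Smith
givenName: Fiona
cn: Fiona Smith
uidNumber: 11100
gidNumber: 5110
EOF
}

# Usage: lint the constructed sample; expect 3 findings.
sample="${TMPDIR:-/tmp}/lint_sample_$$.ldif"
write_sample "$sample"
rc=0; lint_ldif "$sample" || rc=$?
echo "findings: $rc"   # prints "findings: 3"
rm -f "$sample"
```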

Part 2: Enable Logging on OPENLDAP

This can be used to verify issues with ldap authentication on the system.

sudo nano logging.ldif
Add the following to the file:
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats

Apply it to the system:
sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f logging.ldif
They recommend changing the rsyslog settings so your system doesn’t get swamped with logging messages. Edit /etc/rsyslog.conf and add the following to the file:

# Disable rate limiting
# (default is 200 messages in 5 seconds; below we make the 5 become 0)
$SystemLogRateLimitInterval 0

Then run sudo systemctl restart syslog.service.

Part 3: Configure Client to Authenticate Against LDAP

Client (VM1)

sudo apt install libnss-ldap
When prompted for the LDAP server URI, enter ldap://192.168.56.117/ (the IP of your server).
Choose the default options, changing the accounts to be in the correct domain.
The results can be seen in /etc/ldap.conf; other settings may be changed here too.
Configure NSS for LDAP:
sudo auth-client-config -t nss -p lac_ldap
This command changes the way information from a source such as LDAP is used to log in to a system.
Configure the system to use PAM authentication:
sudo pam-auth-update

Choose every option in the list (use the spacebar); any fewer seems to crash the system. This should make it possible to log into the system using LDAP accounts, as well as the regular way if needed. This will also create the user's home directory on login.

Edit the file /etc/pam.d/common-session and add the second line shown, to allow home directories to be made upon logon.
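As an added example (not the report's own file), an idempotent way to add the home-directory line to /etc/pam.d/common-session, so running the setup twice does not stack duplicate entries, plus a way to confirm the line is active. The exact line is an assumption, since the report only says "add the second line": pam_mkhomedir.so with skel= and umask= is the module commonly used for this, and umask=0077 keeps new LDAP users' home directories private. The sample file is constructed.

```shell
#!/bin/sh
# Assumed line: create a home directory on first login, copied from /etc/skel,
# readable only by the owner. (The report does not reproduce its exact line.)
MKHOMEDIR_LINE='session optional pam_mkhomedir.so skel=/etc/skel umask=0077'

# active_mkhomedir_count FILE: number of non-comment lines that load
# pam_mkhomedir.so (a commented-out line must not count as present).
active_mkhomedir_count() {
    grep -v '^[[:space:]]*#' "$1" | grep -c -F -- 'pam_mkhomedir.so' || true
}

# ensure_mkhomedir FILE: append MKHOMEDIR_LINE unless an active one already
# exists. Prints "added" or "present". Try it on a copy before touching the
# real /etc/pam.d/common-session, since a broken PAM file can lock out logins.
ensure_mkhomedir() {
    if [ "$(active_mkhomedir_count "$1")" -gt 0 ]; then
        echo present
    else
        printf '%s\n' "$MKHOMEDIR_LINE" >> "$1"
        echo added
    fi
}

# Constructed stand-in for common-session as left by pam-auth-update, including
# a commented-out mkhomedir line that must not be mistaken for an active one.
write_sample_session() {
    cat > "$1" <<'EOF'
# /etc/pam.d/common-session - constructed sample, not the real file
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_ldap.so
session optional pam_systemd.so
# session optional pam_mkhomedir.so skel=/etc/skel umask=0022
EOF
}

# Usage on the constructed sample: first call adds, second call is a no-op.
f="${TMPDIR:-/tmp}/common-session_$$"
write_sample_session "$f"
ensure_mkhomedir "$f"   # added
ensure_mkhomedir "$f"   # present
echo "active mkhomedir lines: $(active_mkhomedir_count "$f")"   # 1
rm -f "$f"
```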

Problem 1

Authenticating via the GUI does not work at all. It authenticates the user, shows the desktop background for a long time, then returns to the login screen. A possible solution was installing a different desktop environment, but after installing xfce4 it still didn’t work, so the problem was not the desktop environment.

Authenticating via the terminal and SSH does work (sudo apt-get install ssh).

Access through SSH via PowerShell from the Windows machine, connected by the host-only adapter, does allow our LDAP users John and Fiona to authenticate to the system. Logging in as Student and switching user to john works as well.

Solution for Problem 1

After reading many more tutorials such as [4] [5], all that was needed was found here [6]: sudo systemctl restart systemd-logind. This then allowed login via the GUI using LDAP accounts.

Fiona Smith LDAP logged in.

John Doe logged in via GUI.

So the problem was systemd, which is one of the core components of Linux. I thought that services got restarted on reboot, but obviously not all of them, from what this situation has taught me. This concludes this report on how to enable LDAP PAM user authentication for a client/server system using Ubuntu.

References

[1] “User Authentication HOWTO,” [Online]. Available: http://tldp.org/HOWTO/UserAuthentication-HOWTO/x115.html. [Accessed 21 6 2019].
[2] “OpenLDAP Server,” [Online]. Available: https://help.ubuntu.com/lts/serverguide/openldap-server.html. [Accessed 19 6 2019].
[3] [Online]. Available: https://geek-university.com/linux/uid-user-identifier-gid-groupidentifier/. [Accessed 19 6 2019].
[4] “Configure Linux clients to authenticate using OpenLDAP,” [Online]. Available: https://www.unixmen.com/configure-linux-clients-to-authenticate-using-openldap/. [Accessed 21 6 2019].
[5] “How to Setup OpenLDAP Server and Authenticate Client Workstation,” [Online]. Available: https://linoxide.com/linux-how-to/setup-openldap-server-authenticate-clientworkstation/. [Accessed 21 6 2019].
[6] “After an update, locking and logging in puts me back at login screen,” [Online]. Available: https://askubuntu.com/questions/747876/after-an-update-locking-andlogging-in-puts-me-back-at-login-screen/747877. [Accessed 21 6 2019].

Appendices

Example LDIF data

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

dn: cn=miners,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: miners
gidNumber: 5000

dn: uid=john,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 10000
gidNumber: 5000
userPassword: johnldap
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john

dn: uid=Magnus,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: magnus
sn: Smith
givenName: Magnus
cn: Magnus Smith
displayName: Magnus Smith
uidNumber: 11000
gidNumber: 5100
userPassword: Password1
gecos: Magnus Smith
loginShell: /bin/bash
homeDirectory: /home/Magnus

dn: uid=Fiona,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: fiona
sn: Smith
givenName: Fiona
cn: Magnus Smith
displayName: Fiona smith
uidNumber: 11100
gidNumber: 5110
userPassword: Password1
gecos: Fiona Smith
loginShell: /bin/bash
homeDirectory: /home/Fiona
dn: uid=Freya,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: freya
sn: Taylor
givenName: Freya
cn: Magnus Taylor
displayName: Freya Taylor
uidNumber: 11110
gidNumber: 5111
userPassword: Password1
gecos: Freya Taylor
loginShell: /bin/bash
homeDirectory: /home/Freya

dn: uid=Murphey,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: murphey
sn: Jones
givenName: Murphey
cn: Magnus Jones
displayName: Murphey Jones
uidNumber: 11111
gidNumber: 5221
userPassword: Password1
gecos: Murphey Jones
loginShell: /bin/bash
homeDirectory: /home/Murphey


Shell Scripting

Shell scripting is a useful way to automate processes on a Linux machine. Don’t let the word scripting or the use of the CLI scare you away; it is actually quite simple.

Categories
Cyber Security

DNS Enumeration

DNS enumeration is an attack, or a way to gather information on a system or a network. Using DNS instead of just, say, nmap can give other types of information that nmap may not find.

Types of tools
– dnsenum


Tools – NMAP

Nmap is one of the oldest and best network enumeration tools. It is included in Kali Linux and can be used on any other system. It is used for security auditing of one or a thousand or more systems and is a great way to detect vulnerabilities.

Their website: https://nmap.org/

Ubuntu distros
sudo apt-get install nmap
Redhat
sudo dnf install nmap

Nmap works by probing a host or many hosts on a network for open ports. The simplest version of the command is:
nmap <host ip address or dns address>

To scan a range of IP addresses:
nmap <start ip>-<end of range>, e.g. nmap 192.168.1.10-100

To scan for a specific port (this will scan for open HTTP ports):
nmap -p 80 192.168.1.10
To scan a range of ports:
nmap -p 1-200 192.168.1.10
You could also combine the two (this will scan port 80 on all IP addresses from 10 to 200):
nmap -p 80 192.168.1.10-200
nmap can also be used to detect operating systems; this isn’t the most accurate but does give a good indication:
nmap -O 192.168.1.10