Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add LDAP feature support #16969

Merged
merged 4 commits into from
May 7, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 15 additions & 2 deletions files/build_templates/sonic_debian_extension.j2
Original file line number Diff line number Diff line change
Expand Up @@ -272,6 +272,19 @@ sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/sonic-device-data_*.deb || \
# package for supporting password hardening
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install libpam-pwquality

# Install pam-ldap, nss-ldap, ldap-utils
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Install

Suggest to add build time config, so deployers not using LDAP could reduce image size, and reduce the security concerns.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why should this be different than radius/tacacs? Why show different approaches for a feature in the same domain?

sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install \
libnss-ldapd \
libpam-ldapd \
ldap-utils

# add networking.service dependancy to nslcd
sudo LANG=C chroot $FILESYSTEM_ROOT sed -i '/# Required-Start:/ s/$/ networking.service/' /etc/init.d/nslcd

# nslcd disable default
sudo LANG=C chroot $FILESYSTEM_ROOT systemctl stop nslcd.service
sudo LANG=C chroot $FILESYSTEM_ROOT systemctl mask nslcd.service

# Install pam-tacplus and nss-tacplus
sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/libtac2_*.deb || \
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
Expand All @@ -285,14 +298,14 @@ sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/bash-tacplus_*.deb || \
# Install audisp-tacplus
sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/audisp-tacplus_*.deb || \
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
# Disable tacplus by default
# Disable tacplus and LDAP by default
## NOTE: this syntax of pam-auth-update is meant to be used when the package gets removed, not for specifying
## some local configuration of a PAM module. Currently, there's no clean way of noninteractively specifying
## whether some PAM module needs to be enabled or disabled on a system (there are hacky ways, though).
##
## If there is some PAM module that's installed/removed after this point, then this setting will end up having
## no impact, and there may be errors/test failures related to authentication.
sudo LANG=C chroot $FILESYSTEM_ROOT pam-auth-update --remove tacplus
sudo LANG=C chroot $FILESYSTEM_ROOT pam-auth-update --remove tacplus ldap
sudo sed -i -e '/^passwd/s/ tacplus//' $FILESYSTEM_ROOT/etc/nsswitch.conf

# Install pam-radius-auth and nss-radius
Expand Down
1 change: 1 addition & 0 deletions src/sonic-yang-models/setup.py
Original file line number Diff line number Diff line change
Expand Up @@ -163,6 +163,7 @@ def run(self):
'./yang-models/sonic-system-aaa.yang',
'./yang-models/sonic-system-tacacs.yang',
'./yang-models/sonic-system-radius.yang',
'./yang-models/sonic-system-ldap.yang',
'./yang-models/sonic-telemetry.yang',
'./yang-models/sonic-telemetry_client.yang',
'./yang-models/sonic-gnmi.yang',
Expand Down
16 changes: 16 additions & 0 deletions src/sonic-yang-models/tests/files/sample_config_db.json
Original file line number Diff line number Diff line change
Expand Up @@ -1612,6 +1612,22 @@
"timeout": "5"
}
},
"LDAP": {
"global": {
"bind_dn": "test_bind",
"bind_password": "secret",
"bind_timeout": "5",
"version": "3",
"base_dn": "test_base",
"port": "389",
"timeout": "5"
}
},
"LDAP_SERVER": {
"192.168.1.1": {
"priority": "5"
}
},
"NAT_BINDINGS": {
"bind1": {
"nat_pool": "pool1",
Expand Down
16 changes: 16 additions & 0 deletions src/sonic-yang-models/tests/yang_model_tests/tests/ldap.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
{
"LDAP_TABLE": {
"desc": "Configure LDAP global fields."
},
"LDAP_INVALID_TIMEOUT_TEST": {
"desc": "LDAP global configuration with invalid timeout value in LDAP table.",
"eStr": "LDAP timeout must be 1..60"
},
"LDAP_SERVER_TEST" : {
"desc": "LDAP server configuration in LDAP_SERVER table."
},
"LDAP_SERVER_INVALID_PRIORITY_TEST": {
"desc": "LDAP server configuration with invalid priority value in LDAP_SERVER table.",
"eStr": "LDAP server priority must be 1..8"
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
{
"LDAP_TABLE": {
"sonic-system-ldap:sonic-system-ldap": {
"sonic-system-ldap:LDAP": {
"global":{
"bind_dn": "test_bind",
"bind_password": "secret",
"bind_timeout": "5",
"version": "3",
"base_dn": "test_base",
"port": "389",
"timeout": "5"
}
}
}
},
"LDAP_INVALID_TIMEOUT_TEST": {
"sonic-system-ldap:sonic-system-ldap": {
"sonic-system-ldap:LDAP": {
"global": {
"bind_dn": "test_bind",
"bind_password": "secret",
"bind_timeout": "5",
"version": "3",
"base_dn": "test_base",
"port": "389",
"timeout": 150
}
}
}
},
"LDAP_SERVER_TEST": {
"sonic-system-ldap:sonic-system-ldap": {
"sonic-system-ldap:LDAP_SERVER": {
"LDAP_SERVER_LIST": [
{
"hostname": "192.168.1.1",
"priority": 1
},
{
"hostname": "ldap_server_1",
"priority": 2
}
]
}
}
},

"LDAP_SERVER_INVALID_PRIORITY_TEST": {
"sonic-system-ldap:sonic-system-ldap": {
"sonic-system-ldap:LDAP_SERVER": {
"LDAP_SERVER_LIST": [
{
"hostname": "192.168.1.1",
"priority": 70
}
]
}
}
}
}
4 changes: 2 additions & 2 deletions src/sonic-yang-models/yang-models/sonic-system-aaa.yang
Original file line number Diff line number Diff line change
Expand Up @@ -35,11 +35,11 @@ module sonic-system-aaa {

leaf login {
type string {
pattern '((tacacs\+|local|radius|default),)*(tacacs\+|local|radius|default)' {
pattern '((ldap|tacacs\+|local|radius|default),)*(ldap|tacacs\+|local|radius|default)' {
error-message "Invalid login choice";
}
}
description "AAA authentication/authorization/accounting methods - radius/tacacs+/local/default";
description "AAA authentication/authorization/accounting methods - radius/tacacs+/ldap|local/default";
default "local";
}

Expand Down
108 changes: 108 additions & 0 deletions src/sonic-yang-models/yang-models/sonic-system-ldap.yang
Original file line number Diff line number Diff line change
@@ -0,0 +1,108 @@
module sonic-system-ldap {
yang-version 1.1;
namespace "http://github.com/Azure/sonic-system-ldap";
prefix ssys-ldap;

import ietf-inet-types {
prefix inet;
davidpil2002 marked this conversation as resolved.
Show resolved Hide resolved
}

description "LDAP YANG Module for SONiC OS";

revision 2023-10-01 {
description "First Revision";
}

davidpil2002 marked this conversation as resolved.
Show resolved Hide resolved
container sonic-system-ldap {

container LDAP_SERVER {
list LDAP_SERVER_LIST {
max-elements 8;
key "hostname";

leaf hostname {
type inet:host;
description
"LDAP server's Domain name or IP address (IPv4 or IPv6)";
}

leaf priority {
default 1;
type uint8 {
range "1..8" {
error-message "LDAP server priority must be 1..8";
}
}
description "Server priority";
}
}
}

container LDAP {

container global {


leaf bind_dn {
davidpil2002 marked this conversation as resolved.
Show resolved Hide resolved
type string {
length "1..65";
}
description
'LDAP global bind dn';
}

davidpil2002 marked this conversation as resolved.
Show resolved Hide resolved
leaf bind_password {
type string {
length "1..65";
pattern "[^ #,]*" {
error-message 'LDAP shared secret (Valid chars are ASCII printable except SPACE, "#", and ",")';
}
davidpil2002 marked this conversation as resolved.
Show resolved Hide resolved
}
description "Shared secret used for encrypting the communication";
}

leaf bind_timeout {
davidpil2002 marked this conversation as resolved.
Show resolved Hide resolved
default 5;
type uint16 {
range "1..120" {
error-message "Ldap bind timeout must be 1..120";
}
}
description "Ldap bind timeout";
}

leaf version {
default 3;
type uint16 {
range "1..3" {
error-message "Ldap version must be 1..3";
}
davidpil2002 marked this conversation as resolved.
Show resolved Hide resolved
}
description "Ldap version";
}

leaf base_dn {
type string {
length "1..65";
}
description "Ldap user base dn";
}

leaf port {
type inet:port-number;
default 389;
description "TCP port to communicate with LDAP server";
}

leaf timeout {
davidpil2002 marked this conversation as resolved.
Show resolved Hide resolved
description "Ldap timeout duration in sec";
type uint16 {
range "1..60" {
error-message "LDAP timeout must be 1..60";
}
}
}
} /* container global */
} /* container LDAP */
}/* container sonic-system-ldap */
}/* end of module sonic-system-ldap */
Loading