LinuxQuestions.org
Authentication to OpenLDAP

Posted 07-13-2012 at 12:44 PM by kbscores

We finally got authentication on a Solaris 10 client to work with the Linux OpenLDAP client. It is a little strange, because for authentication to work the Solaris machine requires a user account to exist on that box. I believe the reason it is required is that we remove the native ldap, which in turn removes the cache manager. The service nscd utilizes the cache manager when ldap is in place. Since we no longer have the cache manager, nscd becomes worthless to the authentication process. As one guide so eloquently put it, “These are steps for authentication, not authorization.” The authorization is handled by the client machine, thus the account has to exist in order for authentication to even take place.
So how did we achieve authentication?

Note: These settings are specific to our setup. Depending on the functionality you are looking for these settings will vary.

1.) Follow the installation guide in my previous blog entry.

2.) Create a directory for cacert.pem.

3.) Put the cacert.pem from the server in the newly created directory (via ftp or scp; scp is preferable, since the client will trust whichever certificate authority this file contains, so it should not be altered in transit).

4.) Next edit /usr/local/etc/openldap/ldap.conf
Example: (/usr/local/etc/openldap/ldap.conf)
# "SSL" is not a documented ldap.conf(5) directive, so OpenLDAP ignores this line;
# with a plain ldap:// URI the session is protected by Start TLS (see step 5).
SSL ON
BASE dc=example,dc=com
URI ldap://example.com
# The CA that signed the server certificate; both directives point at the same CA.
TLS_CACERT /newly/created/directory/cacert.pem
TLS_CACERTDIR /newly/created/directory
# The directive name is TLS_REQCERT (not TLS_REQCACERT); "demand" aborts the
# session unless the server certificate verifies against the CA above.
TLS_REQCERT demand

5.) Next edit /etc/ldap.conf
Example: (/etc/ldap.conf)
uri ldap://example.com
base dc=example,dc=com
ldap_version 3
# rootbinddn is used for lookups that need privileges (shadow data); its password
# is read from /etc/ldap.secret, which must be owned by root with mode 0600.
rootbinddn cn=RootUser, dc=example,dc=com
bind_policy soft
# Options are "keyword value"; a line written as "port: 389" is not recognized
# (the keyword would read as "port:"). 389 is the default anyway.
port 389
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_password md5
pam_lookup_policy yes
# pam_check_host_attr compares the entry's host attribute with this client's
# hostname; a value of "*" matches any host.
pam_check_host_attr yes
# A second pam_filter overrides the first one above. pam_ldap wraps the value in
# parentheses and ANDs it with (uid=<login>), so no outer parentheses are needed.
pam_filter |(host=example.com)(host=*)
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_shadow ou=People,dc=example,dc=com?one
nss_base_group ou=group,dc=example,dc=com?one
# start_tls upgrades the ldap:// connection to TLS; tls_checkpeer yes makes the
# client refuse any server whose certificate does not chain to cacert.pem.
ssl start_tls
tls_checkpeer yes
tls_cacertfile /newly/created/directory/cacert.pem
tls_cacertdir /newly/created/directory

6.) Next edit /etc/pam.conf
Example: (/etc/pam.conf)
# Format: service  module_type  control_flag  module_path  [options]
# pam_authtok_get.so.1 only prompts for the password and always succeeds, so it
# must be "requisite", never "sufficient": a sufficient module that succeeds ends
# the stack with success before pam_unix_auth or pam_ldap ever checks the password.
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth sufficient pam_unix_auth.so.1
# ignore_unknown_user / ignore_authinfo_unavail make pam_ldap return PAM_IGNORE
# (rather than fail) for users not in LDAP or when the server is unreachable, so
# purely local accounts such as root keep working during an LDAP outage.
login auth required /usr/local/lib/security/pam_ldap.so.1 use_first_pass ignore_unknown_user ignore_authinfo_unavail

# requisite, not sufficient: see the note on pam_authtok_get above.
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth sufficient pam_unix_auth.so.1
rlogin auth required /usr/local/lib/security/pam_ldap.so.1 use_first_pass ignore_unknown_user ignore_authinfo_unavail

other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_unix_auth.so.1
other auth required /usr/local/lib/security/pam_ldap.so.1 use_first_pass ignore_unknown_user ignore_authinfo_unavail

passwd auth sufficient pam_passwd_auth.so.1
passwd auth required /usr/local/lib/security/pam_ldap.so.1 use_authtok

cron account required pam_unix_account.so.1
# Account checks: if LDAP says the account is fine (sufficient), the local
# pam_unix_account check is skipped; otherwise the local checks decide.
other account sufficient /usr/local/lib/security/pam_ldap.so.1 ignore_unknown_user ignore_authinfo_unavail
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
other session required pam_unix_session.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
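The control flags in the pam.conf stack above decide which module's result is the one that matters. The following is an added illustration (not code from the blog post or from Solaris): a small evaluator of the documented requisite/required/sufficient/optional rules, run over a constructed pam.conf fragment in which the login stack matches the post and the rlogin stack marks pam_authtok_get.so.1 as sufficient instead of requisite. The per-module results are constructed for a wrong-password attempt; pam_authtok_get only collects the password, so it always succeeds.

```python
"""Evaluate a Solaris-style pam.conf 'auth' stack under the standard control
flags to see which line decides the result.  Added illustration, not code
from the blog post or from Solaris: the pam.conf text and per-module results
are constructed, and the evaluator models the documented stacking rules."""

# Constructed pam.conf fragment: "login" as in the post; "rlogin" says
# sufficient on its first line where login says requisite.
SAMPLE_PAM_CONF = """
login  auth requisite  pam_authtok_get.so.1
login  auth required   pam_dhkeys.so.1
login  auth required   pam_unix_cred.so.1
login  auth sufficient pam_unix_auth.so.1
login  auth required   /usr/local/lib/security/pam_ldap.so.1 use_first_pass

rlogin auth sufficient pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth sufficient pam_unix_auth.so.1
rlogin auth required /usr/local/lib/security/pam_ldap.so.1 use_first_pass
"""

# Constructed results for an attempt with a WRONG password: the prompt
# module succeeds, the modules that verify the password fail.
WRONG_PASSWORD_RESULTS = {
    "pam_authtok_get.so.1": True,
    "pam_dhkeys.so.1": True,
    "pam_unix_cred.so.1": True,
    "pam_unix_auth.so.1": False,
    "/usr/local/lib/security/pam_ldap.so.1": False,
}


def parse_pam_conf(text, service, module_type="auth"):
    """Return [(control_flag, module_path), ...] for one service and module
    type, in file order.  Line format:
    service  module_type  control_flag  module_path  [options...]"""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        svc, mtype, flag, module = fields[:4]
        if svc == service and mtype == module_type:
            stack.append((flag, module))
    return stack


def evaluate_stack(stack, results):
    """Walk the stack with the classic control-flag semantics:
      requisite  - failure ends the stack immediately with failure
      required   - failure is remembered, later modules still run
      sufficient - success ends the stack with success unless a required
                   module has already failed
      optional   - result ignored here
    `results` maps module path -> True/False; an unlisted module counts as
    failed.  Returns (succeeded, deciding_module)."""
    first_required_failure = None
    for flag, module in stack:
        ok = results.get(module, False)
        if flag == "requisite" and not ok:
            return False, module
        if flag == "required" and not ok and first_required_failure is None:
            first_required_failure = module
        if flag == "sufficient" and ok and first_required_failure is None:
            return True, module
        if flag not in ("requisite", "required", "sufficient", "optional"):
            raise ValueError("unknown control flag %r" % flag)
    if first_required_failure is not None:
        return False, first_required_failure
    return True, stack[-1][1] if stack else None


def outcome_for(service, conf=SAMPLE_PAM_CONF, results=WRONG_PASSWORD_RESULTS):
    """Evaluate one service's auth stack against the given module results."""
    return evaluate_stack(parse_pam_conf(conf, service), results)


if __name__ == "__main__":
    for svc in ("login", "rlogin"):
        ok, who = outcome_for(svc)
        print("%-6s wrong password -> %s (decided by %s)"
              % (svc, "ACCEPTED" if ok else "rejected", who))
```

With these inputs the login stack is rejected by pam_ldap (the last required module), while the rlogin stack is accepted by pam_authtok_get before any password check runs; changing that one flag to requisite makes rlogin behave like login. The same evaluator can be pointed at any service in a real pam.conf to confirm that every auth stack is decided by a module that actually verifies credentials.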

7.) A couple of notes about these configurations
a. This configuration utilizes the ppolicy overlay.
b. This configuration utilizes TLS.
c. This configuration file could very well have excessive entries; I am not amazing at PAM or LDAP yet, so I don't know exactly what everything does. Working on cleaning it up now.

8.) Next, create the user accounts of the people who are allowed access to that client. Make sure they match the information on the LDAP server.
Example: If SusieQ in LDAP uses /home/QQ as her home directory, then when SusieQ is created on the Solaris 10 client the home directory must be /home/QQ, along with all of her corresponding information. If they do not match, the Solaris settings trump the LDAP settings. So if on the Solaris machine SusieQ’s home directory is /home/sue and LDAP’s home directory is /home/QQ, then upon logging in you will be placed in /home/sue. If that directory does not exist, Susie will be unable to log into that client.
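Because the local entry wins over LDAP on this client, the mismatch in step 8 is worth checking mechanically rather than by eye. The following is an added illustration, not code from the blog post: it parses passwd-format lines and the LDIF that ldapsearch prints for ou=People, then reports every posixAccount field where the local copy differs and every LDAP user with no local account at all. The passwd text and LDIF are constructed samples (SusieQ's home directory disagrees, "carol" exists only in LDAP); in practice you would feed it the real /etc/passwd and the output of an ldapsearch against the base from /etc/ldap.conf.

```python
"""Cross-check local passwd entries against the posixAccount entries an
OpenLDAP server publishes.  Added illustration, not code from the blog
post; the passwd text and LDIF below are constructed samples."""

# Constructed local accounts: SusieQ's home directory disagrees with LDAP.
LOCAL_PASSWD = """\
root:x:0:0:Super-User:/:/sbin/sh
susieq:x:1001:100:Susie Q:/home/sue:/bin/bash
bob:x:1002:100:Bob:/home/bob:/bin/sh
"""

# Constructed LDIF (ldapsearch -LLL style) for ou=People; 'carol' is LDAP-only.
LDAP_LDIF = """\
dn: uid=susieq,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: susieq
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/QQ
loginShell: /bin/bash

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 1002
gidNumber: 100
homeDirectory: /home/bob
loginShell: /bin/sh

dn: uid=carol,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: carol
uidNumber: 1003
gidNumber: 100
homeDirectory: /home/carol
loginShell: /bin/sh
"""

# posixAccount attributes that map one-to-one onto passwd(4) fields.
CHECKED = ("uidNumber", "gidNumber", "homeDirectory", "loginShell")


def parse_passwd(text):
    """passwd(4) lines -> {login: {ldap_attribute: value}}."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        users[f[0]] = {"uidNumber": f[2], "gidNumber": f[3],
                       "homeDirectory": f[5], "loginShell": f[6]}
    return users


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, folded lines
    (leading space) joined, first value of each attribute kept.  Base64
    ("::") values are not decoded.  Returns {uid: {attribute: value}}."""
    entries, current, lines = {}, {}, []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                # LDIF line folding
        else:
            lines.append(raw)
    for line in lines + [""]:                   # trailing "" flushes the last entry
        if not line.strip():
            if "uid" in current:
                entries[current["uid"]] = dict(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip(), value.strip())
    return entries


def compare_accounts(local, ldap):
    """Return [(uid, attribute, local_value, ldap_value)] for every mismatch.
    A user present in LDAP but absent locally is reported as 'local-account'
    missing, since this client will not let that user in at all."""
    problems = []
    for uid in sorted(ldap):
        if uid not in local:
            problems.append((uid, "local-account", None, "missing"))
            continue
        for attr in CHECKED:
            if local[uid].get(attr) != ldap[uid].get(attr):
                problems.append((uid, attr, local[uid].get(attr), ldap[uid].get(attr)))
    return problems


def report(passwd_text=LOCAL_PASSWD, ldif_text=LDAP_LDIF):
    """Parse both sources and return the mismatch list."""
    return compare_accounts(parse_passwd(passwd_text), parse_ldif(ldif_text))


if __name__ == "__main__":
    for uid, attr, local_v, ldap_v in report():
        print("%s: %s local=%s ldap=%s" % (uid, attr, local_v, ldap_v))
```

On the constructed data the report lists carol as having no local account and susieq's homeDirectory as /home/sue locally versus /home/QQ in LDAP, which is exactly the case the example in step 8 describes.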

9.) Note: The user account on the local client may be locked to prevent confusion. The account authenticates to LDAP, and the user will be allowed in as long as their account is not locked in LDAP.


This is all I have so far... more to come as I learn more.