Authentication to OpenLDAP

Posted 07-13-2012 at 12:44 PM by kbscores

We finally got authentication on a Solaris 10 client to work with the Linux OpenLDAP client. It is a little strange, because for authentication to work the Solaris machine requires a user account to exist on that box. I believe the reason it is required is that we remove the native ldap, which in turn removes cache manager. The service nscd utilizes cache manager when ldap is in place. Since we no longer have cache manager, nscd becomes worthless to the authentication process. As one guide so eloquently put it, “These are steps for authentication, not authorization.” The authorization is handled by the client machine, thus the account has to exist in order for authentication to even take place.
So how did we achieve authentication?

Note: These settings are specific to our setup. Depending on the functionality you are looking for these settings will vary.

1.) Follow my guide for installation in the previous blog.

2.) Create a directory for cacert.pem.

3.) Put the cacert.pem from the server in the newly created directory (via ftp or scp).

4.) Next edit /usr/local/etc/openldap/ldap.conf
Example: (/usr/local/etc/openldap/ldap.conf)
BASE dc=example,dc=com
URI ldap://
TLS_CACERT /newly/created/directory/cacert.pem
TLS_CACERTDIR /newly/created/directory

5.) Next edit /etc/ldap.conf
Example: (/etc/ldap.conf)
uri ldap://
base dc=example,dc=com
ldap_version 3
rootbinddn cn=RootUser, dc=example,dc=com
bind_policy soft
port 389
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_password md5
pam_lookup_policy yes
pam_check_host_attr yes
pam_filter |(*)
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_shadow ou=People,dc=example,dc=com?one
nss_base_group ou=group,dc=example,dc=com?one
ssl start_tls
tls_checkpeer yes
tls_cacertfile /newly/created/directory/cacert.pem
tls_cacertdir /newly/created/directory

6.) Next edit /etc/pam.conf
Example: (/etc/pam.conf)
login auth requisite
login auth required
login auth required
login auth sufficient
login auth required /usr/local/lib/security/ use_first_pass ignore_unknown_user ignore_authinfo_unavail

rlogin auth sufficient
rlogin auth required
rlogin auth required
rlogin auth sufficient
rlogin auth required /usr/local/lib/security/ use_first_pass ignore_unknown_user ignore_authinfo_unavail
other auth requisite
other auth required
other auth required
other auth sufficient
other auth required /usr/local/lib/security/ use_first_pass ignore_unknown_user ignore_authinfo_unavail
passwd auth sufficient
passwd auth required /usr/local/lib/security/ use_authtok
cron account required
other account sufficient /usr/local/lib/security/ ignore_unknown_user ignore_authinfo_unavail
other account requisite
other account required
other session required
other password required
other password requisite
other password requisite
other password required

7.) A couple of notes about these configurations:
a. This configuration utilizes the ppolicy overlay.
b. This configuration utilizes TLS.
c. This configuration file could very well have excessive entries; I am not yet good enough at pam or ldap to know exactly what everything does. Working on cleaning it up now.

8.) Next create the user accounts of the people who are allowed access to that client. MAKE SURE to match the information that is on the ldap server.
Example: If SusieQ in ldap uses /home/QQ as her home directory, then when SusieQ is created on the Solaris 10 client her home directory must be /home/QQ, along with all of her corresponding information. If they do not match, the Solaris settings will trump the ldap settings. So if on the Solaris machine SusieQ’s home directory is /home/sue and ldap’s home directory is /home/QQ, then upon logging in you will be placed in /home/sue. If that directory does not exist, Susie will be unable to log into that client.

9.) Note: The user account on the local client may be locked to prevent confusion. The account authenticates to ldap and will let the user in as long as the account is not locked in ldap.
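Step 8 is where logins quietly break: the local passwd entry wins over the directory, so a mismatched home directory leaves the user locked out. The script below is an added example (not from the original post) that compares local passwd(4) lines against an LDIF dump of the posixAccount entries and reports every attribute that disagrees; both samples are constructed, and the real data would come from /etc/passwd and an ldapsearch of ou=People.

```python
# Added example, not from the original post: compare local passwd(4) entries with
# the matching LDAP posixAccount entries. The post notes that local attributes win,
# so a home directory that differs from LDAP blocks the login. Samples are constructed.

LDIF_SAMPLE = """\
dn: uid=susieq,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: susieq
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/QQ
loginShell: /bin/bash
"""
PASSWD_SAMPLE = """\
root:x:0:0:Super-User:/:/sbin/sh
susieq:x:1001:100:Susie Q:/home/sue:/bin/bash
bob:x:1002:100:Bob:/home/bob:/bin/sh
"""

# passwd field index -> LDAP attribute that must hold the same value
FIELDS = {2: "uidNumber", 3: "gidNumber", 5: "homeDirectory", 6: "loginShell"}

def parse_ldif(text):
    """Return {uid: {attr: value}} for each entry in a simple LDIF dump."""
    entries, current = {}, {}
    for line in text.splitlines() + [""]:
        if not line.strip():               # blank line ends an entry
            if "uid" in current:
                entries[current["uid"]] = current
            current = {}
            continue
        attr, _, value = line.partition(": ")
        current[attr] = value              # single-valued attrs only
    return entries

def find_mismatches(passwd_text, ldif_text):
    """Return {login: [(attr, local, ldap), ...]}; system accounts (uid < 100) are skipped."""
    remote, report = parse_ldif(ldif_text), {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or int(fields[2]) < 100:
            continue
        login, entry = fields[0], remote.get(fields[0])
        if entry is None:                  # local account with no directory entry
            report[login] = [("entry", "present", "missing")]
            continue
        diffs = [(a, fields[i], entry.get(a)) for i, a in FIELDS.items()
                 if fields[i] != entry.get(a)]
        if diffs:
            report[login] = diffs
    return report
```

Running it on the samples flags susieq's home directory (/home/sue locally versus /home/QQ in ldap) and bob as having no directory entry, which is exactly the situation step 8 warns about.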

This is all I have so far... more to come as I learn more.