December 2007

LDAP Authentication

Configure UNIX and Linux clients to use Active Directory

The next step is to configure Pluggable Authentication Modules (PAM) to use LDAP for authentication, account control, and other user management functions. The file you need to modify is /etc/pam.conf. Follow the directions in the EXAMPLES section of the pam_ldap(5) manual page to configure PAM to use LDAP for user authentication and account management. Web Listing 1 shows a sample pam.conf file for Solaris.

Next, run the command ldapclient as root to configure Solaris to use LDAP to authenticate users. The command takes a lot of arguments, so I recommend that you create an executable shell script (e.g., /tmp/initldap.sh) and populate it with the contents of Web Listing 2. You'll need to make some changes for your environment. Change defaultServerList on line 2 so that it contains the IP addresses of the DCs that Solaris will use as LDAP servers. You must use IP addresses because when the ldapclient command runs, it temporarily disables the DNS client and /etc/hosts file lookup. On line 3, change defaultSearchBase to point to the root of your domain. On line 4, change the remainder of the line after passwd: to point to the OU or container in your AD that contains the user objects representing UNIX and Linux user accounts. On line 5, change the remainder of the line after group: to point to the OU or container that contains the group objects representing groups on UNIX and Linux clients. On line 6, change domainName so that it's the name of your domain in AD. On line 8, change the remainder of the line after proxyDN= to point to the account you created earlier, which UNIX and Linux clients use when binding to DCs so that they can search AD. On line 9, change the password to the password of the proxy account. Then, run the shell script that you just created. If the script works, you'll see the system being configured and you'll receive the message System successfully configured. The proxy username and password specified in the shell script as arguments to the ldapclient command are written to files in the folder /var/ldap. Only root needs access to this folder, so use chown and chmod to set ownership and permissions on the folder to restrict access and thus prevent users from reading the files that contain the credentials.

The last step is to edit the file /etc/nsswitch.conf to reflect your specific environment. When ldapclient runs, it overwrites this file, on the assumption that you'll use LDAP for all lookups, including hosts, services, and protocols. Test your setup by running exec login from the command line, or by logging in from the GUI logon screen.

FreeBSD systems. FreeBSD doesn't come with an LDAP client or the ability to use LDAP for user and group lookups, although the Ports collection includes the necessary software. Download, build, and install nss_ldap, which you can find in /usr/ports/net/nss_ldap, and pam_ldap, which you can find in /usr/ports/security/pam_ldap. For more information about the Ports collection, go to the FreeBSD Project Web site (www.freebsd.org).

After you've installed the prerequisite software, you need to import the root CA certificate of the public key infrastructure (PKI) that issued the certificates for your DCs acting as LDAP servers. To do so, place a copy of the Base64-encoded root CA certificate into your OpenSSL certificates directory (e.g., /usr/local/ssl/certs) and run the following command, replacing RootCAFile.cer with the name of the file containing the root CA certificate (the backticks run openssl to compute the hash that OpenSSL uses to locate the certificate in that directory):

ln -s RootCAFile.cer `openssl x509 -hash -noout -in RootCAFile.cer`.0

Next, configure your OpenLDAP client global configuration file, which you can find at /usr/local/etc/openldap/ldap.conf. Web Listing 3 contains the contents of a typical configuration file. Change the BASE entry to point to the base of your domain, tree, or forest. Change the URI entry so that it lists your DCs. You can use IP addresses, hosts in the /etc/hosts file, or DNS FQDNs. Make sure you prefix each with ldaps://, to ensure that LDAPS is used. The TLS_CACERTDIR entry should point to the location of your OpenSSL root CA certificates directory (e.g., /usr/local/ssl/certs). Make sure that the ldap.conf file is world-readable. Test your configuration by running the following command:

ldapsearch -D cn=administrator,cn=users,dc=contoso,dc=com -W -s base

Replace dc=contoso,dc=com with your domain information. You'll be prompted for the administrator password. If everything is configured correctly, you'll see information returned from a DC acting as an LDAP server.

Then, configure the LDAP configuration file used by PAM. This file is also named ldap.conf; you can find it at /usr/local/etc/ldap.conf. Make sure you don't confuse the two LDAP configuration files. Web Listing 4 contains a sample PAM ldap.conf file. Change line 1, replacing the base in the sample with your domain's base. Change line 2 so that one or more of your DCs is listed. Remember to prefix each with ldaps://. In line 3, change the sample account name to the proxy account you created to support UNIX and Linux clients; specify its password in line 4. In lines 5 and 6, specify the container or OU that your user accounts are stored under. In line 7, specify the container or OU that your groups are stored in. In line 11, specify the OpenSSL folder that your root CA's certificates are stored in. Only root needs read access to this file. Ordinary users shouldn't have access, because the file contains the credentials of the proxy account.

Next, configure PAM to use LDAP. Edit the file /etc/pam.d/system so that it includes the lines in Web Listing 5 in the appropriate sections of the file.

Then, edit the file /etc/nsswitch.conf so that the group and passwd entries look like Web Figure 1. Finally, configure the file nss_ldap.conf, which lives in /usr/local/etc alongside the PAM ldap.conf. The LDAP configuration information in this file is used by the name service lookup provider functions when looking for users and groups using LDAP. In most cases this file is exactly the same as the ldap.conf file used by PAM, so you can use a symbolic link to point to the PAM ldap.conf file. Create the symbolic link by going to the command line and entering the following commands:

cd /usr/local/etc
ln -s ldap.conf nss_ldap.conf

You can test your configuration by using one of FreeBSD's virtual consoles (obtained by pressing Alt+F2 through F8) and trying to log on as a user configured for use by UNIX and Linux clients. If a configuration problem exists, errors will be logged to the console (press Alt+F1 to switch back to the console to check for errors), as well as to /var/log/messages.

openSUSE systems. openSUSE, like most modern versions of Linux, includes OpenSSL and LDAP client software by default. What's missing, however, is support for using LDAP to authenticate users. The openSUSE distribution CD-ROM contains the nss_ldap and pam_ldap packages, which are necessary for the solution to work. Install these packages before proceeding.

The first step in configuring an openSUSE system is to import the certificate of the root CA of the PKI that issued the SSL certificates to your DCs. Copy the Base64-format root CA certificate to /etc/ssl/certs, and run the following command:

ln -s RootCAFile.cer `openssl x509 -hash -noout -in RootCAFile.cer`.0

Next, you need to edit the file /etc/openldap/ldap.conf. This file has the same format as the ldap.conf file used by FreeBSD, which Web Listing 3 shows. Follow the previous instructions for FreeBSD when customizing this file. The only difference between FreeBSD and openSUSE is the location of the directory in which root certificates are stored. Update the configuration file so that TLS_CACERTDIR is configured as /etc/ssl/certs. Test the configuration by running the following command:

ldapsearch -D cn=administrator,cn=users,dc=contoso,dc=com -W -s base -x

The only difference between this command and the command used with FreeBSD is the addition of the -x flag, which directs ldapsearch to use simple authentication to the LDAP server(s) in the configuration file. This is necessary because OpenLDAP on openSUSE is built with Simple Authentication and Security Layer (SASL). The -x option instructs the LDAP client to use a simple bind, using the credentials specified by the user.

The next step is to edit the ldap.conf file used by PAM and by the Name Service Switch (NSS). On openSUSE and similar Linux systems, the file is in the /etc directory. As with the OpenLDAP configuration file, the format is the same as that used by FreeBSD. Use the file in Web Listing 4 as the basis for your openSUSE system, and follow the previous FreeBSD instructions to customize the file. Add the following line to the file:

sasl_secprops maxssf=0

As with FreeBSD, you need to update the file /etc/nsswitch.conf. Add ldap to the group, shadow, and passwd entries so they look like Web Figure 2.
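The two files customized above, the PAM/NSS ldap.conf (Web Listing 4) and /etc/nsswitch.conf, are where a mistake silently weakens the setup: a DC listed as ldap:// instead of ldaps://, a missing CA directory, a world-readable proxy password, or a database that never consults ldap. The following lint is an added example, not code from the article; it assumes the PADL pam_ldap/nss_ldap ldap.conf key names (uri, bindpw, tls_cacertdir), and its sample configurations are constructed.

```python
"""Lint a pam_ldap/nss_ldap ldap.conf and an nsswitch.conf for what the article
insists on: ldaps:// URIs, a CA directory, a root-only bind password, ldap after files."""
import stat

# Constructed PADL-format sample: one DC on ldaps://, one on plain ldap://, no tls_cacertdir.
SAMPLE_LDAP_CONF = """\
base dc=contoso,dc=com
uri ldaps://10.0.0.1/ ldap://10.0.0.2/
binddn cn=unixproxy,cn=users,dc=contoso,dc=com
bindpw EXAMPLE-PASSWORD
sasl_secprops maxssf=0
"""
# Constructed sample nsswitch.conf: shadow has not been given an ldap source.
SAMPLE_NSSWITCH = "passwd: files ldap\ngroup: files ldap\nshadow: files\nhosts: files dns\n"

def parse_ldap_conf(text):
    conf = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)  # '#' starts a comment
        if parts:
            conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf

def lint_ldap_conf(text, mode):
    """Return findings for the PAM/NSS ldap.conf; mode is the file's st_mode."""
    conf, findings = parse_ldap_conf(text), []
    for uri in " ".join(conf.get("uri", [])).split():
        if not uri.lower().startswith("ldaps://"):
            findings.append("uri %s is not ldaps://: the proxy bind would cross the wire in clear" % uri)
    if not conf.keys() & {"tls_cacertdir", "tls_cacertfile"}:
        findings.append("no tls_cacertdir/tls_cacertfile: the DC certificate cannot be verified")
    if "bindpw" in conf and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("bindpw set but mode %o is group/world readable: chmod 600, chown root" % (mode & 0o777))
    return findings

def lint_nsswitch(text, databases=("passwd", "group", "shadow")):
    """Report databases that skip ldap or consult it before files (root must resolve offline)."""
    entries, findings = {}, []
    for line in text.splitlines():
        db, sep, sources = line.split("#", 1)[0].partition(":")
        if sep:
            entries[db.strip()] = sources.split()
    for db in databases:
        sources = entries.get(db, [])
        if "ldap" not in sources:
            findings.append("%s: ldap not listed (have: %s)" % (db, " ".join(sources) or "nothing"))
        elif sources[0] != "files":
            findings.append("%s: list files before ldap" % db)
    return findings
```

On a live system, pass os.stat("/etc/ldap.conf").st_mode (or the FreeBSD path) as mode; for FreeBSD, call lint_nsswitch with databases=("passwd", "group") since Web Figure 1 adds ldap only to those two.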

Next, configure PAM to use LDAP. Doing so is simple on openSUSE; you don't even need to edit files. Simply run the following command:

pam-config -a --ldap

Finally, if you use the Name Service Cache Daemon (nscd) you need to stop and restart it for the changes to take effect. Run the following commands:

nscd -K
nscd

You can test your setup by running the command exec login within a terminal window and attempting to log on as a user who is configured in AD with UNIX attributes using Identity Management for UNIX. If everything is configured correctly, you'll be able to log on as the user.

A New Standard
LDAP is quickly becoming the new standard for user authentication, edging out NIS. (For information about LDAP's limitations, see the Web-exclusive sidebar "LDAP Limitations," www.windowsitpro.com, InstantDoc ID 97292.) LDAP is more secure and is supported by most UNIX and Linux systems, as well as by many enterprise applications that run on these platforms. LDAP can also be used for more than simply authentication. An LDAP database can store information about hosts, protocols, services, and applications. Using LDAP will enable your enterprise to grow securely.

John Howie

Reader Comments
Mac OS 10.+ is based on UNIX. Will these commands work as well? Thank you.

dzoquier, January 02, 2008


Yes, the commands will work. MacOS X is based on FreeBSD, so you will want to follow those instructions. However, there are other options for MacOS X, such as the Directory Access utility.

jhowie, January 10, 2008


Dear John Howie, I am very interested in your article and trying to follow the instructions, but with regret I notice the link to your article "http://techxworld.com/community/blogs/features/archive/2007/05/02/integrating-windows-withunix-linux.aspx" is not working any more. Is there another spot I could read this?
With regards,
Camiel

camielb, January 17, 2008


where is web listing?
////
Reader from Thailand

suwaschai, January 17, 2008


Windows IT Pro is a Division of Penton Media Inc. Copyright © 2008 Penton Media, Inc., All rights reserved.