Configure Linux to Authenticate to eDirectory via LDAP
(Last modified: 07Jul2005)
This document (10081706) is provided subject to the disclaimer at the end of this document.
goal
Configure Linux to Authenticate to eDirectory via LDAP
fact
Novell eDirectory 8.6 for Solaris
Novell eDirectory 8.6 for Linux
Novell eDirectory 8.7 for Solaris
Novell eDirectory 8.7 for Linux
Novell eDirectory 8.7 for AIX
symptom
Linux PAM LDAP Authentication
fix
This document describes the steps necessary to configure system authentication of a Linux host against Novell eDirectory over LDAP. It covers both sides: the Linux host (the LDAP client) and Novell eDirectory (the LDAP server). The result is that logins on the Linux host are redirected via LDAP to eDirectory, which holds the accounts and verifies the passwords.
Most Linux distributions use an authentication architecture named Pluggable Authentication Modules (PAM), which gives the system and PAM-aware applications a flexible, configurable authentication model. Most also ship the modules that let the system authenticate against an LDAP server such as Novell eDirectory. These modules, nss_ldap and pam_ldap, are provided by PADL Software Pty Ltd at http://www.padl.com.
Two services need to be configured for LDAP authentication to work correctly. First, the system naming service (NSS) must be able to resolve resources such as user and group accounts through LDAP. For example, if a directory is owned by user 510, the naming service must map uid 510 to a user name. Traditionally it does this by searching the /etc/passwd file. Since users will now be stored in eDirectory, the system must be configured to resolve accounts from both the passwd file and eDirectory. This functionality is provided by the /usr/lib/libnss_ldap.so library, selected through /etc/nsswitch.conf. The configuration outlined in this document keeps the local /etc/passwd file first in the lookup order, so that local accounts such as root still resolve when the directory server is unreachable, and then consults the LDAP server.
The second service is authentication itself. As mentioned above, the PAM LDAP module redirects authentication to Novell eDirectory: /lib/security/pam_ldap.so looks up the user's DN and binds to the directory with the password the user typed, so eDirectory rather than the local shadow file decides whether the login succeeds.
The tested configuration for the LDAP server was Novell eDirectory 8.7 running on Redhat 8.0 Linux. The tested Linux hosts used for LDAP authentication were Redhat 7.2 and Redhat 8.0.
Configuring Novell eDirectory for Linux System Authentication
The schema for Linux account authentication is defined in RFC 2307 (http://www.faqs.org/rfcs/rfc2307.html). Novell ships schema import files in both the native eDirectory schema format and LDAP Data Interchange Format (LDIF) that extend the Novell eDirectory schema with it. The following steps extend the schema in your environment:
1. Log in to the Linux host running Novell eDirectory as the root user.
2. Change to /usr/lib/nds-schema by typing: cd /usr/lib/nds-schema
3. This directory holds the RFC 2307 user and group schema in both formats: rfc2307-usergroup.sch (native eDirectory format, consumed by ndssch) and rfc2307-usergroup.ldif (LDIF, for an LDAP-based import). Extend the schema with the native file by typing: ndssch -h localhost -t YOUR_TREE ADMIN.FDN rfc2307-usergroup.sch
   (replace YOUR_TREE with your tree name and ADMIN.FDN with the fully distinguished name of an administrative user)
4. Supply the password for the administrative account given.
Create a Proxy User for Anonymous Binds
1. Create a new user account and set its password to null. Do not click Cancel when prompted; click OK so that the public/private key pair is generated.
2. Open the properties of the account and, under Password Restrictions, uncheck Allow user to change password. This proxy user exists only so that anonymous LDAP binds from the Linux clients are evaluated with its rights instead of those of [Public]; give it nothing beyond the rights listed below.
3. Right-click the tree root object (or, more narrowly, the container that holds the Linux users, which is sufficient as long as the client search base falls under it) and select Trustees of this Object. Give the proxy user Browse entry rights, and Read and Compare property rights on the following attributes:
CN
Description
O
OU
Object Class
dc
gecos
gidNumber
homeDirectory
loginShell
memberUid
uidNumber
uniqueID
4. Open the properties of the LDAP Group object for your server and, on the General page, select this new user as the Proxy User.
5. Open the properties of the LDAP Server object and click Refresh LDAP Server on the General page so that the change takes effect.
Configuring Novell eDirectory Accounts for Linux Authentication
This section shows how to add the posixAccount auxiliary class to a user account and set the required fields.
1. Highlight a User account and right-click on it.
2. Select Extensions of this Object....
3. Click Add Extension....
4. Select posixAccount from the list and click OK.
5. Press OK on the Generic Editing... message to continue.
6. Fill in the fields in the next dialog, named New posixAccount:
Field           Purpose                                        Example
-----------------------------------------------------------------------------
Name            The name of this extension                     posixAccount
homeDirectory   The user's home directory                      /home/ncurtis
uniqueID        The login name (exposed over LDAP as uid)      ncurtis
Common Name     Shown as "Other name" in ConsoleOne            Nathan Curtis
gidNumber       The primary GID on Linux                       515
uidNumber       The UID on Linux                               515
One further attribute is required; it can be added under the Other tab of the object:
Field           Purpose                                        Example
-----------------------------------------------------------------------------
loginShell      Sets the user's shell                          /bin/bash
The loginShell attribute is required by SuSE Linux for a proper X login.
7.Click OK to save the changes.
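The ConsoleOne steps above can be scripted. The following POSIX shell function is an added example written for this page; it is not part of the TID and not a Novell tool. It emits the LDIF that ldapmodify needs to add the posixAccount auxiliary class to an existing eDirectory user with the same attributes as the table above, and refuses values that would be dangerous or unusable on the client: a uidNumber below 500 (uidNumber 0 would make the directory user root on every client, and any value already in /etc/passwd makes two accounts indistinguishable to the kernel), a gidNumber of 0, relative paths, and login names /etc/passwd cannot hold. It assumes the RFC 2307 schema has been loaded with ndssch as described earlier and that the server's LDAP attribute map exposes uniqueID under the LDAP name uid (the eDirectory default). The DN, host and admin DN in the usage note are placeholders.

```shell
#!/bin/sh
# posix_account_ldif.sh: emit the ldapmodify LDIF that adds the posixAccount
# auxiliary class to an existing eDirectory user (scriptable equivalent of the
# ConsoleOne steps).  Added example, not Novell's code.  Assumes the RFC 2307
# schema is loaded and that LDAP "uid" maps to eDirectory "uniqueID".
#
# usage: posix_account_ldif DN UID UIDNUMBER GIDNUMBER HOME SHELL [GECOS]

# is_uint VALUE: true when VALUE is a non-negative decimal integer.
is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

posix_account_ldif() {
    dn="$1"; uid="$2"; uidnum="$3"; gidnum="$4"; home="$5"; shell="$6"
    gecos="${7:-$uid}"

    # uidNumber must be an integer outside the system range (UID_MIN is 500 on
    # the Red Hat releases covered here); 0 would be root on every client.
    is_uint "$uidnum" && [ "$uidnum" -ge 500 ] ||
        { echo "uidNumber '$uidnum' must be an integer >= 500" >&2; return 1; }
    # gidNumber must be an integer; 0 is the root group.
    is_uint "$gidnum" && [ "$gidnum" -gt 0 ] ||
        { echo "gidNumber '$gidnum' must be an integer > 0" >&2; return 1; }

    # homeDirectory and loginShell must be absolute; pam_mkhomedir and the
    # login programs do nothing useful with anything else.
    case "$home" in /*) ;; *) echo "homeDirectory '$home' is not absolute" >&2; return 1 ;; esac
    case "$shell" in /*) ;; *) echo "loginShell '$shell' is not absolute" >&2; return 1 ;; esac

    # uid becomes the login name in the client's passwd map: a letter or
    # underscore followed by letters, digits, '_' or '-'.  Spaces or ':'
    # would corrupt passwd parsing on the client.
    case "$uid" in
        [A-Za-z_]*) case "$uid" in *[!A-Za-z0-9_-]*) echo "bad uid '$uid'" >&2; return 1 ;; esac ;;
        *) echo "bad uid '$uid'" >&2; return 1 ;;
    esac

    # "replace" is used for the attributes so re-running updates the values
    # (eDirectory users often already carry a uniqueID); objectClass is added.
    # Values with leading spaces or non-ASCII text would need LDIF base64
    # ("attr:: ...") encoding, which this example does not do.
    cat <<EOF
dn: $dn
changetype: modify
add: objectClass
objectClass: posixAccount
-
replace: uid
uid: $uid
-
replace: uidNumber
uidNumber: $uidnum
-
replace: gidNumber
gidNumber: $gidnum
-
replace: homeDirectory
homeDirectory: $home
-
replace: loginShell
loginShell: $shell
-
replace: gecos
gecos: $gecos
EOF
}

if [ "${1:-}" = demo ]; then
    posix_account_ldif "cn=ncurtis,ou=users,dc=novell,dc=com" ncurtis 515 515 \
        /home/ncurtis /bin/bash "Nathan Curtis"
fi
```

To apply it, pipe the output into ldapmodify over an encrypted connection as an administrative user, for example (placeholder names) `posix_account_ldif "cn=ncurtis,ou=users,dc=novell,dc=com" ncurtis 515 515 /home/ncurtis /bin/bash "Nathan Curtis" | ldapmodify -x -H ldaps://ldap.novell.com -D cn=admin,dc=novell,dc=com -W`. Afterwards an anonymous `ldapsearch -x` against the search base for `(objectClass=posixAccount)` should return uidNumber, gidNumber, homeDirectory and loginShell and nothing the proxy user was not granted, which also confirms the proxy user rights from the previous section.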
Configuring a Redhat Linux Host (LDAP client)
The following steps show the easiest way to configure a Red Hat Linux host to redirect authentication to LDAP.
1. Log in as root.
2. From a terminal type: authconfig
3. On the User Information Configuration screen select Use LDAP.
4. Select Use TLS. Without it, pam_ldap sends each user's password to the server in clear text.
5. Add the LDAP server in the Server field and the search base under which the users are located. For example:
Server: ldap.novell.com
Base DN: ou=users,dc=novell,dc=com
6. Select Next.
7. The Authentication Configuration screen is pre-filled with the values entered above. Tab through this screen and select OK.
8. Restart the Linux system, or completely stop X if testing graphical logins; restarting only the X server with Ctrl+Alt+Backspace is not enough. Terminal logins should work without rebooting.
Configuring a SuSE Linux Host (LDAP client)
1. Start the YaST2 Control Center: /sbin/yast2 'menu'
2. Select the Network/Advanced section and then LDAP client.
3. Select Use LDAP.
4. Add the LDAP server in the server field and the search base under which the users are located. For example:
Base DN: ou=users,dc=novell,dc=com
Addresses of LDAP Servers: ldap.novell.com
5. Select LDAP TLS/SSL, so that passwords are not sent to the server in clear text.
6. Save your changes by clicking Finish.
Dynamically Creating User Home Directories
If user home directories are to be created locally, PAM must create them dynamically, because accounts that live in eDirectory have no local home directory yet. Without this, a text-based login only prints an error about the missing directory, and a login to an X session fails outright.
The following configures PAM to create a user's home directory during login if it does not exist. The skel= option names the directory whose contents are copied into the new home, and umask= sets its permissions; umask=0022 yields a world-readable home directory, so use umask=0077 if home directories should be private to their owners. For additional information see TID10067700 How to create homedirectories on Unix automatically.
Redhat Linux 7.2 and 8.0
1.Open the /etc/pam.d/system-auth file and add the following line above the first session line:
session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
SuSE Linux 8.1
1.Open the /etc/pam.d/login file and add the following line above the first session line:
session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
2.Open the /etc/pam.d/xdm file and add the following line above the first session line:
session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
When SSL is enabled (Use TLS in authconfig, LDAP TLS/SSL in YaST2), the client must be able to verify the certificate that the eDirectory LDAP server presents. Without a trust anchor the client either refuses the connection or, depending on the certificate-checking default of the library it was built against, accepts any server that answers for the LDAP host name, which lets an impostor collect passwords. For the Netscape-SDK-based pam_ldap and nss_ldap builds on the Red Hat releases above, /etc/ldap.conf needs the entries "ssl on" and "sslpath /path/cert7.db", and the certificate of the CA that issued the eDirectory server certificate must be added to that cert7.db; TID# 10090049 gives a step-by-step guide on inserting the certificate into cert7.db. Builds linked against the OpenLDAP libraries instead take "ssl on" (LDAPS on port 636) or "ssl start_tls" together with "tls_cacertfile /path/to/ca.pem" (or tls_cacertdir) and "tls_checkpeer yes".
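Both authconfig and YaST2 write the settings from the two client sections above into /etc/ldap.conf (PADL keywords) and /etc/nsswitch.conf, and those two files are where the security of the whole setup is decided. The following POSIX shell audit is an added example written for this page, not code from the TID, Novell or PADL. It reads the two files and flags the weak states discussed above: no ssl/start_tls (passwords cross the network in clear text), TLS without a trust anchor or without tls_checkpeer (an impostor LDAP server can harvest passwords), a bindpw stored in the world-readable ldap.conf (unnecessary once the proxy user from the eDirectory section exists), and a passwd line in nsswitch.conf that does not put files before ldap. The two sample configurations are constructed for the example; the host name and file paths in them are placeholders.

```shell
#!/bin/sh
# audit_ldap_client.sh: check a pam_ldap/nss_ldap client for the settings that
# decide whether passwords cross the wire in the clear and whether the server
# is verified.  Added example for this TID; not Novell's or PADL's code.
# Keywords are the PADL ldap.conf and glibc nsswitch.conf ones; the sample
# files written by write_samples are constructed for illustration.

# conf_value FILE KEY: print the value of the last uncommented "KEY value" line.
conf_value() {
    awk -v key="$2" '$1 == key { v = $2 } END { if (v != "") print v }' "$1"
}

# audit_ldap_conf LDAP_CONF [NSSWITCH_CONF]
# Returns 0 when no weakness is found, 1 otherwise; prints one line per finding.
audit_ldap_conf() {
    ldap_conf="$1"; nss_conf="${2:-}"; bad=0

    # 1. Transport: without "ssl on" (LDAPS, port 636) or "ssl start_tls"
    #    every simple bind sends the user's password in clear text.
    ssl=$(conf_value "$ldap_conf" ssl)
    case "$ssl" in
        on|start_tls) ;;
        *) echo "WEAK: ssl is '${ssl:-unset}'; binds send passwords in clear text"; bad=1 ;;
    esac

    # 2. Server verification: TLS without a trust anchor only hides the
    #    password from passive sniffing; whoever answers for the LDAP host
    #    still receives it.  Netscape-SDK builds take "sslpath /path/cert7.db"
    #    (as the TID describes); OpenLDAP builds take tls_cacertfile or
    #    tls_cacertdir plus "tls_checkpeer yes".
    if [ -n "$(conf_value "$ldap_conf" sslpath)" ]; then
        :
    elif [ -n "$(conf_value "$ldap_conf" tls_cacertfile)$(conf_value "$ldap_conf" tls_cacertdir)" ]; then
        [ "$(conf_value "$ldap_conf" tls_checkpeer)" = yes ] ||
            { echo "WEAK: CA configured but tls_checkpeer is not 'yes'"; bad=1; }
    else
        echo "WEAK: no trust anchor (sslpath, tls_cacertfile or tls_cacertdir)"; bad=1
    fi

    # 3. Credentials: ldap.conf is world-readable, so a bindpw in it is
    #    readable by every local user.  The proxy user with a null password
    #    exists precisely so the client needs no stored password.
    if [ -n "$(conf_value "$ldap_conf" bindpw)" ]; then
        echo "WEAK: bindpw stored in world-readable $ldap_conf"; bad=1
    fi

    # 4. Lookup order: "files" must precede "ldap" so root and other local
    #    accounts still resolve when the directory is unreachable.
    if [ -n "$nss_conf" ]; then
        order=$(awk '$1 == "passwd:" { $1 = ""; print }' "$nss_conf")
        case "$order" in
            *files*ldap*) ;;
            *) echo "WEAK: nsswitch passwd line is '$order'; expected 'files ldap'"; bad=1 ;;
        esac
    fi
    return "$bad"
}

# write_samples DIR: constructed sample files, one weak pair and one hardened pair.
write_samples() {
    dir="$1"
    cat > "$dir/weak.conf" <<'EOF'
host ldap.novell.com
base ou=users,dc=novell,dc=com
ssl off
binddn cn=proxy,ou=users,dc=novell,dc=com
bindpw s3cret
EOF
    cat > "$dir/good.conf" <<'EOF'
host ldap.novell.com
base ou=users,dc=novell,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/edir-ca.pem
EOF
    printf 'passwd: files ldap\ngroup: files ldap\nshadow: files ldap\n' > "$dir/nsswitch.good"
    printf 'passwd: ldap files\n' > "$dir/nsswitch.weak"
}

if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d); write_samples "$tmp"
    audit_ldap_conf "$tmp/weak.conf" "$tmp/nsswitch.weak" || echo "weak.conf: FAIL"
    audit_ldap_conf "$tmp/good.conf" "$tmp/nsswitch.good" && echo "good.conf: PASS"
    rm -rf "$tmp"
fi
```

Run it as `sh audit_ldap_client.sh demo` to see the four findings for the weak pair and a pass for the hardened pair; against a real host call `audit_ldap_conf /etc/ldap.conf /etc/nsswitch.conf`. The check is deliberately conservative: it treats a missing tls_checkpeer as weak even on builds whose library default is to verify, because the default lives in a different file and is easy to change without noticing.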
The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
document
Document Title: Configure Linux to Authenticate to eDirectory via LDAP Document ID: 10081706 Solution ID: NOVL88261 Creation Date: 31Mar2003 Modified Date: 07Jul2005 Novell Product Class: Connectivity Products
Groupware
NetWare
Novell eDirectory
disclaimer
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.