Configure Linux to Authenticate to eDirectory via LDAP

  • 10081706
  • NOVL88261
  • 31-Mar-2003
  • 07-Jul-2005

Archived Content: This information is no longer maintained and is provided 'as is' for your convenience.


Configure Linux to Authenticate to eDirectory via LDAP


Novell eDirectory 8.6 for Solaris

Novell eDirectory 8.6 for Linux

Novell eDirectory 8.7 for Solaris

Novell eDirectory 8.7 for Linux

Novell eDirectory 8.7 for AIX


Linux PAM LDAP Authentication


This document describes the steps necessary to configure system authentication of a Linux host to Novell eDirectory over LDAP. The scope of this document includes the configuration of the Linux host (LDAP client), and  (LDAP  Server) Novell eDirectory.  This configuration provides authentication redirection via LDAP to Novell eDirectory.

Many Linux use an authentication architecture named Pluggable Authentication Modules (PAM).  This architecture provides a flexible authentication model for system and PAM aware applications. Many Linux systems ship with the PAM modules that allow the system to authenticate to a LDAP server such as Novell eDirectory.  These modules are provided by  PADL Software Pty Ltd at

There are two services that need to be configured for LDAP authentication to work correctly.  First, the system naming service needs to be configured to use LDAP to resolve resources such as user and group accounts.  For example, if  a directory is given the ownership to user 510 then the naming service needs to resolve uid 510 to a user name.  Generally this is done by finding all user accounts in the /etc/passwd file.  Since users will now be stored in eDirectory the system will need to be configured to resolve accounts in both the passwd file and in eDirectory.  This functionality is provided by the
/usr/lib/ library. The configuration outlined in this document will configure PAM to check the local /etc/passwd file for a user account such as root, and then check the LDAP server.

Authentication services is the service that actually authenticates users to LDAP.  As mentioned before, the PAM LDAP modules will be used to redirect authentication to Novell eDirectory. The  /lib/security/ PAM module provides LDAP  authentication. 

The tested configuration for the LDAP server was Novell eDirectory 8.7 running on Redhat 8.0 Linux. The tested Linux hosts used for LDAP authentication were Redhat 7.2 and Redhat 8.0.

Configuring Novell eDirectory for Linux System Authentication

The  schema defined for Linux account authentication is defined in RFC2307 (  Novell offers schema import files in traditional eDirectory schema format and Lightweight Data Interchange Format (LDIF) that can be used to extend the Novell eDirectory schema.  The following steps can used to extend the schema in your environment :

1.Login to the Linux host running Novell eDirectory as the root user.
2.Change to /usr/lib/nds-schema by typing: cd /usr/lib/nds-schema
3.The  “/usr/lib/nds-schema/rfc2307-usergroup.ldif” file contains the schema required for UNIX and Linux system authentication. Type the following to extend the schema:  ndssch -h localhost -t YOUR_TREE  ADMIN.FDN  rfc2307-usergroup.sch
4.Supply the password for the administrative acounnt provided.

Create a Proxy User for Anonymous Binds

1.Create a new user account and set the password to null.  Do not click cancel when prompted, but click OK so that Public/Private keys are generated.
2.Open the properties of the account and under Password Restrictions uncheck the box that says “Allow user to change password”.
3.On the tree root object right-click on the object and select “Trustees of this Object” and give the proxy user Browse entry rights, and read and compare property rights on the following attributes:

Object Class

4.Open the properties of the LDAP group object of your server and from the general page select this new user as the proxy user.
5.Open the properties .of the LDAP sever object and click “Refresh LDAP server” from the general page.

Configuring Novell eDirectory Accounts for Linux Authentication

This section shows how to added the posixAccount auxiliary class to a user account and set the required fields.

1.Highlight a User account and right-click on it.
2.Select “Extensions of this Object...”.
3.Click “Add Extension...” .
4.Select “posixAccount from the list and click OK.
5.Press OK on the dialog  “Generic Editing...” message  to continue.
6.Fill in the fields listed in the next dialog named “New posixAccount”:

        Field                   Purpose                                     Example
         Name:                    The name of this extension      posixAccount
         homeDirectory:     The user home directory          /home/ncurtis
         uniqueID:              The unique ID of the user       ncurtis
         Common Name:    Shown in Other name in         Nathan Curtis
          gidNumber:          The GID in Linux                    515
          uidNumber:          The UID in Linux                    515

Other attributes required, and that can be added under the “Other“ tab of the Object:

         Field                   Purpose                                     Example
         loginShell            Sets the user's shell                  /bin/bash

The loginShell  attribute is required by SuSE Linux for proper X login.

7.Click OK to save the changes.

Configuring a Redhat Linux Host (LDAP client)

The following  steps show the easiest way to configure a Redhat Linux host for LDAP redirection authentication.

1.Login as root.
2.From a terminal type: authconfig
3.On the “User Infor.mation Configuration”  screen select “Use LDAP”
4.Select “Use TLS”.
5.Add the LDAP server in the server field and the search base of where users are located. For example:
 Base DN: ou=users, dc=novell,dc=com

6.Select Next.
7.The information entered in the step above will be brought over for this screen.  Tab through this screen.  And select OK.
8.Restart the Linux system or completely kill X if testing graphical logins.  A CTL+DEL+BACKSPACE  will not work. Terminal logins should work without rebooting.
Configuring a SuSE Linux Host (LDAP client)
1.Start The YaST2 Control Center: /sbin/yast2 'menu'
2.Select  the “Network/Advanced” section and then “LDAP client.
3.Select “Use LDAP”.
4. Add the LDAP server in the server field and the search base of where users are located. For example:
 Base DN: ou=users, dc=novell,dc=com
 Addresses of LDAP Servers:
5.Select LDAP TLS/SSL.
6.Save your changes with by clicking  Finish.
Dynamically Creating User Home Directories

If user home directories are going to be created locally then PAM will need to dynamically create a user home directory.  You will just get an error in a text based login, and will not be allowed to login using an X session.
The following configures PAM to create user home directories if they do not exist during the login process.  For additional information see KB 10067700  “How to create homedirectories on Unix automatically”.

Redhat Linux 7.2 – 8.0
1.Open the /etc/pam.d/system-auth file and add the following line above the first session line:
    session      required      /lib/security/ skel=/etc/skel umask=0022

SuSE Linux 8.1
1.Open the /etc/pam.d/login  file and add the following line above the first session line:
    session      required      /lib/security/ skel=/etc/skel umask=0022

2.Open the /etc/pam.d/xdm  file and add the following line above the first session line:
    session      required      /lib/security/ skel=/etc/skel umask=0022


When you want SSL to be enabled, you need to configure the ldap.conf file. There has to be an entry "ssl on" and "sslpath /path/cert7.db"
For more information on the ldap.conf in regards to LDAP authentication from Linux to eDir, please have a look at the ldap.conf section at developer appnotes 2002

You will notice that you need to add the certificate to the cert7.db. TID# 10090049 give a step by step guide how to insert your certificate into the cert7.db