How to enable LDAP authentication on SLES9 or SuSE Linux 10.x

This TID walks you through the configuration of all necessary components to enable LDAP authentication from a SLES 9 or SuSE Linux 10.x workstation to a SLES 9 server running eDirectory 8.7.3.x

1. Configuration of the LDAP Server

1. Verify that eDirectory is installed, running and current with: ndsstat

2. Verify that the box running eDirectory is a SLES9 server with: cat /etc/SuSE-release

3. Extend eDirectory with RFC2307 schema. Hint:By default eDirectory places the file at /usr/lib/nds-schema/rfc2307-usergroup.sch on the server when eDirectory is installed.

4. Creating a Proxy User for Anonymous Binds
   When the user authenticates to the Linux box a call is made of eDirectory to validate the existence of the user. This call must have rights to read the directory. There are many ways to facilitate this. The creation of a Proxy User which is allowed to connect without a password is the method shown here.
   

5. 1. 1. Create a new user account (for the examples of this document it is called ldapuser) and set the password to null. Do not click Cancel when prompted, but click OK so that Public/Private keys are generated.

      2. Modify the user and under under Password Restrictions uncheck the box that says"Allow user to change password".

      3. In iManager under the Rights Roll | Modify Trustees| select the container where your users reside (or the root of the tree if you wish) and give the proxy user Browse entry rights, and read and compare property rights on the following attributes:
         CN, Description, O, OU, Object Class, dc, gecos, gidNumber, homeDirectory, loginShell, memberUid, uidNumber, uniqueID

      4. Open the properties of the LDAP group object of your server and from the general page select this new user as the proxy user.

      5. Open the properties of. the LDAP sever object and click "Refresh LDAP server" from the general page.

Prepare the user objects for use as accounts on Linux

1. Determine available UIDs and GIDs from the passwrd file on the SLES9 server.

   1. At the SLES9 server, type: less /etc/passwd

   2. Scan through all users and find the largest UID in the file. Hint:The passwd file has the format: account:password:UID:GID:GECOS:directory:shell

2. Add the posixAccount, uidNumber, gidNumber, loginShell and homeDirectory for each user by doing the following:

   1. Manually add in iManager.

      1. Add the posixAccount auxiliary class to each user by doing the following:

         • Schema | Object Extensions task

         • Type in the user to modify or use the browser to locate them.

         • "Add” | posixAccount | OK

      2. Add a distinctive UID and GID attribute value to each user. (The ID must be unique).

         • You will be presented with a screen to add the uidNumber and gidNumber. Add a value in these fields and press"Ok”

0. The value you put into the uidNumber field must be unique. Start with the number found in step 1.3 and increment it for each user. For the gidNumber, use the number found in step 1.3.

#This LDIF file was generated by Novell's ICE and the LDIF destination handler.

version: 1

dn: cn=user2,o=users

changetype: modify

add: objectclass

objectclass: posixAccount

add: gidNumber

gidNumber: 100

add: uidNumber

uidNumber: 10002

add: homeDirectory

homeDirectory: /home/user1

add: loginShell

loginShell: loginshell=/bin/bash

#This LDIF file was generated by Novell's ICE and the LDIF destination handler.

version: 1

dn: cn=user3,o=Users

changetype: add

loginShell: /bin/bash

homeDirectory: /home/user3

gecos: User Three

gidNumber: 100

uidNumber: 10003

uid: user3

givenName: user3

fullName: User Three

sn: Three

objectClass: inetOrgPerson

objectClass: organizationalPerson

objectClass: Person

objectClass: ndsLoginProperties

objectClass: Top

objectClass: homeInfo

objectClass: posixAccount

cn: user3

Prepare the SuSE Linux Workstations and/or Servers that will allow authentication via LDAP.

1. Insure the OpenLDAP client is installed.

0. This procedure was tested using openldap2-client-2.2.27-6 on SuSE Linux 10.x, and openldap2-client-2.2.24-4.12 on SLES 9.

1. 1. Check to see with: rpm -qa | grep openldap2-client

2. Insure the LDAP pam module is installed.

0. This procedure was tested using pam_ldap-178-3 package on SuSE Linux 10.x and pam_ldap-169-28.4 package. on SLES 9.

1. 1. Check to see with: rpm -qa | grep pam_ldap

2. Insure the LDAP nss module is installed

0. This procedure was tested using the nss_ldap-238-2.2 package on SuSE Linux 10.x and nss_ldap-215-59.10 package on SLES 9.

1. 1. Check to see with: rpm -qa | grep nss_ldap

2. Configure the ldap.conf file (note some or all of these configurations may be performed by YAST under LDAP client).

   1. Add the eDirectory LDAP server (host), the base DN (base), the LDAP port (port), the bind DN (binddn) and the Bind PWD (bindpw)to the /etc/ldap.conf file.

host 10.1.1.71

base o=users

ldap_version 3

binddn cn=ldapuser,o=users

bindpw novell

port 389

pam_password nds

ssl no

nss_map_attribute uniqueMember member

pam_filter objectclass=posixAccount

nss_base_passwd o=users

nss_base_shadow o=users

nss_base_group o=users

5. Configure the nsswitch.conf file.

   1. Modify the /etc/nsswitch.conf file to point the "passwd” and "group” options to "compat” and the "passwd_compat” and the "group_compat” to"ldap”.

0. Listed below is a sample /etc/nsswitch.conf file after being modified as specified in step 5, bold added for clarity.

passwd: compat

shadow: files nis

group: compat

hosts: files dns

networks: files dns

services: files

protocols: files

rpc: files

ethers: files

netmasks: files

netgroup: files

publickey: files

bootparams: files

automount: files nis

aliases: files

passwd_compat: ldap

group_compat: ldap

6. Optional: Use YaST to configure the LDAP client

   1. Launch YaST | Network Services|LDAP Client

   2. Mark"Use Ldap” under User Authentication

   3. Under LDAP client

      1. Add LDAP base DN which is the uppermost container where users will be located for searches to begin

      2. Add Address of LDAP Servers. This should be the ipaddresses of eDirectory LDAP servers that are going to be communicated with for LDAP authentication. This can be a list of ipaddresses separated by a space.

      3. Tab to Finish and press enter

         • The nsswitch.conf and ldap.conf will automatically be modified and the nscd process restarted.

   4. NOTE: Your mileage May Very with this approach. SLES 9 and SuSE Linux 10.x provide a different interface within YaST for the configuration of the LDAP Client. The Author suggests using the interface and then manually verifying the correct additions were made to the /etc/ldap.conf and the /etc/nsswitch.conf files.

Dynamically Creating User Home Directories

If user home directories are going to be created locally then PAM will need to dynamically create a user home directory. You will just get an error in a text based login, and will not be allowed to login using an X session

1. Edit /etc/pam.d/login

session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022

1. Open the /etc/pam.d/xdm file.

   Add the following line above the first session line:

session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022

Note: If you don't want LUM enabled users to be able to read other users' home directories, perform

the following:

1) Edit the file /etc/login.defs

2) Change the value "UMASK 022" to"UMASK 077"

Verify the SLES server speaks LDAP :

ldapconfig get -a [eDirectory user to bind as] -w [password] | grep "TCP Port”

example ldapconfig get -a cn=admin.o=novell -w novell | grep "TCP Port"

You should see something like: LDAP TCP Port: 389

If you like, you can just type ldapconfig get and you will be prompted for everything else

Verify LDAP port 389 is available:

Type netstat -an | grep [port found in step 1.1.a]

example. netstat -an | grep 389

You should see something like: tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN

Verify the SLES eDirectory server is being queried for name service

There is a simple way to verify that your name service subsystem is using your LDAP server as instructed. Assign a file to be owned by a user that exists only in the LDAP database, not in /etc/passwd. If an ls -l correctly shows the username, then the name service subsystem is consulting the LDAP database; if it just shows the user number, something is wrong. For example, if the user john, with user number 1001, exists only in LDAP, we can try

# touch /tmp/test

# chown 1001 /tmp/test

# ls -l /tmp/test

-rw-r----- 1 john users 0 Jan 1 12:00 test

to determine whether the the name service is using LDAP.

Use ndstrace or trace in iMonitor for troubleshooting

Enabling LDAP and Authentication will show you more than enough information to resolve the vast majority of issues with LDAP authentication to eDirectory.