Welcome to Cool Solutions
Configuring Linux User Management on non-OES2, SLES 10 Servers
Configuring OES 2 Linux servers for Linux User Management in a normal eDirectory tree is pretty much a no-brainer. Configure your Unix Workstation object, LUM-enable your groups and users, and that's pretty much it. But what about a SLES 10 server that is not running OES2? How can you provide a standard across all your SLES 10 servers so that they use the same eDirectory authentication for local access?
In this article, we will configure LUM on a "non-OES2" SLES 10 server so that users in your LUM-enabled eDirectory group can authenticate to it with their eDirectory IDs and passwords, without local accounts having to be created for them.
These are the steps we will use to accomplish this process:
- Prerequisites
- Installing Linux User Management Packages
- Pluggable Access Modules (PAM) Configuration
- Name Service Switch (nsswitch) Configuration
- Configure Novell Account Management (namconfig)
- Unix Workstation Object
- Testing
- Conclusion
Prerequisites
The resources you will need to accomplish this, which isn't that difficult or drawn out, are:
- Admin equivalent rights, preferably admin, in the eDirectory tree you wish to base your authentication on.
Note: I say "admin" because this account is stored in the Novell Account Management (nam) configuration, and if you use your own account and that account gets disabled, Heaven forbid, it could break this process.
- The Open Enterprise Server 2 CD.
- Root access to the SLES 10 server.
Installing Linux User Management Packages
I know this is a non-OES2 server, but there are a couple of packages we will need from the CD.
On the SLES 10 server, run YaST and scroll down to the Software section. Choose Add-On CD.
Select CD, and place the CD in the drive when prompted. Once the CD is read, select "I Agree" and choose Next.
Do not select any packages. Click Details and choose Search. In the field, type "lum" and click Go.
Select the following packages and click next:
Novell-lum
Novell-lum-providers
Do not select YaST2-lum. That would pull in more eDirectory related packages, and we will not be managing LUM through this server; that's done on an OES2 server.
When the packages are done installing, exit YaST, remove your CD and open a command prompt or Terminal console.
Pluggable Access Modules (PAM) Configuration
Now that we have our Linux User Management packages installed and ready for activation, let's configure the pam modules for LUM.
With your favorite vi editor, open and edit the file /etc/pam.d/login.
Make the following changes so that the file reads as shown below. The pam_nam.so entries are the lines to add; the common-auth include is commented out and pam_unix2.so is listed in its place, so that a user LUM does not claim (sufficient) still falls through to the local password database (required):
#%PAM-1.0
auth required pam_securetty.so
auth required pam_env.so
# auth include common-auth
auth required pam_nologin.so
auth sufficient pam_nam.so
auth required pam_unix2.so
account include common-account
account sufficient pam_nam.so
password include common-password
password sufficient pam_nam.so
session include common-session
session required pam_lastlog.so nowtmp
session required pam_resmgr.so
session optional pam_mail.so standard
session optional pam_nam.so
Save the file and exit.
Make the same changes to the following files:
- /etc/pam.d/gdm
- /etc/pam.d/sshd
- /etc/pam.d/su
- /etc/pam.d/sudo
If you have other services available, like ftp, make the same changes to their files as well.
Name Service Switch (nsswitch) Configuration
Modify the file /etc/nsswitch.conf and make the following changes:
Scroll down to where you see the following lines.
passwd: compat
group: compat
Add nam to the end of each to where they appear as noted below:
passwd: compat nam
group: compat nam
Save the file and exit back to the bash shell.
Configure Novell Account Management (namconfig)
Now we are ready to configure nam. At the prompt, enter the following command, substituting your own parameters as noted. An example follows.
namconfig add -a [your admin FDN] -r [your base DN] -w [container for your Unix object] -S [eDirectory LDAP server]:389 -l 636
- -a cn=admin,o=novell: fully distinguished name of the admin account, in LDAP format
- -r o=novell: your base search container
- -w o=novell: the container you want the Unix object created in
- -S 192.168.10.2:389: the IP address or hostname of your eDirectory LDAP server, with its LDAP port
- -l 636: the LDAP SSL port (yes, that is a lowercase L)
Using this, here's how it will appear:
namconfig add -a cn=admin,o=novell -r o=novell -w o=novell -S 192.168.10.2:389 -l 636
You will be prompted for the password to this account.
Check the output for errors. Common errors are insufficient rights, unable to modify schema, and unable to retrieve certificate. To avoid them, ensure the eDirectory LDAP server has the following:
- Time is synchronized
- At least a Read / Write replica of the root of the tree
When it succeeds, review the file /etc/nam.conf and confirm it contains the parameters above. If anything is wrong, correct it and re-run namconfig.
Unix Workstation Object
We have to assign a LUM enabled group to the newly created Unix Workstation Object for this SLES server.
Launch iManager and login, with an admin equivalent account, to the tree.
Scroll down, on the left side, to Linux User Management, click it to expand. Find Modify Unix Workstation Object.
Browse the tree and select the Unix Workstation Object that has the SLES 10 server Host Name appended to it.
Click Add and browse the tree and locate the LUM group for your tree. Select it and add it. Click Apply and then OK, once your changes have been applied.
Exit iManager and return to the command prompt or terminal console on the SLES 10 server.
Now let's restart namcd and test it.
At the prompt, type the following to restart namcd:
rcnamcd restart
If you get an error regarding certificates, type this command to refresh the certificates.
namconfig -k
Testing
From another PC, you should be able to ssh to this SLES 10 server with your Novell eDirectory credentials. If not, restart namcd and then check /var/log/messages with tail to see if there are any errors. Check your /etc/pam.d/* files for stray characters or misspelled words.
Conclusion
Although most of our SLES 10 servers are OES2 and reside in our main eDirectory tree, there are servers, like ZENworks Linux Management and Novell Identity Management servers, that are not, and I would still like to have a way to administer them without trying to remember that many accounts and passwords. This solution satisfies that need.
Enjoy.
License
Thought about licensing. Now that you added an OES component, although small, it's now licensed as OES and not SLES.
Disable Name Service Cache Daemon
We could only get this working by stopping the nscd service (rcnscd stop), which appeared to be on by default. Is this the correct thing to do?
nscd6
I double checked my sles boxes and they have it running. Perhaps a restart of nscd is what is needed. If you stop it, can you still logon as root?
nscd
Hi there,
I was working with slb985 (I prefer to call him Dave!) on the above. By default this didn't run, even after restarting nscd. A little further digging and we discovered that we had to edit /etc/nscd.conf and set "enable-cache-passwd no" and "enable-cache-group no", then restart nscd (rcnscd restart), and all was good.
Thanks,
Thanks for the tip!
Mike...