Linux Login Client Modules for NMAS
Novell Cool Solutions: Feature
By Gordon Mathis
Posted: 18 May 2005
Novell's eDirectory and NMAS have been running on a Linux server for years now, at least the NMAS server and the server-side modules known as LSMs (Login Server Modules). However, the NMAS client has recently been ported to Linux, and it is now possible to run client-side modules known as LCMs (Login Client Modules) on a Linux system. In addition, you can extend Linux login security by creating a PAM module that invokes your LCM for additional security. This article walks you through the steps of installing the NMAS client on Linux, creating a sample LCM, and testing it with a SASL bind sample application. It also walks you through the steps of creating a PAM module to invoke an LCM. Much of the information in this article is still very new and has not been released in a Novell Developer Kit (NDK) yet. However, I will have you download some sample code and additions to the current NMAS NDK from Novell Forge.
Installing eDirectory and NMAS
If you have not already installed Novell Linux Services (OES) or eDirectory on your Linux system, you can download the latest version of eDirectory from http://download.novell.com/Download?buildid=G4YlRnymPtU and then follow the instructions below to complete the installation. Make sure you complete the step to configure NMAS to create the required NMAS objects in eDirectory.
- Download eDir_873_linux_full.tar.gz
- Uncompress eDirectory
- Change directories to the install directory and install (requires a license file .nfk)
- Create required NMAS objects in eDirectory
- Install ConsoleOne
tar -zxvf eDir_873_linux_full.tar.gz
cd Linux/setup
./nds-install -c server
ndsconfig new -t corp-tree -n o=novell -a cn=admin.o=novell
nmasinst -i admin.novell corp-tree
cd ../ConsoleOne
./c1-install
Download and Install the Novell NMAS NDK
The Novell NMAS product ships with a number of Novell-supported methods. In addition, NMAS has an NDK that third-party developers can use to create new NMAS methods. Included in the NDK is a sample Clear Text Password method as well as other NMAS-related samples. For the purpose of this document I would like to use the Clear Text Password sample method from the NDK. The NMAS NDK can be downloaded from http://developer.novell.com/ndk/nmas.htm. If you download and install the .rpm version of the NDK, by default it will be installed at /opt/novell/ndk/.
rpm -ivh novell-nmas-devel-<date>-1cross_platform.rpm
Update the Current NMAS NDK
The NMAS Client for Linux is not included with the current NDK. It is scheduled to be released with the next update of the NDK in June of 2005. Until then I have provided an update (cpwdlcm.zip) for the current NDK that includes the Linux NMAS Client and several additional samples and fixes for current samples used by this article. This update can be downloaded from Novell Forge at http://forge.novell.com/modules/xfref_library/detail.php?reference_id=2467. Extract the file cpwdlcm.zip to /opt/novell/ndk/<nmas ndk> before completing the exercises in this article.
unzip cpwdlcm.zip -d /opt/novell/ndk/<nmas ndk>
Installing the Clear Text Password LSM
You must use the debug version of NMAS to run the Clear Text Password sample method. The debug version of NMAS looks for the LSM on the file system, as opposed to the release version, which looks for the LSM in eDirectory stored as a Login Method Object (LMO). This is why we extend the directory structure in the following instructions. To create an LMO, the LSM executable (.so, .DLL, or .NLM) has to be signed using the signing tool kit included with the NMAS NDK. Because this is just a sample method, we will not complete the additional steps to sign the method.
Compile the LSM by executing the Linux.mak from the debug directory
cd /opt/novell/ndk/<nmas ndk>/sample/methodExample/lsm/unix/Linux/debug
make -f ../Linux.mak
Create the following directory structure required by the debug version of NMAS
/var/nds/nmas-methods/NMAS/LSM
Copy the LSM to the debug directory
cp /opt/novell/ndk/<nmas ndk>/sample/methodExample/lsm/unix/Linux/debug/lsmcpwdlin.so /var/nds/nmas-methods/NMAS/LSM
Create IDLIST.TXT required by the debug version of NMAS in the /var/nds/nmas-methods/NMAS/LSM directory with the following line:
1 lsmcpwdlin.so LSM00000001
Create a /opt/novell/ndk/<nmas ndk>/sample/methodExample/config.txt file used to install the method that contains the following
name=lsmcpwdlin
Vendor=Novell,Inc.
grade=Logged in
methodid =1
Install the Clear Text Password method using the following command or ConsoleOne
nmasinst -addmethod <admin.context> <treeName> <configFile>
Example:
nmasinst -addmethod admin.novell corp-tree ./config.txt
Save the release version of NMAS and switch to the debug version
mv /usr/lib/nds-modules/libnmas.so /usr/lib/nds-modules/libnmas.so.rel
cp /opt/novell/ndk/<nmas ndk>/nmas/debug/unix/Linux/libnmas.so /usr/lib/nds-modules
Restart eDirectory
/etc/init.d/ndsd restart
Installing the Novell NMAS Client
Install the Linux NMAS Client located at /opt/novell/ndk/<nmas ndk>/linux by executing:
rpm -ivh /opt/novell/ndk/<nmas ndk>/linux/bin/novell-nmasclient.i386.rpm
This will install the NMAS Client at /opt/novell/nmas/client/ and will modify the /etc/ld.so.conf file to include /opt/novell/nmas/client/lib in the ldconfig path.
Create the Clear Text Password Linux LCM
Compile the LCM by executing the Linux.mak from the debug directory.
cd /opt/novell/ndk/<nmas ndk>/sample/methodExample/lcm/linux/debug
make -f ../Linux.mak
Copy the LCM shared object library to the /usr/lib directory.
cp /opt/novell/ndk/<nmas ndk>/sample/methodExample/lcm/linux/debug/libcpwdlcm.so /usr/lib
Execute build.sh to create a GTK sharp password prompt window.
/opt/novell/ndk/<nmas ndk>/sample/methodExample/lcm/linux/cpwdgui/build.sh
Create the following directory structure used by the Clear Text Password LCM for the popup window.
/opt/novell/nmas/methods/clrpwd
Copy the following files from /opt/novell/ndk/<nmas ndk>/sample/methodExample/lcm/linux/cpwdgui to /opt/novell/nmas/methods/clrpwd
cpwdgui
cpwdgui.glade
Nmas_simple.bmp
Install Clear Text Password Client method
Create an /etc/nmasclnt.conf file by executing the following commands:
/opt/novell/nmas/client/bin/ncc -c create
/opt/novell/nmas/client/bin/ncc -ma 1 module=libcpwdlcm.so network_func=LCM00000001
Compare your /etc/nmasclnt.conf with the following:
##############################################################################
# Section: Configuration File Information
##############################################################################
[config_info]
version = 2
modification_date = Apr 21, 2005
[/config_info]
##############################################################################
# Section: NMAS Client Information
##############################################################################
[client_info]
version = 3.1.0.4
build_date = Apr 1, 2005
description = NMAS Client, Linux
[/client_info]
##############################################################################
# Section: List of Methods
##############################################################################
[method_list]
[method]
method_ID = 1
module = libcpwdlcm.so
network_func = LCM00000001
[/method]
[/method_list]
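As an added example (not code from the NMAS NDK or the ncc tool; the function and struct names are hypothetical), the following C parses the [method] entries of an nmasclnt.conf so a check can confirm that method 1 is registered with the expected module and network_func before running saslbind. The sample text is constructed from the file shown above.

```c
/* Added example (hypothetical names), not part of the NMAS NDK or ncc. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
struct nmas_method { int id; char module[64]; char network_func[32]; };
static const char NMASCLNT_SAMPLE[] =   /* constructed sample of what ncc -ma writes */
    "[method_list]\n[method]\nmethod_ID = 1\nmodule = libcpwdlcm.so\n"
    "network_func = LCM00000001\n[/method]\n[/method_list]\n";
/* Strip surrounding whitespace in place and return the trimmed start. */
static char *trim(char *s)
{
    char *e;
    while (isspace((unsigned char)*s)) s++;
    for (e = s + strlen(s); e > s && isspace((unsigned char)e[-1]); e--) e[-1] = '\0';
    return s;
}
/* Find the [method] block whose method_ID equals id in the conf text.
 * Comment lines (#) and other sections are skipped. Returns 1 and fills
 * *out when found, 0 otherwise. */
int find_nmas_method(const char *conf, int id, struct nmas_method *out)
{
    size_t len = strlen(conf);
    char *copy = malloc(len + 1), *line, *next, *eq;
    struct nmas_method cur = { -1, "", "" };
    int in_method = 0, found = 0;
    if (!copy) return 0;
    memcpy(copy, conf, len + 1);
    for (line = copy; line && !found; line = next) {
        next = strchr(line, '\n');           /* split off one line at a time */
        if (next) *next++ = '\0';
        line = trim(line);
        if (*line == '#' || *line == '\0') continue;
        if (strcmp(line, "[method]") == 0) {
            cur.id = -1; cur.module[0] = cur.network_func[0] = '\0';
            in_method = 1;
        } else if (strcmp(line, "[/method]") == 0) {
            if (in_method && cur.id == id) { *out = cur; found = 1; }
            in_method = 0;
        } else if (in_method && (eq = strchr(line, '=')) != NULL) {
            char *key, *val;
            *eq = '\0'; key = trim(line); val = trim(eq + 1);
            if (strcmp(key, "method_ID") == 0) cur.id = atoi(val);
            else if (strcmp(key, "module") == 0) snprintf(cur.module, sizeof cur.module, "%s", val);
            else if (strcmp(key, "network_func") == 0) snprintf(cur.network_func, sizeof cur.network_func, "%s", val);
        }
    }
    free(copy);
    return found;
}
```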
Assign a Clear Text Password to a user object
For a Linux solution you will have to run a Java application that takes advantage of the classes contained in the NMASToolkit.jar file. These classes require you to establish an SSL connection to eDirectory. The next few steps will instruct you on how to export a Trusted Root Certificate from eDirectory, store it in a Java key store, and then use the Sun KeyStore to establish an SSL connection to the server and assign the Clear Text password.
Log in to ConsoleOne as admin. To start ConsoleOne, execute the following command:
/usr/ConsoleOne/bin/ConsoleOne
Select the NDS object and then click on the tree in the tool bar and enter the following login credentials:
Login name: admin
Password: <admin's NDS password>
Tree: 127.0.0.1
Context: novell
Export the server's Trusted Root Certificate.
Select the organization object where the server object is located. Select the properties of the SSL CertificateDNS - linux object and click the Certificate tab. Make sure Trusted Root Certificate is selected on the tab's sub menu items and then click the Export button and take all the defaults. This will create a TrustedRootCert.der file in the user's home directory.
Set the server certificate to be used for an SSL connection.
Select the properties of the LDAP Server - linux object and click on the SSL/TLS Configuration tab. Click on the browse button for Server Certificate and select the SSL CertificateDNS object. Click Apply and OK buttons.
Create a new user in eDirectory.
Select the novell container object and then click the New User button on the tool bar. Enter the Name and Surname fields and click the OK button and enter the NDS password. Close ConsoleOne.
Add the Trusted Root Certificate to a Sun Keystore.
Create a certs directory in your user's home directory.
From a Command Prompt Window execute the following:
java sun.security.tools.KeyTool -import -alias TrustedCert -file ~/TrustedRootCert.der -keystore ~/certs/sslkey.keystore
Use the SetClrPwdApp application to set the Clear Text Password on a user object and assign a different password than the user's NDS password.
Build the clear password utility by executing the build.sh
/opt/novell/ndk/<nmas ndk>/sample/methodExample/SetClrPwdApp/build.sh
Run the utility by executing the run.sh
/opt/novell/ndk/<nmas ndk>/sample/methodExample/SetClrPwdApp/run.sh
Create the SASL bind application
Change directories to the /opt/novell/ndk/<nmas ndk>/sample/saslbind/ directory and review the source code. Notice that this sample application uses the NMAS_ClientLoginEx API to establish an LDAP transport. It then uses the ldap_sasl_bind_s API from the Novell LDAP SDK to invoke and process the "NMAS_LOGIN" SASL mechanism.
Build the application by simply typing make to execute the makefile.
Test the Linux LCM
Execute the /opt/novell/ndk/<nmas ndk>/sample/saslbind/saslbind application.
Example:
jdoe@linux:/opt/novell/ndk/nmas_2005.02.24/sample/saslbind> ./saslbind localhost 389 cn=jdoe,o=novell lsmcpwdlin
At this point the pop up window shown below will prompt the user for the Clear Text Password. Enter the password and click the OK button.
Back in the terminal Window you should see that the login was successful.
NMAS SASL Bind:
ldap host : localhost
ldap port : 389
ldap bind DN : cn=jdoe,o=novell
nmas sequence : lsmcpwdlin
password :
NMAS SASL Bind was successful
Writing a Linux PAM module for this method
There are two steps to implementing a Linux PAM module. The first step is to create a shared object that is the PAM module and exports the required PAM functions to be called by the Linux OS. The second is to modify the command files such as login located in /etc/pam.d to invoke the new PAM module. Basically we are going to take the source code for the saslbind sample application and put it in a PAM module.
When creating a PAM module you probably don't want the GUI password prompt window, so in /opt/novell/ndk/<nmas ndk>/sample/methodExample/lcm/linux/src/cpwdlcm.c replace the following lines:
stream = popen("/opt/novell/nmas/methods/clrpwd/cpwdgui", "r");
fgets(pwd, 128, stream);
pclose(stream);
with:
strcpy(pwd, (char *) getpass("Enter the Clear Text password: "));
Recompile libcpwdlcm.so and copy it to /usr/lib.
Compiling the PAM shared object
Build the PAM module by executing the build.sh
/opt/novell/ndk/<nmas ndk>/sample/saslbind/pam/build.sh
Notice the following PAM functions in the source code that get called by the Linux OS and become the entry points into this PAM module. These are just a few of the available functions for PAM modules.
int pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc, const char **argv)
int pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
int pam_sm_close_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
Copy the pam_saslbind.so to /lib/security
A general configuration line of the /etc/pam.d/* files has the following form:
module-type control-flag module-path arguments
For detailed information on each of these fields see http://www.bb-zone.com/SLGFG/chapter25.html
Modify the /etc/pam.d/login to contain the pam_saslbind.so and the LDAP server's configuration. In the arguments section specify the host address, port, user context, and NMAS sequence.
auth required pam_saslbind.so <Server's Host Address> <Port> <user context> <NMAS Sequence>
Notice in the sample below that I am using the NDS method because I was having problems getting the Clear Text Password method (lsmcpwdlin) to work. Both of them should work, the only difference being that the NDS method is built in to the NMAS Client, whereas the Clear Text Password method is a separate shared object.
Example:
#%PAM-1.0
#auth      requisite   pam_unix2.so        nullok #set_secrpc
auth       required    pam_saslbind.so     137.65.136.17 389 o=novell NDS
auth       required    pam_securetty.so
auth       required    pam_nologin.so
#auth      required    pam_homecheck.so
auth       required    pam_env.so
auth       required    pam_mail.so
#account   required    pam_unix2.so
password   required    pam_pwcheck.so      nullok
#password  required    pam_unix2.so        nullok use_first_pass use_authtok
#session   required    pam_unix2.so        none # debug or trace
session    required    pam_limits.so
session    required    pam_resmgr.so
Test the PAM module by switching to another terminal screen such as tty2 (Ctrl-Alt-F2) and logging in. Make sure the username you log in with exists in eDirectory at the context specified in the /etc/pam.d/login file. If everything is set correctly you should successfully log in. View the system log for the results of the login and the output from the PAM module by switching back to the Linux GUI (Alt-F7) and listing the /var/log/messages file.
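As an added example (not code from the NDK's saslbind or pam samples; the function and struct names are hypothetical), the following C shows how a module of this kind can handle the host, port, context and sequence arguments given on the pam_saslbind.so line and build the bind DN (cn=<user>,<context>) that the saslbind sample passes on to NMAS_ClientLoginEx and ldap_sasl_bind_s. The user name is escaped per RFC 4514 so a crafted login name cannot change the DN; the NMAS and LDAP calls themselves are left to the real module.

```c
/* Added example (hypothetical names), not the NDK's pam/saslbind source. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>
struct saslbind_cfg {          /* the four pam_saslbind.so arguments */
    const char *host;          /* <Server's Host Address> */
    int port;                  /* <Port> */
    const char *context;       /* <user context>, e.g. o=novell */
    const char *sequence;      /* <NMAS Sequence>, e.g. lsmcpwdlin or NDS */
};
/* Parse argv as given after pam_saslbind.so in /etc/pam.d/login.
 * Returns 0 on success, -1 if an argument is missing or the port is invalid. */
int parse_saslbind_args(int argc, const char **argv, struct saslbind_cfg *cfg)
{
    char *end;
    long port;
    if (argc != 4) return -1;
    errno = 0;
    port = strtol(argv[1], &end, 10);
    if (errno || end == argv[1] || *end != '\0' || port < 1 || port > 65535)
        return -1;
    cfg->host = argv[0];
    cfg->port = (int)port;
    cfg->context = argv[2];
    cfg->sequence = argv[3];
    return 0;
}
/* Build "cn=<user>,<context>" into out, backslash-escaping the characters
 * RFC 4514 treats specially in an RDN value (, + " \ < > ; plus a leading
 * '#' or space and a trailing space) so a login name cannot add RDNs.
 * Returns 0, or -1 if the user name is empty or the DN does not fit. */
int build_bind_dn(const char *user, const char *context, char *out, size_t outlen)
{
    size_t n = 3, i, ulen = strlen(user);
    if (ulen == 0 || outlen < 4) return -1;
    memcpy(out, "cn=", 3);
    for (i = 0; i < ulen; i++) {
        char c = user[i];
        int esc = strchr(",+\"\\<>;", c) != NULL
               || (i == 0 && (c == '#' || c == ' '))
               || (i == ulen - 1 && c == ' ');
        if (n + (esc ? 2 : 1) >= outlen) return -1;
        if (esc) out[n++] = '\\';
        out[n++] = c;
    }
    if (n + 1 + strlen(context) >= outlen) return -1;
    out[n++] = ',';
    strcpy(out + n, context);
    return 0;
}
```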
Conclusion
Obviously the information in this article is still very new and cutting edge, but as more and more companies look to Linux as a way of reducing costs, security on Linux and alternate methods of authentication are quickly becoming a hot topic.
References
http://www.bb-zone.com/SLGFG/chapter25.html
