
Configure Linux to Authenticate to eDirectory via LDAP

Novell Cool Solutions: Feature


Posted: 27 Aug 2004
 

This document describes the steps necessary to configure system authentication of a Linux host to Novell eDirectory over LDAP. The scope of this document covers the configuration of both the Linux host (the LDAP client) and Novell eDirectory (the LDAP server). The resulting configuration redirects system authentication to Novell eDirectory via LDAP.

Many Linux systems use an authentication architecture named Pluggable Authentication Modules (PAM). This architecture provides a flexible authentication model for the system and for PAM-aware applications. Many Linux systems ship with the PAM modules that allow the system to authenticate to an LDAP server such as Novell eDirectory. These modules are provided by PADL Software Pty Ltd.

There are two services that need to be configured for LDAP authentication to work correctly. First, the system naming service needs to be configured to use LDAP to resolve resources such as user and group accounts. For example, if a directory is owned by user 510, the naming service needs to resolve uid 510 to a user name. Normally this is done by looking up accounts in the /etc/passwd file. Since users will now be stored in eDirectory, the system needs to be configured to resolve accounts both in the passwd file and in eDirectory. This functionality is provided by the /usr/lib/libnss_ldap.so library. The configuration outlined in this document configures the system to check the local /etc/passwd file first for accounts such as root, and then to check the LDAP server.

The authentication service is the service that actually authenticates users against LDAP. As mentioned before, the PAM LDAP modules are used to redirect authentication to Novell eDirectory. The /lib/security/pam_ldap.so PAM module provides LDAP authentication.
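The ordering described above (local files first, then LDAP) is what keeps root and other local accounts resolvable when the LDAP server is down. The following shell function is an added example, not part of the original article, that checks a name service switch file for that ordering; the article itself sets this up through authconfig or YaST rather than by hand, and the file path passed in is an assumption.

```shell
#!/bin/sh
# Added example (not from the original article): verify that the name
# service switch consults local files before LDAP for passwd, group and
# shadow, so root and other local accounts still resolve when the LDAP
# server is unreachable.

# nss_files_before_ldap FILE
#   Returns 0 when each of passwd, group and shadow lists "files" before
#   "ldap" in FILE; returns 1 and names the offending database otherwise.
nss_files_before_ldap() {
    file=$1
    rc=0
    for db in passwd group shadow; do
        # first non-comment line for this database, with the "db:" prefix removed
        sources=$(sed -n "s/^[[:space:]]*$db:[[:space:]]*//p" "$file" | head -n 1)
        files_pos=0; ldap_pos=0; i=0
        for src in $sources; do
            i=$((i + 1))
            case $src in
                files) if [ "$files_pos" -eq 0 ]; then files_pos=$i; fi ;;
                ldap)  if [ "$ldap_pos" -eq 0 ]; then ldap_pos=$i; fi ;;
            esac
        done
        if [ "$ldap_pos" -eq 0 ]; then
            echo "$db: ldap is not consulted at all" >&2
            rc=1
        elif [ "$files_pos" -eq 0 ] || [ "$files_pos" -gt "$ldap_pos" ]; then
            echo "$db: local files are not consulted before ldap" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone usage: nss_files_before_ldap /etc/nsswitch.conf
if [ -n "$1" ]; then
    nss_files_before_ldap "$1"
fi
```

Run it against /etc/nsswitch.conf after authconfig or YaST has written the file; a non-zero exit means a database either skips LDAP entirely or consults it before the local files.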

The tested configuration for the LDAP server was Novell eDirectory 8.7 running on Redhat 8.0 Linux. The tested Linux hosts used for LDAP authentication were Redhat 7.2 and Redhat 8.0.

Configuring Novell eDirectory for Linux System Authentication

The schema defined for Linux account authentication is defined in RFC2307 (http://www.faqs.org/rfcs/rfc2307.html).

Novell offers schema import files in traditional eDirectory schema format and in LDAP Data Interchange Format (LDIF) that can be used to extend the Novell eDirectory schema. The following steps can be used to extend the schema in your environment:

  1. Login to the Linux host running Novell eDirectory as the root user.
  2. Change to /usr/lib/nds-schema by typing: cd /usr/lib/nds-schema
  3. The "/usr/lib/nds-schema/rfc2307-usergroup.ldif" file contains the schema required for UNIX and Linux system authentication. Type the following to extend the schema:
    ndssch -h localhost -t YOUR_TREE ADMIN.FDN rfc2307-usergroup.sch
  4. Supply the password for the administrative account provided.

Create a Proxy User for Anonymous Binds

  1. Create a new user account and set the password to null. Do not click cancel when prompted, but click OK so that Public/Private keys are generated.
  2. Open the properties of the account and under Password Restrictions uncheck the box that says "Allow user to change password".
  3. Right-click the tree root object, select "Trustees of this Object", and give the proxy user Browse entry rights, plus Read and Compare property rights on the following attributes:

    CN
    Description
    O
    OU
    Object Class
    dc
    gecos
    gidNumber
    homeDirectory
    loginShell
    memberUid
    uidNumber
    uniqueID
  4. Open the properties of the LDAP group object of your server and from the general page select this new user as the proxy user.
  5. Open the properties of the LDAP server object and click "Refresh LDAP server" from the general page.

Configuring Novell eDirectory Accounts for Linux Authentication

This section shows how to add the posixAccount auxiliary class to a user account and set the required fields.

1. Highlight a User account and right-click on it.

2. Select "Extensions of this Object...".

3. Click "Add Extension..." .

4. Select "posixAccount" from the list and click OK.

5. Press OK on the dialog "Generic Editing..." message to continue.

6. Fill in the fields listed in the next dialog named "New posixAccount":

Field           Purpose                                  Example
Name:           The name of this extension               posixAccount
homeDirectory:  The user home directory                  /home/ncurtis
uniqueID:       The unique ID of the user                ncurtis
Common Name:    Shown as "Other name" in ConsoleOne      Nathan Curtis
gidNumber:      The GID in Linux                         515
uidNumber:      The UID in Linux                         515

Other attributes required, and that can be added under the "Other" tab of the Object:

Field           Purpose                                  Example
loginShell      Sets the user's shell                    /bin/bash

The loginShell attribute is required by SUSE Linux for proper X login.

7. Click OK to save the changes.
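The same posixAccount extension can be applied to an existing user from the command line with an LDIF modify record. The function below is an added example, not part of the article; the DN and the sample values are constructed, and the record is meant to be fed to an LDAP client such as ldapmodify (an assumption, since the article only shows the ConsoleOne dialog). It refuses non-numeric uidNumber/gidNumber values, relative home directory or shell paths, and uidNumber 0, because an LDAP entry with uid 0 would be resolved by the name service as root.

```shell
#!/bin/sh
# Added example (not from the original article): emit the LDIF that adds the
# RFC2307 posixAccount auxiliary class and the attributes listed in the
# tables above to an existing eDirectory user entry.

# posix_account_ldif DN UID_NUMBER GID_NUMBER HOME SHELL GECOS UNIQUE_ID
#   Prints an LDIF "modify" record on stdout and returns 0.
#   Returns 1 and prints nothing on stdout when a value is unusable.
posix_account_ldif() {
    dn=$1; uidn=$2; gidn=$3; home=$4; shell=$5; gecos=$6; uniq=$7
    case $uidn in ''|*[!0-9]*) echo "uidNumber must be numeric: $uidn" >&2; return 1 ;; esac
    case $gidn in ''|*[!0-9]*) echo "gidNumber must be numeric: $gidn" >&2; return 1 ;; esac
    if [ "$uidn" -eq 0 ]; then
        echo "uidNumber 0 would map the directory user onto root" >&2; return 1
    fi
    case $home  in /*) ;; *) echo "homeDirectory must be absolute: $home" >&2; return 1 ;; esac
    case $shell in /*) ;; *) echo "loginShell must be absolute: $shell" >&2; return 1 ;; esac
    cat <<EOF
dn: $dn
changetype: modify
add: objectClass
objectClass: posixAccount
-
add: uidNumber
uidNumber: $uidn
-
add: gidNumber
gidNumber: $gidn
-
add: homeDirectory
homeDirectory: $home
-
add: loginShell
loginShell: $shell
-
add: gecos
gecos: $gecos
-
add: uniqueID
uniqueID: $uniq
-
EOF
}

# Stand-alone usage with constructed sample values (the DN is not from the article):
if [ "$1" = "--demo" ]; then
    posix_account_ldif 'cn=ncurtis,ou=users,dc=example,dc=com' 515 515 \
        /home/ncurtis /bin/bash 'Nathan Curtis' ncurtis
fi
```

Pipe the output into your LDAP client over the TLS-protected connection the later sections configure; the schema from the RFC2307 import must already be in place or the objectClass add is rejected.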

Configuring a Redhat Linux Host (LDAP client)

The following steps show the easiest way to configure a Redhat Linux host for LDAP redirection authentication.

  1. Login as root.
  2. From a terminal type: authconfig
  3. On the "User Information Configuration" screen select "Use LDAP"
  4. Select "Use TLS".
  5. Add the LDAP server in the server field and the search base of where users are located. For example:

    Server: ldap.novell.com
    Base DN: ou=users, dc=novell,dc=com
  6. Select Next.
  7. The information entered in the step above will be brought over for this screen. Tab through this screen and select OK.
  8. Restart the Linux system or completely kill X if testing graphical logins. A CTL+DEL+BACKSPACE will not work. Terminal logins should work without rebooting.

Configuring a SUSE Linux Host (LDAP client)

  1. Start the YaST2 Control Center: /sbin/yast2 'menu'
  2. Select the "Network/Advanced" section and then "LDAP client".
  3. Select "Use LDAP".
  4. Add the LDAP server in the server field and the search base of where users are located. For example:
    • Base DN: ou=users, dc=novell,dc=com
    • Addresses of LDAP Servers: ldap.novell.com
  5. Select LDAP TLS/SSL.
  6. Save your changes by clicking Finish.

Dynamically Creating User Home Directories

If user home directories are going to be created locally, PAM needs to create them dynamically. Without this, a text-based login only produces an error when the home directory is missing, and an X session login is refused. The following configures PAM to create a user's home directory during login if it does not already exist. For additional information see TID 10067700 "How to create homedirectories on Unix automatically".

SUSE Linux 8.1

1. Open the /etc/pam.d/login file and add the following line above the first session line:
    session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022

2. Open the /etc/pam.d/xdm file and add the following line above the first session line:
    session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022

If you want SSL enabled, you also need to configure the ldap.conf file: it must contain the entries "ssl on" and "sslpath /path/cert7.db", where the path points at the certificate database holding the server certificate.

Redhat Linux 7.2 and 8.0

1. Open the /etc/pam.d/system-auth file and add the following line above the first session line:
    session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022

Note: You need to add the server certificate to the cert7.db. TID# 10090049 gives a step-by-step guide on how to insert your certificate into the cert7.db.
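The edits above to /etc/pam.d/login, /etc/pam.d/xdm and /etc/pam.d/system-auth are all the same operation: insert the pam_mkhomedir line above the first session line. The script below is an added example, not part of the article, that performs that insertion for any PAM service file and does so idempotently, so running it twice (or on a file someone already edited by hand) never leaves a second copy of the line. It keeps the article's exact module line and assumes the file path is passed in.

```shell
#!/bin/sh
# Added example (not from the original article): insert the pam_mkhomedir
# line above the first "session" line of a PAM service file, skipping files
# that already contain it.

MKHOMEDIR_LINE='session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022'

# add_mkhomedir FILE
#   Rewrites FILE in place (keeping its mode and owner). Returns 0 when the
#   line is present afterwards, whether inserted now or already there, and
#   1 without touching the file when it contains no session line at all.
add_mkhomedir() {
    file=$1
    if grep -q 'pam_mkhomedir\.so' "$file"; then
        return 0                      # already configured, nothing to do
    fi
    if ! grep -q '^[[:space:]]*session[[:space:]]' "$file"; then
        echo "$file: no session line found, not modified" >&2
        return 1
    fi
    tmp="$file.tmp.$$"
    # print the new line once, immediately before the first session entry
    awk -v line="$MKHOMEDIR_LINE" '
        !done && $1 == "session" { print line; done = 1 }
        { print }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # copy back over the original so /etc/pam.d permissions are preserved
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Stand-alone usage: add_mkhomedir /etc/pam.d/login (run as root)
if [ -n "$1" ]; then
    add_mkhomedir "$1"
fi
```

Because the function refuses files without a session line, a service file that has no session stack is left alone rather than having a dangling session entry appended.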

Comments and Suggestions

Anonymous

This is virtually useless without a way to put the user's home directory on a NetWare server. I suppose it might be morbidly amusing to know that users leave their files stranded on whichever station they last used, but we generally try to be *nice* to our users.

Reader Comments

  • Gee, it'd be handy if the home directory could be ON THE NETWARE SERVER, you dolts. Is this supposed to be for playing on my home network? That's all it's good for.
  • Agreeing with the previous commenter. Without a sane and secure way of automounting the users homedirs this is useless
  • Actually, this is a great way to authenticate users against eDirectory, and if you've got your /home directory nfs mounted, then you can share your home directory just like windows users can in their profiles.
  • Good overview, in spite of the comments above. In addition to nfs, ncpfs and samba can be used to mount home directories as well. This is also a good way to manage accounts for a group of system administrators all accessing various Linux servers.
  • Useless as it does not work with SLES and eDirectory 3.8
  • This doesn't work at all with SuSE Enterprise Server. I've set up LDAP on several other platforms - there's steps missing here. For instance you create the bind proxy user but where in this document does it show you using it anywhere?
  • I almost got it working, but the homedirectory-string is empty when I check with 'getent password $username'. So I get an error that the home-directory can't be created, and I end up logged in in the root-directory.
  • I agree that it's a good overview. I don't need every server someone logs into to map a home directory - just need a way to authorize users for disparate systems.
  • "A CTL+DEL+BACKSPACE will not work." -- I guess you mean CTL+ALT+BACKSPACE


© 2009 Novell, Inc. All Rights Reserved.