How to configure LUM on a new SUSE workstation
Novell Cool Solutions: Feature
By Edward van der Maas
Posted: 17 Nov 2005
Software being used: SUSE Open Enterprise Server SP1, Novell Linux Desktop 9
First, we'll need a SUSE Open Enterprise Server and a Novell Linux Desktop. How to install this server and workstation is out of the scope of this document. Refer to the installation instructions in the documentation. After both machines are set up, you are ready to install the Linux User Management (LUM) components onto the workstation.
From the Open Enterprise Server (OES) CD 3, install NLDAPsdk and NLDAPbase.
Use the following command:
rpm -Uvh NLDAPsdk-8.7.3.4-2.i386.rpm NLDAPbase-8.7.3.4-2.i386.rpm
Now that we have the required RPMs installed, we can install the LUM component.
From OES CD2, install novell-lum-2.2.0-55.1.i586.rpm
Use the following command:
rpm -Uvh novell-lum-2.2.0-55.1.i586.rpm
All the required components are now installed and we can import the workstation into eDirectory using namconfig.
To be able to log in to the workstation, we need to assign users to it so that they are privileged to authenticate there. Therefore, the workstation has to be imported into eDirectory.
To import the workstation we use namconfig.
Use the following command:
namconfig add -a cn=admin,o=novell -r o=novell -w ou=services,o=novell -S 172.16.1.200:389 -l 636
What this all means:
-a cn=admin,o=novell. This is the user we are logging in as
-r o=novell. This is the partition root. My test tree only has 1 partition
-w ou=services,o=novell. This is the context where the workstation will be created
-S 172.16.1.200:389. This is the LDAP server we are using
-l 636. This is the secure LDAP port we are using
Make sure that the context where the workstation will be created matches the context where the Unix config object checks for workstations. You can check this from iManager | Linux User Management | Modify Linux/Unix Config Object.
Importing the workstation should produce a message like the following:
If we now check ConsoleOne we'll see a new Unix workstation object.

We are now ready to set up LUM for a user so that we can log in, but we'll need to make some changes first.
To be able to log in through X Windows, we'll need to modify the pluggable authentication module (PAM) configuration for the XDM service. We can find this file in /etc/pam.d/xdm.
In the same directory is a file called pam_nam_sample. This file contains the 4 lines we need to add to the xdm PAM file. Copy the content of pam_nam_sample and paste it into the file called xdm. If you want to enable this for other services, you can modify the appropriate file.
The file will look like this:
NLD:/etc/pam.d # cat xdm
auth sufficient /lib/security/pam_nam.so
account sufficient /lib/security/pam_nam.so
password sufficient /lib/security/pam_nam.so
session optional /lib/security/pam_nam.so
#%PAM-1.0
auth required pam_unix2.so nullok #set_secrpc
account required pam_unix2.so
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
session required pam_unix2.so debug # trace or none
session required pam_devperm.so
session required pam_resmgr.so
NLD:/etc/pam.d #
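To confirm the edit, the following added example (not part of the original article) checks that each of the four PAM module types has a pam_nam.so entry and that it is listed before pam_unix2.so, because a user who exists only in eDirectory is rejected if a required pam_unix2.so line runs ahead of it. The function name check_pam_nam and the embedded sample file are assumptions made for illustration; point the function at /etc/pam.d/xdm on a real workstation.

```shell
#!/bin/sh
# Added example: audit a PAM service file for the pam_nam.so layout shown above.
# check_pam_nam FILE prints one line per module type and returns 0 only if
# pam_nam.so exists for all four types and precedes pam_unix2.so in each.
check_pam_nam() {
    awk '
        /^[ \t]*#/ || NF < 3 { next }            # skip comments and short lines
        $3 ~ /pam_nam\.so$/   && !($1 in nam) { nam[$1] = NR; ctl[$1] = $2 }
        $3 ~ /pam_unix2\.so$/ && !($1 in ux)  { ux[$1] = NR }
        END {
            n = split("auth account password session", types, " ")
            for (i = 1; i <= n; i++) {
                t = types[i]
                if (!(t in nam)) {
                    print t ": FAIL pam_nam.so missing"; bad = 1
                } else if ((t in ux) && nam[t] > ux[t]) {
                    print t ": FAIL pam_nam.so listed after pam_unix2.so"; bad = 1
                } else {
                    print t ": ok (" ctl[t] ", line " nam[t] ")"
                }
            }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample mirroring the xdm file shown above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
auth     sufficient /lib/security/pam_nam.so
account  sufficient /lib/security/pam_nam.so
password sufficient /lib/security/pam_nam.so
session  optional   /lib/security/pam_nam.so
#%PAM-1.0
auth     required   pam_unix2.so nullok #set_secrpc
account  required   pam_unix2.so
password required   pam_pwcheck.so nullok
password required   pam_unix2.so nullok use_first_pass use_authtok
session  required   pam_unix2.so debug # trace or none
session  required   pam_devperm.so
session  required   pam_resmgr.so
EOF
check_pam_nam "$sample"
rm -f "$sample"
```
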
Now restart the workstation.
The last thing we need to do is enable a user for LUM so that the user can log in to the workstation. For this whole process we'll use iManager.
We've created a group called Lum-Users and made our user John Doe a member of this group. Now we need to enable this group in LUM.
Within Linux User Management, click Enable groups for linux and select the Lum-Group we've just created.
Make sure the "Linux-enable all users in these Groups" is checked.
The next step is to select the workstations. Here, we need to ensure that our newly created workstation is added.
These are all the steps necessary to get LUM running on a NLD workstation.





