eDirectory/PAM Authentication to Linux Services
Novell Cool Solutions: Feature
By Preston Gallwas
Posted: 10 Jan 2007
Problem: I need to authenticate users from eDirectory via PAM to services such as VMWare Server, and perform administration using sudo.
- Using Linux User Management (LUM) from the SLED 10 source, install and configure.
- Add authentication sources to the appropriate pam.d files.
- Download and install iManager plugin for Linux User Management from download.novell.com.
- Add SLED10 DVD as an "add on product" source.
- Search and add novell-lum, accept dependency resolution.
- Search and add "yast2-linux-user-mgmt".
- Accept and install.
- Run Yast Module under Security/Users -> Linux User management.
- Select LDAP server, type in base DN.
Note: Since LUM searches the LDAP tree downward from the base DN you give it, the base DN must sit high enough in the tree to contain all the users you want to find.
- Open a terminal session.
- Run namconfig add -l 636
- Follow the prompts. In my case, I placed the server workstations at the root of the tree.
- Open iManager and go into the Linux User management.
- Click enable group for LUM.
- Find the group and make sure all users you want are a member of this group.
- Click OK. A dialog comes up asking for the object to associate with.
- Associate the object with the server you want.
You should be set. If not, try this:
- Open a terminal session.
- Run this command:
Warning: Make sure you can access the LDAP server. If you can't, gdm will fail to load and you'll be stuck in command-line-only mode, because X cannot initialize properly. If you're already stuck at that point, edit /etc/nsswitch.conf, find the lines
    group: compat nam
    passwd: compat nam
remove "nam" from each, then save.
Yast gave me an error on two servers saying NAMCONFIG must be run manually because the admin users did not have rights to the tree, so I reran LUM Config and did NOT include the admin user (see the warning below).
Authentication to VMWare
- To get LUM users to authenticate to the VMWare Console, edit /etc/pam.d/vmware-authd to look as follows:
    #%PAM-1.0
    auth sufficient /lib/security/pam_unix2.so shadow nullok
    auth sufficient /lib/security/pam_nam.so
    auth required /lib/security/pam_unix_auth.so shadow nullok
    account sufficient /lib/security/pam_unix2.so
    account sufficient /lib/security/pam_nam.so
    account required /lib/security/pam_unix_acct.so
- To get LUM users to authenticate to sudo, edit /etc/pam.d/sudo to look as follows:
    auth sufficient pam_nam.so
    account sufficient pam_nam.so
    password sufficient pam_nam.so
    session optional pam_nam.so
    #%PAM-1.0
    auth include common-auth
    account include common-account
    password include common-password
    session include common-session
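Both stacks above rely on the order of "sufficient" and "required" lines: a successful pam_nam.so check ends the stack before the local /etc/shadow modules run, while a failed or unreachable pam_nam.so is simply skipped and the local modules decide. The script below is an added example, not code from the article or from Novell LUM. It parses pam.d stacks and simulates the classic PAM control-flag semantics so you can see what vmware-authd and sudo decide when eDirectory is up, down, or the user is local-only. The vmware-authd and sudo stack texts are copied from the article; the common-* files and every module outcome are constructed stand-ins (the real SUSE common-* files list more modules), and the bracketed "[success=...]" control syntax is out of scope.

```python
"""Added example (not from the article): pam.d parser plus a simulator of the
classic PAM control flags, run against the article's vmware-authd and sudo
stacks. The common-* stacks and all module outcomes are constructed."""

from dataclasses import dataclass

# Copied from the article's /etc/pam.d/vmware-authd.
VMWARE_AUTHD = """\
#%PAM-1.0
auth sufficient /lib/security/pam_unix2.so shadow nullok
auth sufficient /lib/security/pam_nam.so
auth required /lib/security/pam_unix_auth.so shadow nullok
account sufficient /lib/security/pam_unix2.so
account sufficient /lib/security/pam_nam.so
account required /lib/security/pam_unix_acct.so
"""

# Copied from the article's /etc/pam.d/sudo.
SUDO = """\
auth sufficient pam_nam.so
account sufficient pam_nam.so
password sufficient pam_nam.so
session optional pam_nam.so
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session include common-session
"""

# Constructed minimal stand-ins for the SUSE common-* files (assumption:
# the real files list more modules, e.g. pam_env.so).
COMMON = {
    "common-auth": "auth required pam_unix2.so\n",
    "common-account": "account required pam_unix2.so\n",
    "common-password": "password required pam_unix2.so\n",
    "common-session": "session required pam_unix2.so\n",
}


@dataclass
class Entry:
    mtype: str      # auth, account, password or session
    control: str    # required, requisite, sufficient or optional
    module: str     # module file name without its directory
    args: tuple     # module arguments, kept for inspection only


def parse_pam_stack(text, includes=None):
    """Parse a pam.d file; 'include' lines are expanded from `includes`."""
    includes = includes or {}
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed pam.d line: {raw!r}")
        mtype, control, target = parts[0].lower(), parts[1].lower(), parts[2]
        if control == "include":
            # Splice in only the matching management group of the included file.
            included = parse_pam_stack(includes[target], includes)
            entries.extend(e for e in included if e.mtype == mtype)
            continue
        entries.append(Entry(mtype, control, target.rsplit("/", 1)[-1], tuple(parts[3:])))
    return entries


def evaluate(entries, mtype, results):
    """Decide one management group. `results` maps module name -> True/False;
    a module absent from `results` counts as failed, which is how pam_nam.so
    behaves when it cannot reach the LDAP server."""
    verdict = None  # None = nothing decided yet
    for e in entries:
        if e.mtype != mtype:
            continue
        ok = results.get(e.module, False)
        if e.control == "sufficient":
            # Success ends the stack unless a required module already failed;
            # failure of a sufficient module is silently ignored.
            if ok and verdict is not False:
                return True
        elif e.control in ("required", "requisite"):
            if ok:
                if verdict is None:
                    verdict = True
            elif e.control == "requisite":
                return False        # requisite failure ends the stack at once
            else:
                verdict = False     # required failure is remembered; later modules still run
        # optional modules do not influence the verdict in this model
    return verdict is True


def login_decision(stack_text, results, includes=None):
    """Return (auth_ok, account_ok) for a stack and a set of module outcomes."""
    entries = parse_pam_stack(stack_text, includes)
    return evaluate(entries, "auth", results), evaluate(entries, "account", results)


if __name__ == "__main__":
    scenarios = {"LUM user, LDAP up": {"pam_nam.so": True},
                 "LUM user, LDAP down": {},
                 "local root, LDAP down": {"pam_unix2.so": True}}
    for name, outcome in scenarios.items():
        print(f"{name:24} vmware-authd={login_decision(VMWARE_AUTHD, outcome)} "
              f"sudo={login_decision(SUDO, outcome, COMMON)}")
```

The three scenarios show the property a defender cares about: an eDirectory user is admitted by pam_nam.so alone, the local pam_unix modules never see the request; when LDAP is unreachable the same user is refused rather than falling back to a weaker check; and a local account with a valid /etc/shadow entry still works when the directory is down, which is why the article's warning about losing LDAP access matters for gdm but not for an emergency local login.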
- Edit /etc/sudoers to set up the sudoers file depending on what you need.
For our organization, the only group that will administer this server are users in the group "LUM-Users", so our sudoers file looks as follows:
    # In the default (unconfigured) configuration, sudo asks for the root password.
    # This allows use of an ordinary user account for administration of a freshly
    # installed system. When configuring sudo, delete the two
    # following lines:
    #Defaults targetpw   # ask for the password of the target user i.e. root
    #ALL ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!

    # Runas alias specification

    # User privilege specification
    root ALL=(ALL) ALL

    # Uncomment to allow people in group wheel to run all commands
    # %wheel ALL=(ALL) ALL
    %LUM-Users ALL=(ALL) ALL

    # Same thing without a password
    # %wheel ALL=(ALL) NOPASSWD: ALL

    # Samples
    # %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
    # %users localhost=/sbin/shutdown -h now
    %hpsmh ALL=NOPASSWD:/etc/init.d/snmpd
    %hpsmh ALL=NOPASSWD:/usr/bin/snmptrap
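Once eDirectory group membership drives sudo, the sudoers file is the place where a directory change turns into root on the server, so it is worth being able to audit it mechanically: which principals get an unrestricted command set, and which get commands without a password. The script below is an added example, not code from the article. It parses plain user-specification lines from the article's sudoers (copied above, comments trimmed) and reports those two conditions; aliases, line continuations and #include directives are out of scope, which is an assumption that fits this file. Note that a user-specification line with no "(runas)" part is treated as running as root, which is sudo's default.

```python
"""Added example (not from the article): parse the article's /etc/sudoers and
report unrestricted and NOPASSWD grants. Plain user-specification lines only;
aliases, line continuations and #include directives are not handled."""

import re
from dataclasses import dataclass

# Copied from the article's /etc/sudoers (comment lines kept as they were).
SUDOERS = """\
#Defaults targetpw   # ask for the password of the target user i.e. root
#ALL ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!

# User privilege specification
root ALL=(ALL) ALL

# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
%LUM-Users ALL=(ALL) ALL

# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now
%hpsmh ALL=NOPASSWD:/etc/init.d/snmpd
%hpsmh ALL=NOPASSWD:/usr/bin/snmptrap
"""

# who host = (runas) TAG: TAG: cmd, cmd
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<cmds>.+)$")

# Keywords that start lines this parser deliberately skips.
SKIP = {"Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias"}


@dataclass
class Rule:
    who: str          # user, or %group
    host: str
    runas: str        # target user(s); sudo's default when omitted is root
    tags: frozenset   # e.g. {"NOPASSWD"}
    commands: tuple   # command list, "ALL" means any command


def parse_sudoers(text):
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.split()[0] in SKIP:
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {raw!r}")
        tags = frozenset(t for t in m.group("tags").replace(" ", "").split(":") if t)
        cmds = tuple(c.strip() for c in m.group("cmds").split(","))
        rules.append(Rule(m.group("who"), m.group("host"), m.group("runas") or "root", tags, cmds))
    return rules


def audit(rules):
    """Return (who, kind, detail) findings for broad or password-less grants."""
    findings = []
    for r in rules:
        if "ALL" in r.commands:
            findings.append((r.who, "unrestricted", f"any command as {r.runas} on {r.host}"))
        if "NOPASSWD" in r.tags:
            findings.append((r.who, "nopasswd", "no password for: " + ", ".join(r.commands)))
    return findings


if __name__ == "__main__":
    for who, kind, detail in audit(parse_sudoers(SUDOERS)):
        print(f"{kind:13} {who:12} {detail}")
```

Run against the article's file this reports root and %LUM-Users as unrestricted and the two %hpsmh entries as password-less but limited to named commands, which is the intended shape: full administration is tied to one eDirectory group, and the monitoring account gets only what it needs. On the live system, `visudo -c` remains the authoritative syntax check before you rely on an edited sudoers.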
SLES 10, SLED 10, VMWare Server 1.0.1, sudo
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com