eDirectory/PAM Authentication to Linux Services

Novell Cool Solutions: Feature
By Preston Gallwas

Posted: 10 Jan 2007

Problem:

I need to authenticate users from eDirectory via PAM to services such as VMWare Server, and perform administration using sudo.

Solution:

  1. Install and configure Linux User Management (LUM) from the SLED 10 installation source.
  2. Add authentication sources to the appropriate pam.d files.
  3. Download and install the iManager plugin for Linux User Management from download.novell.com.
  4. Add the SLED 10 DVD as an "add-on product" source.
  5. Search for and add novell-lum, accepting the dependency resolution.
  6. Search for and add "yast2-linux-user-mgmt".
  7. Accept and install.
  8. Run the YaST module under Security/Users -> Linux User Management.
  9. Select the LDAP server and type in the base DN.

    Note: Since the LDAP search runs downward from the base DN, the base DN must sit high enough in the tree to include the users you want.
  10. YaST gave me an error on two servers saying NAMCONFIG must be run manually because the admin user did not have rights to the tree, so I reran LUM Config and did NOT include the admin user (see the warning below).

  11. Open a terminal session.
  12. Run namconfig add -l 636
  13. Follow the prompts. In my case, I placed the server workstations at the root of the tree.
  14. Open iManager and go into the Linux User management.
  15. Click enable group for LUM.
  16. Find the group and make sure all users you want are a member of this group.
  17. Click OK. A dialog comes up asking for the object to associate with.
  18. Associate the object with the server you want.
    You should be set. If not, try this:
  19. Open a terminal session.
  20. Run this command:
    namconfig cache_refresh

    Warning: Make sure you can reach the LDAP server. If you can't, gdm will fail to load and you'll be stuck in command-line-only mode, because X cannot initialize properly. If you're already stuck at that point, open /etc/nsswitch.conf, find the lines

    group:  compat nam
    passwd: compat nam

    and remove "nam" from each, then save.
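As an added example (not code from the article), a small POSIX shell helper that automates the warning above: it confirms the eDirectory server answers over LDAPS before trusting the nam source and, if it does not, removes nam from the passwd and group lines so the machine still boots to a login screen. It assumes the OpenLDAP ldapsearch client is installed and that the server permits an anonymous rootDSE read; the function names and the NSSWITCH variable are mine.

```shell
#!/bin/sh
# Added example, not part of the original article. Guards the nsswitch "nam"
# lookup: if the directory cannot be reached, nam is dropped from passwd/group
# so gdm/X can still start. Assumes OpenLDAP client tools (ldapsearch) and an
# anonymous rootDSE read on the server; the LDAP host is passed as $1.
NSSWITCH=${NSSWITCH:-/etc/nsswitch.conf}

# ldap_reachable HOST [PORT]: succeed only if an LDAPS rootDSE read works,
# so a TLS or certificate problem is caught, not just an open TCP port.
ldap_reachable() {
    ldapsearch -x -H "ldaps://$1:${2:-636}" -o nettimeout=5 -l 5 \
        -b '' -s base '(objectClass=*)' namingContexts >/dev/null 2>&1
}

# nss_uses_nam FILE: succeed if the passwd or group line consults nam.
nss_uses_nam() {
    grep -Eq '^[[:space:]]*(passwd|group):.*[[:space:]]nam([[:space:]]|$)' "$1"
}

# drop_nam_from_nss FILE: remove nam from the passwd and group lines only,
# writing through a temp copy so an interrupted edit cannot truncate the file.
drop_nam_from_nss() {
    pg='/^[[:space:]]*(passwd|group):/'
    cp -p "$1" "$1.tmp" &&
    sed -E -e "$pg"'s/[[:space:]]+nam[[:space:]]*$//' \
           -e "$pg"'s/[[:space:]]+nam[[:space:]]+/ /g' "$1" > "$1.tmp" &&
    mv "$1.tmp" "$1"
}

# lum_nam_check HOST: keep nam only while the directory answers; otherwise
# fall back to local accounts (the recovery step the warning describes).
lum_nam_check() {
    if ldap_reachable "$1" && getent passwd >/dev/null 2>&1; then
        echo "LDAP $1 reachable and NSS lookups work; leaving $NSSWITCH alone"
        return 0
    fi
    if nss_uses_nam "$NSSWITCH"; then
        echo "LDAP $1 unreachable: dropping nam from $NSSWITCH" >&2
        drop_nam_from_nss "$NSSWITCH"
    fi
    return 1
}

# Usage: lum_nam_check.sh ldap.example.com   (run as root to edit nsswitch.conf)
if [ "$#" -gt 0 ]; then lum_nam_check "$1"; fi
```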

Authentication to VMWare

  1. To get LUM users to authenticate to the VMWare Console, edit /etc/pam.d/vmware-authd to look as follows:
    #%PAM-1.0
    auth       sufficient       /lib/security/pam_unix2.so shadow nullok
    auth       sufficient       /lib/security/pam_nam.so
    auth       required         /lib/security/pam_unix_auth.so shadow nullok
    account    sufficient       /lib/security/pam_unix2.so
    account    sufficient       /lib/security/pam_nam.so
    account    required         /lib/security/pam_unix_acct.so

  2. To get LUM users to authenticate to sudo, edit /etc/pam.d/sudo to look as follows:
    #%PAM-1.0
    auth      sufficient  pam_nam.so
    account   sufficient  pam_nam.so
    password  sufficient  pam_nam.so
    session   optional    pam_nam.so
    auth      include     common-auth
    account   include     common-account
    password  include     common-password
    session   include     common-session

  3. Edit /etc/sudoers (use visudo, which checks the syntax before saving) to grant whatever rights you need.

    For our organization, the only users who will administer this server are the members of the group "LUM-Users", so our sudoers file looks as follows:

    # In the default (unconfigured) configuration, sudo asks for the root password.
    # This allows use of an ordinary user account for administration of a freshly
    # installed system. When configuring sudo, delete the two
    # following lines:
    #Defaults targetpw    # ask for the password of the target user i.e. root
    #ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
    
    # Runas alias specification
    
    # User privilege specification
    root    ALL=(ALL) ALL
    
    # Uncomment to allow people in group wheel to run all commands
    # %wheel        ALL=(ALL)       ALL
    %LUM-Users    ALL=(ALL)       ALL
    # Same thing without a password
    # %wheel        ALL=(ALL)       NOPASSWD: ALL
    
    # Samples
    # %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
    # %users  localhost=/sbin/shutdown -h now
    %hpsmh ALL=NOPASSWD:/etc/init.d/snmpd
    %hpsmh ALL=NOPASSWD:/usr/bin/snmptrap

Environment:

SLES 10, SLED 10, VMWare Server 1.0.1, sudo


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell