
How to Configure Linux to Authenticate to eDirectory via LDAP

Novell Cool Solutions: Feature


Posted: 5 Nov 2003

This document describes the steps necessary to configure system authentication of a Linux host to Novell eDirectory over LDAP. The scope of this document covers the configuration of both the Linux host (the LDAP client) and Novell eDirectory (the LDAP server). The result is that system logins on the Linux host are redirected via LDAP to Novell eDirectory.

Linux PAM LDAP Authentication

Many Linux systems use an authentication architecture named Pluggable Authentication Modules (PAM). This architecture provides a flexible authentication model for the system and for PAM-aware applications. Many Linux systems ship with the PAM modules that allow the system to authenticate to an LDAP server such as Novell eDirectory. These modules are provided by PADL Software Pty Ltd.

Two services need to be configured for LDAP authentication to work correctly. First, the system naming service (NSS) needs to be configured to use LDAP to resolve resources such as user and group accounts. For example, if a directory is owned by uid 510, the naming service needs to resolve uid 510 to a user name. Normally this is done by looking up the account in the /etc/passwd file. Since users will now be stored in eDirectory, the system needs to be configured to resolve accounts both in the passwd file and in eDirectory. This functionality is provided by the /usr/lib/ library. The configuration outlined in this document checks the local /etc/passwd file first, so that local accounts such as root still resolve (and still take precedence) even when the LDAP server is unreachable, and then checks the LDAP server.

The second service is authentication itself, the step that actually verifies a user's password against LDAP. As mentioned above, the PAM LDAP module is used to redirect authentication to Novell eDirectory. The /lib/security/ PAM module provides LDAP authentication.

The tested configuration for the LDAP server was Novell eDirectory 8.7 running on Redhat 8.0 Linux. The tested Linux hosts used for LDAP authentication were Redhat 7.2 and Redhat 8.0.

Configuring Novell eDirectory for Linux System Authentication

The schema used for Linux account authentication is defined in RFC 2307. Novell offers schema import files both in traditional eDirectory schema format (.sch) and in LDAP Data Interchange Format (LDIF) that can be used to extend the Novell eDirectory schema. The following steps can be used to extend the schema in your environment:

  1. Login to the Linux host running Novell eDirectory as the root user.
  2. Change to /usr/lib/nds-schema by typing: cd /usr/lib/nds-schema
  3. The rfc2307-usergroup.sch file in this directory (an LDIF equivalent, rfc2307-usergroup.ldif, is also provided) contains the schema required for UNIX and Linux system authentication. Extend the schema with the eDirectory-format file by typing the following, replacing YOUR_TREE with your tree name and ADMIN.FDN with the fully distinguished name of an administrative account: ndssch -h localhost -t YOUR_TREE ADMIN.FDN rfc2307-usergroup.sch
  4. Supply the password for the administrative account you provided.

Creating a Proxy User for Anonymous Binds

  1. Create a new user account and set the password to null. Do not click Cancel when prompted, but click OK so that the Public/Private keys are generated. Anonymous LDAP binds will be performed with this account's rights, so grant it nothing beyond the rights listed below.
  2. Open the properties of the account and under Password Restrictions uncheck the box that says "Allow user to change password".
  3. Right-click the tree root object, select "Trustees of this Object", and give the proxy user Browse entry rights, plus Read and Compare property rights on the following attributes:
     CN
     Object Class
  4. Open the properties of the LDAP Group object of your server and, on the General page, select this new user as the proxy user.
  5. Open the properties of the LDAP Server object and click "Refresh LDAP server" on the General page.

Configuring Novell eDirectory Accounts for Linux Authentication

This section shows how to add the posixAccount auxiliary class to a user account and set the required fields.

  1. Highlight a User account and right-click on it.
  2. Select "Extensions of this Object...".
  3. Click "Add Extension...".
  4. Select posixAccount from the list and click OK.
  5. Press OK on the dialog "Generic Editing..." message to continue.
  6. Fill in the fields listed in the next dialog, named "New posixAccount":

     Field           Purpose                                    Example
     Name            The name of this extension                 posixAccount
     homeDirectory   The user's home directory                  /home/ncurtis
     uniqueID        The unique ID (login name) of the user     ncurtis
     Common Name     Shown as "Other name" in ConsoleOne        Nathan Curtis
     gidNumber       The user's primary GID on Linux            515
     uidNumber       The user's UID on Linux                    515

     One further attribute is required; it is added under the "Other" tab of the object:

     Field           Purpose                                    Example
     loginShell      The user's login shell                     /bin/bash

     The loginShell attribute is required by SUSE Linux for a proper X login.

  7. Click OK to save the changes.
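The ConsoleOne steps above set the posixAccount attributes one user at a time. The following script, added here as an example and not part of the original article or of Novell's tooling, generates the equivalent LDIF so the same change can be applied with ldapmodify, and it also gives a way to verify the proxy-user rights from the earlier section. It assumes the user object's DN is cn=<login> under the ou=users,dc=novell,dc=com search base used later in this article, that eDirectory's LDAP server maps the LDAP uid attribute onto the uniqueID attribute shown in the dialog, and that uidNumber values below 500 are reserved for local system accounts (the Red Hat convention of the period); all three are assumptions, not statements from the page.

```shell
#!/bin/sh
# Added example: build the LDIF that adds posixAccount to an existing
# eDirectory user. Not from the original article.

# Assumed container for user objects (matches the search base used for the
# LDAP clients in this article).
BASE_DN="ou=users,dc=novell,dc=com"

# Assumed policy: uidNumber/gidNumber below this are local system accounts.
# A directory entry with uidNumber 0 would be root on every client host, so
# the generator refuses anything in the reserved range.
MIN_DIRECTORY_ID=500

# posix_ldif LOGIN UIDNUMBER GIDNUMBER [HOME] [SHELL]
# Prints a "changetype: modify" LDIF on stdout. Returns 1 on invalid input.
posix_ldif() {
    login="$1"; uidn="$2"; gidn="$3"
    home="${4:-/home/$login}"; shell="${5:-/bin/bash}"

    # Login name must be a plain POSIX-style account name.
    case "$login" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    # Numeric ids only.
    case "$uidn" in ''|*[!0-9]*) return 1 ;; esac
    case "$gidn" in ''|*[!0-9]*) return 1 ;; esac
    [ "$uidn" -ge "$MIN_DIRECTORY_ID" ] || return 1
    [ "$gidn" -ge "$MIN_DIRECTORY_ID" ] || return 1
    # Home and shell must be absolute paths, as NSS hands them to login.
    case "$home"  in /*) ;; *) return 1 ;; esac
    case "$shell" in /*) ;; *) return 1 ;; esac

    # objectClass is multi-valued, so it is added; the single-valued
    # posixAccount attributes use "replace" so the LDIF also works when
    # ConsoleOne has already set uniqueID (LDAP "uid") on the user.
    cat <<EOF
dn: cn=$login,$BASE_DN
changetype: modify
add: objectClass
objectClass: posixAccount
-
replace: uid
uid: $login
-
replace: uidNumber
uidNumber: $uidn
-
replace: gidNumber
gidNumber: $gidn
-
replace: homeDirectory
homeDirectory: $home
-
replace: loginShell
loginShell: $shell
EOF
}

# When run directly with arguments, emit the LDIF for that user.
if [ $# -ge 3 ]; then
    posix_ldif "$@"
fi
```

Apply the output with OpenLDAP's client over StartTLS, for example `posix_ldif ncurtis 515 515 | ldapmodify -x -Z -H ldap://YOUR_SERVER -D ADMIN_DN -W`. To confirm that the proxy user from the previous section has enough rights for the clients, repeat the lookup anonymously: `ldapsearch -x -Z -H ldap://YOUR_SERVER -b ou=users,dc=novell,dc=com '(uid=ncurtis)' uidNumber gidNumber homeDirectory loginShell` must return the attributes just set, because the Linux clients resolve accounts with exactly that kind of anonymous search.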

Configuring a SUSE Linux Host (LDAP client)

  1. Start the YaST2 Control Center: /sbin/yast2 menu
  2. Select the "Network/Advanced" section and then "LDAP client".
  3. Select "Use LDAP".
  4. Enter the LDAP server in the server field and the search base under which users are located. For example:
    Base DN: ou=users,dc=novell,dc=com
    Addresses of LDAP Servers:
  5. Select LDAP TLS/SSL, so that the simple bind that carries the user's password is not sent in the clear.
  6. Save your changes by clicking Finish.

Configuring a Redhat Linux Host (LDAP client)

The following steps show the easiest way to configure a Redhat Linux host to redirect authentication to LDAP.

  1. Login as root.
  2. From a terminal type: authconfig
  3. On the "User Information Configuration" screen select "Use LDAP"
  4. Select "Use TLS".
  5. Add the LDAP server in the server field and the search base of where users are located. For example:
    Base DN: ou=users, dc=novell,dc=com
  6. Select Next.
  7. The information entered in the previous step is carried over to this screen. Tab through the screen and select OK.
  8. Restart the Linux system, or completely stop X if you are testing graphical logins; Ctrl+Alt+Backspace alone is not enough. Terminal logins should work without rebooting.
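Both YaST2 and authconfig write the same three things described at the start of this article: the naming-service order in /etc/nsswitch.conf, the server, base and TLS settings in the PADL /etc/ldap.conf, and a PAM stack that references the PADL LDAP module. The script below is an added example (not from the original article) that checks those files the way a reviewer would after running either tool. It assumes the PADL layout and option names of the period (ssl start_tls / ssl on, tls_checkpeer yes, a module named pam_ldap.so); the article leaves the module file name blank, so that name is an assumption here. Every check takes the file as a parameter so it can be run against copies of the files offline.

```shell
#!/bin/sh
# Added example: post-configuration checks for an LDAP client host.
# Not from the original article. Paths are passed in, so it can run against
# saved copies of the files as well as the live /etc.

# 1. Naming service: "files" must come before "ldap" so that root and other
#    local accounts still resolve (and win) when the LDAP server is down.
nss_files_then_ldap() {
    db="$1"; conf="$2"
    order=$(sed -n "s/^[[:space:]]*$db:[[:space:]]*//p" "$conf" | head -n 1)
    case "$order" in
        files*ldap*) return 0 ;;
        *)           return 1 ;;
    esac
}

# 2. Read one key from the PADL ldap.conf (first match wins).
ldap_conf_value() {
    key="$1"; conf="$2"
    sed -n "s/^[[:space:]]*$key[[:space:]]\{1,\}//p" "$conf" | head -n 1
}

# 3. A simple bind sends the password in the clear, so the transport must be
#    TLS ("ssl on" or "ssl start_tls") and the server certificate must be
#    verified ("tls_checkpeer yes"), otherwise a spoofed server collects
#    passwords. These option names are the PADL ones (assumed here).
ldap_transport_ok() {
    conf="$1"
    ssl=$(ldap_conf_value ssl "$conf")
    peer=$(ldap_conf_value tls_checkpeer "$conf")
    case "$ssl" in
        on|start_tls) ;;
        *) return 1 ;;
    esac
    [ "$peer" = "yes" ]
}

# 4. PAM: the service file must reference the module on a non-comment line.
pam_has_module() {
    module="$1"; pamfile="$2"
    grep -v '^[[:space:]]*#' "$pamfile" | grep -q "$module"
}

# 5. A passwd-style line, e.g. the output of "getent passwd ncurtis", must
#    carry the posixAccount fields the article fills in: numeric uid and gid,
#    absolute home directory and absolute login shell.
posix_entry_ok() {
    IFS=: read -r name _ uid gid _ home shell <<EOF
$1
EOF
    [ -n "$name" ] || return 1
    case "$uid"   in ''|*[!0-9]*) return 1 ;; esac
    case "$gid"   in ''|*[!0-9]*) return 1 ;; esac
    case "$home"  in /*) ;; *) return 1 ;; esac
    case "$shell" in /*) ;; *) return 1 ;; esac
    return 0
}

# Print PASS/FAIL for one check.
check() {
    name="$1"; shift
    if "$@"; then echo "PASS $name"; else echo "FAIL $name"; fi
}

# report_host NSSWITCH LDAP_CONF PAM_FILE
report_host() {
    nss="$1"; ldap="$2"; pam="$3"
    check "passwd: files before ldap"      nss_files_then_ldap passwd "$nss"
    check "group: files before ldap"       nss_files_then_ldap group "$nss"
    check "ldap.conf: TLS with peer check" ldap_transport_ok "$ldap"
    check "PAM: pam_ldap.so referenced"    pam_has_module pam_ldap.so "$pam"
    echo "search base: $(ldap_conf_value base "$ldap")"
}

# Example invocation on a Redhat host:
#   sh ldapclient-check.sh /etc/nsswitch.conf /etc/ldap.conf /etc/pam.d/system-auth
if [ $# -eq 3 ]; then
    report_host "$1" "$2" "$3"
fi
```

After the checks pass, `getent passwd ncurtis` should return a line that posix_entry_ok accepts, and `id ncurtis` should show the uidNumber and gidNumber set in eDirectory; if getent returns nothing while ldapsearch finds the entry, the proxy user lacks Read rights on the posixAccount attributes.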

Dynamically Creating User Home Directories

If user home directories are to be kept locally on the Linux host, PAM needs to create each user's home directory the first time that user logs in. Without this, a text-based login only produces an error about the missing home directory, but an X session will refuse to start.

The following configures PAM to create user home directories if they do not exist during the login process. For additional information see TID 10067700, "How to create homedirectories on Unix automatically".

SUSE Linux 8.1

1. Open the /etc/pam.d/login file and add the following line above the first session line:

      session       required       /lib/security/ skel=/etc/skel umask=0022

2. Open the /etc/pam.d/xdm file and add the following line above the first session line:

      session       required       /lib/security/ skel=/etc/skel umask=0022

RedHat Linux 7.2 / 8.0

1. Open the /etc/pam.d/system-auth file and add the following line above the first session line:

      session       required       /lib/security/ skel=/etc/skel umask=0022

For details or updates on this tip, see TID 10081706

Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions.

© Copyright Micro Focus or one of its affiliates