Authenticating SUSE Linux Enterprise Server 9 and NLD to eDirectory via LDAP
Novell Cool Solutions: Tip
By Henry Louey
Digg This -
Posted: 23 Feb 2005
This article serves as a guide to help you authenticate SLES9/NLD 9.0 to eDirectory via LDAP. It corrects some of the inaccuracies in the current NLD 9 Implementation guide.
You can also download the article here: http://homepage.mac.com/hlouey/FileSharing55.html
The purpose of this document is to give administrators a step-by-step guide to successfully configure Netware 6.5 so SLES9 and NLD clients can authenticate to eDirectory via LDAP. While this document has been tested only on SLES9 and NLD 9, it should not be too difficult adapt this solution for other Linux distributions.
- Netware 6.5 with Service Pack 2 installed
- LDAP Server on Netware 6.5 configure and running
- ConsoleOne 1.2 or later with the appropriate snap-ins installed
- Appropriate clients installed
- OpenSSL 0.9.6b or later
- OpenLDAP 2.0.25 or later
- Nss_ldap package installed
For this document my Netware 6.5 Server is configured as:
- IP Address -- 10.0.0.253
- LDAP Server and Group Container -- ou=melbourne,o=digitalairlines
Figure 1 - Sample configuration
To minimize pain, make sure SP2 is installed.
Here are the steps to follow for server-side configuration:
1. Create a proxy user for LDAP.
Granted, you should be able to get authentication to work by setting up LDAP access via an anonymous login from the client side. However, I have found this has never successfully parsed back all of the required LDAP attributes from eDirectory to the Linux client.
2. Set a null password for this user and disable password changing.
3. Configure your LDAP Group for use with this proxy user as shown below.
Figure 2 - Proxy user for LDAP Group
4. Make sure your server's LDAP group has an assigned proxy user. Make the proxy user a trustee of [root] and give him Browse [Entry Rights], flag-inheritable.
5. Assign read and compare property rights for the following attributes:
CN Description O OU Object Class dc gecos gidNumber homeDirectory loginshell memberUid uidNumber uniqueID
Figure 3 - Property rights
LDAP User Trustee Assignments
1. Create a group for your UNIX users in eDirectory and add the appropriate settings to the UNIX profile tab.
Figure 4 - UNIX users group
Figure 5 - UNIX users group
2. Make sure your UNIX users are members of this group.
3. Create a user in eDirectory and modify the appropriate UNIX schema objects.
Figure 6 - Modifying eDirectory schema objects
4. When setting up the shell for your UNIX user, make sure the path of the intended shell matches the path that is in the file /etc/shells on your intended Linux client.
In the previous example, when asked to select Login Shell, you would select Other and type /bin/bash for the bourne shell. Leaving the default value for bourne shell in ConsoleOne will return an error at the time of login as its path to the bash shell does not match what is in /etc/shells.
Figure 7 - Login Shell data
5. Make sure your selected UNIX shell is in the above file.
6. Make your user a member of the Unix Group.
A quick way to test that the LDAP server is configured correctly and that your Linux workstation is able to see the correct LDAP attributes for successful authentication is to run the ldapsearch command line utility from your Linux workstation
Run ldapsearch --h 10.0.0.253 --x --b ou=melbourne,o=digitalairlines --s sub ?(cn=geeko1)?
Figure 8 - ldapsearch results
ldapsearch Command-line Arguments
If successful, the command should return the UNIX schema objects from eDirectory. If unsuccessful, eDirectory authentication will not occur, and you'll need to go back and recheck all your eDirectory settings until it works properly.
Figure 9 - Successful search
Notice the gidNumber and uidNumber attributes have been parsed. as well as homeDirectory and loginShell. Congratulations - the hard part is over!
In order to successfully login via LDAP, we now have to set up and configure the LDAP Client and PAM modules on our intended Linux client.
1. In SLES9 and NLD9 go to YAST -> Network Services -> LDAP Client.
Figure 10 - LDAP client configuration
2. In User Authentication, select Use LDAP.
3. Under LDAP Client, enter the full context to where your LDAP server and group objects are located, as well as the IP address of your LDAP Server.
4. Click Advanced Configuration.
Figure 11 - Advanced configuration screen
5. Under User and Group Settings, select Enable LDAP Users to Log In.
6. Under Access to LDAP Server, enter the full context to the container of your LDAP server and the full-distinguished name of your LDAP proxy user.
7. Click Configure User Management Settings.
8. You will be asked for the password of your proxy user. If the password is configured correctly, just press Enter.
9. Click Next twice to configure and exit the LDAP Client setup utility.
Setting Up the pam.d Files
1. Launch an editor with root privileges by pressing Alt-F2 and entering:
Kdesu gedit /etc/pam.d/login
2. Enter the root password.
3. Add the following to the bottom of the file:
session required pam_mkhomedir.so skel=/etc/skel umask=0022
4. Repeat these steps for the /etc/pam.d/xdm and /etc/pam.d/gdm files.
Figure 12 - /etc/pam.d/login
Login via LDAP
If all is well, you should be able to log in with your eDirectory-created objects Appropriate home directories and desktop preference files should be created for you automatically.
Figure 13 - Login successful, with UID and GID variables displayed
Figure 14 - Proof that geeko1 does not exist on the local /etc/passwd file
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com