Getting Started with PAM Modules
Novell Cool Solutions: Tip
Digg This -
Posted: 15 Dec 2004
A Cool Solutions reader shares with us his experiences in getting started with PAM (Pluggable Authentication Modules) on Linux, for authenticating against eDirectory. If PAM is on the horizon for you, these insights may be helpful as well.
During the past few days I experimented with the PAM modules on Linux as to have users authenticated against eDir 8.7.3; before starting, I carefully read the following:
- TID #10081706 (Configure Linux to Authenticate to eDirectory via LDAP)
- Cool Solutions article "Authenticating Linux to eDirectory via LDAP"
- "Linux Authentication via Novell e-Directory HOWTO"on the Linux Gazette Web site.
I ended up having a nearly complete configuration, although at the minute this is for testing purposes.
Expanding the Schema
One of the first thing I had to do is to expand the eDirectory schema with the rfc2307 extensions as reported by TID #10081706. Next, I installed the UNIX user snapin for ConsoleOne on Windows, namely the c1unx85a.exe file.
It's also necessary to extend the objects that are to get these additional extensions with the posixAccount aux class (for user accounts) or the posixGroup aux class (for group objects). One way to do this is in batch mode, using an LDIF file by modifying the objectClass attribute and then adding the attributes.
After setting up the proxy user, I was able to fire up the Unix User snapin under C1 only to find that the Unix attributes were not editable; I had to add a new group and adding the posixGroup attribute first and then I had to add the posixAccount to every user in the group.
Only after performing the above steps I was able to get the UnixUser snapin to work as expected.
Then I wondered about having to perform the above posixAccount configuration for every user in a given group manually. Is there a way to have it done by the system automatically? Fortunately, for automation of this process, there is the LUM (Linux User Management) component of NNLS. Basically, it lets you create Linux User objects in eDirectory for Windows users who access Samba file services. And it lets you require PAM users on the NNLS server to authenticate through eDirectory.
Here are some documentation links on PAM and LUM that may be helpful to you.
Linux User Management Overview:http://www.novell.com/documentation/nnls/index.html?page=/documentation/nnls/labguide/data/bov1dq9.html
Custom installation configurations:
Other Configuration Notes
The article on LinuxGazette that suggests the mapping of the following LDAP<->NDS attributes:
LDAP Attr - NDS Attr
loginShell - loginShell
uidNumber - uidNumber
gidNumber - gidNumber
The system hosting eDir 8.7.3 was a SUSE Linux Prof 9.0 and I used the same box as the client for LDAP/PAM auth against eDirectory.
I found that the "getent" utility is very useful when you want to check if a given user is actually looked up in eDirectory.
Using Yast I was able to configure the ldap.conf (don't forget the "pam_password nds" line) and nsswitch.conf files. In minutes I was able to get eDirectory users logged into Linux.
I have to admit that the above Linux box has been "stressed up" with a lot of tests, so it might not be the ideal box for a good test. I have yet to experiment with the above configuration and play with the various settings in ConsoleOne. I'd like to try configuring things such as the periodic change of password, the period where an eDirectory user is allowed to log in to Linux, and so on.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com