Configuring Linux and Squid for LDAP authentication to eDirectory
Novell Cool Solutions: Trench
Posted: 21 Jul 2003
Q. How do you configure Linux for LDAP authentication to NDS?
A. The following steps are required. This has only been tested on RedHat Linux, but I'm sure you can apply the same steps to other Unix systems.
What we used:
RedHat 7.1 machine, running 2.4.9-34smp kernel. The relevant openssl and ldap libraries installed were:
These were just standard RedHat rpms.
What we did:
We don't know if all of these steps are necessary, but these are the things we did and it works :-)
1. Download the RootCert.der from z: of a Novell server
2. Convert the Novell root certificate using the command:
openssl x509 -in /root/RootCert.der -inform DER -out /root/RootCert.pem -outform PEM
3. In the openssl.cnf (on my system in /usr/share/ssl)
- set the value certificate to point to the RootCert.pem (certificate being the CA certificate)
- set my private key to be the same certificate. (not sure if that's correct though)
4. Create a secure tunnel connection using the command:
/usr/sbin/stunnel -c -r 188.8.131.52:636 -d 389
5. Most systems have a default ldap.conf (/etc/ldap.conf). There's also one in /etc/openldap/ldap.conf. We didn't know which one to use, so we made one a symbolic link to the other. Pretty much left everything else as the default settings. Here are the relevant ones. If you don't have an ldap.conf at all, just put these settings in a file:
- host 127.0.0.1
- base o=curtin
- port 389
- pam_login_attribute cn <---- this is the important one
- If there are any ssl or sasl options in your ldap.conf, set them to yes.
This completed the configuration for the OS.
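A check worth running after steps 2 and 4, given here as an added example that is not part of the original article: it confirms that RootCert.pem holds the same certificate as RootCert.der, and that the certificate presented on the LDAPS port chains to that root. The function names are hypothetical, and the file paths and host:port are passed in as arguments.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are
# hypothetical; every path and the host:port are supplied by the caller.

# Step 2 of the article: convert the DER root certificate to PEM.
convert_root_cert() {    # $1 = DER input, $2 = PEM output
    openssl x509 -in "$1" -inform DER -out "$2" -outform PEM
}

# Print the SHA-256 fingerprint of a certificate.
cert_fingerprint() {     # $1 = file, $2 = DER or PEM
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256
}

# Succeed only if the PEM file holds the same certificate as the DER file.
same_cert() {            # $1 = DER file, $2 = PEM file
    der_fp=$(cert_fingerprint "$1" DER) || return 1
    pem_fp=$(cert_fingerprint "$2" PEM) || return 1
    [ -n "$der_fp" ] && [ "$der_fp" = "$pem_fp" ]
}

# Save the certificate a TLS server presents (needs network access).
fetch_server_cert() {    # $1 = host:port, $2 = PEM output
    openssl s_client -connect "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM -out "$2"
}

# Succeed only if the server certificate chains to the converted root.
# The output is matched instead of the exit status because older
# OpenSSL releases exit 0 from "verify" even when validation fails.
chains_to_root() {       # $1 = root PEM, $2 = server certificate PEM
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}
```

Typical use is `same_cert /root/RootCert.der /root/RootCert.pem`, then `fetch_server_cert` against the server's port 636 and `chains_to_root` on the saved file, before the tunnel is trusted with passwords.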
1. Modify a few /etc/squid/squid.conf lines for the authentication stuff:
- authenticate_program /usr/lib/squid/pam_auth
- acl password proxy_auth REQUIRED
- modify the http_access lines in squid.conf to allow only authenticated people:
  http_access allow password
  http_access deny all
2. Create the file /etc/pam.d/squid
- auth required /lib/security/pam_ldap.so
- account required /lib/security/pam_ldap.so
3. Restart squid and log in!
Special thanks to Alison Smith from Electrical and Computer Engineering for her work on this.
For updates and changes, check the original source of this information at http://novell.curtin.edu.au/faq/ldap4lnx.html
You can find more of these gold nuggets on the Curtin University of Technology site at: http://novell.curtin.edu.au/faq/
This information has been created for use by Curtin University of Technology ("Curtin").
Curtin has taken care in the preparation of the content of the content in question ("The Material"). The Material is provided "as is".
Curtin does not assume and makes no warranty, representation, or guarantee whether express or implied in respect of:
- the contents, accuracy, completeness or use of any of the information contained in the Material or contents of the Material;
- any errors, omissions or inaccuracies of any of the information contained in the Material or contents of the Material; or
- any of the information contained in the Material or that the contents of the Material can be relied upon for any reason; or
- any of the information will be error free, free from defects or fit for particular purpose; or
- that any liability or damage to your computer hardware, software, data, information, materials or business could arise or result from the use of the Materials.
Curtin shall not be liable for any losses or damages whatsoever, direct or indirect (including without limitation, consequential losses, loss of revenue, loss of profits, loss or destruction of data or otherwise) whether in contract, tort, negligence or otherwise from the use of, or the reliance on the information contained in the Material or contents of the Material.