Solaris 8 LDAP Authentication via eDirectory: Configuration Notes

Novell Cool Solutions: Trench
By Ryan Anderson

Digg This - Slashdot This

Posted: 2 Feb 2004

I found all existing eDirectory documentation, Cool Solutions, TIDs, and AppNotes lacking in information on how to get Solaris 8 clients working with eDirectory 8.7.1/3. Here's how I did it.

These instructions will allow you to authenticate Solaris 8 hosts to use LDAP authentication from eDirectory 8.7.x. Linux clients can authenticate using these instructions except using their pre-built rpm with the Padl Ltd LDAP libraries and the same ldap.conf below.

Important: All Solaris login binaries (telnet, ftp, etc) use PAM authentication fine, but if you use OpenSSH or any application using the name service, they may need to be re-compiled with the --with-pam option before working with LDAP authentication.

Modify the LDAP Group Object in eDirectory

Find the container with the server objects, and find the object labeled:
'LDAP Group - <hostname of master>'

Rename it to something more all-encompassing, as this LDAP server group will be the LDAP group for all servers and clients

Create a proxy user in eDirectory with a null password to be used by the LDAP group later. From a container at or above where users are kept, give inheritable rights to Read and Compare:
CN
Description
O
Object Class
dc
gecos
gidNumber
homeDirectory
loginShell
memberUID
uidNumber
uniqueID
Add browse rights to:
[Entry Rights]

Right-click the LDAP Group object and:
1. Make the proxy user you created the 'Proxy Username' in the General tab.
  * This is the username anonymous requests will be made as
2. Add any servers in the same workforce tree into the Server List tab.
3. Under the Class Mappings tab, add mappings for:
  posixAccount <--> posixAccount
  shadowAccount <--> shadowAccount
  posixGroup <--> posixGroup

Open 'LDAP Server - <hostname>' for each LDAP server.
1. SSL/TLS Configuration --> Select SSL Certificate DNS
  for 'Server Certificate' (should be the default already)
2. Click 'Refresh NLDAP Server Now' to make sure changes apply

Compile and Configure the PADL Open Source Libraries

These instructions apply to Solaris only; Linux already comes with the Padl libraries by default, so we will use them instead. However, the /etc/ldap.conf is the same on each platform

For Solaris, I put LDAP software into /opt/ldap so it does not clobber Sun's software, or get lost in /usr/lib. I then make links in /usr/lib, but you can do it however you choose.

Quick tutorial: nss_ldap is a replacement name service switch library that comes with Solaris. On Linux the included one is what we will use, it comes from PADL also. nss_ldap simply maps UIDs to names from LDAP in the same way /usr/lib/nss_nis.so maps UIDs and names from NIS. When you do 'ls -l' in a directory, the OS knows to look in the naming services listed in nsswitch.conf, and if it has 'ldap' listed after the 'passwd' entry, it will query /usr/lib/nss_ldap.so, which in turn looks at its config in /etc/ldap.conf to look to the LDAP server you specify to get UID to name mapping; NO AUTHENTICATION.

Download openssl-0.9.7c (openssl.org), openldap-1.2.23 (openldap.org), pam_ldap-1.66, and nss_ldap-212 (padl.com)

Get the right tools: A recent gcc compiled on the OS you are compiling on (I used 3.2.3; the compile will fail if you use gcc compiled on Solaris 2.6 on Solaris 8), gnu m4, gnu make, perl, autoconf 1.6.

Fix the gotchas:
1. Temporarily rename /usr/lib/libldap.so.4 during compilation so you don't link against it (it doesn't work w/eDir)
2. You must rename /usr/ccs/bin/m4, then make a sym-link from /usr/ccs/bin/m4 to gnu m4: cd /usr/ccs/bin; ln -s /usr/local/bin/m4
* Fix these when done compiling

Set your PATH to be: <path to gcc>:<path to gnu tools>:/usr/ccs/bin:$PATH

Set gcc env variables to compile everthing in 32-bit mode: export CFLAGS="-mcpu=v7 -m32" export LDFLAGS="-mcpu=v7 -m32"

Compile openssl:
1. untar openssl into /var/tmp/ossl, then cd into it
2. ./Configure --prefix=/var/tmp/ossl solaris-sparcv9-gcc
3. make depend
4. make
5. make install
6. copy /var/tmp/ossl/bin/openssl to /opt/ldap/bin

Setup shell environment in preparation for openldap:
1. unset LD_LIBRARY_PATH
2. export CPPFLAGS="-I/var/tmp/ossl/include"
3. export LDFLAGS="$LDFLAGS -L/var/tmp/ossl/lib"
4. Fix your PATH to remove any instance of 'cc'. OpenLDAP will use 'cc' even if gcc is in your path first!

Compile openldap-2.1.23:
1. cd <temp dir w/openldap>
2. ./configure --prefix=/opt/ldap --enable-syslog --disable-slapd \ --with-tls
3. make
4. make depend
5. make install
NOTE: If you get errors about not finding a valid TLS/SSL library, its probably because its trying to compile 64-bit! Make sure you still have the 32-bit env vars from step 5.

Rename all occurrences of 'pam_ldap' or 'nss_ldap' in the pam_ldap and nss_ldap source files to pam_nldap and nss_nldap (or whatever) so that the files when compiled don't clobber files by the same name that are part of Solaris.
1. cd <dir w/pam_ldap-166>
2. Run this shell script:
  FILES=`ls`
  for file in $FILES; do
  perl -p -i.sav -e "s:nss_ldap:nss_nldap:g" $file
  perl -p -i.sav -e "s:pam_ldap:pam_nldap:g" $file
  done
3. Rename pam_ldap.* files to pam_nldap.* (or whatever)
4. cd <dir w/nss_ldap 2.12>
5. Run the same shell script after doing: FILES=`ls`
6. Rename nss_ldap.spec to nss_nldap.spec

Compile pam_ldap 1.66:
1. Reset your shell to have the same environmental variables from step 5
2. cd <dir w/pam_ldap-166>
3. ./configure --prefix=/opt/ldap --enable-debug --with-ldap-dir=\ /opt/ldap --with-ldap-lib=openldap
4. make
5. Do 'ldd pam_nldap.so' and verify its linked correctly.
6. su -c "make install"

Compile nss_ldap 2.12:
1. cd <dir w/nss_ldap-212>
2. ./configure --prefix=/opt/ldap --enable-debug --with-ldap-dir= \
3. make
4. su -c "make install"

Make Links

Make the following sym links:

/usr/lib/nss_nldap.so.1	->	/opt/ldap/lib/nss_nldap.so.1
/usr/lib/nss_nldap.so	->	/usr/lib/nss_nldap.so.1
/usr/lib/security/pam_nldap.so.1	->	/opt/ldap/lib/nss_nldap.so.1
/usr/lib/security/pam_nldap.so	->	/usr/lib/security/pam_nldap.so.1

Set up the /etc/ldap.conf file

On Solaris and Linux the contents are the same. Contents of the file:

*******************************************************
# @(#)Id: ldap.conf.nldap,v 1.5 2004/01/12 20:36:24 andersrc Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library (nss_ldap) and the LDAP PAM module (pam_ldap).
# PADL Software http://www.padl.com

# LDAP servers
host server1 server2 

# The distinguished name of the search base.
base ou=FOO,o=BAR

ldap_version 3

# The search scope. Options are: sub, one, base
scope sub

# These were changed from the defaults for fast failover
timelimit 10
bind_timelimit 1

# Applies to SunONE only
pam_lookup_policy no

# Filter to AND with uid=%s
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute member

# RFC2307bis naming contexts
# NOTE: must compile nss_ldap.so with --enable-rfc2307bis to use this! 
#
# Unix sysadmins are a member of group 'admin'; entry belongs on every
# system regardless of NIS domain. This is optional.
nss_base_passwd		ou=FOO,o=BAR?sub?groupMembership=cn=admin,ou=FOO,o=BAR
# Group users are in; try to make group name the same as `domainname`
nss_base_passwd		ou=FOO,o=BAR?sub?groupMembership=cn=usersgrp,ou=FOO,o=BAR
# Where the groups are
nss_base_group		ou=FOO,o=BAR?one

# attribute/objectclass mapping
# Suggested (not required) for NDS
nss_map_attribute uniqueMember member

# TLS/SSL settings
tls_ciphers TLSv1
ssl on
*******************************************************

Set Up the /etc/pam.conf File on Solaris

No two pam.conf files are the same, and none that I've seen get you the same behavior as the Solaris default (ie, three failed attempts, then kicks you off).
I'm not including one here, so look for one online or make your own. Your basically going to have to add entries like this:

other auth sufficient	pam_unix.so.1
other auth optional	pam_nldap.so.1 use_first_pass
#
other account sufficient	pam_unix.so.1
other account required	pam_nldap.so.1
#
other session required	pam_unix.so.1
#
other password required	pam_unix.so.1
other password optional	pam_nldap.so.1

BTW: Since 'other' covers all services not explicitly defined, the above is a working pam.conf

Change /etc/nsswitch.conf File

passwd: files nldap [NOTFOUND=return] nis

group: files nldap [NOTFOUND=return] nis

Make a Solaris Package

If you are going to use LDAP authentication on more than a couple Sun systems, make a Solaris package:

Copy all files in /opt/ldap into /opt/pkg/opt/ldap

Copy your example nsswitch.conf, pam.conf, and ldap.conf to /opt/pkg/etc with .nldap appended to their name. Also add /usr/lib links in /opt/pkg/usr/lib.

Make a pkginfo file in /opt/pkg with at least the following:
PKG=<package name; ie corpldap>
NAME=<short name; ie "LDAP client files">
ARCH=sparc
VERSION=1.0
CATEGORY=system

Create a prototype file into /opt/pkg:
1. find /opt/pkg -print | pkgproto > /opt/pkg/prototype
2. Edit prototyp to include: i pkginfo as the first line
3. Change the three fields after existing paths (ie /etc) to ? ? ?
4. Edit ownership and modes accordingly
Build the package:
1. pkgmk -o -r . -d /var/tmp -f prototype
2. pkgtrans -s /var/tmp CORPldap_SunOS5.8.pkg

Add Unix Users or Groups into eDirectory or Add Unix Attributes to Existing Users or Groups

User:

Remove the Unix snap-in from ConsoleOne; it doesn't work well

Create the user in ConsoleOne as is normally done.

Right-click the user object --> Extensions of this Object...

Add Extension... --> Select posixAccount. A 'Generic editing' pop-up will display say, just click OK. It means there is no Unix snap-in

Enter the following:

Name:	posixAccount
homeDirectory:	/home/<username>
(Create home directory from Unix and update NIS auto.home!)
uniqueID:	<username>
Common Name:	<username>
gidNumber:	<default gid number>
uidNumber:	<uid number>
Then click OK

Right-click the user object again --> Extensions of this Object...

Add Extension... --> shadowAccount. A 'Generic editing' pop-up, click OK

Enter the following:

Name: shadowAccount

uniqueID: <username>
Then click OK
You then have to go to the 'Other' tab for the user and add the following attributes:
gecos: <full name>
loginShell: /bin/bash (or whatever)

You can also update an existing user with Unix attributes with an LDIF file and this command:
ldapmodify -r -D cn=admin,ou=FOO,o=BAR -W -h <server> -f <ldif file>

LDIF file contents:
dn: cn=<username>,ou=FOO,o=BAR
changetype: modify
-
add: objectClass
objectClass: posixAccount
-
add: objectClass
objectClass: shadowAccount
-
add: uidNumber
uidNumber: <uid number>
-
add: gidNumber
gidNumber: <gid number>
-
add: gecos
gecos: <gecos>
-
add: homeDirectory
homeDirectory:/home/<username>
-
add: loginShell
loginShell:/bin/csh

* On a Solaris/Linux eDirectory server, its preferable to use the included 'ice' command to do the same thing (man ice)

Group:

Create a group object as is normally done

In ConsoleOne, right-click the group object --> Extensions of this object.. --> Add Extension... --> posixGroup (ignore the pop-up;click OK)

Enter the following:

Name: posixGroup

Common Name: <name of group>

gidNumber: <gid>

Then click OK
If a user has this GID as their default, nothing else needs to be done to associate them with this group. If you want to add a user to the group, you will need to add them in the Members tab in ConsoleOne.
On Unix, do 'groups' to verify they are in the group.