Solaris 8 LDAP Authentication via eDirectory: Configuration Notes
Novell Cool Solutions: Trench
By Ryan Anderson
Posted: 2 Feb 2004
I found all existing eDirectory documentation, Cool Solutions, TIDs, and AppNotes lacking in information on how to get Solaris 8 clients working with eDirectory 8.7.1/3. Here's how I did it.
These instructions will allow Solaris 8 hosts to authenticate via LDAP against eDirectory 8.7.x. Linux clients can authenticate using these instructions too, except that they use their distribution's pre-built rpm of the PADL Ltd LDAP libraries together with the same ldap.conf below.
Important: All Solaris login binaries (telnet, ftp, etc.) use PAM authentication fine, but OpenSSH or any other application that uses the name service may need to be re-compiled with the --with-pam option before it works with LDAP authentication.
Modify the LDAP Group Object in eDirectory
- Find the container with the server objects, and find the object labeled 'LDAP Group - <hostname of master>'. Rename it to something more all-encompassing, as this LDAP group will be the LDAP group for all servers and clients.
- Create a proxy user in eDirectory with a null password to be used by the LDAP group later. From a container at or above where users are kept, give the proxy user inheritable Read and Compare rights to these attributes:
CN
Description
O
Object Class
dc
gecos
gidNumber
homeDirectory
loginShell
memberUID
uidNumber
uniqueID
Also give it Browse rights to [Entry Rights].
- Right-click the LDAP Group object and:
- Make the proxy user you created the 'Proxy Username' in the General tab. This is the username anonymous requests will be made as.
- Add any servers in the same workforce tree into the Server List tab.
- Under the Class Mappings tab, add mappings for:
posixAccount <--> posixAccount
shadowAccount <--> shadowAccount
posixGroup <--> posixGroup
- Open 'LDAP Server - <hostname>' for each LDAP server:
- SSL/TLS Configuration --> Select SSL Certificate DNS for 'Server Certificate' (should be the default already)
- Click 'Refresh NLDAP Server Now' to make sure the changes apply
Compile and Configure the PADL Open Source Libraries
- These instructions apply to Solaris only; Linux already comes with the Padl libraries by default, so we will use them instead. However, the /etc/ldap.conf is the same on each platform
- For Solaris, I put LDAP software into /opt/ldap so it does not clobber Sun's software, or get lost in /usr/lib. I then make links in /usr/lib, but you can do it however you choose.
- Quick tutorial: nss_ldap is a replacement for the name service switch library that comes with Solaris (on Linux we use the included one, which also comes from PADL). nss_ldap simply maps UIDs to names from LDAP, in the same way /usr/lib/nss_nis.so maps UIDs and names from NIS. When you do 'ls -l' in a directory, the OS knows to look in the naming services listed in nsswitch.conf; if 'ldap' is listed after the 'passwd' entry, it queries /usr/lib/nss_ldap.so, which in turn reads its config in /etc/ldap.conf to find the LDAP server you specify and get the UID-to-name mapping. This is name lookup only; NO AUTHENTICATION.
pam_ldap.so is a replacement pluggable authentication module (PAM) library that replaces the one on Solaris at /usr/lib/security. Its sole job is to provide authentication. It too reads /etc/ldap.conf to know what server(s) to authenticate to.
- Download openssl-0.9.7c (openssl.org), openldap-2.1.23 (openldap.org), pam_ldap-1.66, and nss_ldap-212 (padl.com)
- Get the right tools: a recent gcc compiled on the OS you are compiling on (I used 3.2.3; the compile will fail if you use a gcc compiled on Solaris 2.6 on Solaris 8), gnu m4, gnu make, perl, autoconf 1.6.
- Fix the gotchas:
- Temporarily rename /usr/lib/libldap.so.4 during compilation so you don't link against it (it doesn't work with eDir).
- You must rename /usr/ccs/bin/m4, then make a sym-link from /usr/ccs/bin/m4 to gnu m4: cd /usr/ccs/bin; ln -s /usr/local/bin/m4
- Set your PATH to be: <path to gcc>:<path to gnu tools>:/usr/ccs/bin:$PATH
- Set gcc env variables to compile everything in 32-bit mode: export CFLAGS="-mcpu=v7 -m32"; export LDFLAGS="-mcpu=v7 -m32"
- Compile openssl:
- untar openssl into /var/tmp/ossl, then cd into it
- ./Configure --prefix=/var/tmp/ossl solaris-sparcv9-gcc
- make depend
- make
- make install
- copy /var/tmp/ossl/bin/openssl to /opt/ldap/bin
- Setup shell environment in preparation for openldap:
- unset LD_LIBRARY_PATH
- export CPPFLAGS="-I/var/tmp/ossl/include"
- export LDFLAGS="$LDFLAGS -L/var/tmp/ossl/lib"
- Fix your PATH to remove any instance of 'cc'. OpenLDAP will use 'cc' even if gcc is in your path first!
- Compile openldap-2.1.23:
- cd <temp dir w/openldap>
- ./configure --prefix=/opt/ldap --enable-syslog --disable-slapd --with-tls
- make
- make depend
- make install
- Rename all occurrences of 'pam_ldap' or 'nss_ldap' in the pam_ldap and nss_ldap source files to pam_nldap and nss_nldap (or whatever) so that the files, when compiled, don't clobber files by the same name that are part of Solaris.
- cd <dir w/pam_ldap-166>
- Run this shell script (both substitutions in one perl pass, so the .sav backup keeps the untouched original; subdirectories are skipped):
FILES=`ls`
for file in $FILES; do
    [ -f "$file" ] || continue
    perl -p -i.sav -e "s:nss_ldap:nss_nldap:g; s:pam_ldap:pam_nldap:g" $file
done
- Rename pam_ldap.* files to pam_nldap.* (or whatever)
- cd <dir w/nss_ldap 2.12>
- Run the same shell script after doing: FILES=`ls`
- Rename nss_ldap.spec to nss_nldap.spec
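The renaming step above is done by hand in two places (contents, then file names). The script below is an added example, not part of the article, that does both passes over a source tree in one go: it rewrites file contents that mention pam_ldap/nss_ldap, keeps a .sav copy of each file it changed (as the author's perl -i.sav did), and renames any file whose own name carries the old name. It uses sed rather than perl so it runs on a bare Solaris or Linux box; the directory layout it is run against is whatever you untarred.

```shell
#!/bin/sh
# Added example (not from the original article): rename every occurrence of
# pam_ldap/nss_ldap in a PADL source tree to pam_nldap/nss_nldap, and rename
# the files themselves, so the build cannot clobber Sun's own libraries.

# rename_ldap_sources DIR : rewrite contents and file names below DIR.
# Existing .sav backups and directories are left alone.
rename_ldap_sources() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    find "$dir" -type f ! -name '*.sav' | while read -r f; do
        # Rewrite the contents only when the file actually mentions one of
        # the names; untouched files keep their timestamps.
        if grep -q -E 'nss_ldap|pam_ldap' "$f"; then
            cp "$f" "$f.sav"
            sed -e 's/nss_ldap/nss_nldap/g' -e 's/pam_ldap/pam_nldap/g' "$f.sav" > "$f"
        fi
        # Rename the file itself if its name carries the old library name.
        base=$(basename "$f")
        case $base in
            *nss_ldap*|*pam_ldap*)
                new=$(printf '%s' "$base" | sed -e 's/nss_ldap/nss_nldap/g' -e 's/pam_ldap/pam_nldap/g')
                mv "$f" "$(dirname "$f")/$new"
                ;;
        esac
    done
}

# Usage, from the directory that holds the untarred sources:
#   rename_ldap_sources ./pam_ldap-166
#   rename_ldap_sources ./nss_ldap-212
```

Run it once per source tree before ./configure; because it skips *.sav files and only touches files that still mention the old names, running it a second time is harmless.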
- Compile pam_ldap 1.66:
- Reset your shell to have the same environment variables from the 'Setup shell environment' step above
- cd <dir w/pam_ldap-166>
- ./configure --prefix=/opt/ldap --enable-debug --with-ldap-dir=/opt/ldap --with-ldap-lib=openldap
- make
- Do 'ldd pam_nldap.so' and verify it's linked correctly (against the OpenLDAP and OpenSSL libraries you just built, not Sun's /usr/lib/libldap.so.4).
- su -c "make install"
- Compile nss_ldap 2.12:
- cd <dir w/nss_ldap-212>
- ./configure --prefix=/opt/ldap --enable-debug --with-ldap-dir= \
- make
- su -c "make install"
Make Links
- Make the following sym links:
/usr/lib/nss_nldap.so.1 -> /opt/ldap/lib/nss_nldap.so.1
/usr/lib/nss_nldap.so -> /usr/lib/nss_nldap.so.1
/usr/lib/security/pam_nldap.so.1 -> /opt/ldap/lib/pam_nldap.so.1
/usr/lib/security/pam_nldap.so -> /usr/lib/security/pam_nldap.so.1
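The link table above is easy to get wrong by one character, and a dangling or mis-pointed link only shows up later as a login that silently falls through to the next PAM module. The script below is an added example, not the article's own, that creates the four links under a root directory and then verifies each one resolves to a real file. Passing an empty root does the real thing on the host; passing a scratch directory lets you check the table before touching /usr/lib. Library paths are the ones given in the article.

```shell
#!/bin/sh
# Added example (not from the original article): create the nss_nldap and
# pam_nldap links and verify they resolve. ROOT is "" for the live system or a
# scratch directory for a dry run.

# link_ldap_libs ROOT : create the four links from the "Make Links" step.
link_ldap_libs() {
    root=$1
    mkdir -p "$root/usr/lib/security"
    ln -sf "$root/opt/ldap/lib/nss_nldap.so.1" "$root/usr/lib/nss_nldap.so.1"
    ln -sf nss_nldap.so.1 "$root/usr/lib/nss_nldap.so"
    ln -sf "$root/opt/ldap/lib/pam_nldap.so.1" "$root/usr/lib/security/pam_nldap.so.1"
    ln -sf pam_nldap.so.1 "$root/usr/lib/security/pam_nldap.so"
}

# check_ldap_links ROOT : return 0 if every link exists and resolves to a real
# file, 1 otherwise. A dangling link is what you get from a mistyped target
# path or from running this before 'make install' put the libraries in place.
check_ldap_links() {
    root=$1
    rc=0
    for l in /usr/lib/nss_nldap.so.1 /usr/lib/nss_nldap.so \
             /usr/lib/security/pam_nldap.so.1 /usr/lib/security/pam_nldap.so; do
        if [ ! -L "$root$l" ]; then
            echo "missing link: $root$l" >&2; rc=1
        elif [ ! -e "$root$l" ]; then
            echo "dangling link: $root$l" >&2; rc=1
        fi
    done
    return $rc
}

# Usage on the live system (as root), after 'make install' of both modules:
#   link_ldap_libs "" && check_ldap_links "" && echo "links OK"
```

After the check passes, 'ldd /usr/lib/security/pam_nldap.so' should still be run by hand, since a link that resolves says nothing about which libldap the module was built against.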
Set up the /etc/ldap.conf file
On Solaris and Linux the contents are the same. Contents of the file:
*******************************************************
# @(#)Id: ldap.conf.nldap,v 1.5 2004/01/12 20:36:24 andersrc Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library (nss_ldap) and the LDAP PAM module (pam_ldap).
# PADL Software http://www.padl.com

# LDAP servers
host server1 server2

# The distinguished name of the search base.
base ou=FOO,o=BAR

ldap_version 3

# The search scope. Options are: sub, one, base
scope sub

# These were changed from the defaults for fast failover
timelimit 10
bind_timelimit 1

# Applies to SunONE only
pam_lookup_policy no

# Filter to AND with uid=%s
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute member

# RFC2307bis naming contexts
# NOTE: must compile nss_ldap.so with --enable-rfc2307bis to use this!
#
# Unix sysadmins are a member of group 'admin'; entry belongs on every
# system regardless of NIS domain. This is optional.
nss_base_passwd ou=FOO,o=BAR?sub?groupMembership=cn=admin,ou=FOO,o=BAR
# Group users are in; try to make group name the same as `domainname`
nss_base_passwd ou=FOO,o=BAR?sub?groupMembership=cn=usersgrp,ou=FOO,o=BAR
# Where the groups are
nss_base_group ou=FOO,o=BAR?one

# attribute/objectclass mapping
# Suggested (not required) for NDS
nss_map_attribute uniqueMember member

# TLS/SSL settings
tls_ciphers TLSv1
ssl on
*******************************************************
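Because this one file drives both name lookup and authentication on every client, it is worth checking before it is packaged out to a fleet. The script below is an added example, not part of the article: a small lint for /etc/ldap.conf that strips comments, keeps the last value of each directive, and refuses a file that lacks the servers, search base, bind timeout, a pam_filter restricted to posixAccount, or 'ssl on' (without which simple binds, and so user passwords, cross the wire in clear). The sample it writes is a constructed copy of the article's settings; the directive names are the ones in the file above.

```shell
#!/bin/sh
# Added example (not from the original article): lint /etc/ldap.conf as read
# by nss_ldap and pam_ldap.

# sample_ldap_conf FILE : write a constructed config modelled on the article's.
sample_ldap_conf() {
    cat > "$1" <<'EOF'
# constructed sample, modelled on the article's /etc/ldap.conf
host server1 server2
base ou=FOO,o=BAR
ldap_version 3
scope sub
timelimit 10
bind_timelimit 1
pam_lookup_policy no
pam_filter objectclass=posixAccount
pam_login_attribute uid
nss_base_passwd ou=FOO,o=BAR?sub?groupMembership=cn=usersgrp,ou=FOO,o=BAR
nss_base_group ou=FOO,o=BAR?one
nss_map_attribute uniqueMember member
tls_ciphers TLSv1
ssl on
EOF
}

# ldap_conf_get FILE KEY : print the value of KEY (last occurrence wins);
# prints nothing when the key is absent. Comments and blank lines are skipped.
ldap_conf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == key { v = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", v) }
        END { if (v != "") print v }' "$1"
}

# check_ldap_conf FILE : 0 if the file has everything a client needs,
# 1 (with the problems on stderr) otherwise.
check_ldap_conf() {
    f=$1; rc=0
    for k in host base pam_filter bind_timelimit; do
        [ -n "$(ldap_conf_get "$f" "$k")" ] || { echo "$f: '$k' not set" >&2; rc=1; }
    done
    # The simple bind carries the user's password; insist on LDAPS.
    [ "$(ldap_conf_get "$f" ssl)" = "on" ] || { echo "$f: 'ssl on' not set; binds would be cleartext" >&2; rc=1; }
    # Only entries that carry Unix attributes should be able to log in.
    case $(ldap_conf_get "$f" pam_filter) in
        *posixAccount*) ;;
        *) echo "$f: pam_filter does not restrict logins to posixAccount" >&2; rc=1 ;;
    esac
    return $rc
}

# Usage on a client:  check_ldap_conf /etc/ldap.conf && echo "ldap.conf OK"
```

The lint deliberately takes the last value of a repeated directive, which is how a stray second 'ssl off' appended at the bottom of the file would win; a key that is set twice is the first thing to look for when the check fails unexpectedly.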
Set Up the /etc/pam.conf File on Solaris
- No two pam.conf files are the same, and none that I've seen get you the same behavior as the Solaris default (ie, three failed attempts, then it kicks you off).
- I'm not including one here, so look for one online or make your own. You're basically going to have to add entries like this:
other auth sufficient pam_unix.so.1
other auth optional pam_nldap.so.1 use_first_pass
#
other account sufficient pam_unix.so.1
other account required pam_nldap.so.1
#
other session required pam_unix.so.1
#
other password required pam_unix.so.1
other password optional pam_nldap.so.1
- BTW: Since 'other' covers all services not explicitly defined, the above is a working pam.conf
Change /etc/nsswitch.conf File
- passwd: files nldap [NOTFOUND=return] nis
- group: files nldap [NOTFOUND=return] nis
Make a Solaris Package
If you are going to use LDAP authentication on more than a couple of Sun systems, make a Solaris package:
- Copy all files in /opt/ldap into /opt/pkg/opt/ldap
- Copy your example nsswitch.conf, pam.conf, and ldap.conf to /opt/pkg/etc with .nldap appended to their name. Also add /usr/lib links in /opt/pkg/usr/lib.
- Make a pkginfo file in /opt/pkg with at least the following:
PKG=<package name; ie corpldap>
NAME=<short name; ie "LDAP client files">
ARCH=sparc
VERSION=1.0
CATEGORY=system
- Create a prototype file in /opt/pkg:
- find /opt/pkg -print | pkgproto > /opt/pkg/prototype
- Edit prototype to include 'i pkginfo' as the first line
- Change the three fields after existing paths (ie /etc) to ? ? ?
- Edit ownership and modes accordingly
- Build the package:
- pkgmk -o -r . -d /var/tmp -f prototype
- pkgtrans -s /var/tmp CORPldap_SunOS5.8.pkg
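The prototype edits above (put 'i pkginfo' first, turn the mode/owner/group of directories that already exist on every host into '? ? ?', fix the rest by hand) are the step most often skipped, and skipping the '? ? ?' part means pkgadd resets the ownership and mode of /etc, /usr/lib or /opt to whatever the staging tree happened to have. The filter below is an added example, not the article's own, that applies those edits to the raw pkgproto output: it also strips the staging prefix so that 'pkgmk -r /opt/pkg' finds the files under their install paths. The list of pre-existing system directories is this example's assumption; extend it for anything else the package touches.

```shell
#!/bin/sh
# Added example (not from the original article): turn raw pkgproto output into
# a prototype file for the LDAP client package.

# fix_prototype STAGING_ROOT < prototype.raw > prototype
#  - emits "i pkginfo" as the first line,
#  - drops the entry for the staging root itself,
#  - strips the staging prefix from every path (pkgmk -r STAGING_ROOT then
#    locates the objects),
#  - sets mode/owner/group to "? ? ?" on directories that already exist on
#    every Solaris host, so pkgadd leaves them alone.
# Everything else (file modes, owners) is passed through for hand editing.
fix_prototype() {
    staging=$1
    awk -v root="$staging" '
        BEGIN {
            print "i pkginfo"
            # assumption: directories that exist on every host this will be added to
            n = split("/etc /opt /usr /usr/lib /usr/lib/security", sys, " ")
            for (i = 1; i <= n; i++) keep[sys[i]] = 1
        }
        $1 == "i" { next }                          # we emit our own i line
        {
            p = $3                                  # ftype class path ...
            if (p == root) next                     # the staging dir itself
            if (index(p, root "/") == 1) p = substr(p, length(root) + 1)
            $3 = p
            if ($1 == "d" && (p in keep)) { $4 = "?"; $5 = "?"; $6 = "?" }
            print
        }'
}

# Usage, replacing the "find | pkgproto > prototype" line of the article:
#   cd /opt/pkg && find /opt/pkg -print | pkgproto | fix_prototype /opt/pkg > prototype
#   pkgmk -o -r /opt/pkg -d /var/tmp -f prototype
```

Symbolic-link entries ('s none path=target') keep their target untouched; only the path before '=' has the staging prefix removed, which is what pkgmk expects.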
Add Unix Users or Groups into eDirectory or Add Unix Attributes to Existing Users or Groups
User:
- Remove the Unix snap-in from ConsoleOne; it doesn't work well
- Create the user in ConsoleOne as is normally done.
- Right-click the user object --> Extensions of this Object...
- Add Extension... --> Select posixAccount. A 'Generic editing' pop-up will appear; just click OK. It means there is no Unix snap-in.
- Enter the following:
Name: posixAccount
homeDirectory: /home/<username> (Create the home directory from Unix and update NIS auto.home!)
uniqueID: <username>
Common Name: <username>
gidNumber: <default gid number>
uidNumber: <uid number>
Then click OK
- Right-click the user object again --> Extensions of this Object...
- Add Extension... --> shadowAccount. A 'Generic editing' pop-up appears; click OK
- Enter the following:
Name: shadowAccount
uniqueID: <username>
Then click OK
- You then have to go to the 'Other' tab for the user and add the following attributes:
gecos: <full name>
loginShell: /bin/bash (or whatever)
- You can also update an existing user with Unix attributes with an LDIF file and this command:
ldapmodify -r -D cn=admin,ou=FOO,o=BAR -W -h <server> -f <ldif file>
LDIF file contents:
dn: cn=<username>,ou=FOO,o=BAR
changetype: modify
add: objectClass
objectClass: posixAccount
-
add: objectClass
objectClass: shadowAccount
-
add: uidNumber
uidNumber: <uid number>
-
add: gidNumber
gidNumber: <gid number>
-
add: gecos
gecos: <gecos>
-
add: homeDirectory
homeDirectory: /home/<username>
-
add: loginShell
loginShell: /bin/csh
* On a Solaris/Linux eDirectory server, it's preferable to use the included 'ice' command to do the same thing (man ice)
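When more than a handful of users need the Unix attributes, the LDIF is better generated than typed, and the values checked before they reach the directory: a uidNumber that is not a number or that lands in the system range makes the entry map onto the wrong Unix account. The function below is an added example, not the article's own, that emits the same modify-LDIF as above from command-line arguments after validating them. The DN layout (cn=<username>,ou=FOO,o=BAR) follows the article; the validation rules (POSIX-style username, numeric ids, uid 100 or above, absolute shell path) are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): generate the modify-LDIF
# that adds posixAccount/shadowAccount attributes to an existing eDirectory
# user, refusing unusable input.

# unix_user_ldif USER UID GID GECOS [SHELL] > user.ldif
# Writes the LDIF to stdout; returns 1 (and writes nothing) on bad input.
unix_user_ldif() {
    user=$1 uid=$2 gid=$3 gecos=$4 shell=${5:-/bin/bash}
    # username: starts with a letter or underscore, then [a-z0-9_.-] only
    case $user in
        ''|*[!a-z0-9_.-]*|[!a-z_]*) echo "bad username: '$user'" >&2; return 1 ;;
    esac
    for n in "$uid" "$gid"; do
        case $n in ''|*[!0-9]*) echo "not a number: '$n'" >&2; return 1 ;; esac
    done
    # Solaris reserves uids 0-99 for system accounts; refuse them so a
    # directory entry cannot map onto root or a daemon account (assumed policy).
    [ "$uid" -ge 100 ] || { echo "uid $uid is in the system range" >&2; return 1; }
    case $shell in /*) ;; *) echo "shell must be an absolute path: '$shell'" >&2; return 1 ;; esac
    # One 'add: objectClass' carrying both classes; every change ends with '-'.
    cat <<EOF
dn: cn=$user,ou=FOO,o=BAR
changetype: modify
add: objectClass
objectClass: posixAccount
objectClass: shadowAccount
-
add: uidNumber
uidNumber: $uid
-
add: gidNumber
gidNumber: $gid
-
add: gecos
gecos: $gecos
-
add: homeDirectory
homeDirectory: /home/$user
-
add: loginShell
loginShell: $shell
-
EOF
}

# Usage:  unix_user_ldif jdoe 1001 100 "Jane Doe" /bin/csh > jdoe.ldif
#         ldapmodify -r -D cn=admin,ou=FOO,o=BAR -W -h <server> -f jdoe.ldif
```

The generated file still has to be fed through ldapmodify (or ice) exactly as in the article; the function only guarantees that what goes in is well-formed.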
Group:
- Create a group object as is normally done
- In ConsoleOne, right-click the group object --> Extensions of this object... --> Add Extension... --> posixGroup (ignore the pop-up; click OK)
- Enter the following:
Name: posixGroup
Common Name: <name of group>
gidNumber: <gid>
Then click OK
- If a user has this GID as their default, nothing else needs to be done
to associate them with this group. If you want to add a user to the
group, you will need to add them in the Members tab in ConsoleOne.
On Unix, do 'groups' to verify they are in the group.
If you have any questions you may contact Ryan at Ryan.Anderson@udlp.com

Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com