How to enable LDAP authentication on SLES9 or SuSE Linux 10.x

  • 3000394
  • 03-May-2007
  • 27-Apr-2012

Environment

SuSE Linux Enterprise Server 9
SuSE Linux 10.x
Novell eDirectory 8.7.3.x

Situation

This TID walks you through the configuration of all necessary components to enable LDAP authentication from a SLES 9 or SuSE Linux 10.x workstation to a SLES 9 server running eDirectory 8.7.3.x.

Resolution

  1. Configuration of the LDAP Server

  1. Verify that eDirectory is installed, running and current with: ndsstat

  2. Verify that the box running eDirectory is a SLES9 server with: cat /etc/SuSE-release

  3. Extend eDirectory with the RFC2307 schema. Hint: By default eDirectory places the file at /usr/lib/nds-schema/rfc2307-usergroup.sch on the server when eDirectory is installed.

  4. Creating a Proxy User for Anonymous Binds
    When the user authenticates to the Linux box, a call is made to eDirectory to validate the existence of the user. This call must have rights to read the directory. There are many ways to facilitate this. The creation of a Proxy User which is allowed to connect without a password is the method shown here.

      1. Create a new user account (for the examples of this document it is called ldapuser) and set the password to null. Do not click Cancel when prompted, but click OK so that Public/Private keys are generated.

      2. Modify the user and under Password Restrictions uncheck the box that says "Allow user to change password".

      3. In iManager, under the Rights role | Modify Trustees, select the container where your users reside (or the root of the tree if you wish) and give the proxy user Browse entry rights, and Read and Compare property rights on the following attributes:
        CN, Description, O, OU, Object Class, dc, gecos, gidNumber, homeDirectory, loginShell, memberUid, uidNumber, uniqueID

      4. Open the properties of the LDAP group object of your server and from the general page select this new user as the proxy user.

      5. Open the properties of the LDAP server object and click "Refresh LDAP server" from the general page.

Prepare the user objects for use as accounts on Linux

  1. Determine available UIDs and GIDs from the passwd file on the SLES9 server.

    1. At the SLES9 server, type: less /etc/passwd

    2. Scan through all users and find the largest UID in the file. Hint: The passwd file has the format: account:password:UID:GID:GECOS:directory:shell

  2. Add the posixAccount, uidNumber, gidNumber, loginShell and homeDirectory for each user by doing the following:

    1. Manually add in iManager.

      1. Add the posixAccount auxiliary class to each user by doing the following:

      2. Add a distinctive UID and GID attribute value to each user. (The ID must be unique).

        1. The value you put into the uidNumber field must be unique. Start with the number found in step 1.3 and increment it for each user. For the gidNumber, use the number found in step 1.3.

#This LDIF file was generated by Novell's ICE and the LDIF destination handler.
version: 1

dn: cn=user2,o=users
changetype: modify
add: objectclass
objectclass: posixAccount
-
add: gidNumber
gidNumber: 100
-
add: uidNumber
uidNumber: 10002
-
add: homeDirectory
homeDirectory: /home/user2
-
add: loginShell
loginShell: /bin/bash
-


#This LDIF file was generated by Novell's ICE and the LDIF destination handler.
version: 1

dn: cn=user3,o=Users
changetype: add
loginShell: /bin/bash
homeDirectory: /home/user3
gecos: User Three
gidNumber: 100
uidNumber: 10003
uid: user3
givenName: user3
fullName: User Three
sn: Three
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: Person
objectClass: ndsLoginProperties
objectClass: Top
objectClass: homeInfo
objectClass: posixAccount
cn: user3
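The UID allocation and posixAccount LDIF above can be generated instead of typed by hand. The following Python script is an added example, not part of the TID and not produced by Novell's ICE; it assumes the users already exist under o=users, uses gidNumber 100 as the TID's LDIF does, and reads a constructed /etc/passwd sample in place of the server's real file.

```python
import re

# Constructed sample of the SLES9 server's /etc/passwd
# (format: account:password:UID:GID:GECOS:directory:shell).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
lum1:x:10001:100:Lum One:/home/lum1:/bin/bash
"""

def max_uid(passwd_text):
    """Largest UID in the passwd text, skipping malformed lines.
    Ignoring nobody (65534) is this example's refinement, not a TID step."""
    uids = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2].isdigit() and int(fields[2]) < 65534:
            uids.append(int(fields[2]))
    return max(uids, default=0)

def posix_modify_ldif(cn, base, uid_number, gid_number=100, shell="/bin/bash"):
    """One RFC 2849 'changetype: modify' record; every add ends with a '-' line."""
    changes = [("objectClass", "posixAccount"), ("uidNumber", str(uid_number)),
               ("gidNumber", str(gid_number)), ("homeDirectory", f"/home/{cn}"),
               ("loginShell", shell)]
    lines = [f"dn: cn={cn},{base}", "changetype: modify"]
    for attr, value in changes:
        lines += [f"add: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(lines) + "\n"

def build_ldif(passwd_text, cns, base="o=users", gid_number=100):
    """Allocate uidNumbers above the server's largest UID, one record per user."""
    next_uid = max_uid(passwd_text) + 1
    records = []
    for cn in cns:
        # Reject names that could smuggle DN separators or extra LDIF lines.
        if not re.fullmatch(r"[A-Za-z0-9._-]+", cn):
            raise ValueError(f"refusing unsafe cn: {cn!r}")
        records.append(posix_modify_ldif(cn, base, next_uid, gid_number))
        next_uid += 1
    return "version: 1\n\n" + "\n".join(records)

if __name__ == "__main__":
    print(build_ldif(SAMPLE_PASSWD, ["user2", "user3"]))
```

The output can be applied with ldapmodify or ICE; review the allocated uidNumbers against the server's passwd file before applying.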




Prepare the SuSE Linux Workstations and/or Servers that will allow authentication via LDAP.



  1. Ensure the OpenLDAP client is installed.

    1. This procedure was tested using openldap2-client-2.2.27-6 on SuSE Linux 10.x, and openldap2-client-2.2.24-4.12 on SLES 9.

  2. Ensure the LDAP PAM module is installed.

    1. This procedure was tested using the pam_ldap-178-3 package on SuSE Linux 10.x and the pam_ldap-169-28.4 package on SLES 9.

  3. Ensure the LDAP NSS module is installed.

    1. This procedure was tested using the nss_ldap-238-2.2 package on SuSE Linux 10.x and the nss_ldap-215-59.10 package on SLES 9.

    2. Check with: rpm -qa | grep nss_ldap

  4. Configure the ldap.conf file (note that some or all of these settings may be made by YaST under LDAP Client).

    1. Add the eDirectory LDAP server (host), the base DN (base), the LDAP port (port), the bind DN (binddn) and the bind password (bindpw) to the /etc/ldap.conf file.



host 10.1.1.71
base o=users
ldap_version 3
binddn cn=ldapuser,o=users
bindpw novell
port 389
pam_password nds
ssl no
nss_map_attribute uniqueMember member
pam_filter objectclass=posixAccount
nss_base_passwd o=users
nss_base_shadow o=users
nss_base_group o=users





  5. Configure the nsswitch.conf file.

    1. Modify the /etc/nsswitch.conf file to point the "passwd" and "group" options to "compat" and the "passwd_compat" and "group_compat" options to "ldap".

  6. Listed below is a sample /etc/nsswitch.conf file after being modified as specified in step 5.

passwd: compat
shadow: files nis
group: compat
hosts: files dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
publickey: files
bootparams: files
automount: files nis
aliases: files
passwd_compat: ldap
group_compat: ldap
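A check of the two client files just configured, as an added example that is not part of the TID: it parses ldap.conf and nsswitch.conf text and reports which NSS databases actually reach LDAP (a direct ldap source, or compat together with a <db>_compat: ldap line) and which required ldap.conf keys are missing or risky. The sample texts are constructed from the listings above.

```python
# Constructed from the TID's ldap.conf and nsswitch.conf listings (trimmed).
SAMPLE_LDAP_CONF = """\
host 10.1.1.71
base o=users
ldap_version 3
binddn cn=ldapuser,o=users
bindpw novell
port 389
pam_password nds
ssl no
"""
SAMPLE_NSSWITCH = """\
passwd: compat
shadow: files nis
group: compat
hosts: files dns
passwd_compat: ldap
group_compat: ldap
"""
# Keys the TID tells you to set; names are the nss_ldap/pam_ldap keywords.
REQUIRED_KEYS = ("host", "base", "port", "binddn", "bindpw", "pam_password")

def _strip(line):
    return line.split("#", 1)[0].strip()  # drop comments and whitespace

def parse_ldap_conf(text):
    """'keyword value' per line; nss_ldap matches keywords case-insensitively."""
    conf = {}
    for line in filter(None, map(_strip, text.splitlines())):
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf

def ldap_reachable_databases(text):
    """For each NSS database, True if lookups can reach LDAP: an 'ldap' source
    directly, or 'compat' plus a matching '<db>_compat: ldap' line."""
    sources = {}
    for line in filter(None, map(_strip, text.splitlines())):
        if ":" in line:
            db, _, srcs = line.partition(":")
            sources[db.strip()] = srcs.split()
    return {db: "ldap" in srcs or ("compat" in srcs and "ldap" in sources.get(db + "_compat", []))
            for db, srcs in sources.items() if not db.endswith("_compat")}

def audit_ldap_conf(text):
    """Findings as strings; an empty list means all required keys are set and TLS is on."""
    conf = parse_ldap_conf(text)
    findings = [f"missing {k}" for k in REQUIRED_KEYS if k not in conf]
    if conf.get("ssl", "no").lower() in ("no", "off"):
        findings.append("ssl no: simple binds send bindpw and user passwords in cleartext")
    if conf.get("bindpw"):
        findings.append("bindpw in ldap.conf: the file must be world-readable for NSS lookups, so local users can read it")
    return findings
```

On a real host, feed it the contents of /etc/ldap.conf and /etc/nsswitch.conf; with the TID's sample shadow stays on files/nis, which is fine here because pam_ldap, not nss_ldap, handles the password check.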



  7. Optional: Use YaST to configure the LDAP client

    1. Launch YaST | Network Services | LDAP Client

    2. Mark "Use LDAP" under User Authentication

    3. Under LDAP client

      1. Add the LDAP base DN, which is the uppermost container where users are located and where searches will begin

      2. Add the Address of LDAP Servers. This should be the IP addresses of the eDirectory LDAP servers that will be contacted for LDAP authentication. This can be a list of IP addresses separated by spaces.

      3. Tab to Finish and press Enter

    4. NOTE: Your mileage may vary with this approach. SLES 9 and SuSE Linux 10.x provide different interfaces within YaST for configuring the LDAP client. The author suggests using the interface and then manually verifying that the correct additions were made to /etc/ldap.conf and /etc/nsswitch.conf.

Dynamically Creating User Home Directories

If user home directories are going to be created locally, PAM will need to create them dynamically. Without this, a text-based login just reports an error, and logging in through an X session is refused.

1. Edit /etc/pam.d/login and add:

session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022

2. Edit /etc/pam.d/xdm and add the same line:

session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022

Note: If you don't want LUM-enabled users to be able to read other users' home directories, perform the following:

1) Edit the file /etc/login.defs

2) Change the value "UMASK 022" to "UMASK 077"

Additional Information