Authenticating SUSE LINUX to eDirectory via LDAP

Posted: 23 Feb 2005

This article serves as a guide to help you authenticate SLES9/NLD 9.0 to eDirectory via LDAP. It corrects some of the inaccuracies in the current NLD 9 Implementation guide.

You can also download the article here: http://homepage.mac.com/hlouey/FileSharing55.html

Purpose

The purpose of this document is to give administrators a step-by-step guide to successfully configure Netware 6.5 so SLES9 and NLD clients can authenticate to eDirectory via LDAP. While this document has been tested only on SLES9 and NLD 9, it should not be too difficult adapt this solution for other Linux distributions.

Requirements

  • Netware 6.5 with Service Pack 2 installed
  • LDAP Server on Netware 6.5 configure and running
  • ConsoleOne 1.2 or later with the appropriate snap-ins installed
  • Appropriate clients installed
  • OpenSSL 0.9.6b or later
  • OpenLDAP 2.0.25 or later
  • Nss_ldap package installed

For this document my Netware 6.5 Server is configured as:

  • IP Address – 10.0.0.253
  • LDAP Server and Group Container – ou=melbourne,o=digitalairlines

Figure 1 - Sample configuration

To minimize pain, make sure SP2 is installed.

Server-side Configuration

Here are the steps to follow for server-side configuration:

1. Create a proxy user for LDAP.

Granted, you should be able to get authentication to work by setting up LDAP access via an anonymous login from the client side. However, I have found this has never successfully parsed back all of the required LDAP attributes from eDirectory to the Linux client.

2. Set a null password for this user and disable password changing.

3. Configure your LDAP Group for use with this proxy user as shown below.

Figure 2 - Proxy user for LDAP Group

4. Make sure your server's LDAP group has an assigned proxy user. Make the proxy user a trustee of [root] and give him Browse [Entry Rights], flag-inheritable.

5. Assign read and compare property rights for the following attributes:

CN
Description
O
OU
Object 
Class
dc
gecos
gidNumber
homeDirectory
loginshell
memberUid
uidNumber
uniqueID

Figure 3 - Property rights

LDAP User Trustee Assignments

1. Create a group for your UNIX users in eDirectory and add the appropriate settings to the UNIX profile tab.

Figure 4 - UNIX users group

Figure 5 - UNIX users group

2. Make sure your UNIX users are members of this group.

3. Create a user in eDirectory and modify the appropriate UNIX schema objects.

Figure 6 - Modifying eDirectory schema objects

4. When setting up the shell for your UNIX user, make sure the path of the intended shell matches the path that is in the file /etc/shells on your intended Linux client.

In the previous example, when asked to select Login Shell, you would select Other and type /bin/bash for the bourne shell. Leaving the default value for bourne shell in ConsoleOne will return an error at the time of login as its path to the bash shell does not match what is in /etc/shells.

Figure 7 - Login Shell data

5. Make sure your selected UNIX shell is in the above file.

6. Make your user a member of the Unix Group.

Testing

A quick way to test that the LDAP server is configured correctly and that your Linux workstation is able to see the correct LDAP attributes for successful authentication is to run the ldapsearch command line utility from your Linux workstation

Run ldapsearch –h 10.0.0.253 –x –b ou=melbourne,o=digitalairlines –s
 sub “(cn=geeko1)”

Figure 8 - ldapsearch results

ldapsearch Command-line Arguments

If successful, the command should return the UNIX schema objects from eDirectory. If unsuccessful, eDirectory authentication will not occur, and you'll need to go back and recheck all your eDirectory settings until it works properly.

Figure 9 - Successful search

Notice the gidNumber and uidNumber attributes have been parsed. as well as homeDirectory and loginShell. Congratulations - the hard part is over!

Client-side Configuration

In order to successfully login via LDAP, we now have to set up and configure the LDAP Client and PAM modules on our intended Linux client.

1. In SLES9 and NLD9 go to YAST -> Network Services -> LDAP Client.

Figure 10 - LDAP client configuration

2. In User Authentication, select Use LDAP.

3. Under LDAP Client, enter the full context to where your LDAP server and group objects are located, as well as the IP address of your LDAP Server.

4. Click Advanced Configuration.

Figure 11 - Advanced configuration screen

5. Under User and Group Settings, select Enable LDAP Users to Log In.

6. Under Access to LDAP Server, enter the full context to the container of your LDAP server and the full-distinguished name of your LDAP proxy user.

7. Click Configure User Management Settings.

8. You will be asked for the password of your proxy user. If the password is configured correctly, just press Enter.

9. Click Next twice to configure and exit the LDAP Client setup utility.

Setting Up the pam.d Files

1. Launch an editor with root privileges by pressing Alt-F2 and entering:

Kdesu gedit /etc/pam.d/login

2. Enter the root password.

3. Add the following to the bottom of the file:

session   required   pam_mkhomedir.so   skel=/etc/skel   

umask=0022

4. Repeat these steps for the /etc/pam.d/xdm and /etc/pam.d/gdm files.

Figure 12 - /etc/pam.d/login

Login via LDAP

If all is well, you should be able to log in with your eDirectory-created objects Appropriate home directories and desktop preference files should be created for you automatically.

Figure 13 - Login successful, with UID and GID variables displayed

Figure 14 - Proof that geeko1 does not exist on the local /etc/passwd file



Informacja z serwisu http://www.djack.com.pl