Posted: 23 Feb 2005
This article serves as a guide to help you authenticate
SLES9/NLD 9.0 to eDirectory via LDAP. It corrects some of the inaccuracies in
the current NLD 9 Implementation guide.
You can also download the article here: http://homepage.mac.com/hlouey/FileSharing55.html
Purpose
The purpose of this document is to give administrators a
step-by-step guide to configuring NetWare 6.5 so that SLES9 and NLD 9
clients can authenticate to eDirectory via LDAP. While this document has been
tested only on SLES9 and NLD 9, it should not be difficult to adapt the
solution for other Linux distributions that use nss_ldap and pam_ldap.
Requirements
- NetWare 6.5 with Service Pack 2 installed
- LDAP Server on NetWare 6.5 configured and running
- ConsoleOne 1.2 or later with the appropriate snap-ins installed
- Appropriate clients installed
- OpenSSL 0.9.6b or later
- OpenLDAP 2.0.25 or later
- nss_ldap package installed on the Linux client
For this document my Netware 6.5 Server is configured as:
- IP address: 10.0.0.253
- LDAP Server and LDAP Group container: ou=melbourne,o=digitalairlines
Figure 1 - Sample configuration
To minimize pain, make sure SP2 is installed.
Server-side Configuration
Here are the steps to follow for server-side
configuration:
1. Create a proxy user for LDAP.
Granted, you should be able to get authentication to work by
setting up LDAP access via an anonymous login from the client side. However, I
have found this has never successfully parsed back all of the required LDAP
attributes from eDirectory to the Linux client.
2. Set a null password for this user and disable password
changing. Because anyone who knows the proxy user's DN can then bind as it,
grant it nothing beyond the Browse and Read/Compare rights listed below.
3. Configure your LDAP Group for use with this proxy user as
shown below.
Figure 2 - Proxy user for LDAP Group
4. Make sure your server's LDAP Group has an assigned proxy
user. Make the proxy user a trustee of [Root] and give it the Browse entry
right, flagged inheritable.
5. Assign Read and Compare property rights to the proxy user for the following
attributes:
- CN
- Description
- O
- OU
- Object Class
- dc
- gecos
- gidNumber
- homeDirectory
- loginShell
- memberUid
- uidNumber
- uniqueID
Figure 3 - Property rights
LDAP User Trustee Assignments
1. Create a group for your UNIX users in eDirectory and add
the appropriate settings to the UNIX profile tab.
Figure 4 - UNIX users group
Figure 5 - UNIX users group
2. Make sure your UNIX users are members of this group.
3. Create a user in eDirectory and fill in the UNIX profile
attributes (uidNumber, gidNumber, homeDirectory and loginShell).
Figure 6 - Modifying eDirectory schema objects
4. When setting the login shell for your UNIX user, make sure the
path you enter matches an entry in /etc/shells on the intended Linux client.
In the previous example, when asked to select Login Shell, you
would select Other and type /bin/bash. Leaving ConsoleOne's default Bourne
shell entry returns an error at login time, because its path does not match
any line in /etc/shells on the client.
Figure 7 - Login Shell data
5. Confirm that the shell you selected is listed in /etc/shells on
the client.
6. Make your user a member of the Unix Group.
Testing
A quick way to test that the LDAP server is configured
correctly and that your Linux workstation can see the LDAP
attributes needed for authentication is to run the ldapsearch command-line
utility from the workstation:

ldapsearch -h 10.0.0.253 -x -b ou=melbourne,o=digitalairlines -s sub "(cn=geeko1)"

With -x and no -D this is an anonymous simple bind. eDirectory services
anonymous LDAP binds with the rights of the LDAP Group's proxy user, so what
comes back is exactly what the proxy user is allowed to read.
Figure 8 - ldapsearch results
ldapsearch Command-line Arguments
If successful, the command returns the UNIX profile
attributes from eDirectory. If it fails, eDirectory authentication will not
work either; go back and recheck your eDirectory settings until the search
returns the expected attributes.
Figure 9 - Successful search
Notice that the gidNumber and uidNumber attributes have been
returned, as well as homeDirectory and loginShell. Congratulations, the hard
part is over!
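The check described above, as an added example that is not part of the original article: a POSIX shell script that inspects an ldapsearch result for the attributes nss_ldap needs and confirms that loginShell matches a line in /etc/shells, which also catches the shell-path mistake described under LDAP User Trustee Assignments. The LDIF entries, the /etc/shells contents and the function names (attr_value, check_posix_entry) are constructed for the example; the unlisted shell path in the broken entry is made up.

```shell
#!/bin/sh
# Added example, not code from the original article. It checks an ldapsearch
# result for the attributes nss_ldap needs (uidNumber, gidNumber,
# homeDirectory, loginShell) and confirms the shell is listed in /etc/shells,
# which is the login-time failure the article warns about. On a real client:
#   ldif=$(ldapsearch -h 10.0.0.253 -x -b ou=melbourne,o=digitalairlines -s sub '(cn=geeko1)')
#   check_posix_entry "$ldif" "$(cat /etc/shells)"

# Constructed sample of what a correctly configured eDirectory returns
# (operational attributes trimmed).
GOOD_LDIF='dn: cn=geeko1,ou=melbourne,o=digitalairlines
cn: geeko1
objectClass: inetOrgPerson
objectClass: posixAccount
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/geeko1
loginShell: /bin/bash'

# Constructed sample of a misconfigured entry: gidNumber was not returned
# (the proxy user lacks the property right) and the shell path is one that
# is not in /etc/shells. The path below is made up for the example.
BAD_LDIF='dn: cn=geeko2,ou=melbourne,o=digitalairlines
cn: geeko2
objectClass: posixAccount
uidNumber: 1002
homeDirectory: /home/geeko2
loginShell: /usr/local/bin/bash'

# Constructed /etc/shells contents (assumed typical for a SLES9 client).
SAMPLE_SHELLS='/bin/ash
/bin/bash
/bin/csh
/bin/sh
/bin/tcsh
/bin/zsh'

# attr_value LDIF NAME: print the first value of attribute NAME.
# LDAP attribute names are case-insensitive, so compare in lower case.
attr_value() {
    printf '%s\n' "$1" | awk -v want="$2" '
        tolower($1) == (tolower(want) ":") {
            sub(/^[^:]*:[ \t]*/, ""); print; exit
        }'
}

# check_posix_entry LDIF SHELLS: return 0 when the entry has every attribute
# nss_ldap needs, the numeric ones are numeric, and loginShell is one of the
# lines in SHELLS (the contents of /etc/shells). Each problem is reported on
# stderr and the function returns 1.
check_posix_entry() {
    ldif=$1
    shells=$2
    rc=0
    for attr in uidNumber gidNumber; do
        v=$(attr_value "$ldif" "$attr")
        case $v in
            '') echo "missing $attr: check the proxy user's Read/Compare rights" >&2; rc=1 ;;
            *[!0-9]*) echo "$attr=$v is not numeric" >&2; rc=1 ;;
        esac
    done
    for attr in homeDirectory loginShell; do
        v=$(attr_value "$ldif" "$attr")
        [ -n "$v" ] || { echo "missing $attr: check the proxy user's Read/Compare rights" >&2; rc=1; }
    done
    shell=$(attr_value "$ldif" loginShell)
    if [ -n "$shell" ] && ! printf '%s\n' "$shells" | grep -qxF -- "$shell"; then
        echo "loginShell $shell is not in /etc/shells: login will be refused" >&2
        rc=1
    fi
    return $rc
}

# Demonstration on the constructed samples.
if check_posix_entry "$GOOD_LDIF" "$SAMPLE_SHELLS"; then
    echo "geeko1: entry is complete and the shell is valid"
fi
if ! check_posix_entry "$BAD_LDIF" "$SAMPLE_SHELLS"; then
    echo "geeko2: entry would fail at login (see messages above)"
fi
```

Run it against the live output of the ldapsearch command from this section; a non-zero exit from check_posix_entry means either the proxy user's property rights or the user's UNIX profile need fixing before you touch the PAM configuration.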
Client-side Configuration
In order to successfully login via LDAP, we now have to set up
and configure the LDAP Client and PAM modules on our intended Linux client.
1. In SLES9 and NLD 9 go to YaST -> Network Services ->
LDAP Client.
Figure 10 - LDAP client configuration
2. In User Authentication, select Use LDAP.
3. Under LDAP Client, enter the full context to where your
LDAP server and group objects are located, as well as the IP address of your
LDAP Server.
4. Click Advanced Configuration.
Figure 11 - Advanced configuration screen
5. Under User and Group Settings, select Enable LDAP Users to
Log In.
6. Under Access to LDAP Server, enter the full context to the
container of your LDAP server and the full-distinguished name of your LDAP proxy
user.
7. Click Configure User Management Settings.
8. You will be asked for the password of your proxy user. Because
the proxy user was given a null password, just press Enter.
9. Click Next twice to configure and exit the LDAP Client
setup utility.
Setting Up the pam.d Files
1. Launch an editor with root privileges by pressing Alt-F2
and entering:
kdesu gedit /etc/pam.d/login
2. Enter the root password.
3. Add the following line to the bottom of the file:
session required pam_mkhomedir.so skel=/etc/skel umask=0022
pam_mkhomedir creates the home directory on first login; umask=0022 makes it
readable by every local user, so use umask=0077 if home directories should be
private.
4. Repeat these steps for the /etc/pam.d/xdm and
/etc/pam.d/gdm files.
Figure 12 - /etc/pam.d/login
Login via LDAP
If all is well, you should be able to log in with your
eDirectory-created users. The home directory and desktop preference
files should be created for you automatically on first login.
Figure 13 - Login successful, with UID and GID
variables displayed
Figure 14 - Proof that geeko1 does not exist on the
local /etc/passwd file