SJSDS Configure LDAP Clients
From AMCPU Wiki
Solaris 8 Configuration
Solaris 8 comes installed with the necessary LDAP client binaries and libraries to allow it to be quickly configured as an LDAP client. The ldapclient utility downloads a profile from the LDAP server which contains all of the configuration options and stores them locally. The proxyuser and proxypassword are also stored locally in a root-only readable file. This is the user that the client uses to connect to the LDAP server.
To configure the client, run the following as root (the pam.conf commands assume /etc is the current directory):
# ldapclient -P profile -d domain.net \
    -D cn=proxyagent,ou=profile,dc=domain,dc=net -w password 10.10.10.10
# /usr/lib/ldap/ldap_cachemgr -g
# vi /etc/nsswitch.conf      (add dns to the hosts line)
# cp pam.conf pam.conf.bak
# vi pam.conf
Edit the pam.conf file to use the pam_ldap.so.1 module:
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login    auth required   pam_authtok_get.so.1
login    auth required   pam_dhkeys.so.1
login    auth required   pam_dial_auth.so.1
login    auth sufficient pam_unix_auth.so.1
login    auth required   pam_ldap.so.1 try_first_pass
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin   auth sufficient pam_rhosts_auth.so.1
rlogin   auth required   pam_authtok_get.so.1
rlogin   auth required   pam_dhkeys.so.1
rlogin   auth sufficient pam_unix_auth.so.1
rlogin   auth required   pam_ldap.so.1 try_first_pass
#
# rsh service (explicit because of pam_rhost_auth)
#
rsh      auth sufficient pam_rhosts_auth.so.1
rsh      auth required   pam_authtok_get.so.1
rsh      auth required   pam_dhkeys.so.1
rsh      auth sufficient pam_unix_auth.so.1
rsh      auth required   pam_ldap.so.1 try_first_pass
#
# PPP service (explicit because of pam_dial_auth)
#
ppp      auth required   pam_authtok_get.so.1
ppp      auth required   pam_dhkeys.so.1
ppp      auth required   pam_dial_auth.so.1
ppp      auth sufficient pam_unix_auth.so.1
ppp      auth required   pam_ldap.so.1 try_first_pass
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other    auth required   pam_authtok_get.so.1
other    auth required   pam_dhkeys.so.1
other    auth sufficient pam_unix_auth.so.1
other    auth required   pam_ldap.so.1 try_first_pass
#
# passwd command (explicit because of a different authentication module)
#
passwd   auth sufficient pam_passwd_auth.so.1
passwd   auth required   pam_ldap.so.1 try_first_pass
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron     account required pam_projects.so.1
cron     account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account
# management
#
other    account requisite pam_roles.so.1
other    account required  pam_projects.so.1
other    account required  pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session
# management
#
other    session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password
# management
#
other    password required   pam_dhkeys.so.1
other    password required   pam_authtok_get.so.1
other    password required   pam_authtok_check.so.1
other    password sufficient pam_authtok_store.so.1
other    password required   pam_ldap.so.1
To allow SSH logins to authenticate against LDAP, the UsePAM configuration option must be set to "yes" in the sshd_config file.
UsePAM yes
Also, if you have used tls:simple as your authentication method (which is strongly recommended), then remember to copy your certificate and public keys from the server to each of the LDAP clients. These files will be located on each of the LDAP clients in:
/var/ldap/cert7.db
/var/ldap/key3.db
These *.db files are generated by opening a Mozilla-based browser, entering https://ldaphost:636 in the URL field and pressing Enter. Then accept the certificate that the server offers. Those *.db files will be stored in your ~/.netscape/ directory. Simply copy them to the LDAP clients in the paths shown above and you have enabled SSL-encrypted transmission of data to and from the LDAP server.
Solaris 9 Configuration
Solaris 9 comes installed with the necessary LDAP client binaries and libraries to allow it to be quickly configured as an LDAP client. The ldapclient utility downloads a profile from the LDAP server which contains all of the configuration options and stores them locally. The proxyuser and proxypassword are also stored locally in a root-only readable file. This is the user that the client uses to connect to the LDAP server.
To configure the client, run the following as root:
# ldapclient -v init -a profileName=profile \
    -a proxyDn=cn=proxyagent,ou=profile,ou=whatever,dc=domain,dc=net \
    -a proxyPassword=password 10.10.10.10
Running this command produces output like the following. It shows the changes being made to the system; every file it changes is first backed up to the /var/ldap/restore directory:
Parsing profileName=default
Parsing domainName=domain.net
Parsing proxyDn=cn=proxyagent,ou=profile,dc=domain,dc=net
Parsing proxyPassword=password
Arguments parsed:
domainName: domain.net
proxyDN: cn=proxyagent,ou=profile,dc=domain,dc=net
profileName: default
proxyPassword: password
defaultServerList: ldaphost.domain.net
Handling init option
About to configure machine by downloading a profile
findBaseDN: begins
findBaseDN: ldap not running
findBaseDN: calling __ns_ldap_default_config()
found 2 namingcontexts
findBaseDN: __ns_ldap_list(NULL, "(&(objectclass=nisDomainObject)
(nisdomain=domain.net))"
rootDN[0] dc=domain,dc=net
found baseDN dc=domain,dc=net for domain domain.net
Proxy DN: cn=proxyagent,ou=profile,dc=domain,dc=net
Proxy password: {NS1}sdfadf9234r23sr
Credential level: 1
Authentication method: 1
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
Stopping nscd
Stopping autofs
ldap not running
nisd not running
Stopping nis_cache
nispasswd not running
nis(yp) not running
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=0
file_backup: (/var/nis/NIS_COLD_START -> /var/ldap/restore/NIS_COLD_START)
file_backup: nis domain is "domain.net"
file_backup: stat(/var/yp/binding/domain.net)=-1
file_backup: No /var/yp/binding/domain.net directory.
file_backup: stat(/var/ldap/ldap_client_file)=-1
file_backup: No /var/ldap/ldap_client_file file.
Starting network services
start: /usr/bin/domainname domain.net... success
start: /usr/lib/ldap/ldap_cachemgr... success
start: /etc/init.d/autofs start... success
start: /etc/init.d/nscd start... success
start: /etc/init.d/sendmail start... success
System successfully configured
Continue the setup with the following commands:
# /usr/lib/ldap/ldap_cachemgr -g
# vi /etc/nsswitch.conf      (add dns to the hosts line)
# cp pam.conf pam.conf.bak       (run from /etc)
# vi pam.conf
Edit the pam.conf file to use the pam_ldap.so.1 module:
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login    auth required   pam_authtok_get.so.1
login    auth required   pam_dhkeys.so.1
login    auth required   pam_dial_auth.so.1
login    auth sufficient pam_unix_auth.so.1
login    auth required   pam_ldap.so.1 try_first_pass
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin   auth sufficient pam_rhosts_auth.so.1
rlogin   auth required   pam_authtok_get.so.1
rlogin   auth required   pam_dhkeys.so.1
rlogin   auth sufficient pam_unix_auth.so.1
rlogin   auth required   pam_ldap.so.1 try_first_pass
#
# rsh service (explicit because of pam_rhost_auth)
#
rsh      auth sufficient pam_rhosts_auth.so.1
rsh      auth required   pam_authtok_get.so.1
rsh      auth required   pam_dhkeys.so.1
rsh      auth sufficient pam_unix_auth.so.1
rsh      auth required   pam_ldap.so.1 try_first_pass
#
# PPP service (explicit because of pam_dial_auth)
#
ppp      auth required   pam_authtok_get.so.1
ppp      auth required   pam_dhkeys.so.1
ppp      auth required   pam_dial_auth.so.1
ppp      auth sufficient pam_unix_auth.so.1
ppp      auth required   pam_ldap.so.1 try_first_pass
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other    auth required   pam_authtok_get.so.1
other    auth required   pam_dhkeys.so.1
other    auth sufficient pam_unix_auth.so.1
other    auth required   pam_ldap.so.1 try_first_pass
#
# passwd command (explicit because of a different authentication module)
#
passwd   auth sufficient pam_passwd_auth.so.1
passwd   auth required   pam_ldap.so.1 try_first_pass
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron     account required pam_projects.so.1
cron     account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account
# management
#
other    account requisite pam_roles.so.1
other    account required  pam_projects.so.1
other    account required  pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session
# management
#
other    session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password
# management
#
other    password required   pam_dhkeys.so.1
other    password required   pam_authtok_get.so.1
other    password required   pam_authtok_check.so.1
other    password sufficient pam_authtok_store.so.1
other    password required   pam_ldap.so.1
To allow SSH logins to authenticate against LDAP, the UsePAM configuration option must be set to "yes" in the sshd_config file.
UsePAM yes
Also, if you have used tls:simple as your authentication method (which is strongly recommended), then remember to copy your certificate and public keys from the server to each of the LDAP clients. These files will be located on each of the LDAP clients in:
/var/ldap/cert7.db
/var/ldap/key3.db
These *.db files are generated by opening a Mozilla-based browser, entering https://ldaphost:636 in the URL field and pressing Enter. Then accept the certificate that the server offers. Those *.db files will be stored in your ~/.netscape/ directory. Simply copy them to the LDAP clients in the paths shown above and you have enabled SSL-encrypted transmission of data to and from the LDAP server.
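A post-configuration check for the steps in the Solaris 8 and Solaris 9 sections above, added here as an example; it is not part of the original wiki page and not a Solaris tool. It verifies that a service's pam.conf auth stack has the required pam_ldap.so.1 try_first_pass line after the sufficient pam_unix_auth.so.1 line, that sshd_config says UsePAM yes, that the tls:simple databases are present under /var/ldap, and that the locally stored proxy credential is not group- or world-readable. The sample file tree, the ftp service and the credential file name ldap_client_cred are constructed assumptions.

```shell
#!/bin/sh
# Post-configuration checks for a Solaris LDAP client set up as on this page.
# All inputs are constructed in a temp directory so the script runs anywhere.
# Does service $2's auth stack in pam.conf $1 contain "required pam_ldap.so.1
# try_first_pass" placed after the "sufficient pam_unix_auth.so.1" line?
pam_auth_uses_ldap() {
    awk -v svc="$2" '
        /^[ \t]*#/ || NF < 4 { next }
        $1 == svc && $2 == "auth" {
            n++
            if ($3 == "sufficient" && $4 == "pam_unix_auth.so.1") unix_at = n
            if ($3 == "required" && $4 == "pam_ldap.so.1" && /try_first_pass/) ldap_at = n
        }
        END { exit !(unix_at > 0 && ldap_at > unix_at) }' "$1"
}
# sshd honours the first UsePAM directive it reads; it has to be "yes".
sshd_usepam_yes() {
    awk 'tolower($1) == "usepam" { found = 1; ok = (tolower($2) == "yes"); exit }
         END { exit !(found && ok) }' "$1"
}
# tls:simple needs both NSS databases under /var/ldap (copied from the browser profile).
tls_dbs_present() { [ -s "$1/cert7.db" ] && [ -s "$1/key3.db" ]; }
# The stored proxy credential must carry no group/other bits (ls -l columns 5-10);
# on a real host also confirm the owner is root.
file_private() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# --- constructed sample tree, not a real host ---
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/etc" "$SAMPLE/var/ldap"
cat > "$SAMPLE/etc/pam.conf" <<'EOF'
# excerpt of the "other auth" stack from this page
other auth required   pam_authtok_get.so.1
other auth required   pam_dhkeys.so.1
other auth sufficient pam_unix_auth.so.1
other auth required   pam_ldap.so.1 try_first_pass
# ftp stack deliberately left without pam_ldap so the check flags it
ftp   auth sufficient pam_unix_auth.so.1
EOF
printf 'UsePAM yes\n' > "$SAMPLE/etc/sshd_config"
printf 'x' > "$SAMPLE/var/ldap/cert7.db"; printf 'x' > "$SAMPLE/var/ldap/key3.db"
printf 'constructed\n' > "$SAMPLE/var/ldap/ldap_client_cred"   # assumed file name
chmod 600 "$SAMPLE/var/ldap/ldap_client_cred"

for svc in other ftp; do
    pam_auth_uses_ldap "$SAMPLE/etc/pam.conf" "$svc" && echo "pam $svc: ok" || echo "pam $svc: no pam_ldap"
done
sshd_usepam_yes "$SAMPLE/etc/sshd_config" && echo "sshd UsePAM: ok"
tls_dbs_present "$SAMPLE/var/ldap" && echo "tls dbs: ok"
file_private "$SAMPLE/var/ldap/ldap_client_cred" && echo "cred perms: ok"
```

On a real client, point the functions at /etc/pam.conf, /etc/ssh/sshd_config and /var/ldap instead of the sample tree.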
Solaris 10 Configuration
Same procedure as the Solaris 9 steps shown above.
