Setting up Red Hat Linux Server (RHEL) to the LDAP Server for Pluggable Authentication Module (PAM) setup

-
This artcle describes connecting a redhat server to the dsee (LDAP) server. This includes serveral steps

1.1    Create ldap groups

Ldap groups are used to be sure that only authenticated users can login to the server. Two ldapgroups where created test01_user_group and test01_admin_group in the following way:

Create an file <import.ldif> with the following content:

dn: cn= test01_user_group,ou=UsrSubGroups,ou=UserGroups,ou=group, dc=mycomp,dc=mydomain,dc=com
objectClass: groupOfUniqueNames
objectClass: top
cn: test01_user_group

dn: cn=test01_admin_group,ou=AdmSubGroups,ou=AdminGroups,ou=group, dc=mycomp,dc=mydomain,dc=com
objectClass: groupOfUniqueNames
objectClass: top
objectclass:posixGroup
gidNumber:99998
cn: test01_admin_group

Then from a machine where an ldapclient is installed (for instance the dsee server) issue the following command

> ldapadd -h localhost -p 1389 -D "cn=Directory Manager" -f import.ldif -q


1.2    Overwrite /etc/openldap/ldap.conf

Login to the server you want to connect to ldap as root (via sudo) and overwrite the content of /etc/openldap/ldap.conf with the following:

URI ldap://192.168.148.128:389
BASE ou=people,dc=mycomp,dc=mydomain,dc=com
TLS_CACERTDIR /etc/openldap/cacerts

1.3    Overwrite /etc/ldap.conf

Login to the server you want to connect to ldap as root (via sudo) and overwrite the content of /etc/ldap.conf with the following:

base dc=mycomp,dc=mydomain,dc=com

scope sub

timelimit 120

bind_timelimit 120

idle_timelimit 3600

pam_login_attribute uid

ldap_version 3

nss_base_passwd ou=people,dc=mycomp,dc=mydomain,dc=com?one

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm

uri ldap://172.27.83.253:389

pam_filter isMemberOf=cn=test01_user_group,ou=UsrSubGroups,ou=UserGroups,ou=group,dc=mycomp,dc=mydomain,dc=com

ssl no

tls_cacertdir /etc/openldap/cacerts

The following parameters differ from server to server

Parameter
Description
uri
Comma seperated list of url of the ldaps for the specific site (luton west-brom)
pam_filter isMemberOf=
The group users have to be (indirect) member of in order to be able to login to this server

1.4    Complete configuration

Issue the following command:
> authconfig --enableldap --enableldapauth --update

Then open /etc/pam.d/system-auth and add the following line:
session     required      pam_mkhomedir.so mask=0022 skel=/etc/skel

1.5    Add sudo configuration

Using viduo add the following line to the sudoers file:
%test01_admin_group ALL=(ALL) ALL

Comments

Post a Comment

Popular posts from this blog

OIM 11g R2 PS2 : SOA Approval Workflow Sample

-
Image
In this post I am posting the sample code for a sample SOA approval workflow. Some of the features that this workflow addresses are Approval to Manager or Role Owners is dynamic based on the custom OIM system property "approval-condition". Value is set either "AND" or "OR". Manager or Role Owner can be set to be notified only with no approval required. In this case only email is sent to notify them but no approval is required from them. Custom OIM system property are created to address this.   manager-notify-only = TRUE or FALSE  TRUE = only notify the manager no approval request sent. FALSE = notify the manager and send an approval request.   roleowner-notify-only = TRUE or FALSE  TRUE = only notify the role owner no approval request sent. FALSE = notify the role owner and send an approval request. Third Level System Notification was required but it should be dynamic.  Custom OIM system property are created to address this sysadmin-...
Read more

OIM OIA Custom Code Integration via Web Services

-
This post covers the OIM OIA custom integration via web services. What this integration code does is listen for create or modify event in OIM and if that change is detected for a user profile then propagates it to OIA user in real time. If a user is created in OIM, then create the user in OIA. If a user is modified in OIM, then modify the user in OIA.  OIM changes are detected via Event Handler. OIA web services are invoked to create or modify the user in OIA. OIM Event Handler 1 package com.dubey.deepak.oim.oia.intg; 2 3 import Thor.API.Exceptions.tcAPIException; 4 import Thor.API.Exceptions.tcStaleDataUpdateException; 5 import Thor.API.Exceptions.tcUserNotFoundException; 6 7 import com.dubey.deepak.oim.oia.intg.ItResourceObj; 8 import com.dubey.deepak.oim.oia.intg.OIADBConnector; 9 import com.dubey.deepak.oim.oia.intg.OIAIntegrationConstants; 10 import com.dubey.deepak.oim.oia.intg.OIARequest; 11 import com.dubey.deepak.oim.oia.intg.OIA...
Read more

OIM 11g Custom ADF Application Development

-
Image
In this post , I will cover the steps required to create a custom ADF web application. What this application does is facilitate Account Claim Process. Users has been migrated from some other IAM product to OIM and exist in disabled state and hence cannot login to perform Self Service operations. User needs to identify themselves by providing their personal details like personal identification number, zip code and dob etc. After successfully Identifying themselves they will be able to set a new password and set their challenge questions and answers. During this process the application will activate their account and set the new password and QnA. At the end of the process, they will be able to login OIM with their new password set. The application has been developed using JDeveloper using ADF technology to render user interfaces and MVC design pattern to keep the concerns separate. Application Structure              ...
Read more