Setting up a Solaris Server/Machine with Directory Server Enterprise Edition for Pluggable Authentication Module (PAM)
This article describes how to connect a Solaris server to the DSEE server. This involves several steps.
1.1 Create ldap groups and users
LDAP groups are used to ensure that only authenticated users can log in to the server. Two LDAP groups were created, test01_user_group and test01_admin_group, in the following way:
The sample LDIF below contains a test user with the appropriate objectClasses set (note the solarisGroup objectClass on the admin group).
Create a file import.ldif with the following content (entries are separated by a blank line, and each group's cn attribute matches the cn in its DN):
dn: uid=DUBEYD,ou=people,dc=mycomp,dc=mydomain,dc=com
userPassword: {SSHA}e2+YblxlKb8q0NOTNCNwHHld6uAdSxhdxmWWGw==
uidNumber: 10001
gecos: Deepak Dubey
loginShell: /bin/sh
gidNumber: 99999
givenName: Deepak
sn: Steen
objectClass: inetorgperson
objectClass: posixAccount
objectClass: organizationalPerson
objectClass: top
objectClass: person
objectClass: shadowAccount
uid: DUBEYD
cn: Deepak Dubey
homeDirectory: /home/DUBEYD

dn: cn=Sis_Dsi_SA_servers_usr,ou=UserGroups,ou=group,dc=mycomp,dc=mydomain,dc=com
objectClass: groupOfUniqueNames
objectClass: top
objectClass: posixGroup
gidNumber: 90011
uniqueMember: uid=DUBEYD,ou=people,dc=mycomp,dc=mydomain,dc=com
cn: Sis_Dsi_SA_servers_usr

dn: cn=test01_user_group,ou=UsrSubGroups,ou=UserGroups,ou=group,dc=mycomp,dc=mydomain,dc=com
objectClass: groupOfUniqueNames
objectClass: top
uniqueMember: cn=Sis_Dsi_SA_servers_usr,ou=UserGroups,ou=group,dc=mycomp,dc=mydomain,dc=com
cn: test01_user_group

dn: cn=test01_admin_group,ou=AdmSubGroups,ou=AdminGroups,ou=group,dc=mycomp,dc=mydomain,dc=com
objectClass: groupOfUniqueNames
objectClass: top
objectClass: solarisGroup
objectClass: posixGroup
gidNumber: 99999
cn: test01_admin_group
Then, from a machine where an LDAP client is installed (for instance the DSEE server), issue the following command:
> ldapadd -h vDSEEWB01 -p 389 -D "cn=Directory Manager" -f import.ldif -q
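Before running ldapadd, a pre-flight check of import.ldif catches the mistakes that are easy to make when entries are edited by hand (entries run together without a blank line, a DN whose RDN value is not among the entry's attributes, a DN under the wrong suffix). This is an added example, not part of the original article; check_ldif is an assumed name and the checks rely only on sh and awk.

```shell
#!/bin/sh
# check_ldif FILE SUFFIX: pre-flight check of an LDIF file before ldapadd.
# Added example, not from the article. Reports three hand-editing mistakes:
#   - two entries not separated by a blank line (ldapadd reads them as one)
#   - an RDN value (uid=..., cn=...) missing from the entry's own attributes
#   - a DN that is not under the expected suffix
# Exit status 0 means clean, 1 means problems were printed.
check_ldif() {
  # Pass 1 unfolds LDIF continuation lines (a leading space joins a line to
  # the previous one) so that pass 2 sees exactly one attribute per line.
  awk '/^ / { buf = buf substr($0, 2); next }
       { if (NR > 1) print buf; buf = $0 }
       END { print buf }' "$1" |
  awk -v suffix="$2" '
    function flush(   rdn, kv) {
      if (dn == "") return
      rdn = dn; sub(/,.*/, "", rdn)            # first RDN, e.g. cn=test01_user_group
      split(rdn, kv, "=")
      if (!((tolower(kv[1]) ":" kv[2]) in attrs))
        { print "RDN value is not an attribute of the entry: " dn; bad++ }
      if (substr(dn, length(dn) - length(suffix) + 1) != suffix)
        { print "DN outside suffix " suffix ": " dn; bad++ }
      dn = ""; split("", attrs)
    }
    /^dn:/ {
      if (dn != "" && !prev_blank) { print "missing blank line before: " $0; bad++ }
      flush()
      dn = $0; sub(/^dn:[ \t]*/, "", dn)
      gsub(/,[ \t]+/, ",", dn); gsub(/=[ \t]+/, "=", dn)   # normalise stray spaces
      prev_blank = 0; next
    }
    /^[ \t]*$/ { prev_blank = 1; next }
    /^[A-Za-z][A-Za-z0-9;-]*:/ {
      key = $0; sub(/:.*/, "", key)
      val = $0; sub(/^[^:]*:[ \t]*/, "", val)
      attrs[tolower(key) ":" val] = 1; prev_blank = 0; next
    }
    { prev_blank = 0 }
    END { flush(); exit (bad > 0) }'
}
# Usage on the file from this section:
# check_ldif import.ldif "dc=mycomp,dc=mydomain,dc=com"
```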
1.2 LDAP Client Setup
In order for a Solaris client to use LDAP as a naming service, the following needs to be in place:
· The client's domain name must be served by the LDAP server
· The nsswitch.conf file needs to point to LDAP for the required services
· The client needs to be configured with all the given parameters that define its behavior
· ldap_cachemgr needs to be running on the client
· At least one server for which a client is configured must be up and running
The ldapclient utility is the key to setting up an LDAP client, as it performs all of the above steps, except for starting the server.
1.2.1 Execute ldapclient for client registration
Log in as root (via sudo) to the server you want to connect to LDAP and execute the command below.
In the command you can substitute the proxyDN value with the DN of any user who has search access rights on the defaultSearchBase; a dedicated read-only proxy account is preferable to an administrative DN, because ldapclient stores its password on every client. The last argument is the IP address of the DSEE server machine. Note that authenticationMethod=simple sends the proxy credentials in clear text unless the connection is protected by TLS (see section 1.2.7).
The password will be stored encrypted.
ldapclient manual -v -a defaultSearchBase=dc=mycomp,dc=mydomain,dc=com -a proxyDN=cn=admin,cn=Administrators,cn=dscc -a serviceSearchDescriptor=group:ou=group,dc=mycomp,dc=mydomain,dc=com -a "serviceSearchDescriptor=shadow:ou=people,dc=mycomp,dc=mydomain,dc=com?sub?(isMemberOf=cn=test01_user_group,ou=UsrSubGroups,ou=UserGroups,ou=group,dc=mycomp,dc=mydomain,dc=com)" -a "serviceSearchDescriptor=passwd:ou=people,dc=mycomp,dc=mydomain,dc=com?sub?(isMemberOf=cn=test01_user_group,ou=UsrSubGroups,ou=UserGroups,ou=group,dc=mycomp,dc=mydomain,dc=com)" -a credentialLevel=proxy -a authenticationMethod=simple -a proxyPassword=password -a domainName=oam.uk.tmo 10.225.248.125
After executing the command above, verify that the settings have been applied:
> ldapclient list
1.2.2 Overwrite /etc/pam.conf
Log in as root (via sudo) to the server you want to connect to LDAP and back up the existing /etc/pam.conf file.
Then overwrite the contents of /etc/pam.conf with the following:
#
#ident "@(#)pam.conf 1.31 07/12/07 SMI"
#
# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1
#
# Kerberized rlogin service
#
krlogin auth required pam_unix_cred.so.1
krlogin auth required pam_krb5.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
rsh auth binding pam_unix_auth.so.1 server_policy
rsh auth required pam_ldap.so.1
#
# Kerberized rsh service
#
krsh auth required pam_unix_cred.so.1
krsh auth required pam_krb5.so.1
#
# Kerberized telnet service
#
ktelnet auth required pam_unix_cred.so.1
ktelnet auth required pam_krb5.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth binding pam_unix_auth.so.1 server_policy
ppp auth required pam_dial_auth.so.1
ppp auth required pam_ldap.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
other session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 debug server_policy
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
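A hand-edited pam.conf fails in two quiet ways: a stack that defers to the server with server_policy but has no pam_ldap.so.1 line after it, so LDAP users of that service are never authenticated by pam_ldap, and a module that is referenced but not installed (the pam_mkhomedir.so copied in by hand in section 1.2.4 is the usual suspect). The check below is an added example, not part of the original article; check_pam_conf is an assumed name and the module directory is passed as an argument so the check can be run against a copy of the file.

```shell
#!/bin/sh
# check_pam_conf FILE MODULE_DIR: sanity check of a Solaris pam.conf such as
# the one above. Added example, not from the article. It reports:
#   - a stack that defers to the server (pam_unix_auth, pam_unix_account or
#     pam_passwd_auth with server_policy) but has no pam_ldap.so.1 after it
#   - a module referenced in the file that is not installed under MODULE_DIR
#     (/usr/lib/security on a real host)
# Exit status 0 means clean, 1 means problems were printed.
check_pam_conf() {
  awk -v moddir="$2" '
    NF < 4 || $1 ~ /^#/ { next }               # skip comments, blanks, junk
    {
      svc = $1; type = $2; mod = $4; stack = svc " " type
      # Relative module names resolve below MODULE_DIR; absolute paths as-is.
      path = (mod ~ /^\//) ? mod : moddir "/" mod
      if (!(path in seen)) {
        seen[path] = 1
        if (system("test -e \"" path "\"") != 0)
          { print "module not installed: " path " (" stack ")"; bad++ }
      }
      for (i = 5; i <= NF; i++)
        if ($i == "server_policy" && mod ~ /^pam_(unix_auth|unix_account|passwd_auth)\.so/)
          deferred[stack] = 1
      # pam_ldap only counts if it appears after the deferring module
      if (mod ~ /^pam_ldap\.so/ && (stack in deferred)) covered[stack] = 1
    }
    END {
      for (s in deferred)
        if (!(s in covered)) { print "server_policy without pam_ldap after it: " s; bad++ }
      exit (bad > 0)
    }' "$1"
}
# Usage on a real host:
# check_pam_conf /etc/pam.conf /usr/lib/security
```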
1.2.3 Overwrite /etc/nsswitch.conf
Back up the existing file and overwrite its contents with the text below.
#
# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "@(#)nsswitch.ldap 1.10 06/05/03 SMI"
#
# /etc/nsswitch.ldap:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP in conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
# LDAP service requires that svc:/network/ldap/client:default be enabled
# and online.
# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd: files ldap
#passwd: compat
#passwd_compat: ldap
group: files ldap
# consult /etc "files" only if ldap is down.
hosts: files dns
# Note that IPv4 addresses are searched for in all of the ipnodes databases
# before searching the hosts databases.
ipnodes: files dns
networks: files dns
protocols: ldap [NOTFOUND=return] files
rpc: ldap [NOTFOUND=return] files
ethers: ldap [NOTFOUND=return] files
netmasks: ldap [NOTFOUND=return] files
bootparams: ldap [NOTFOUND=return] files
publickey: ldap [NOTFOUND=return] files
netgroup: ldap
automount: files ldap
aliases: files ldap
# for efficient getservbyname() avoid ldap
services: files ldap
printers: user files ldap
auth_attr: files ldap
prof_attr: files ldap
project: files ldap
tnrhtp: files ldap
tnrhdb: files ldap
1.2.4 Copy pam_mkhomedir.so file
Transfer pam_mkhomedir.so from Subversion or the deliverables to the client machine and copy it into the /usr/lib/security directory.
1.2.5 Add sudo configuration
Using visudo, add the following line to the sudoers file:
%test01_admin_group ALL=(ALL) ALL
1.2.6 Restart ldap client service
Issue the command below.
> svcadm restart network/ldap/client:default
1.2.7 Solaris Native LDAP client side
# Create the NSS DB (do not enter a password; just hit return)
certutil -N -d /var/ldap
chmod 444 /var/ldap/*
# Download the Test CA certificate to the client machine into a temporary location, e.g. /var/tmp/cacert.pem
# Add the CA certificate to the NSS DB
certutil -A -n "ca-cert" -i /var/tmp/cacert.pem -a -t CT -d /var/ldap
# Verify that "myhost" is fully qualified; otherwise modify /etc/hosts (and, if necessary, /etc/nsswitch.conf)
getent hosts 11.22.33.44
11.22.33.44 myhost.test.sun.com
# Test with ldapsearch over TLS (port 636) against the certificate DB created above
ldapsearch -v -h myhost.test.sun.com -p 636 -Z -P /var/ldap/cert8.db -b "dc=sun,dc=com" -s base "objectclass=*"
# Initialize the native LDAP client using the profile "tls-profile".
/usr/sbin/ldapclient init -a profileName=tls-profile -a domainname=test.sun.com -a proxyDN=cn=proxyagent,ou=profile,dc=test,dc=sun,dc=com -a proxyPassword=proxy 11.22.33.44