Thursday, April 24, 2014

Setting up Solaris Server/Machine to the Directory Server Enterprise Edition for Pluggable Authentication Module (PAM)


This article describes how to connect a Solaris server to the DSEE (Directory Server Enterprise Edition) server so that directory users can log in through PAM. This involves several steps.

1.1    Create ldap groups and users

LDAP groups are used to ensure that only authenticated users can log in to the server. Two LDAP groups, test01_user_group and test01_admin_group, were created as follows.
The sample LDIF below contains a test user with the appropriate objectClasses set (note the solarisGroup objectClass on the _adm group).
Create a file import.ldif with the following content:

dn: uid=DUBEYD,ou=people,dc=mycomp,dc=mydomain,dc=com
userPassword: {SSHA}e2+YblxlKb8q0NOTNCNwHHld6uAdSxhdxmWWGw==
uidNumber: 10001
gecos: Deepak Dubey
loginShell: /bin/sh
gidNumber: 99999
givenName: Deepak
sn: Steen
objectClass: inetorgperson
objectClass: posixAccount
objectClass: organizationalPerson
objectClass: top
objectClass: person
objectClass: shadowAccount
uid: DUBEYD
cn: Deepak Dubey
homeDirectory: /home/DUBEYD

dn: cn=Sis_Dsi_SA_servers_usr,ou=UserGroups,ou=group,dc=mycomp,dc=mydomain,dc=com
objectClass: groupOfUniqueNames
objectClass: top
objectClass: posixGroup
gidNumber: 90011
uniqueMember: uid=DUBEYD,ou=people,dc=mycomp,dc=mydomain,dc=com
cn: Sis_Dsi_SA_servers_usr

dn: cn=omyawb12_usr,ou=UsrSubGroups,ou=UserGroups,ou=group,dc=oam,dc=uk,dc=tmo
objectClass: groupOfUniqueNames
objectClass: top
uniqueMember: cn=Sis_Dsi_SA_servers_usr,ou=UserGroups,ou=group,dc=oam,dc=uk,dc=tmo
cn: test01_user_group

dn: cn=omyawb12_adm,ou=AdmSubGroups,ou=AdminGroups,ou=group,dc=mycomp,dc=mydomain,dc=com
objectClass: groupOfUniqueNames
objectClass: top
objectClass: solarisGroup
objectClass: posixGroup
gidNumber: 99999
cn: test01_admin_group



Then, from a machine where an LDAP client is installed (for instance the DSEE server itself), issue the following command:

> ldapadd -h vDSEEWB01 -p 389 -D "cn=Directory Manager" -f import.ldif -q

1.2    LDAP Client Setup

In order for a Solaris client to use LDAP as a naming service the following needs to be in place.

- The client's domain name must be served by the LDAP server
- The nsswitch.conf file needs to point to LDAP for the required services
- The client needs to be configured with all the given parameters that define its behavior
- ldap_cachemgr needs to be running on the client
- At least one server for which a client is configured must be up and running

The ldapclient utility is the key to setting up an LDAP client, as it performs all of the above steps, except for starting the server.

1.2.1    Execute ldapclient for client registration

Log in as root (via sudo) to the server you want to connect to LDAP and execute the command below.
You can substitute the proxyDN value with the DN of any user that has search access rights on the defaultsearchbase. The last argument is the IP address of the DSEE server machine.
The proxy password will be stored encrypted. Each serviceSearchDescriptor must be passed with its own -a flag. Note that with authenticationMethod=simple the proxy bind on port 389 is not encrypted on the wire; section 1.2.7 shows the TLS-based setup.

ldapclient manual -v \
  -a defaultsearchbase=dc=mycomp,dc=mydomain,dc=com \
  -a proxyDN=cn=admin,cn=Administrators,cn=dscc \
  -a serviceSearchDescriptor=group:ou=group,dc=mycomp,dc=mydomain,dc=com \
  -a "serviceSearchDescriptor=shadow:ou=people,dc=mycomp,dc=mydomain,dc=com?sub?(isMemberOf=cn=test01_user_group,ou=UsrSubGroups,ou=UserGroups,ou=group,dc=mycomp,dc=mydomain,dc=com)" \
  -a "serviceSearchDescriptor=passwd:ou=people,dc=mycomp,dc=mydomain,dc=com?sub?(isMemberOf=cn=test01_user_group,ou=UsrSubGroups,ou=UserGroups,ou=group,dc=mycomp,dc=mydomain,dc=com)" \
  -a credentialLevel=proxy \
  -a authenticationMethod=simple \
  -a proxyPassword=password \
  -a domainName=oam.uk.tmo \
  10.225.248.125

After the above command has run, you can verify that the settings are in place with:

>  ldapclient list
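Before running ldapadd it is worth auditing the LDIF offline. An RDN value that is absent from the entry's own attributes (as in import.ldif in 1.1, where the user group's dn names cn=omyawb12_usr while its cn attribute is test01_user_group) violates RFC 4512, and if the group ends up under a name other than the one the passwd/shadow serviceSearchDescriptor filter expects, no account matches the filter and nobody can log in. The Python script below is an added example, not code from the original post or from DSEE: it parses LDIF (including folded lines), reports RDN/attribute mismatches, resolves nested groupOfUniqueNames membership and lists the uids that an (isMemberOf=...) filter would expose. It assumes that isMemberOf is resolved through nested groups, which the user -> Sis_Dsi_SA_servers_usr -> test01_user_group layout relies on, and it uses a constructed sample under dc=example,dc=com rather than the post's suffixes.

```python
"""Offline audit of an LDIF of users and groups before importing it into DSEE."""
import base64
from collections import deque

# Constructed sample (not the post's file): same shape as import.ldif, one
# suffix dc=example,dc=com, and it keeps the post's mismatch between the user
# group's dn (cn=omyawb12_usr) and its cn attribute (test01_user_group).
SAMPLE_LDIF = """\
dn: uid=DUBEYD,ou=people,dc=example,dc=com
objectClass: inetorgperson
objectClass: posixAccount
uid: DUBEYD
cn: Deepak Dubey
gidNumber: 99999

dn: cn=Sis_Dsi_SA_servers_usr,ou=UserGroups,ou=group,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: posixGroup
gidNumber: 90011
uniqueMember: uid=DUBEYD,ou=people,dc=example,dc=com
cn: Sis_Dsi_SA_servers_usr

dn: cn=omyawb12_usr,ou=UsrSubGroups,ou=UserGroups,ou=group,dc=example,
 dc=com
objectClass: groupOfUniqueNames
uniqueMember: cn=Sis_Dsi_SA_servers_usr,ou=UserGroups,ou=group,dc=example,d
 c=com
cn: test01_user_group

dn: cn=omyawb12_adm,ou=AdmSubGroups,ou=AdminGroups,ou=group,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: solarisGroup
objectClass: posixGroup
gidNumber: 99999
cn: omyawb12_adm
"""

# The group DN the post's ldapclient filter refers to, moved to the sample suffix.
USER_GROUP_DN = 'cn=test01_user_group,ou=UsrSubGroups,ou=UserGroups,ou=group,dc=example,dc=com'


def normalize_dn(dn):
    """Canonical form for comparing DNs: lower case, no blanks around ',' or '='."""
    parts = []
    for rdn in dn.split(','):
        attr, _, value = rdn.partition('=')
        parts.append(attr.strip().lower() + '=' + value.strip().lower())
    return ','.join(parts)


def parse_ldif(text):
    """Parse LDIF into a list of (dn, {attr_lowercase: [values]}) entries."""
    entries = []
    for block in text.strip().split('\n\n'):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(' ') and lines:   # folded line: join without the blank
                lines[-1] += raw[1:]
            elif raw and not raw.startswith('#'):
                lines.append(raw)
        dn, attrs = None, {}
        for line in lines:
            attr, _, value = line.partition(':')
            if value.startswith(':'):           # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode()
            else:                               # "attr: value" ("attr:value" is legal too)
                value = value.strip()
            attr = attr.strip().lower()
            if attr == 'dn':
                dn = value
            else:
                attrs.setdefault(attr, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def rdn_mismatches(entries):
    """DNs whose leading RDN value is missing from the entry's attribute values (RFC 4512)."""
    bad = []
    for dn, attrs in entries:
        attr, _, value = dn.split(',')[0].partition('=')
        have = [v.lower() for v in attrs.get(attr.strip().lower(), [])]
        if value.strip().lower() not in have:
            bad.append(dn)
    return bad


def member_of(entries):
    """Map each normalized DN to the groups it belongs to, following nested groups
    (assumption: the server's isMemberOf virtual attribute is resolved this way)."""
    direct = {}                                  # member DN -> set of group DNs
    for dn, attrs in entries:
        if 'groupofuniquenames' not in [c.lower() for c in attrs.get('objectclass', [])]:
            continue
        for m in attrs.get('uniquemember', []):
            direct.setdefault(normalize_dn(m), set()).add(normalize_dn(dn))
    result = {}
    for dn, _ in entries:
        seen, queue = set(), deque([normalize_dn(dn)])
        while queue:
            for g in direct.get(queue.popleft(), ()):
                if g not in seen:
                    seen.add(g)
                    queue.append(g)
        result[normalize_dn(dn)] = seen
    return result


def uids_matching_filter(entries, group_dn):
    """uids that a serviceSearchDescriptor filter (isMemberOf=group_dn) would expose."""
    groups, target = member_of(entries), normalize_dn(group_dn)
    return sorted(attrs['uid'][0] for dn, attrs in entries
                  if 'uid' in attrs and target in groups[normalize_dn(dn)])


if __name__ == '__main__':
    entries = parse_ldif(SAMPLE_LDIF)
    print('RDN/attribute mismatches:', rdn_mismatches(entries))
    print('uids visible through the passwd/shadow filter:',
          uids_matching_filter(entries, USER_GROUP_DN))
```

Run against the constructed sample, the audit reports the mismatched group DN and an empty uid list for the filter the ldapclient command uses, which is exactly the condition that shows up later as "nobody can log in"; once the dn and cn agree, DUBEYD appears through the nested group.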

1.2.2    Overwrite /etc/pam.conf

Log in as root (via sudo) to the server you want to connect to LDAP and back up the existing /etc/pam.conf file.
Then overwrite the content of /etc/pam.conf with the following:

#
#ident      "@(#)pam.conf          1.31         07/12/07 SMI"
#
# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth required           pam_dial_auth.so.1
login   auth binding            pam_unix_auth.so.1 server_policy
login   auth required           pam_ldap.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth binding            pam_unix_auth.so.1 server_policy
rlogin  auth required           pam_ldap.so.1
#
# Kerberized rlogin service
#
krlogin auth required           pam_unix_cred.so.1
krlogin auth required           pam_krb5.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
rsh     auth binding            pam_unix_auth.so.1 server_policy
rsh     auth required           pam_ldap.so.1
#
# Kerberized rsh service
#
krsh    auth required           pam_unix_cred.so.1
krsh    auth required           pam_krb5.so.1
#
# Kerberized telnet service
#
ktelnet auth required           pam_unix_cred.so.1
ktelnet auth required           pam_krb5.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_cred.so.1
ppp     auth binding            pam_unix_auth.so.1 server_policy
ppp     auth required           pam_dial_auth.so.1
ppp     auth required           pam_ldap.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth binding            pam_unix_auth.so.1 server_policy
other   auth required           pam_ldap.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth binding            pam_passwd_auth.so.1 server_policy
passwd  auth required           pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account binding         pam_unix_account.so.1 server_policy
other   account required        pam_ldap.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
other   session required        pam_mkhomedir.so skel=/etc/skel/ umask=0022
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1 debug server_policy
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
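To see why this stack lets both local and LDAP accounts log in, yet never lets a failed local password fall through to LDAP, it helps to walk the control flags by hand. The Python script below is an added example, not part of the original post and not Solaris code: it models the pam.conf(4) control flags (requisite, required, binding, sufficient, optional) plus a module returning PAM_IGNORE, and runs the login auth stack above with different module outcomes. It assumes that pam_unix_auth with server_policy returns PAM_IGNORE for accounts that do not come from the local files, leaving pam_ldap to decide for directory users; the pam.conf excerpt embedded in it is a constructed subset of the file above.

```python
"""Simulate how the Solaris PAM framework walks an auth stack from pam.conf."""

# Constructed excerpt of the pam.conf above: the login auth stack and the
# "other" fallback only.
PAM_CONF = """\
# login service (explicit because of pam_dial_auth)
login   auth requisite   pam_authtok_get.so.1
login   auth required    pam_dhkeys.so.1
login   auth required    pam_unix_cred.so.1
login   auth required    pam_dial_auth.so.1
login   auth binding     pam_unix_auth.so.1 server_policy
login   auth required    pam_ldap.so.1
# default for services without an explicit entry
other   auth requisite   pam_authtok_get.so.1
other   auth required    pam_dhkeys.so.1
other   auth required    pam_unix_cred.so.1
other   auth binding     pam_unix_auth.so.1 server_policy
other   auth required    pam_ldap.so.1
"""


def parse_pam_conf(text):
    """Return {(service, module_type): [(control_flag, module, options)]}."""
    stacks = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        service, mtype, flag, module, *options = line.split()
        stacks.setdefault((service, mtype), []).append((flag, module, options))
    return stacks


def run_stack(stacks, service, mtype, outcomes):
    """Walk one stack and return (overall_result, modules_consulted).

    outcomes maps module name -> 'success', 'fail' or 'ignore' (PAM_IGNORE);
    modules not listed succeed. Control flags follow pam.conf(4):
      requisite   fail -> stop at once, overall fail
      required    fail -> remember the failure, continue
      binding     success with no earlier failure -> stop, overall success;
                  fail -> remember the failure, continue
      sufficient  success with no earlier failure -> stop, overall success;
                  fail -> ignored
      optional    only decides the result if no other module took part
    A service with no entry of its own falls back to "other".
    """
    modules = stacks.get((service, mtype)) or stacks.get(('other', mtype), [])
    failed = False            # a required or binding module has failed
    optional_failed = False
    others_took_part = False
    consulted = []
    for flag, module, _ in modules:
        consulted.append(module)
        rc = outcomes.get(module, 'success')
        if rc == 'ignore':    # module declined; treated as if not listed
            continue
        ok = rc == 'success'
        if flag == 'optional':
            optional_failed = optional_failed or not ok
            continue
        others_took_part = True
        if flag == 'requisite' and not ok:
            return 'fail', consulted
        if flag == 'required' and not ok:
            failed = True
        elif flag == 'binding':
            if ok and not failed:
                return 'success', consulted
            if not ok:
                failed = True
        elif flag == 'sufficient' and ok and not failed:
            return 'success', consulted
    if failed or (optional_failed and not others_took_part):
        return 'fail', consulted
    return 'success', consulted


if __name__ == '__main__':
    stacks = parse_pam_conf(PAM_CONF)
    cases = {
        'local user, correct password':     {'pam_unix_auth.so.1': 'success'},
        'LDAP user, correct password':      {'pam_unix_auth.so.1': 'ignore', 'pam_ldap.so.1': 'success'},
        'LDAP user, wrong password':        {'pam_unix_auth.so.1': 'ignore', 'pam_ldap.so.1': 'fail'},
        'local user, wrong local password': {'pam_unix_auth.so.1': 'fail', 'pam_ldap.so.1': 'success'},
    }
    for name, outcomes in cases.items():
        print(name, '->', run_stack(stacks, 'login', 'auth', outcomes))
```

The fourth case is the one worth noticing: a binding module that fails records a required failure, so even if pam_ldap were to succeed afterwards the login still fails; conversely, a local account that passes pam_unix_auth never reaches pam_ldap at all, which is why the proxy bind to the directory is not on the path for purely local logins.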




1.2.3    Overwrite /etc/nsswitch.conf file.

Back up the existing file and overwrite its contents with the text below.

#
# Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# ident   "@(#)nsswitch.ldap              1.10        06/05/03 SMI"

#
# /etc/nsswitch.ldap:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP in conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

# LDAP service requires that svc:/network/ldap/client:default be enabled
# and online.

# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd:     files ldap

#passwd: compat
#passwd_compat: ldap


group:      files ldap

# consult /etc "files" only if ldap is down.
hosts:      files dns

# Note that IPv4 addresses are searched for in all of the ipnodes databases
# before searching the hosts databases.
ipnodes:    files dns

networks:   files dns
protocols:  ldap [NOTFOUND=return] files
rpc:        ldap [NOTFOUND=return] files
ethers:     ldap [NOTFOUND=return] files
netmasks:   ldap [NOTFOUND=return] files
bootparams: ldap [NOTFOUND=return] files
publickey:  ldap [NOTFOUND=return] files

netgroup:   ldap

automount:  files ldap
aliases:    files ldap

# for efficient getservbyname() avoid ldap
services:   files ldap

printers:   user files ldap

auth_attr:  files ldap
prof_attr:  files ldap

project:    files ldap

tnrhtp:     files ldap
tnrhdb:     files ldap


1.2.4    Copy pam_mkhomedir.so file

Transfer pam_mkhomedir.so from subversion or the deliverables to the client machine and copy it into the /usr/lib/security directory, where the relative module names in pam.conf are resolved.

1.2.5    Add sudo configuration

Using visudo, add the following line to the sudoers file:
%test01_admin_group ALL=(ALL) ALL

1.2.6    Restart ldap client service

Issue the below command.

> svcadm restart network/ldap/client:default



1.2.7    Solaris Native LDAP client side

# Create the NSS DB (do not enter a password; just hit return)
certutil -N -d /var/ldap
chmod 444 /var/ldap/*
# Download the Test CA certificate to a temporary location on the client machine, e.g. /var/tmp/cacert.pem
# Add the CA certificate to the NSS DB
certutil -A -n "ca-cert" -i /var/tmp/cacert.pem -a -t CT -d /var/ldap
# Verify that "myhost" resolves to its fully qualified name; otherwise fix /etc/hosts (and, if necessary, /etc/nsswitch.conf)
getent hosts 11.22.33.44
11.22.33.44 myhost.test.sun.com
# Test with ldapsearch over SSL (-Z), using the certificate database just created
ldapsearch -v -h myhost.test.sun.com -p 636 -Z -P /var/ldap/cert8.db -b "dc=sun,dc=com" -s base "objectclass=*"
# Initialize the Native LDAP client using the profile "tls-profile"
/usr/sbin/ldapclient init -a profileName=tls-profile -a domainname=test.sun.com -a proxyDN=cn=proxyagent,ou=profile,dc=test,dc=sun,dc=com -a proxyPassword=proxy 11.22.33.44