7.6.06

 

Solaris 10 and Novell NDS

I finished my project to use existing Novell NDS accounts on Solaris 10. Here is what is needed.

First of all, you have to make sure that all needed schemas are available. Normally the posixAccount and shadowAccount classes should be available by default. Additional schemas can be found at docs.sun.com.

After that, add these classes to the user. Keep in mind that some attributes might have different names (uid is named userId).

Now a proxy account has to be created. This account is needed by the Solaris Client to browse the directory.

As you are already in Novell's Console One, you can export the server certificates for both LDAP Directories. Make sure they are in pem (b64) format. The certificates will be used for TLS.

Use certutil (in /usr/sfw/bin) to create the cert8 databases and import the server certificates. Then copy all .db files to /var/ldap.
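One way to carry out this step, as an added example that is not from the original post. The function name import_ldap_certs, the nickname scheme and the "CT,," trust flags are assumptions; the certutil path is the one given above. It needs a POSIX shell (on Solaris 10 that is /usr/xpg4/bin/sh, ksh or bash rather than /bin/sh).

```sh
# Added example, not from the original post. import_ldap_certs, the nickname
# scheme and the "CT,," trust flags are assumptions; adjust them to your CA setup.
CERTUTIL=${CERTUTIL:-/usr/sfw/bin/certutil}    # location named in the post

# import_ldap_certs DBDIR PEMFILE...
# Creates the NSS database in DBDIR if it is missing, then imports every
# PEM (b64) certificate under a nickname taken from its file name.
import_ldap_certs() {
    _db=$1; shift
    for _pem in "$@"; do          # refuse DER or truncated exports up front
        grep 'BEGIN CERTIFICATE' "$_pem" >/dev/null || {
            echo "not a PEM (b64) certificate: $_pem" >&2; return 1; }
    done
    [ -f "$_db/cert8.db" ] || "$CERTUTIL" -N -d "$_db" || return 1
    for _pem in "$@"; do
        _nick=$(basename "$_pem" .pem)
        "$CERTUTIL" -A -n "$_nick" -t "CT,," -a -i "$_pem" -d "$_db" || return 1
    done
    "$CERTUTIL" -L -d "$_db"      # list what the client will trust
}
# Usage: import_ldap_certs /var/ldap ldap1.pem ldap2.pem
```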

Once everything is done, you can initialize the client. I use manual initialization, but if you have a large environment you might find it useful to store the initialization profile in the LDAP directory as well.

Initializing ldapclient is a little bit tricky. As soon as you run the ldapclient init command, nsswitch.conf will be replaced with a version that doesn't search for DNS entries.

Without DNS (or at least /etc/hosts entries) the LDAP server will not be found, and if you use IP addresses the certificate will not match. Therefore I use a two-step method: first I bind to an LDAP server on port 389 (unsecure), and after that I edit the nsswitch.conf and pam.conf files.

(Another way would be to edit nsswitch.conf during initialization and then kill the cachemgr daemon.)

After that I will modify my configuration to use tls:simple and fully qualified hostnames.

ldapclient -v manual \
-a domainName=domain.net \
-a authenticationMethod=simple \
-a credentialLevel=proxy \
-a proxyDN=cn=proxyUser,ou=ldap,o=organisation \
-a proxyPassword=password \
-a defaultSearchBase=o=clariden \
-a defaultSearchScope=sub \
-a defaultServerList=xxx.xxx.xxx.xxx \
-a serviceSearchDescriptor=passwd:o=clariden?sub?groupMembership=cn=solarisprod,ou=Administration,ou=Groups,o=Organisation \
-a serviceSearchDescriptor=shadow:ou=users,o=organisation?sub \
-a serviceSearchDescriptor=user_attr:ou=users,o=organisation?sub \
-a serviceSearchDescriptor=group:ou=users,o=organisation?sub \
-a serviceSearchDescriptor=audit_user:ou=users,o=organisation?sub \
-a attributeMap=passwd:uid=userId \
-a attributeMap=user_attr:uid=userId \
-a attributeMap=audit_user:uid=userId \
-a certificatePath=/var/ldap


cp /etc/nsswitch.conf.ldap /etc/nsswitch.conf
cp /etc/pam.conf.ldap /etc/pam.conf

ldapclient -v mod -a defaultServerList=ldap1.domain,ldap2.domain -a authenticationMethod=tls:simple

The nsswitch.conf then looks like this, for example:

# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd: files ldap
group: files ldap

# consult /etc "files" only if ldap is down.
hosts: files dns


There is a pam.conf sample on docs.sun.com.

A little bit about the ldapclient init attributes that are not self-explanatory:

-a serviceSearchDescriptor=passwd:o=organisation?sub?groupMembership=cn=solarisprod,ou=Administration,ou=unixgroups,o=organisation

This means that passwd entries are only found for users whose groupMembership attribute contains the solarisprod group. This is a great way to limit users to certain servers (by filtering with the LDAP URL). There are default filters that every service.

-a serviceSearchDescriptor=user_attr:o=Organisation?sub

This is used for the user_attr database.

-a attributeMap=passwd:uid=userId -a attributeMap=user_attr:uid=userId

Novell NDS internally uses the uid attribute for users. In Novell's LDAP implementation this is mapped to userId. Because the Solaris client searches for the attribute by the name uid, this has to be mapped.
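The checks below are an added example, not part of the original post. They parse the serviceSearchDescriptor format explained above (service:baseDN?scope?filter) and flag the two conditions behind the two-step method: an authenticationMethod without TLS and a server list given as IP addresses. Function names and finding labels are hypothetical; a POSIX shell is assumed (on Solaris 10, /usr/xpg4/bin/sh, ksh or bash).

```sh
# Added example (not from the original post): lint ldapclient -a attributes.
# Function names are hypothetical. DNs with escaped ',' or '=' are not handled.

is_ipv4() {                 # dotted quad made of digits only
    case $1 in ''|*[!0-9.]*|*.*.*.*.*) return 1 ;; esac
    case $1 in *.*.*.*) return 0 ;; esac
    return 1
}

valid_dn() {                # every comma-separated RDN must be attr=value
    [ -n "$1" ] || return 1
    _ifs=$IFS; IFS=,; set -f; _bad=0
    for _rdn in $1; do
        case $_rdn in ''|=*|*=|*=*=*) _bad=1 ;; *=*) ;; *) _bad=1 ;; esac
    done
    IFS=$_ifs; set +f
    return $_bad
}

lint_attr() {               # one name=value attribute; prints findings
    _name=${1%%=*}; _val=${1#*=}
    case $_name in
    authenticationMethod)   # anything but tls:* binds without encryption
        case $_val in tls:*) ;; *) echo "CLEARTEXT-BIND $_val" ;; esac ;;
    defaultServerList)      # an IP address will not match the certificate name
        for _h in $(echo "$_val" | tr ',' ' '); do
            if is_ipv4 "${_h%%:*}"; then echo "IP-SERVER $_h"; fi
        done ;;
    serviceSearchDescriptor)
        _svc=${_val%%:*}; _rest=${_val#*:}; _base=${_rest%%\?*}
        valid_dn "$_base" || echo "BAD-DN $_svc $_base"
        case $_rest in *\?*)
            _scope=${_rest#*\?}; _scope=${_scope%%\?*}
            case $_scope in base|one|sub) ;; *) echo "BAD-SCOPE $_svc $_scope" ;; esac ;;
        esac ;;
    esac
}

lint_ldapclient() {         # all attributes; status 1 if anything was flagged
    _out=$(for _a in "$@"; do lint_attr "$_a"; done)
    [ -z "$_out" ] && return 0
    printf '%s\n' "$_out"; return 1
}
```

Call it with the same name=value pairs that follow each -a, for example `lint_ldapclient authenticationMethod=tls:simple defaultServerList=ldap1.domain,ldap2.domain`.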


As nice as it would be, the pam.conf entry

passwd auth binding pam_passwd_auth.so.1 server_policy

would allow a password change to send the new password in clear text (TLS encrypted) to the LDAP server to use a universal password. This means a Solaris client could also change Novell passwords.

But unfortunately, NDS does not allow a user to change the password directly. The way to achieve this would be to first delete the password and then add a new one, all in one LDAP request.


5.6.06

 

Apache 2.2.2 and Novell NDS

I had some trouble with the Sun Solaris included LDAP SDK accessing a Novell NDS for Authentication/Authorization...

Anyway, I wanted to use Secure LDAP, and there's no way to get around the Novell CLDAP SDK.

Here's the way to compile Apache on a T2000. Take a look at all those with-ldap-something parameters. It took a long time to figure these out. Documentation sucks...

./configure --prefix=/u00/appl/apache2 \
--enable-mods-shared=all \
--enable-ssl \
--enable-authnz-ldap \
--with-ssl=/usr/sfw \
--with-ldap \
--with-ldap-dir=/u00/appl/novell-cldap \
--enable-ldap \
--with-ldap-lib=/u00/appl/novell-cldap/lib \
--with-ldap-include=/u00/appl/novell-cldap/include \
--libdir=/usr/local/lib \
--with-apr=/u00/appl/apache2/apr-httpd \
--with-apr-util=/u00/appl/apache2/apr-util-httpd

It seems there is a bug in Apache's MPM worker implementation, as my CGIs won't run when using that option. As I don't have that much traffic, I don't use it.

What I don't like is that by default you can't run "make install" without being root: Apache wants to install the apr stuff into /usr/local/. Therefore you should first set the apr prefix to your directory of choice (mine is under apache2).

Here is the httpd.conf:

LDAPTrustedGlobalCert CA_BASE64 /u00/appl/apache2/conf/rootca.pem
LDAPVerifyServerCert On
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600
LDAPSharedCacheFile /u00/appl/apache2/logs/ldap_cache

Alias /location /u00/appl/somewhere

# The container tags are missing from this post; a <Directory> block for the aliased path is assumed.
<Directory /u00/appl/somewhere>
AuthType Basic
AuthName "host.domain"
AuthBasicProvider ldap
AuthLDAPURL ldaps://ldap1.domain/o=Organisation?uid
require ldap-attribute ou=OrganisationUnit
Options Indexes
IndexOptions FancyIndexing
IndexStyleSheet "/css/font.css"
Order allow,deny
Allow from all
</Directory>


The certificate is in pem/b64 format.

Good luck!
