OpenLDAP Software FAQ: How to use LDAP authentication with AFS and PAM?
This is a brief how-to for enabling AFS authentication and LDAP authorization for PAM-enabled applications. Since PAM is pretty generic, you can ignore the AFS part and use whatever PAM module you want. The applications are typically compiled with the --with-pam option. This lets us use one database system (LDAP) for user information while keeping the authentication on the AFS database.
First, the PAM configuration. You need the pam_afs.so module in /lib/security (on Solaris it looks like this can be in /usr/lib/security too), owned by root. This comes with OpenAFS 2.7, which is the one I used; I didn't go back and test previous versions.

For Linux you need a file named after the service (e.g. samba) in the /etc/pam.d directory that looks like this:

    #%PAM-1.0
    auth     required pam_afs.so
    account  required pam_unix.so
    session  required pam_unix.so

For Solaris you need the /etc/pam.conf file to have about the same thing, except the service name is prepended to each line and you hard-code the module path. (I'm looking to see if there is a universal config for this. Sun created PAM, so I'm thinking they may have altered the standards a bit after its initial release.) The pam.conf entries for samba should look like this:

    samba auth    required /lib/security/pam_afs.so.1
    samba account required /lib/security/pam_unix.so.1
    samba session required /lib/security/pam_unix.so.1

One extra option that seems to be broken is cell=yourcell.com.

LDAP integration

You need to have an LDAP database configured using the NIS schema. To do this you need to create the base/root, Group and People objects etc. in the LDAP database. An LDIF file like this should work (e.g. ldapadd -x -D "cn=admin,dc=yourdomain,dc=com" -W -f blah.ldif):

----beginning of ldif stuff
# yourdomain, com
dn: dc=yourdomain,dc=com
objectClass: dcObject
objectClass: organization
# dc is a MUST attribute of dcObject; without it slapd rejects the entry
dc: yourdomain
o: yourdomain
---end of ldif stuff

Note: the password for the administrator is 'secret' as per the LDAP install instructions; you should change it. The password entry for the user only needs to exist; it doesn't matter what you put in it, since you are doing authentication via AFS. You also need a user (in this case testuser) in the AFS database with the same name. It becomes less confusing if you map the AFS id number to the uid/gid number. Then you need to have nss_ldap or something similar installed on your system.
Sun/RedHat/etc. all come with something installed out of the box, or you can get the latest (what RH uses), or if that doesn't work you can use the nss_ldap package from padl.com. You need to edit the /etc/nsswitch.conf file to read something like:

-- Linux
    passwd: files ldap
    shadow: files ldap
    group:  files ldap

-- Solaris
    passwd: files ldap
    group:  files ldap

Note: I'm not sure if the shadow line is actually needed for Linux, but it works. This basically tells the system that for user/group/shadow information we are going to look at the files first and then at LDAP. (Note: if you just use ldap you may have problems with local user accounts.) Then you need an /etc/ldap.conf file for your LDAP client information (Sun has its own LDAP piece and it is stored in /var/ldap).
The ldap.conf file takes the form of:

    host yourldapserver.com
    # The distinguished name of the search base.
    base dc=Yourhostname,dc=com

where host is where the LDAP server is (it should be an IP address if your DNS is stored in the LDAP database) and base is the distinguished name of your database. You can find migration tools to convert your current information to an LDAP-based system at padl.com; these tools are installed with RedHat. An example configuration of a slapd.conf file is like this (well, the important parts; you might want to do more with the security piece, this is meant to be very basic):

----begin slapd.conf stuff
## include relevant schemas; I think only core and nis are really needed.
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
#
## access permissions (each "by" clause needs a who part, here "*" = anyone)
access to dn.base="dc=yourdomain,dc=com" by * auth
access to dn.children="ou=People,dc=yourdomain,dc=com" by * read
access to dn.children="ou=Group,dc=yourdomain,dc=com" by * read
---- end of slapd.conf stuff

TESTING

Once you get through all that, you want to see if it works. You should be able to log in via Samba now. To test where the problem exists ('cause there are always problems) I usually just check to see if I'm getting information from the LDAP server. For Linux you can usually just finger the user:

    finger testuser

For Solaris I use a little script:

    sbin> more ldaptest.pl
    #!/usr/bin/perl
    # Look the user up through NSS (files, then LDAP, per nsswitch.conf) and
    # print every field getpwnam returns. The FAQ's copy of the script is cut
    # off after the $user line; the body below is reconstructed from the
    # output shown underneath, which is getpwnam's field list in order.
    use strict;
    my $user = "testuser";
    my @fields = qw(name passwd uid gid quota comment gecos dir shell);
    my @pw = getpwnam($user) or die "no such user: $user\n";
    for my $i (0 .. $#fields) {
        print "$fields[$i] $pw[$i]\n";
    }

Basically this tells you whether you have a firewall issue, the LDAP server not working or misconfigured, a bad nsswitch.conf or ldap.conf file, etc., or whether it is PAM or the server daemon that is causing the problem. Your output should look like:

    name testuser
    passwd eA==
    uid 501
    gid 501
    quota
    comment NA
    gecos Test User
    dir /home/testuser
    shell /bin/false

Another test is to do an ldapsearch from the command line to help isolate the LDAP pieces of the puzzle.
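As an added example (not part of this FAQ entry), the Python script below builds the NIS-schema entries the LDAP section calls for (base, ou=People, ou=Group, a posixAccount for testuser and a matching posixGroup) and checks each entry against the MUST attributes of its object classes, so an objectClass violation is caught before ldapadd. The object classes and their MUST lists are the ones in the standard core, cosine and nis schema files; the uid/gid, gecos, home directory and shell are constructed to match the testuser output shown above.

```python
# Added example, not from the FAQ entry: build the NIS-schema entries the text
# describes and check their MUST attributes before handing the LDIF to ldapadd.
DOMAIN = "yourdomain"
BASE = f"dc={DOMAIN},dc=com"
# MUST attributes from the standard core, cosine and nis schema files.
MUST = {
    "dcObject": {"dc"}, "organization": {"o"}, "organizationalUnit": {"ou"},
    "account": {"uid"},  # cosine: structural class that carries posixAccount
    "posixAccount": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
    "posixGroup": {"cn", "gidNumber"},
}

def build_entries(user, uidnum, gidnum, gecos, shell="/bin/false"):
    """Entries as (dn, {attr: [values]}) in the order ldapadd needs them."""
    return [
        (BASE, {"objectClass": ["dcObject", "organization"], "dc": [DOMAIN], "o": [DOMAIN]}),
        (f"ou=People,{BASE}", {"objectClass": ["organizationalUnit"], "ou": ["People"]}),
        (f"ou=Group,{BASE}", {"objectClass": ["organizationalUnit"], "ou": ["Group"]}),
        # userPassword is a placeholder only: pam_afs authenticates the user,
        # LDAP just feeds posixAccount data to nss_ldap. (Constructed values.)
        (f"uid={user},ou=People,{BASE}",
         {"objectClass": ["account", "posixAccount"], "uid": [user], "cn": [user],
          "uidNumber": [str(uidnum)], "gidNumber": [str(gidnum)], "gecos": [gecos],
          "homeDirectory": [f"/home/{user}"], "loginShell": [shell], "userPassword": ["x"]}),
        (f"cn={user},ou=Group,{BASE}",
         {"objectClass": ["posixGroup"], "cn": [user], "gidNumber": [str(gidnum)], "memberUid": [user]}),
    ]

def missing_attributes(entries):
    """(dn, attr) pairs whose MUST attribute is absent: slapd would reject the entry."""
    problems = []
    for dn, attrs in entries:
        for oc in attrs.get("objectClass", []):
            for need in sorted(MUST.get(oc, ())):
                if not attrs.get(need):
                    problems.append((dn, need))
    return problems

def to_ldif(entries):
    """Render LDIF for ldapadd; values are plain ASCII so no base64 (::) form is needed."""
    blocks = []
    for dn, attrs in entries:
        lines = [f"dn: {dn}"] + [f"{a}: {v}" for a, vals in attrs.items() for v in vals]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"
```

Run missing_attributes() on the result of build_entries() before writing to_ldif() output to a file; an empty list means every entry satisfies its object classes.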
There might be some mistakes, etc., so feel free to correct any errors, but last I knew, if you followed these instructions you could have a very basic authorization server working with PAM/LDAP.