Ldap Client Configuration

Ldap Client Config

Freebsd Configuration

These commands install the needed software (the openldap2*-client port is pulled in with them):

# cd /usr/ports/net/nss_ldap
# make install
# cd /usr/ports/security/pam_ldap
# make install
## IF NEEDED ##
# cd /usr/ports/shells/bash
# make install clean

Below are examples of /usr/local/etc/ldap.conf and of the /etc/pam.d/passwd, sshd, ldap, and system files:

# cat ldap.conf
host 127.0.0.1
base dc=domain,dc=com
ldap_version 3
port 636
timelimit 4
bind_timelimit 4
bind_policy soft
# These next two *can* be used if you have compiled sudo with LDAP support #
sudoers_base ou=SUDOers,dc=domain,dc=com
#sudoers_debug 2
pam_filter objectclass=posixAccount
pam_login_attribute uid
ssl yes
pam_password md5
TLS_CACERTDIR /usr/local/etc/openldap/certs
TLS_REQCERT allow

# mkdir /usr/local/etc/openldap/certs

# cat passwd
password required pam_unix.so no_warn try_first_pass nullok
password sufficient /usr/local/lib/pam_ldap.so use_first_pass

# cat sshd
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
account required pam_login_access.so
account required pam_unix.so
session required pam_permit.so
password required pam_unix.so no_warn try_first_pass

# cat ldap
login auth sufficient /usr/local/lib/pam_ldap.so

# cat system
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
account required pam_login_access.so
account required pam_unix.so
session required pam_lastlog.so no_fail
password required pam_unix.so no_warn try_first_pass
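The sshd and system stacks above mix required, requisite and sufficient modules, and the outcome depends on the order and on which module fails. The evaluator below is an added example, not code from the page or from OpenPAM; it encodes the standard control-flag rules and runs the page's sshd auth stack against constructed module results (the per-module outcomes, such as pam_opie failing for a user with no OPIE key, are assumptions for illustration).

```python
# Added example, not from the original page: evaluate a PAM auth stack under
# the required/requisite/sufficient control flags (OpenPAM/Linux-PAM rules).

# The FreeBSD /etc/pam.d/sshd auth stack shown above, as (control, module).
SSHD_AUTH = [
    ("required", "pam_nologin.so"),
    ("sufficient", "pam_opie.so"),
    ("requisite", "pam_opieaccess.so"),
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_unix.so"),
]

def evaluate(stack, results):
    """Return (outcome, modules_consulted); results maps module -> True
    (PAM_SUCCESS), False (failure) or "ignore" (PAM_IGNORE, no vote).
    Modules absent from results are treated as failing."""
    failed_required = False   # a required failure is remembered, not fatal yet
    any_success = False
    consulted = []
    for control, module in stack:
        consulted.append(module)
        result = results.get(module, False)
        if result == "ignore":
            continue
        if control in ("required", "requisite"):
            if result:
                any_success = True
            elif control == "requisite":
                return "deny", consulted          # abort the stack at once
            else:
                failed_required = True            # keep running (hides which module failed)
        elif control == "sufficient" and result and not failed_required:
            return "allow", consulted             # later modules never run
        elif control == "optional" and result:
            any_success = True                    # only matters if nothing else voted
    return ("deny" if failed_required or not any_success else "allow"), consulted

def ldap_user_login(ldap_ok, nologin_present=False):
    """Constructed module results for a directory-only user logging in via sshd."""
    return evaluate(SSHD_AUTH, {
        "pam_nologin.so": not nologin_present,  # fails when /var/run/nologin exists
        "pam_opie.so": False,                   # user has no OPIE key
        "pam_opieaccess.so": True,              # allow_local
        "pam_ldap.so": ldap_ok,
        "pam_unix.so": False,                   # no entry in the local passwd file
    })
```

Note that a successful pam_ldap cannot rescue a login once the required pam_nologin has failed, and that pam_unix is never consulted when the LDAP bind succeeds.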

Change /etc/nsswitch.conf to this:

passwd: files ldap
#passwd_compat: ldap

A couple more things need to be done to allow this to work:

# ln -s /usr/local/etc/ldap.conf /etc/ldap.conf
# ln -s /usr/local/etc/ldap.conf /etc/nss_ldap.conf
# ln -s /usr/local/etc/ldap.conf /usr/local/etc/nss_ldap.conf
# ln -s /usr/local/bin/bash /bin/bash

Edit /etc/ssh/sshd_config and set the 'UsePAM' option to:

UsePAM yes

And restart sshd:

# /etc/rc.d/sshd restart

Redhat Configuration

Install the nss_ldap rpm, and the openldap tools:

# up2date -i nss_ldap openldap

Set up SSL:

# cd /etc/openldap
# mkdir certs
# mv ldap.conf ldap.conf.backup && ln -s /etc/ldap.conf

You may simply be able to run 'authconfig' to have all of the rest set up (except SSL).

The following *should* be set up by 'authconfig', but if not, here are the files.

Here's the /etc/ldap.conf file:

# cat /etc/ldap.conf
host 127.0.0.1
base dc=domain,dc=com
ldap_version 3
port 636
timelimit 4
bind_timelimit 4
bind_policy soft
# These next two *can* be used if you have compiled sudo with LDAP support #
sudoers_base ou=SUDOers,dc=domain,dc=com
#sudoers_debug 2
pam_filter objectclass=posixAccount
pam_login_attribute uid
ssl yes
pam_password md5
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT allow

And the /etc/nsswitch.conf file (only the parts that should be changed):

# cat /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
protocols: files ldap
services: files ldap
netgroup: files ldap
automount: files ldap

Here's the only pam file you need to change (/etc/pam.d/system-auth):

# cat system-auth
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account required /lib/security/$ISA/pam_access.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=077
session optional /lib/security/$ISA/pam_ldap.so

Solaris Client Configuration (sol9)

Download the nspr and nss packages for Solaris 9 from here (http://internap.dl.sourceforge.net/sourceforge/ttt/nspr-4.3-sparc-solari...) and here (http://internap.dl.sourceforge.net/sourceforge/ttt/nss-3.8-sparc-solaris...) and install them. Next, get the old certutil package from here (http://www.gurulabs.com/goodies/downloads.php) and install it, overwriting /usr/local/bin/certutil.

This download here (http://www.sun.com/download/products.xml?id=3f74a0db) may be a good option also.

Next, run this command to set up your certificate database:

# /usr/local/bin/certutil -N -d /var/ldap

Run this command to set ldap client settings on the machine:

# ldapclient -v manual -a authenticationMethod=tls:simple -a credentialLevel=proxy \
-a defaultSearchBase="dc=test,dc=domain,dc=com" \
-a domainName=domain.com -a followReferrals=false \
-a preferredServerList=127.0.0.1 -a serviceAuthenticationMethod=pam_ldap:tls:simple \
-a proxyPassword=blahblahblah -a proxyDn=cn=proxyagent,ou=profile,dc=domain,dc=com

Here is /etc/pam.conf:

# PAM configuration
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1 try_first_pass
#
sshd auth requisite pam_authtok_get.so.1
sshd auth required pam_dhkeys.so.1
sshd auth sufficient pam_unix_auth.so.1
sshd auth required pam_ldap.so.1 try_first_pass
sshd account required pam_unix_account.so.1
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_dial_auth.so.1
ppp auth binding pam_unix_auth.so.1 server_policy
ppp auth required pam_ldap.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_projects.so.1
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin auth optional pam_krb5.so.1 try_first_pass
#login auth optional pam_krb5.so.1 try_first_pass
#other auth optional pam_krb5.so.1 try_first_pass
#cron account optional pam_krb5.so.1
#other account optional pam_krb5.so.1
#other session optional pam_krb5.so.1
#other password optional pam_krb5.so.1 try_first_pass:0

Verify these options are enabled in sshd_config:

PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
Subsystem sftp /usr/local/libexec/sftp-server

Restart sshd and ldap.client. After this was done, I had these entries in my /etc/nsswitch.* files; add them if they do not exist:

# grep ldap nsswitch.*
nsswitch.conf:# /etc/nsswitch.ldap:
nsswitch.conf:passwd: files ldap
nsswitch.conf:group: files ldap
nsswitch.conf:# consult /etc "files" only if ldap is down.
nsswitch.conf:hosts: ldap [NOTFOUND=return] files
nsswitch.conf:#ipnodes: ldap [NOTFOUND=return] files
nsswitch.conf:networks: ldap [NOTFOUND=return] files
nsswitch.conf:protocols: ldap [NOTFOUND=return] files
nsswitch.conf:rpc: ldap [NOTFOUND=return] files
nsswitch.conf:ethers: ldap [NOTFOUND=return] files
nsswitch.conf:netmasks: ldap [NOTFOUND=return] files
nsswitch.conf:bootparams: ldap [NOTFOUND=return] files
nsswitch.conf:publickey: ldap [NOTFOUND=return] files
nsswitch.conf:netgroup: ldap
nsswitch.conf:automount: files ldap
nsswitch.conf:aliases: files ldap
nsswitch.conf:# for efficient getservbyname() avoid ldap
nsswitch.conf:services: files ldap
nsswitch.conf:printers: user files ldap
nsswitch.conf:auth_attr: files ldap
nsswitch.conf:prof_attr: files ldap
nsswitch.conf:project: files ldap
nsswitch.ldap:# /etc/nsswitch.ldap:
nsswitch.ldap:passwd: files ldap
nsswitch.ldap:group: files ldap
nsswitch.ldap:# consult /etc "files" only if ldap is down.
nsswitch.ldap:hosts: ldap [NOTFOUND=return] files
nsswitch.ldap:#ipnodes: ldap [NOTFOUND=return] files
nsswitch.ldap:networks: ldap [NOTFOUND=return] files
nsswitch.ldap:protocols: ldap [NOTFOUND=return] files
nsswitch.ldap:rpc: ldap [NOTFOUND=return] files
nsswitch.ldap:ethers: ldap [NOTFOUND=return] files
nsswitch.ldap:netmasks: ldap [NOTFOUND=return] files
nsswitch.ldap:bootparams: ldap [NOTFOUND=return] files
nsswitch.ldap:publickey: ldap [NOTFOUND=return] files
nsswitch.ldap:netgroup: ldap
nsswitch.ldap:automount: files ldap
nsswitch.ldap:aliases: files ldap
nsswitch.ldap:# for efficient getservbyname() avoid ldap
nsswitch.ldap:services: files ldap
nsswitch.ldap:printers: user files ldap
nsswitch.ldap:auth_attr: files ldap
nsswitch.ldap:prof_attr: files ldap
nsswitch.ldap:project: files ldap
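The "consult /etc files only if ldap is down" comment in those entries is a consequence of the [NOTFOUND=return] criterion: the switch walks sources left to right, returns on SUCCESS, and otherwise continues unless a criterion says otherwise. The simulator below is an added example, not the page's own material; the per-source statuses it feeds in are constructed stand-ins for what the ldap and files backends would really return.

```python
# Added example, not from the original page: simulate how the Solaris
# name-service switch walks the sources of an nsswitch.conf entry.  Each source
# returns SUCCESS, NOTFOUND, UNAVAIL or TRYAGAIN; the default action is to
# return on SUCCESS and continue to the next source otherwise, and a
# [STATUS=action] token after a source overrides that default for it.

DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}

def parse_entry(line):
    """'hosts: ldap [NOTFOUND=return] files' -> ('hosts', [source, criteria] list).
    Simplification: one STATUS=action per bracket."""
    db, _, rest = line.partition(":")
    sources = []
    for token in rest.split():
        if token.startswith("[") and token.endswith("]"):
            status, _, action = token[1:-1].partition("=")
            sources[-1][1][status.upper()] = action.lower()   # applies to preceding source
        else:
            sources.append((token, {}))
    return db.strip(), sources

def lookup(entry, source_status):
    """Walk the entry's sources; source_status maps source -> status it would
    return for this query (constructed, stands in for real backends).
    Returns (final status, sources actually consulted)."""
    _, sources = parse_entry(entry)
    consulted, status = [], "NOTFOUND"
    for source, overrides in sources:
        consulted.append(source)
        status = source_status.get(source, "UNAVAIL")
        action = {**DEFAULT_ACTIONS, **overrides}[status]
        if action == "return":
            break
    return status, consulted

# The two entry shapes used on this page.
HOSTS = "hosts: ldap [NOTFOUND=return] files"
PASSWD = "passwd: files ldap"

def host_lookup_when_ldap_up_but_entry_missing():
    """LDAP answers NOTFOUND, so /etc/hosts is never consulted."""
    return lookup(HOSTS, {"ldap": "NOTFOUND", "files": "SUCCESS"})

def host_lookup_when_ldap_down():
    """LDAP is UNAVAIL, so the switch falls through to /etc/hosts."""
    return lookup(HOSTS, {"ldap": "UNAVAIL", "files": "SUCCESS"})
```

The first case is the failure mode to keep in mind: a host present only in /etc/hosts becomes unresolvable while the directory is reachable, and resolvable again only when the directory is down.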

That should do it. Test settings with id, getent, or ldaplist:

# ldaplist -l passwd me
dn: uid=me,ou=people,dc=domain,dc=com
telephoneNumber: 9382728383
employeeType: ACTIVE
cn: my name
title: System Administrator
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: domainEmployee
loginShell: /bin/bash
uidNumber: 1000
manager: 1023
gidNumber: 1000
sn: blah
homeDirectory: /home/blah

Redhat EL4 Active Directory Integration

http://enterprise.linux.com/enterprise/04/12/09/2318244.shtml?tid=102&tid=101&tid=100

Use the SFU settings and the AD setup from the article above, then the ldap.conf below:

ldap.conf

host 192.168.0.2
base cn=Users,dc=domain,dc=com
binddn cn=unix1,cn=Users,dc=domain,dc=com
bindpw changeme
scope sub
ssl no
nss_base_passwd cn=Users,dc=testlab,dc=domain,dc=com?sub
nss_base_shadow cn=Users,dc=testlab,dc=domain,dc=com?sub
nss_base_group cn=Users,dc=testlab,dc=domain,dc=com?sub
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name

nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid msSFU30Name
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_objectclass posixGroup Group
pam_login_attribute msSFU30Name
pam_filter objectclass=User
pam_password ad

*Working SASL*
*/etc/ldap.conf must be chmod 644*
*/tmp/krb5cc_0 must be chmod 644*

root@xen01 log# cat /etc/ldap.conf
uri ldap://vmadhost.testlab.domain.com
base cn=Users,dc=testlab,dc=domain,dc=com
ldap_version 3
use_sasl on
rootuse_sasl on
SASL_MECH GSSAPI
sasl_secprops maxssf=0
krb5_ccname FILE:/var/tmp/proxycreds
binddn cn=service_proxy,cn=Users,dc=testlab,dc=domain,dc=com
scope sub
idle_timelimit 3600
timelimit 30
nss_base_passwd cn=Users,dc=testlab,dc=domain,dc=com?sub
nss_base_shadow cn=Users,dc=testlab,dc=domain,dc=com?sub
nss_base_group cn=Users,dc=testlab,dc=domain,dc=com?sub
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name

# Services for UNIX 3.5 mappings
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid msSFU30Name
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_objectclass posixGroup Group
pam_login_attribute msSFU30Name
pam_filter objectclass=User
pam_password ad
/etc/ssh/sshd_config

Port 22
Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AllowTcpForwarding yes
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
Subsystem sftp /usr/libexec/openssh/sftp-server

*** Active Directory SSL Setup ***

/etc/ldap.conf

host vmadhost.testlab.domain.com
base cn=Users,dc=testlab,dc=domain,dc=com
ldap_version 3
ssl start_tls
tls_cacertfile /etc/ssl/certs/adcert.pem
binddn cn=proxyuser,cn=Users,dc=testlab,dc=domain,dc=com
port 389
scope sub
idle_timelimit 3600
timelimit 30
nss_base_passwd cn=Users,dc=testlab,dc=domain,dc=com?sub
nss_base_shadow cn=Users,dc=testlab,dc=domain,dc=com?sub
nss_base_group cn=Users,dc=testlab,dc=domain,dc=com?sub
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name

nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid msSFU30Name
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_objectclass posixGroup Group
pam_login_attribute msSFU30Name
pam_filter objectclass=User
pam_password ad

debug 1

/etc/openldap/ldap.conf

debug 1
URI ldaps://domain.com
BASE cn=Users,dc=domain,dc=com
TLS_CACERTDIR /etc/ssl/certs
TLS_REQCERT never
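Several of the ldap.conf files on this page carry settings that trade verification for convenience: TLS_REQCERT allow or never (the client accepts any server certificate), ssl no with a binddn and bindpw (the proxy credentials cross the wire unencrypted), a bindpw in a file that nss_ldap requires to be world-readable, and sasl_secprops maxssf=0 (GSSAPI authenticates the bind but negotiates no protection for the session). The checker below is an added example, not code from the page or from nss_ldap; it parses the page's directive style and reports those cases, and the sample configs embedded in it are constructed from the page's examples.

```python
# Added example, not from the original page or the nss_ldap project: audit a
# pam_ldap/nss_ldap ldap.conf for weak transport and credential settings.
# Directive names are matched case-insensitively, as nss_ldap does; libldap
# defaults TLS_REQCERT to 'demand' when the directive is absent.

def parse_ldap_conf(text):
    """First word is the directive, the rest of the line its value."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def audit(text):
    """Return a list of findings (empty when nothing weak was spotted)."""
    c = parse_ldap_conf(text)
    findings = []
    reqcert = c.get("tls_reqcert", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: the server certificate is not "
                        "verified, so TLS does not authenticate the directory")
    encrypted = (c.get("ssl", "no").lower() in ("yes", "on", "start_tls")
                 or c.get("uri", "").lower().startswith("ldaps://"))
    if "bindpw" in c and not encrypted:
        findings.append("bindpw with ssl off: the bind DN and password cross "
                        "the network in clear text")
    if "bindpw" in c:
        findings.append("bindpw in ldap.conf: NSS lookups need the file world-"
                        "readable (the page uses 644), so any local user can read it")
    secprops = c.get("sasl_secprops", "").replace(" ", "").lower()
    if c.get("use_sasl", "").lower() == "on" and "maxssf=0" in secprops:
        findings.append("sasl_secprops maxssf=0: GSSAPI authenticates the bind "
                        "but no integrity or privacy layer protects the session")
    return findings

# Constructed samples modelled on the page's FreeBSD and AD configurations.
FREEBSD_CONF = """ssl yes
port 636
TLS_REQCERT allow
"""
AD_CONF = """binddn cn=unix1,cn=Users,dc=domain,dc=com
bindpw changeme
ssl no
"""
```

The start_tls variant with tls_cacertfile and no bindpw passes clean, which is the shape to prefer; where a password-bearing proxy account is unavoidable, nss_ldap's rootbinddn with the password in a root-only /etc/ldap.secret keeps it out of the world-readable file.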