Solaris 9,10 Using Native LDAP

Preliminary

It is possible to authenticate against an OpenLDAP server using the native LDAP client libraries that ship with Solaris 9 and Solaris 10.

One concern with running OpenLDAP's own client software on Solaris is that installing a Solaris security patch, or simply upgrading the system, may have undesired effects on the OpenLDAP installation. Using the native LDAP binaries gives a simpler upgrade and security path: just install Sun's security patches as they are released.

Configure ldapclient

Sun's LDAP client configuration tool is ldapclient. It is pre-configured to work with a Sun iPlanet style Directory Information Tree (DIT); if your directory does not follow that structure you will need to configure ldapclient manually to reflect it, as below. The LDAP server's schema must include solaris.schema and DUAConfig.schema. Two points are worth noting about the proxy credentials: the proxyDN only has to read the user and group containers, so a dedicated unprivileged account is a better choice than a directory administrator such as uid=root, and a password passed as -a proxyPassword on the command line is visible in the process list and in the shell history while ldapclient runs.

root@ldap # ldapclient manual \
-a domainName=your.site.com \
-a serviceSearchDescriptor=passwd:cn=users,dc=your,dc=site,dc=com \
-a serviceSearchDescriptor=group:cn=groups,dc=your,dc=site,dc=com \
-a authenticationMethod=tls:simple \
-a credentialLevel=proxy \
-a defaultSearchBase=dc=your,dc=site,dc=com \
-a searchTimeLimit=60 \
-a profileTTL=3600 \
-a defaultServerList=ldap1.your.site.com,ldap2.your.site.com \
-a proxyDN=uid=root,cn=users,dc=your,dc=site,dc=com \
-a proxyPassword=********

You can also store this configuration in the directory as a profile, so that a client only needs the profile name, the proxy credentials and one server to fetch it from:

root@ldap # ldapclient init -a profileName=profile-imb \
-a proxyDN=uid=root,cn=users,dc=your,dc=site,dc=com \
-a proxyPassword=******** \
ldap1.your.site.com

A sample Solaris LDAP profile entry, stored in ou=profile directly under the root of your directory (the entry is named by the profileName given to ldapclient init). Note that this profile uses authenticationMethod: simple where the manual configuration above used tls:simple; combined with credentialLevel: proxy, a plain simple bind sends the proxy password across the network in clear text, so the profile should say tls:simple as well unless the link is otherwise protected:

dn: cn=profile-imb,ou=profile,dc=your,dc=site,dc=com
objectClass: DUAConfigProfile
defaultSearchBase: dc=your,dc=site,dc=com
cn: profile-imb
credentialLevel: proxy
defaultServerList: ldap1.your.site.com,ldap2.your.site.com
profileTTL: 300
searchTimeLimit: 60
authenticationMethod: simple
serviceSearchDescriptor: passwd:cn=users,dc=your,dc=site,dc=com
serviceSearchDescriptor: group:cn=groups,dc=your,dc=site,dc=com
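
The following is an added example, not part of the original page: a POSIX shell audit of a profile entry like the one above that flags a non-anonymous credentialLevel paired with a plain simple authenticationMethod (the proxy password would cross the wire unencrypted) and prints a hardened copy that uses tls:simple, the method the manual ldapclient run above used. It assumes Solaris's ';'-separated list syntax for authenticationMethod, and embeds the page's sample profile as constructed input.

```shell
#!/bin/sh
# Added example (not from the original page). Audits a DUAConfigProfile entry
# for a bind password that would be sent in clear text and emits a hardened
# copy. The LDIF below is the page's sample profile, embedded as constructed input.
PROFILE='dn: cn=profile-imb,ou=profile,dc=your,dc=site,dc=com
objectClass: DUAConfigProfile
defaultSearchBase: dc=your,dc=site,dc=com
cn: profile-imb
credentialLevel: proxy
defaultServerList: ldap1.your.site.com,ldap2.your.site.com
profileTTL: 300
searchTimeLimit: 60
authenticationMethod: simple
serviceSearchDescriptor: passwd:cn=users,dc=your,dc=site,dc=com
serviceSearchDescriptor: group:cn=groups,dc=your,dc=site,dc=com'

# ldif_attr LDIF ATTR: print the first value of ATTR. LDIF attribute names are
# case-insensitive, so the comparison is done in lower case.
ldif_attr() {
    printf '%s\n' "$1" | awk -F': ' -v want="$2" '
        tolower($1) == tolower(want) { print $2; exit }'
}

# profile_binds_in_clear LDIF: true (0) when the profile would send a bind
# password unprotected. An anonymous credentialLevel (Solaris default when the
# attribute is absent) carries no password. authenticationMethod may be a
# ";"-separated list tried in turn (assumed Solaris syntax); a bare "simple"
# anywhere in that list is a plain bind, only the tls: prefix protects it.
profile_binds_in_clear() {
    cred=$(ldif_attr "$1" credentialLevel)
    auth=$(ldif_attr "$1" authenticationMethod)
    [ "${cred:-anonymous}" != anonymous ] || return 1
    case ";$auth;" in
        *';simple;'*) return 0 ;;
        *)            return 1 ;;
    esac
}

# audit_profile LDIF: report the finding on stderr and fail, or pass quietly.
audit_profile() {
    if profile_binds_in_clear "$1"; then
        printf 'WEAK: %s: credentialLevel %s with authenticationMethod %s sends the bind password in clear text\n' \
            "$(ldif_attr "$1" dn)" "$(ldif_attr "$1" credentialLevel)" \
            "$(ldif_attr "$1" authenticationMethod)" >&2
        return 1
    fi
}

# harden_profile LDIF: print the same entry with every bare "simple" method
# replaced by tls:simple; all other attributes pass through untouched.
harden_profile() {
    printf '%s\n' "$1" | awk -F': ' 'BEGIN { OFS = ": " }
        tolower($1) == "authenticationmethod" {
            n = split($2, m, ";"); out = ""
            for (i = 1; i <= n; i++) {
                if (m[i] == "simple") m[i] = "tls:simple"
                out = out (i > 1 ? ";" : "") m[i]
            }
            $2 = out
        }
        { print }'
}

# Stand-alone run: audit the page's profile and show the hardened copy if needed.
if audit_profile "$PROFILE"; then
    echo "profile binds safely"
else
    echo "rewriting profile with tls:simple:"
    harden_profile "$PROFILE"
fi
```

Run against the page's profile it reports the weak bind and prints the corrected entry; pipe the hardened output into ldapmodify (or paste it over the existing entry) and the clients pick it up at their next profileTTL refresh.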

Changing non-LDAP passwords

Some confusion can arise when changing a password on an LDAP-enabled server. If the user exists only in /etc/passwd (and not in the LDAP directory), passwd reports that the LDAP repository does not know the user but still changes the local password:

root@ldap # passwd derek
New Password:
Re-enter new Password:
passwd(LDAP): derek does not exist
passwd: password successfully changed for derek

If a user exists both in /etc/passwd and in the LDAP directory and you only want to change the local (files) password, select the repository explicitly with -r files (the -r option takes the repository name; -f would instead force a password change at next login):

root@ldap # passwd -r files d.benson
New Password:
Re-enter new Password:
passwd: password successfully changed for d.benson

Samba

I was not able to get Samba working using Sun's LDAP package, so we installed OpenLDAP as well, but kept it isolated from the main system by stowing it in /opt/local.

OpenSSL

Download and install OpenSSL from http://www.openssl.org/. The commands below were run with 0.9.7c, the current release at the time; substitute a currently supported release, and check the downloaded tarball against the project's published signature or checksum before building it.

root@ldap > gunzip openssl-0.9.7c.tar.gz
root@ldap > tar -xvf openssl-0.9.7c.tar
root@ldap > cd openssl-0.9.7c
root@ldap > ./config --prefix=/opt/local/PACKAGES/openssl-0.9.7c
root@ldap > make
root@ldap > make test
root@ldap > make install
root@ldap > cd /opt/local/PACKAGES/
root@ldap > stow -v openssl-0.9.7c

If the build fails and you need to reconfigure and build again, run make distclean first.

OpenLDAP

Some environment variables may need to be set. They will vary according to where you installed OpenSSL:

root@ldap > export LD_LIBRARY_PATH=/opt/local/lib
root@ldap > LDFLAGS="-L/opt/local/lib -R/opt/local/lib"
root@ldap > CPPFLAGS="-I/opt/local/include"
root@ldap > export LDFLAGS CPPFLAGS

Download the stable source code from http://www.openldap.org/ (2.1.25 was used here; again, prefer a currently supported release).

In this case we do not want the OpenLDAP server (slapd) installed, only the client libraries and tools, so it has to be disabled explicitly.

root@ldap > gunzip openldap-2.1.25.tgz
root@ldap > tar -xvf openldap-2.1.25.tar
root@ldap > cd openldap-2.1.25
root@ldap > ./configure --prefix=/opt/local/PACKAGES/openldap-2.1.25 --with-tls --disable-slapd
root@ldap > make depend
root@ldap > make
root@ldap > make install
root@ldap > cd /opt/local/PACKAGES/
root@ldap > stow -v openldap-2.1.25

Finally, remember to install the CA certificate you created and edit the ldap.conf file to match your configuration: point TLS_CACERT at that CA certificate and leave TLS_REQCERT at its default of demand, so that ldaps:// connections fail instead of silently accepting an unverified server certificate.

You should now have a working LDAP client. Test it with ldapsearch; for example, the following searches over TLS for entries whose uid starts with l.r and prints only their DNs:

root@ldap > ldapsearch -LLL -x -H ldaps://ldap.your.site.com -b dc=your,dc=site,dc=com "uid=l.r*" dn

Samba

root@ldap > gunzip samba-3.0.2a.tar.gz
root@ldap > tar -xvf samba-3.0.2a.tar
root@ldap > cd samba-3.0.2a/source
root@ldap > ./configure --prefix=/opt/local/PACKAGES/samba-3.0.2a --with-ldap --with-quotas --with-smbwrapper
root@ldap > make
root@ldap > make install
root@ldap > cd /opt/local/PACKAGES/
root@ldap > stow -v samba-3.0.2a
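
Each of the three builds above unpacks a downloaded tarball and runs make install as root, so the archive is worth checking before tar -xvf touches it. The following is an added example, not from the original page: a POSIX shell check that compares a tarball's SHA-256 with an expected value and refuses archives whose members are absolute, contain "..", or do not all sit under one top-level directory. The expected digest is assumed to come from the project's published checksum or detached signature; the self-test builds a constructed tarball and is not a real release.

```shell
#!/bin/sh
# Added example (not from the original page): verify a source tarball before
# unpacking and building it as root. Expected digests are assumed to come from
# the project's published checksums; the demo tarball below is constructed.

# sha256_of FILE: hex SHA-256 with whichever tool the host has (Solaris 9/10
# have no sha256sum, but a stowed OpenSSL provides openssl dgst).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{ print $1 }'
    else
        openssl dgst -sha256 "$1" | awk '{ print $NF }'
    fi
}

# list_members TARBALL: member names; gzip-compressed archives are streamed
# through gzip -dc because Solaris tar does not decompress on its own.
list_members() {
    case $1 in
        *.gz|*.tgz) gzip -dc "$1" | tar -tf - ;;
        *)          tar -tf "$1" ;;
    esac
}

# tar_single_topdir TARBALL: succeed only when every member sits under one
# top-level directory and none is absolute or has a ".." component, so that
# tar -xvf as root cannot write outside the current directory.
tar_single_topdir() {
    list_members "$1" | awk '
        /^\// || /^\.\.\// || /\/\.\.\// || /\/\.\.$/ || $0 == ".." { bad = 1 }
        { split($0, p, "/"); tops[p[1]] = 1 }
        END { n = 0; for (t in tops) n++; exit (bad || n != 1) }'
}

# verify_tarball TARBALL EXPECTED_SHA256: 0 only if the digest matches and the
# layout is sane; anything else is reported on stderr and refused.
verify_tarball() {
    actual=$(sha256_of "$1") || return 1
    if [ "$actual" != "$2" ]; then
        echo "refusing $1: SHA-256 $actual does not match expected $2" >&2
        return 1
    fi
    if ! tar_single_topdir "$1"; then
        echo "refusing $1: members escape a single top-level directory" >&2
        return 1
    fi
}

# make_demo_tarball: constructed stand-in for a release archive (one top-level
# directory holding a README); prints its path under TMPDIR.
make_demo_tarball() {
    d=${TMPDIR:-/tmp}/tarcheck.$$
    mkdir -p "$d/demo-1.0" || return 1
    echo 'constructed demo, not a real release' > "$d/demo-1.0/README"
    (cd "$d" && tar -cf demo.tar demo-1.0) || return 1
    printf '%s\n' "$d/demo.tar"
}
```

Once verify_tarball passes, the gunzip / tar -xvf / configure / make / stow steps shown above follow unchanged; if it fails, nothing has been unpacked or installed yet.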

/etc/pam.conf

I'm still working through this but the following seems to work in general.

I have tried to keep this as simple as possible. I will only add a specific reference to a service if I find that it requires different treatment.

# PAM configuration
#
# Authentication management
#
rsh     auth required   /usr/lib/security/$ISA/pam_rhosts_auth.so.1
other   auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
other   auth required /usr/lib/security/$ISA/pam_ldap.so.1 use_first_pass

#
# Account management
#
other   account requisite       /usr/lib/security/$ISA/pam_roles.so.1
other   account required        /usr/lib/security/$ISA/pam_projects.so.1
other   account sufficient      /usr/lib/security/$ISA/pam_unix.so.1
other   account required        /usr/lib/security/$ISA/pam_ldap.so.1 use_first_pass

#
# Session management
#
other session sufficient /usr/lib/security/$ISA/pam_unix.so.1
other session optional   /usr/lib/security/$ISA/pam_ldap.so.1 use_first_pass

#
# Password management
#
other   password sufficient      /usr/lib/security/$ISA/pam_ldap.so.1
other   password required        /usr/lib/security/$ISA/pam_unix.so.1 use_first_pass

One caveat on the stack above: it uses the legacy monolithic pam_unix.so.1, which Solaris 9 ships. Solaris 10 no longer provides that module; its functions are split across pam_unix_auth, pam_unix_account, pam_unix_session, pam_authtok_get, pam_authtok_check, pam_authtok_store and pam_dhkeys, so on Solaris 10 the same stack has to be written with those modules (the stock /etc/pam.conf there shows the layout).

Now /etc/nsswitch.conf needs to be edited. This file tells the name service switch which repositories to consult, and in what order, for each database; LDAP is only used for a database whose line actually lists ldap. Note that the example below looks up passwd in files and then LDAP but leaves group on files alone, so the group container configured in ldapclient above is never consulted; add ldap to the group line if LDAP groups are wanted.

nsswitch.conf

I haven't really given this much thought but this seems to work:


# /etc/nsswitch.files:
#
# An example file that could be copied over to /etc/nsswitch.conf;
#
passwd:     files ldap
shadow:     files ldap
group:      files
hosts:      files dns
ipnodes:    files
networks:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
bootparams: files
publickey:  files
# At present there isn't a 'files' backend for netgroup;  the system will
#   figure it out pretty quickly, and won't use netgroups at all.
netgroup:   files
automount:  files
aliases:    files
services:   files
sendmailvars:   files
printers:       user files
auth_attr:  files
prof_attr:  files
project:    files
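
ldapclient's serviceSearchDescriptor settings only take effect for databases whose nsswitch.conf line names ldap. The following is an added example, not part of the original page: a POSIX shell cross-check that takes the serviceSearchDescriptor values handed to ldapclient and an nsswitch.conf, reports every database that is mapped into the directory but never sent to ldap by the switch, and shows the one-line repair. Both inputs are constructed from the values on this page; with the page's settings it reports group.

```shell
#!/bin/sh
# Added example (not from the original page): cross-check ldapclient's
# serviceSearchDescriptor databases against /etc/nsswitch.conf. Inputs below
# are constructed from the values on this page.
SSDS='passwd:cn=users,dc=your,dc=site,dc=com
group:cn=groups,dc=your,dc=site,dc=com'

NSSWITCH='# trimmed copy of the nsswitch.conf above
passwd:     files ldap
shadow:     files ldap
group:      files
hosts:      files dns
netgroup:   files'

# ssd_databases SSDS: the database name in front of the first ":" of each descriptor.
ssd_databases() {
    printf '%s\n' "$1" | sed -n 's/^\([A-Za-z_]*\):.*/\1/p'
}

# nsswitch_sources NSSWITCH DB: the source list configured for DB, empty if the
# database has no line. Comment lines never match because their first field
# is "#..." rather than "DB:".
nsswitch_sources() {
    printf '%s\n' "$1" | awk -v db="$2" '
        $1 == (db ":") { $1 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

# ldap_unreached SSDS NSSWITCH: print each LDAP-mapped database whose switch
# line does not include ldap, with what the switch currently says. Exit 0
# when every mapped database reaches the directory.
ldap_unreached() {
    found=0
    for db in $(ssd_databases "$1"); do
        src=$(nsswitch_sources "$2" "$db")
        case " $src " in
            *' ldap '*) ;;
            *) printf '%s (nsswitch: %s)\n' "$db" "${src:-missing}"; found=1 ;;
        esac
    done
    return $found
}

# add_ldap_source NSSWITCH DB: print NSSWITCH with ldap appended to DB's line
# (left alone if ldap is already there). Pad with a trailing space so the
# match works for a source at the end of the line without regex anchors.
add_ldap_source() {
    printf '%s\n' "$1" | awk -v db="$2" '
        $1 == (db ":") && ($0 " ") !~ /[ \t]ldap[ \t]/ { $0 = $0 " ldap" }
        { print }'
}

# Stand-alone run: check the page's configuration and suggest the fix.
if ldap_unreached "$SSDS" "$NSSWITCH"; then
    echo "every LDAP-mapped database reaches ldap"
else
    echo "fix: append ldap to those lines, e.g."
    add_ldap_source "$NSSWITCH" group | grep '^group:'
fi
```

On a live system feed it the serviceSearchDescriptor lines from the profile (or from ldapclient list) and the contents of /etc/nsswitch.conf instead of the constructed strings.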

Author: Lance Rathbone
Last modified: Wednesday December 08, 2010
