Solaris 9 Using Native LDAP
Preliminary
It is possible to authenticate against an OpenLDAP server using the native LDAP libraries that ship with Solaris 9. One concern with installing OpenLDAP on the host itself is that applying a Solaris security patch, or simply upgrading the system, may have undesired effects on the OpenLDAP installation. Using the native LDAP binaries instead gives a simple upgrade and security path: just install the Sun security packages as they come along.
Configure ldapclient
Sun's LDAP configuration tool is ldapclient.
It is pre-configured to work with a Sun iPlanet style Directory Information Tree (DIT).
If your directory does not follow this structure, you will need to configure ldapclient manually to reflect it.
ldapclient manual -a profileName=profile-imb \
    -a domainName=your.site.com \
    -a serviceSearchDescriptor=passwd:cn=users,dc=your,dc=site,dc=com \
    -a serviceSearchDescriptor=group:cn=groups,dc=your,dc=site,dc=com \
    -a authenticationMethod=tls:simple \
    -a credentialLevel=proxy \
    -a defaultSearchBase=dc=your,dc=site,dc=com \
    -a searchTimeLimit=60 \
    -a profileTTL=3600 \
    -a proxyDN=uid=root,cn=users,dc=your,dc=site,dc=com \
    -a proxyPassword=secret 138.122.131.121
Sample entry for the Solaris LDAP profile (LDIF):
dn: cn=profile-imb,ou=profile,dc=your,dc=site,dc=com
objectClass: DUAConfigProfile
defaultSearchBase: dc=your,dc=site,dc=com
cn: profile-imb
credentialLevel: proxy
defaultServerList: 138.122.131.121
profileTTL: 300
searchTimeLimit: 60
authenticationMethod: tls:simple
serviceSearchDescriptor: passwd:cn=users,dc=your,dc=site,dc=com
serviceSearchDescriptor: group:cn=groups,dc=your,dc=site,dc=com
Changing non-LDAP passwords
Some confusion can arise when changing passwords on an LDAP-enabled server, because passwd tries both repositories.
If the user exists only in /etc/passwd (not in the LDAP directory), passwd reports that the LDAP lookup failed but still changes the local password:
matrix:~# passwd derek
New Password:
Re-enter new Password:
passwd(LDAP): derek does not exist
passwd: password successfully changed for derek
If the user exists in both /etc/passwd and the LDAP directory, but you only want to change the password of the file user, name the file repository explicitly:
matrix:~# passwd -f file d.benson
New Password:
Re-enter new Password:
passwd: password successfully changed for d.benson
Samba
I was not able to get Samba working with Sun's LDAP package, so we installed OpenLDAP as well, but kept it isolated from the main system by stowing it in /opt/local.
OpenSSL
Download and install the latest version of OpenSSL (0.9.7c) from http://www.openssl.org/.
root@ldap > gunzip openssl-0.9.7c.tar.gz
root@ldap > tar -xvf openssl-0.9.7c.tar
root@ldap > cd openssl-0.9.7c
root@ldap > ./config --prefix=/opt/local/PACKAGES/openssl-0.9.7c
root@ldap > make
root@ldap > make test
root@ldap > make install
root@ldap > cd /opt/local/PACKAGES/
root@ldap > stow -v openssl-0.9.7c
If you run into problems and need to rebuild, run make distclean first.
OpenLDAP
Some environment variables may need to be set so that configure finds the OpenSSL headers and libraries; the paths will vary according to where you installed OpenSSL. Set the variables first, then export them:
root@ldap > LDFLAGS="-L/opt/local/lib -R/opt/local/lib"
root@ldap > CPPFLAGS="-I/opt/local/include"
root@ldap > export LDFLAGS CPPFLAGS
root@ldap > export LD_LIBRARY_PATH=/opt/local/lib
Download the latest stable source code (2.1.25) from http://www.openldap.org/.
In this case we only want the OpenLDAP client libraries and tools, not the server (slapd), so we disable it explicitly with --disable-slapd.
root@ldap > gunzip openldap-2.1.25.tgz
root@ldap > tar -xvf openldap-2.1.25.tar
root@ldap > cd openldap-2.1.25
root@ldap > ./configure --prefix=/opt/local/PACKAGES/openldap-2.1.25 --with-tls --disable-slapd
root@ldap > make depend
root@ldap > make
root@ldap > make install
root@ldap > cd /opt/local/PACKAGES/
root@ldap > stow -v openldap-2.1.25
Finally, remember to install the CA certificate that you created (TLS_CACERT in ldap.conf must point at it so the client can verify the server) and edit the ldap.conf file (BASE, URI) to match your configuration.
You should now have a working LDAP client. You can test it with ldapsearch; for example, the following searches over LDAPS for users whose uid starts with l.r and prints only their DNs:
root@ldap > ldapsearch -LLL -x -H ldaps://ldap.your.site.com -b dc=your,dc=site,dc=com "uid=l.r*" dn
Samba
root@ldap > gunzip samba-3.0.2a.tar.gz
root@ldap > tar -xvf samba-3.0.2a.tar
root@ldap > cd samba-3.0.2a/source
root@ldap > ./configure --prefix=/opt/local/PACKAGES/samba-3.0.2a --with-ldap --with-quotas --with-smbwrapper
root@ldap > make
root@ldap > make install
root@ldap > cd /opt/local/PACKAGES/
root@ldap > stow -v samba-3.0.2a
/etc/pam.conf
I'm still working through this, but the following seems to work in general.
I have tried to keep this as simple as possible. I will only add a specific reference to a service if I find that it requires different treatment. In the auth, account and session stacks pam_unix is tried first and is marked sufficient, so a user found in the local files never touches LDAP; use_first_pass makes pam_ldap reuse the password already entered instead of prompting again.
# PAM configuration
#
# Authentication management
#
rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1
other auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
other auth required /usr/lib/security/$ISA/pam_ldap.so.1 use_first_pass
#
# Account management
#
other account requisite /usr/lib/security/$ISA/pam_roles.so.1
other account required /usr/lib/security/$ISA/pam_projects.so.1
other account sufficient /usr/lib/security/$ISA/pam_unix.so.1
other account required /usr/lib/security/$ISA/pam_ldap.so.1 use_first_pass
#
# Session management
#
other session sufficient /usr/lib/security/$ISA/pam_unix.so.1
other session optional /usr/lib/security/$ISA/pam_ldap.so.1 use_first_pass
#
# Password management
#
other password sufficient /usr/lib/security/$ISA/pam_ldap.so.1
other password required /usr/lib/security/$ISA/pam_unix.so.1 use_first_pass
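As an added example (not part of the original page), the following script evaluates the auth and password stacks above under the Solaris control-flag rules for a few constructed user scenarios. It shows why a user present in both repositories gets only the LDAP password changed by plain passwd (pam_ldap is sufficient, so pam_unix never runs), which is why the file repository has to be named explicitly.

```python
"""Evaluate the Solaris 9 pam.conf stacks above for constructed user scenarios.
Added example, not part of the original page; whether pam_unix / pam_ldap would
succeed for a given user is supplied as input rather than checked for real."""

PAM_CONF = """
# auth and password stacks copied from the configuration above
other auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
other auth required /usr/lib/security/$ISA/pam_ldap.so.1 use_first_pass
other password sufficient /usr/lib/security/$ISA/pam_ldap.so.1
other password required /usr/lib/security/$ISA/pam_unix.so.1 use_first_pass
"""

def parse_pam_conf(text):
    """Map (service, module_type) -> ordered list of (control_flag, module_name)."""
    stacks = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        service, mtype, flag, path = fields[:4]
        module = path.rsplit("/", 1)[-1].split(".")[0]   # pam_ldap.so.1 -> pam_ldap
        stacks.setdefault((service, mtype), []).append((flag, module))
    return stacks

def run_stack(stacks, mtype, outcomes, service="other"):
    """Apply required/requisite/sufficient/optional semantics to one stack.
    outcomes maps module name -> True/False. Returns (overall_success, modules_run)."""
    required_failed, any_success, ran = False, False, []
    for flag, module in stacks[(service, mtype)]:
        ok = outcomes.get(module, False)
        ran.append(module)
        any_success = any_success or ok
        if flag == "requisite" and not ok:        # hard stop, nothing else runs
            return False, ran
        if flag == "required" and not ok:         # keep going, but the stack will fail
            required_failed = True
        if flag == "sufficient" and ok and not required_failed:
            return True, ran                      # later modules are skipped
    return any_success and not required_failed, ran

STACKS = parse_pam_conf(PAM_CONF)

def login(unix_ok, ldap_ok):
    """auth stack: pam_unix first; pam_ldap reuses the same password (use_first_pass)."""
    return run_stack(STACKS, "auth", {"pam_unix": unix_ok, "pam_ldap": ldap_ok})

def change_password(unix_ok, ldap_ok):
    """password stack: pam_ldap first and sufficient, pam_unix only if LDAP fails."""
    return run_stack(STACKS, "password", {"pam_unix": unix_ok, "pam_ldap": ldap_ok})

if __name__ == "__main__":
    print(login(unix_ok=False, ldap_ok=True))           # LDAP-only user logs in
    print(change_password(unix_ok=True, ldap_ok=False)) # derek: files only, both run
    print(change_password(unix_ok=True, ldap_ok=True))  # d.benson: pam_unix never runs
```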
Now /etc/nsswitch.conf needs to be edited. This is the file that tells the name service switch which sources (files, ldap, dns) to consult for each database.
nsswitch.conf
I haven't really given this much thought, but this seems to work:
# /etc/nsswitch.files:
#
# An example file that could be copied over to /etc/nsswitch.conf;
#
passwd: files ldap
shadow: files ldap
group: files
hosts: files dns
ipnodes: files
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
# At present there isn't a 'files' backend for netgroup; the system will
# figure it out pretty quickly, and won't use netgroups at all.
netgroup: files
automount: files
aliases: files
services: files
sendmailvars: files
printers: user files
auth_attr: files
prof_attr: files
project: files
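The ldapclient profile earlier on this page and this nsswitch.conf have to agree: a serviceSearchDescriptor only takes effect for databases whose nsswitch line lists ldap, so with group: files the group descriptor is never used and LDAP users' group memberships will not resolve. The following cross-check is an added example (not Sun tooling); its two inputs are copied from this page and the checks are an assumption about what is worth flagging.

```python
"""Cross-check the ldapclient profile against nsswitch.conf.
Added example, not part of the original page; both inputs are copied from it."""

PROFILE_LDIF = """\
dn: cn=profile-imb,ou=profile,dc=your,dc=site,dc=com
objectClass: DUAConfigProfile
defaultSearchBase: dc=your,dc=site,dc=com
credentialLevel: proxy
authenticationMethod: tls:simple
serviceSearchDescriptor: passwd:cn=users,dc=your,dc=site,dc=com
serviceSearchDescriptor: group:cn=groups,dc=your,dc=site,dc=com
"""

NSSWITCH_CONF = """\
passwd: files ldap
shadow: files ldap
group: files
hosts: files dns
"""

def parse_ldif(text):
    """Attribute name -> list of values (multi-valued attributes keep every value)."""
    attrs = {}
    for line in text.splitlines():
        if line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs

def parse_nsswitch(text):
    """Database name -> ordered list of sources, with comments stripped."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            db, sources = line.split(":", 1)
            dbs[db.strip()] = sources.split()
    return dbs

def audit(profile_ldif, nsswitch_text):
    """Return findings where the two files disagree or the profile is weak."""
    profile, dbs = parse_ldif(profile_ldif), parse_nsswitch(nsswitch_text)
    findings = []
    for ssd in profile.get("serviceSearchDescriptor", []):
        service = ssd.split(":", 1)[0]        # "group:cn=groups,..." -> "group"
        if "ldap" not in dbs.get(service, []):
            findings.append(f"{service}: profile searches LDAP but nsswitch.conf never consults ldap")
    method = profile.get("authenticationMethod", ["none"])[0]
    if not method.startswith("tls:"):       # proxy bind password would cross the wire in clear
        findings.append(f"authenticationMethod {method}: proxy bind password sent without TLS")
    return findings
```

Running audit(PROFILE_LDIF, NSSWITCH_CONF) on the page's own files reports only the group mismatch; adding ldap to the group line clears it.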