[SunHELP] help on LDAP authentication on Solaris 8
Miroszlav Moricz
sunhelp at sunhelp.org
Wed Jun 13 09:57:59 CDT 2001
Hi!
Here's a README file which will help you set up iPlanet Directory Server!
Bye, Miroszlav.
On Wed, 30 May 2001 22:35:12 +0700, sunhelp at sunhelp.org wrote:
> Greetings,
>
> I'm trying to configure all my Solaris machines to authenticate using
> LDAP instead of NIS (with or without +) or files on each server.
> Btw, I'm using iPlanet Directory Server.
> So, where do I have to start to configure that?
> Where is the configuration file? I cannot find it anywhere, or it seems
> I don't know what the file name is.
> Can you help me out here?
>
> Thanks in advance.
>
> Regards,
> CE Lee
Attachment: README.master
----------------------------------------------------------------
Steps involved in installing a basic directory server on Solaris
----------------------------------------------------------------
1. Install Solaris 8
2. Log in as root; root privileges are required for installation.
3. Download the directory server binaries
http://www.iplanet.com/downloads/testdrive/index.html
4. Unzip and untar to get the install binaries.
(If you don't want to download, you can copy the tar file from the following place:
/home/ldap/user/sagrawal/ldap-deploy/dir411dsol.tar)
5. Execute the "setup" program. This is in the directory extracted by tar.
6. When asked to continue with installation, select the default, Yes.
7. Enter Yes if you agree to the license terms.
8. When asked what to install, select the default, Netscape Servers.
9. When asked type of installation, select the Custom Installation.
10. Enter the directory where you want to install the server.
The convention is the default (/usr/netscape/server4).
11. When asked to select the install components, select the default
(all components).
12. For Netscape Server Family, Netscape Server Family Core Components,
Netscape Directory Suite, and Administration Services components,
select the default (all components).
13. For hostname, select the default (local host).
14. When asked to select the system user, select the default (nobody). Solaris
creates this account by default on every system.
Similarly, select the default (nobody) for the group.
15. When asked to register with an existing Netscape configuration
directory server, select default (No).
16. When asked whether to use another directory to store data, select the default (No).
17. For Directory server network port, select default (389).
18. For Directory server identifier, select default (local host).
19. For the Netscape configuration directory server administrator ID, select the
default (admin), or whatever you prefer. This ID is like a login ID,
and should not be specified in DN format.
20. Enter the administrator password.
21. Enter the suffix of the directory tree. It depends on the data you plan to
have. In our case, we use dc=sun,dc=com.
22. Enter the DN of the directory manager. This DN does not have to be under the
suffix. The convention is the default (cn=Directory Manager).
23. Enter the directory manager password (at least 8 characters).
24. When asked to enter Administration Domain, select default (sun.com)
25. When asked to select replication, select default (No). It can be
configured later too if needed.
26. When asked to install sample entries, select the default (No) if you have
your own data.
27. When asked to enter an LDIF file, or install sample entries, enter "none"
if you have your own data.
27a. When asked whether to disable schema checking, select the default (No).
28. Enter any unused port number (between 1024 and 65535) for the Administration port.
29. For IP address, select the default (local host).
30. For Server Administrator ID, select default (same as Netscape
configuration directory server administrator ID). It can be different,
but just easy to remember this way. Enter the password.
31. For "Run Administration Server as", select default (root).
32. If everything is OK, setup extracts the files and copies them to the designated
place, updates the configuration, and starts the admin and directory servers.
----------------------------------------------------------------------------
33. If you want to use the directory server (ns-slapd) as a name service switch backend,
some modifications to the schema are required. If the directory server is running,
stop it (using the console or the stop-slapd command).
/usr/netscape/server4/slapd-<hostname>/stop-slapd
It's good to back up the config directory before making any changes. If you
installed the directory server at the default location, it should be at
/usr/netscape/server4/slapd-<hostname>/config
34. Modify the object class configuration file (slapd.oc.conf).
A sample slapd.oc.conf file is located at
/home/ldap/user/sagrawal/ldap-deploy/ds411/conf/slapd.oc.conf.dsmpk17x
cd /usr/netscape/server4/slapd-<hostname>/config
vi slapd.oc.conf
a. find objectclass ipNetwork and
move cn from "requires" to "allows"
35. Add the following object class definitions to slapd.user_oc.conf :
A sample slapd.user_oc.conf file is located at
/home/ldap/user/sagrawal/ldap-deploy/ds411/conf/slapd.user_oc.conf.dsmpk17x
(In fact you can just copy this file if you don't have other things defined in
your local file.)
a. add the following for the publickey objectclass :
(append at the end of the file)
# XXX NIS publickey objectclass
objectclass NisKeyObject
oid 1.3.6.1.1.1.2.14
superior top
requires
cn,
nisPublickey,
nisSecretkey
allows
uidNumber,
description
b. add the following for the nisDomainObject objectclass :
# XXX NIS domain objectclass
objectclass nisDomainObject
oid 1.3.6.1.1.1.2.15
superior top
requires
nisDomain
c. add the following for the LDAP client profile objectclass :
# XXX LDAP client profile Objectclass
objectclass SolarisNamingProfile
oid 1.3.6.1.4.1.42.2.27.5.2.7
superior top
requires
cn,
SolarisLDAPservers,
SolarisSearchBaseDN
allows
SolarisBindDN,
SolarisBindPassword,
SolarisAuthMethod,
SolarisTransportSecurity,
SolarisCertificatePath,
SolarisCertificatePassword,
SolarisDataSearchDN,
SolarisSearchScope,
SolarisSearchTimeLimit,
SolarisPreferredServer,
SolarisPreferredServerOnly,
SolarisCacheTTL,
SolarisSearchReferral
d. add the following for the mailGroup objectclass :
# XXX mailGroup objectclass
objectclass mailGroup
oid 2.16.840.1.113730.3.2.4
superior top
requires
mail
allows
cn,
mgrpRFC822MailMember
e. add the following for the nisMailAlias objectclass :
# XXX nisMailAlias objectclass
objectClass nisMailAlias
oid 1.3.6.1.4.1.42.2.27.1.2.5
superior top
requires
cn
allows
rfc822mailMember
f. add the following for the nisNetId objectclass :
# XXX nisNetId objectclass
objectClass nisNetId
oid 1.3.6.1.4.1.42.2.27.1.2.6
superior top
requires
cn
allows
nisNetIdUser,
nisNetIdGroup,
nisNetIdHost
35a. Add the following attribute definitions to slapd.user_at.conf :
A sample slapd.user_at.conf file is located at
/home/ldap/user/sagrawal/ldap-deploy/ds411/conf/slapd.user_at.conf.dsmpk17x
(In fact you can just copy this file if you don't have other things defined in
your local file.)
a. add the NIS public key and domain attributes (nisPublickey, nisSecretkey, nisDomain) :
(append at the end of the file)
# XXX Sun nisMapEntry attributes
attribute nisPublickey 1.3.6.1.1.1.1.28 cis
attribute nisSecretkey 1.3.6.1.1.1.1.29 cis
attribute nisDomain 1.3.6.1.1.1.1.30 cis
b. add the following lines for LDAP client profile :
# XXX attributes for LDAP client profile
attribute SolarisLDAPServers 1.3.6.1.4.1.42.2.27.5.1.15 cis
attribute SolarisSearchBaseDN 1.3.6.1.4.1.42.2.27.5.1.16 dn single
attribute SolarisCacheTTL 1.3.6.1.4.1.42.2.27.5.1.17 cis single
attribute SolarisBindDN 1.3.6.1.4.1.42.2.27.5.1.18 dn single
attribute SolarisBindPassword 1.3.6.1.4.1.42.2.27.5.1.19 ces single
attribute SolarisAuthMethod 1.3.6.1.4.1.42.2.27.5.1.20 cis
attribute SolarisTransportSecurity 1.3.6.1.4.1.42.2.27.5.1.21 cis
attribute SolarisCertificatePath 1.3.6.1.4.1.42.2.27.5.1.22 ces single
attribute SolarisCertificatePassword 1.3.6.1.4.1.42.2.27.5.1.23 ces single
attribute SolarisDataSearchDN 1.3.6.1.4.1.42.2.27.5.1.24 cis
attribute SolarisSearchScope 1.3.6.1.4.1.42.2.27.5.1.25 cis single
attribute SolarisSearchTimeLimit 1.3.6.1.4.1.42.2.27.5.1.26 int single
attribute SolarisPreferredServer 1.3.6.1.4.1.42.2.27.5.1.27 cis
attribute SolarisPreferredServerOnly 1.3.6.1.4.1.42.2.27.5.1.28 cis single
attribute SolarisSearchReferral 1.3.6.1.4.1.42.2.27.5.1.29 cis single
c. add the following for mailGroup, nisMailAlias and nisNetId :
# XXX Sun additional attributes to RFC2307 attributes (NIS)
attribute mgrpRFC822MailMember 2.16.840.1.113730.3.1.30 cis
attribute rfc822mailMember ces
attribute nisNetIdUser 1.3.6.1.4.1.42.2.27.1.1.12 ces
attribute nisNetIdGroup 1.3.6.1.4.1.42.2.27.1.1.13 ces
attribute nisNetIdHost 1.3.6.1.4.1.42.2.27.1.1.14 ces
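ns-slapd refuses to start if an objectclass in slapd.user_oc.conf names an attribute that no attribute file defines, and the error message is not always helpful. The following checker is an added example for this README (not code from the original post): it parses the old Netscape 4.x text formats used above (objectclass / oid / superior / requires / allows, and "attribute NAME [OID] SYNTAX [single]") and reports every referenced-but-undefined attribute. Names are compared case-insensitively, as LDAP does, so the README's SolarisLDAPservers (objectclass) and SolarisLDAPServers (attribute) match. The objectclass and attribute text below is copied from steps 35 above; the BASE_AT block is a constructed stand-in for the stock slapd.at.conf entries (cn, description, uidNumber) that these classes also use.

```python
"""Consistency check for Netscape/iPlanet DS 4.x slapd.*oc.conf and
slapd.*at.conf schema files.  Added example for this README, not code from
the original post."""
import re

OID_RE = re.compile(r'^\d+(\.\d+)+$')


def parse_oc_conf(text):
    """Return {objectclass name: set of attributes listed under requires/allows}."""
    classes, current, collecting = {}, None, False
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        key = tokens[0].lower()
        if key == 'objectclass':
            current, collecting = tokens[1], False
            classes[current] = set()
        elif key in ('oid', 'superior'):
            collecting = False
        elif key in ('requires', 'allows'):
            collecting = True
            line = line[len(tokens[0]):]         # names may follow on the same line
        if collecting and current is not None:
            classes[current].update(n.strip() for n in line.split(',') if n.strip())
    return classes


def parse_at_conf(text):
    """Return {lowercase attribute name: (oid or None, syntax, single-valued?)}.
    The OID is optional in this format (the README's rfc822mailMember has none)."""
    attrs = {}
    for raw in text.splitlines():
        tokens = raw.split('#', 1)[0].split()
        if len(tokens) < 3 or tokens[0].lower() != 'attribute':
            continue
        name, rest = tokens[1], tokens[2:]
        oid = rest.pop(0) if OID_RE.match(rest[0]) else None
        if not rest:                             # OID but no syntax: malformed, skip
            continue
        single = len(rest) > 1 and rest[1].lower() == 'single'
        attrs[name.lower()] = (oid, rest[0], single)
    return attrs


def undefined_attributes(oc_text, *at_texts):
    """Map each objectclass to the attributes it references that no at.conf defines."""
    defined = set()
    for at_text in at_texts:
        defined.update(parse_at_conf(at_text))
    missing = {}
    for oc, names in parse_oc_conf(oc_text).items():
        gaps = sorted(n for n in names if n.lower() not in defined)
        if gaps:
            missing[oc] = gaps
    return missing


# Objectclasses copied from the README's slapd.user_oc.conf additions.
SAMPLE_OC = """\
# XXX NIS publickey objectclass
objectclass NisKeyObject
oid 1.3.6.1.1.1.2.14
superior top
requires
cn,
nisPublickey,
nisSecretkey
allows
uidNumber,
description
# XXX NIS domain objectclass
objectclass nisDomainObject
oid 1.3.6.1.1.1.2.15
superior top
requires
nisDomain
# XXX nisNetId objectclass
objectClass nisNetId
oid 1.3.6.1.4.1.42.2.27.1.2.6
superior top
requires
cn
allows
nisNetIdUser,
nisNetIdGroup,
nisNetIdHost
"""
# Attributes copied from the README's slapd.user_at.conf additions.
USER_AT_NIS = """\
attribute nisPublickey 1.3.6.1.1.1.1.28 cis
attribute nisSecretkey 1.3.6.1.1.1.1.29 cis
attribute nisDomain 1.3.6.1.1.1.1.30 cis
"""
USER_AT_NETID = """\
attribute nisNetIdUser 1.3.6.1.4.1.42.2.27.1.1.12 ces
attribute nisNetIdGroup 1.3.6.1.4.1.42.2.27.1.1.13 ces
attribute nisNetIdHost 1.3.6.1.4.1.42.2.27.1.1.14 ces
"""
# Constructed stand-in for the stock slapd.at.conf entries these classes use;
# only the names matter to the check, the syntaxes here are illustrative.
BASE_AT = """\
attribute cn cis
attribute description cis
attribute uidNumber int single
"""

if __name__ == '__main__':
    print(undefined_attributes(SAMPLE_OC, BASE_AT, USER_AT_NIS, USER_AT_NETID))
    print(undefined_attributes(SAMPLE_OC, BASE_AT, USER_AT_NIS))   # forgot step c
```

Run it against the real files with `undefined_attributes(open('slapd.oc.conf').read() + open('slapd.user_oc.conf').read(), open('slapd.at.conf').read(), open('slapd.user_at.conf').read())` before starting the server; an empty result means every referenced attribute is defined somewhere.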
-------------------------------------------------------------------------------
Steps involved in populating data
-------------------------------------------------------------------------------
Now we are going to load data, for which the directory server has to be running.
So start it using the command "start-slapd".
/usr/netscape/server4/slapd-<hostname>/start-slapd
36. The directory server SHOULD be configured so that it stores passwords
in Unix crypt format. This is required if pam_unix is to be used (the
normal case): pam_unix fetches the stored hash through the proxy agent and
compares it on the client, so the server must store a hash the client's
crypt(3) can reproduce.
To configure it from the GUI: from the Directory Server console, under
"Configuration", click on Database, select the "Passwords" tab, and change
the "Password encryption" combo box to "Unix Crypt".
37. Set a proper ACI for the top of our tree (dc=sun,dc=com). Please note
that you may need to set a different ACI for your environment.
The default "Allow self entry modification" ACI lets every user write any
attribute of his own entry, including uidNumber, gidNumber, loginShell and
memberUid, which a user could abuse to take on another account's identity.
Change it at the top of our tree (dc=sun,dc=com) from:
aci=(targetattr = "*")(version 3.0; acl "Allow self entry modification";
allow (write)userdn = "ldap:///self";)
to:
aci=(targetattr!="cn || uid || uidNumber || gidNumber || homeDirectory
|| loginShell || gecos || shadowLastChange || shadowMin || shadowMax ||
shadowWarning || shadowInactive || shadowExpire || shadowFlag ||
memberUid")(version 3.0; acl "Allow self entry modification"; allow
(write) userdn = "ldap:///self"; )
To configure it from the GUI: from the Directory Server console, select the
"Directory" tab, click on the server name, click on sun in the right window,
select Open from the Object menu, and change the "Allow self entry modification"
ACI.
38. Create a work directory, say /usr/local/deploy, with write permission.
Add the top level naming contexts using the tops.ldif file from the
/home/ldap/user/sagrawal/ldap-deploy/ldif directory. If your suffix
is different (other than dc=sun,dc=com), you will have to modify your
local tops.ldif file (and maybe other places too).
cd /usr/local/deploy
cp /home/ldap/user/sagrawal/ldap-deploy/ldif/tops.ldif .
ldapadd -D <admin DN> -w <admin passwd> -f tops.ldif
Note that a password given with -w is visible to every user on the machine
in ps(1) output for as long as the command runs, so run these adds on a
machine you trust and do not leave the password in your shell history.
39. A snapshot of the NIS data from system "moon" was copied on 2/3/2000,
so it may not be the latest. To get the latest data, you need mount permission
on moon from ENS.
40. copy libldapssl30.so to your machine
cp /home/ldap/user/sagrawal/ldap-deploy/script/libldapssl30.so /usr/lib
41. From the Directory Server console, under "Configuration" select "<hostname>:<port>"
and "Performance", and increase the sizelimit and timelimit to the maximum by setting
them to -1.
42. From the Directory Server console, under "Configuration" select "Database"
and "Performance", and increase the caching parameters depending upon the
memory and hard disk of your system. For an Ultra-2 with a 4 GB disk and
768 MB of memory, the following sample values are used:
Max entries in cache : 50000
Max cache size : 128000000
Look through limit : 500000
43. Set a read ACI on userPassword for the search base DN dc=eng,dc=sun,dc=com,
so that the proxy agent (and only the proxy agent) can read the password hashes
pam_unix needs. The ACI would look like the one in the following entry:
#ldapsearch -L -h dsmpk17x -b "dc=eng,dc=sun,dc=com" -s base "objectclass=*"
dn: dc=eng,dc=sun,dc=com
dc: eng
associateddomain: eng.sun.com
objectclass: top
objectclass: domain
objectclass: domainRelatedObject
objectclass: nisDomainObject
nisdomain: sunsoft.eng.sun.com
aci: (target="ldap:///dc=eng,dc=sun,dc=com")(targetattr="userPassword")
(version 3.0; acl "password read"; allow (compare,read,search)
userdn = "ldap:///cn=proxyagent,ou=profile,dc=eng,dc=sun,dc=com"; )
To do it from the GUI, from the Directory Server console, under "Directory",
click your server; expand sun, select eng. From the "Object" menu, select
"Open". Modify the aci attribute.
44. To populate the data, you can make use of the following script:
/home/ldap/user/sagrawal/ldap-deploy/script/populate_data.ksh
You should copy this script locally, change the exported variables
as per your setup, and then execute it. The time taken varies with data
size and type of machine. On an Ultra-2, installing the entire eng
domain data the first time takes around 7 hours. Further updates take less.
If you wish to capture the output and error messages, you can use the following
command:
/home/ldap/user/sagrawal/ldap-deploy/script/populate_data.ksh > \
populate_data.out 2>&1 &
tail -f populate_data.out
45. Create VLV indices for the password, group, host, network, and special
entries.
cp /home/ldap/user/sagrawal/ldap-deploy/ldif/vlv.ldif .
ldapadd -D <admin DN> -w <admin passwd> -f vlv.ldif
/usr/netscape/server4/slapd-<hostname>/vlvindex getpwent
/usr/netscape/server4/slapd-<hostname>/vlvindex getgrent
/usr/netscape/server4/slapd-<hostname>/vlvindex gethostent
/usr/netscape/server4/slapd-<hostname>/vlvindex getnetent
/usr/netscape/server4/slapd-<hostname>/vlvindex getspent
Give "anyone" read, search and compare permission on the VLV Request Control
feature entry so that ldapclient doesn't fail to find the nisDomainObject. It can
be done using the console. Here is the sample entry:
# ldapsearch -L -b cn=features,cn=config objectclass=*
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
objectclass: top
objectclass: directoryServerFeature
oid: 2.16.840.1.113730.3.4.9
cn: VLV Request Control
aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control";
allow (compare,read,search) userdn = "ldap:///anyone"; )
If you want to do it from the GUI, from the Directory Server console, under
"Directory" expand "config", select "features" and then "VLV Request
Control". From the "Object" menu, select "Open" and then modify the aci
attribute.
46. Since there are a huge number of host entries, it's better to create the indices
first, otherwise dsimport might be painfully slow.
To do it through the GUI, from the Directory Server console, under "Configuration"
select "Database" and "Index", click on "Add attribute" to get the list,
then select "iphostnumber" and check the "equality" checkbox. Save
the changes.
47. Similarly, indices need to be created for uidNumber and ipNetworkNumber.
48. Now we will add the proxyagent's entry to the LDAP server. A typical file would
look like:
dn: cn=proxyagent,ou=profile,dc=eng,dc=sun,dc=com
cn: proxyagent
sn: proxyagent
objectclass: top
objectclass: person
userpassword: test1234
You can change the password if you wish to have something else, and you should:
once step 43 is in place this account can read every user's password hash, and
the file holds its password in cleartext, so pick a strong one and remove the
file after the add. Store this in a file, say proxyagent.ldif. Now add this
entry to the server.
ldapadd -D <admin DN> -w <admin passwd> -f proxyagent.ldif
49. Now we need to generate the client profile and then add it to the LDAP server.
It should be generated on a Solaris 8 (SunOS 5.8) machine or higher, as older OS levels
don't have the ldap utilities.
ldap_gen_profile -P profile -b baseDN -D bindDN -w bindDNpasswd [-a authMethod] ldapServer_IP_address(es)[:port#]
The bindDN here is the bind DN of the proxy agent. You can specify more than
one LDAP server's IP address if you want to fail over to another LDAP server.
Capture the above result in a file, say profile.ldif.
A typical command looks like:
ldap_gen_profile -P default -b "dc=eng,dc=sun,dc=com" \
-D "cn=proxyagent,ou=profile,dc=eng,dc=sun,dc=com" -w secret \
-a simple 129.146.17.28 > profile.ldif
Currently there is a problem with ldap_gen_profile as it inserts a leading
tab in the second and following lines. It needs to be deleted. The sample result
would look like:
dn: cn=default,ou=profile,dc=eng,dc=sun,dc=com
SolarisBindDN: cn=proxyagent,ou=profile,dc=eng,dc=sun,dc=com
SolarisBindPassword: {NS1}4a3788e8c053424f
SolarisLDAPServers: 129.146.17.28
SolarisSearchBaseDN: dc=eng,dc=sun,dc=com
SolarisAuthMethod: NS_LDAP_AUTH_SIMPLE
SolarisTransportSecurity: NS_LDAP_SEC_NONE
SolarisSearchReferral: NS_LDAP_FOLLOWREF
SolarisSearchScope: NS_LDAP_SCOPE_ONELEVEL
SolarisSearchTimeLimit: 30
SolarisCacheTTL: 43200
cn: default
ObjectClass: top
ObjectClass: SolarisNamingProfile
Note that with SolarisAuthMethod NS_LDAP_AUTH_SIMPLE and
SolarisTransportSecurity NS_LDAP_SEC_NONE every client sends the proxy agent's
password over the network in cleartext on each bind, and SolarisBindPassword is
stored in a reversible {NS1} encoding (the client has to recover it to bind),
not a hash, so anyone who can read the profile entry can recover it.
Now add this entry to the LDAP server.
ldapadd -D <admin DN> -w <admin passwd> -f profile.ldif
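The leading tabs mentioned above break the file for ldapadd because LDIF (RFC 2849) only recognises a leading space as a line continuation. The following added example (not code from the original post or from ldap_gen_profile) strips them, parses the resulting single-entry LDIF, and lists the things a reviewer would flag in the profile: cleartext simple bind with no transport security, a reversibly encoded bind password, and a missing SolarisNamingProfile objectclass. The sample profile is constructed from the README's own output above, with the tabs the README says ldap_gen_profile inserts.

```python
"""Clean up and audit a Solaris LDAP client profile produced by
ldap_gen_profile.  Added example for this README, not code from the
original post.  The parser handles only the simple 'attr: value' LDIF form
the profile uses (no base64 '::' values, no continuation lines)."""


def fix_gen_profile(text):
    """Strip the leading tab ldap_gen_profile prepends to every line after
    the first.  A leading tab is not an LDIF continuation marker, so ldapadd
    would reject the file as written."""
    lines = text.splitlines()
    if not lines:
        return text
    fixed = [lines[0]] + [l[1:] if l.startswith('\t') else l for l in lines[1:]]
    return '\n'.join(fixed) + '\n'


def parse_ldif_entry(text):
    """Parse one cleaned LDIF entry into {lowercase attribute: [values]}."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        name, sep, value = line.partition(':')
        if not sep:
            raise ValueError('not an attr: value line: %r' % line)
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def audit_profile(entry):
    """Return the warnings a reviewer would raise about this client profile."""
    warnings = []
    auth = entry.get('solarisauthmethod', [''])[0]
    sec = entry.get('solaristransportsecurity', [''])[0]
    pw = entry.get('solarisbindpassword', [''])[0]
    classes = [o.lower() for o in entry.get('objectclass', [])]
    if auth == 'NS_LDAP_AUTH_SIMPLE' and sec == 'NS_LDAP_SEC_NONE':
        warnings.append('proxy agent password crosses the network in cleartext '
                        'on every simple bind (NS_LDAP_SEC_NONE)')
    if pw.startswith('{NS1}'):
        warnings.append('SolarisBindPassword is a reversible {NS1} encoding, not a '
                        'hash; anyone who can read the profile can recover it')
    if 'solarisnamingprofile' not in classes:
        warnings.append('entry lacks the SolarisNamingProfile objectclass')
    return warnings


# Constructed from the README's sample output, with the leading tabs the
# README says ldap_gen_profile inserts on the second and following lines.
RAW_PROFILE = (
    'dn: cn=default,ou=profile,dc=eng,dc=sun,dc=com\n'
    '\tSolarisBindDN: cn=proxyagent,ou=profile,dc=eng,dc=sun,dc=com\n'
    '\tSolarisBindPassword: {NS1}4a3788e8c053424f\n'
    '\tSolarisLDAPServers: 129.146.17.28\n'
    '\tSolarisSearchBaseDN: dc=eng,dc=sun,dc=com\n'
    '\tSolarisAuthMethod: NS_LDAP_AUTH_SIMPLE\n'
    '\tSolarisTransportSecurity: NS_LDAP_SEC_NONE\n'
    '\tSolarisSearchReferral: NS_LDAP_FOLLOWREF\n'
    '\tSolarisSearchScope: NS_LDAP_SCOPE_ONELEVEL\n'
    '\tSolarisSearchTimeLimit: 30\n'
    '\tSolarisCacheTTL: 43200\n'
    '\tcn: default\n'
    '\tObjectClass: top\n'
    '\tObjectClass: SolarisNamingProfile\n'
)

if __name__ == '__main__':
    cleaned = fix_gen_profile(RAW_PROFILE)
    profile = parse_ldif_entry(cleaned)
    print(cleaned)
    for warning in audit_profile(profile):
        print('WARNING:', warning)
```

In practice: `python fixprofile.py < profile.ldif > profile.clean.ldif`-style use is a two-line change (read stdin, write stdout); the audit is there to make the consequences of the NS_LDAP_SEC_NONE / NS_LDAP_AUTH_SIMPLE choice visible before the profile is pushed to every client.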
50. To set a machine up as a client of this server, run the following
command from the client:
ldapclient -v -P <profile_name> <ldapserverIPaddress>
e.g.,
ldapclient -v -P default 129.146.17.28