Solaris LDAP Authentication
This document covers how a Solaris system can be configured for LDAP authentication. It is an early draft and has only been tested with Solaris 10 zones, although there is no reason why it should not work with earlier versions of Solaris.
Configure an SSL Tunnel
Because our LDAP service requires SSL connections before allowing authentication, it is necessary to connect to the LDAP server using SSL. The easiest way of doing this is to configure a network tunnel with stunnel ... the local machine will then think it is talking to an LDAP server on the local machine.
First (for Solaris 9 and 10), create the configuration file for stunnel in /opt/etc, or copy it from /site/scripts/lib/ldapclient/st-ldap.conf :-
client = yes
[ldap]
accept=localhost:389
connect=ldap-ser.port.ac.uk:636
Note the "accept=localhost:389" ... the use of 'localhost' here prevents the tunnel from being visible (and usable) from the network, which would be a possible security hole.
Next, ensure that the Blastwave build of stunnel is installed :-
pkg-get -i stunnel
mkdir -p /opt/csw/var/run/stunnel
chown nobody /opt/csw/var/run/stunnel
If this doesn't work you need to get Blastwave installed and configured.
Next, on Solaris 10, configure an XML manifest for the SMF service. Either create the XML file with these contents or use /site/scripts/lib/ldapclient/st-ldap.xml :-
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type='manifest' name='Lstunnel-ldap'>
  <service
    name='site/Lstunnel-ldap'
    type='service'
    version='1'>
    <create_default_instance enabled='true' />
    <dependent
      name='exim_multi-user-server'
      grouping='require_all'
      restart_on='none'>
      <service_fmri value='svc:/milestone/multi-user-server' />
    </dependent>
    <exec_method
      type='method'
      name='start'
      exec='/ISOadm/nw-sun/sbin/stunnel /opt/etc/st-ldap.conf'
      timeout_seconds='0' />
    <exec_method
      type='method'
      name='stop'
      exec=':kill -15'
      timeout_seconds='3' />
  </service>
</service_bundle>
This can be imported with svccfg import st-ldap.xml. Once imported, start it with svcadm enable Lstunnel-ldap.
For Solaris 9 copy /site/scripts/lib/ldapclient/ldap.client to /etc/init.d, and run /etc/init.d/ldap.client start.
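Once the tunnel is running it is worth confirming that it really is only reachable from the local machine, which is the whole point of the "accept=localhost:389" line. The following is an added example and not part of the original page: it checks a stunnel configuration for an accept= line without an explicit localhost host part, and checks netstat output for a port 389 listener bound to anything other than 127.0.0.1. The st-ldap.conf and netstat text it works on are constructed samples embedded in the script.

```shell
#!/bin/sh
# Added example (not from the original page): confirm the LDAP tunnel is
# reachable only from the local machine, which is what "accept=localhost:389"
# is meant to guarantee. Two checks: the stunnel config, and the live listener.
# Constructed st-ldap.conf contents, mirroring the configuration above.
CONF_OK='client = yes
[ldap]
accept=localhost:389
connect=ldap-ser.port.ac.uk:636'

# Constructed variant with the host part omitted: stunnel would bind *.389.
CONF_BAD='client = yes
[ldap]
accept=389
connect=ldap-ser.port.ac.uk:636'

# Constructed output in the layout of Solaris "netstat -an -P tcp".
NETSTAT_OK='   Local Address   Remote Address  Swind Send-Q Rwind Recv-Q State
------------------ -------------- ----- ------ ----- ------ -----
      127.0.0.1.389      *.*        0      0 49152      0 LISTEN
      *.22               *.*        0      0 49152      0 LISTEN'
NETSTAT_BAD='      *.389              *.*        0      0 49152      0 LISTEN'

# conf_accept_is_local < stunnel.conf
# Fails if any accept= line lacks an explicit localhost/127.0.0.1 host part.
conf_accept_is_local() {
    awk -F= '
        $1 ~ /^[ \t]*accept[ \t]*$/ {
            v = $2; gsub(/[ \t]/, "", v)
            if (v !~ /^(localhost|127\.0\.0\.1):/) {
                print "accept binds all interfaces: " v; bad = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}

# listener_is_loopback PORT < netstat_output
# Fails if a LISTEN socket on PORT is bound to anything but 127.0.0.1.
listener_is_loopback() {
    awk -v port="$1" '
        $NF == "LISTEN" {
            n = split($1, a, ".")            # last dotted field is the port
            if (a[n] != port) next
            addr = substr($1, 1, length($1) - length(port) - 1)
            if (addr != "127.0.0.1") { print "exposed listener: " $1; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}
```

Against a live system the same two functions are fed /opt/etc/st-ldap.conf and the output of netstat -an -P tcp respectively.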
Configure PAM
For Solaris 9 and 10, replace /etc/pam.conf with the appropriate file from /site/scripts/lib/ldapclient: select pam9.conf for Solaris 9 and pam10.conf for Solaris 10.
The following is the correct pam.conf for Solaris 10; for Solaris 9, all lines containing 'cred' are omitted.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
rsh auth binding pam_unix_auth.so.1 server_policy
rsh auth required pam_ldap.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_dial_auth.so.1
ppp auth binding pam_unix_auth.so.1 server_policy
ppp auth required pam_ldap.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
Instead of just looking in /etc/passwd, this checks both /etc/passwd and the LDAP server. The /etc/passwd file takes priority.
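The pattern in every auth stack above is a "binding ... server_policy" module followed by "required pam_ldap.so.1": a local account is decided at pam_unix_auth, and an LDAP account falls through to pam_ldap. A service whose stack is missing the pam_ldap line silently locks LDAP users out of that one service. The following is an added example, not part of the original page, that audits a pam.conf for that pattern; the pam.conf fragment it reads is constructed, with a deliberately incomplete "sshd" stack for the audit to catch.

```shell
#!/bin/sh
# Added example (not from the original page): audit a pam.conf and report any
# service whose "auth" stack does not reach pam_ldap.so.1 after a
# "binding ... server_policy" module, the pattern every service above uses.
# With it a local account is decided at pam_unix_auth and an LDAP account
# falls through to pam_ldap; a service missing pam_ldap silently locks
# LDAP users out of that one service.

# Constructed pam.conf fragment: "other" and "passwd" follow the pattern
# above; "sshd" is a deliberately incomplete stack for the audit to catch.
PAM_SAMPLE='# comment and blank lines are ignored
other   auth requisite pam_authtok_get.so.1
other   auth required  pam_dhkeys.so.1
other   auth required  pam_unix_cred.so.1
other   auth binding   pam_unix_auth.so.1 server_policy
other   auth required  pam_ldap.so.1

passwd  auth binding   pam_passwd_auth.so.1 server_policy
passwd  auth required  pam_ldap.so.1

sshd    auth requisite pam_authtok_get.so.1
sshd    auth required  pam_unix_auth.so.1
other   account required pam_unix_account.so.1'

# audit_pam_auth < pam.conf
# Prints one line per non-conforming service; exits 1 if any, else 0.
audit_pam_auth() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }        # comments, blank lines
        $2 == "auth" {
            svc = $1; seen[svc] = 1
            if ($3 == "binding" && $5 == "server_policy") binding[svc] = 1
            # pam_ldap only counts once a binding module precedes it
            if ($4 == "pam_ldap.so.1" && $3 == "required" && binding[svc])
                ok[svc] = 1
        }
        END {
            for (s in seen) if (!ok[s]) {
                print s ": auth stack lacks binding server_policy + required pam_ldap.so.1"
                bad = 1
            }
            exit bad ? 1 : 0
        }'
}
```

On a live system run it as audit_pam_auth < /etc/pam.conf after installing the new file.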
Configuring LDAP
Configure the LDAP client daemon manually with the following command. There is a script in /site/scripts called ldap-mancli which does the same thing, as long as stunnel is running :-
/usr/sbin/ldapclient manual \
    -a defaultServerList=localhost \
    -a defaultSearchBase=ou=lan,o=port \
    -a defaultSearchScope=sub \
    -a authenticationMethod=none \
    -a credentialLevel=anonymous \
    -a serviceAuthenticationMethod=passwd:simple \
    -a serviceAuthenticationMethod=shadow:simple \
    -a serviceAuthenticationMethod=pam_ldap:simple \
    -a attributeMap=passwd:gecos=fullname \
    -a attributeMap=passwd:homeDirectory=unixHome \
    -a attributeMap=passwd:uid=cn \
    -a serviceSearchDescriptor=shadow:ou=lan,o=port?sub \
    -a serviceSearchDescriptor=passwd:ou=lan,o=port?sub
To restrict the ability to log in to members of a group, add "?groupMembership=cn=gp-ac-pepitas,ou=sysperms,ou=ns,ou=lan,o=port" to the end of the "serviceSearchDescriptor" values. Obviously make the name of the group appropriate!
Cleaning Up
The ldapclient command makes some changes we don't like, so edit /etc/nsswitch.conf and remove the word 'ldap' from all the name services except 'passwd' and 'group' (including any "[NOTFOUND=return]" bits). Double check that DNS lookups still have files and dns.
Also disable autofs with svcadm disable autofs, as this seems to spring into life.
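The nsswitch.conf clean-up just described, as an added example that is not part of the original page: every entry except passwd and group loses its "ldap" source and any "[NOTFOUND=return]" control, and the script warns if the hosts entry has ended up without both files and dns, or if an entry has been left with no source at all. The nsswitch.conf fragment it reads is a constructed sample in the shape ldapclient leaves behind.

```shell
#!/bin/sh
# Added example (not from the original page): apply the clean-up above to
# nsswitch.conf. Every entry except passwd and group loses the "ldap"
# source and any "[NOTFOUND=return]" control; comments pass through.
# It then warns if hosts no longer lists both files and dns, or if an
# entry has been left with no source at all.

# Constructed nsswitch.conf fragment in the shape ldapclient leaves behind.
NSSWITCH_SAMPLE='# nsswitch.conf as left by ldapclient manual
passwd:     files ldap
group:      files ldap
hosts:      ldap [NOTFOUND=return] files
ipnodes:    ldap [NOTFOUND=return] files
netgroup:   ldap
automount:  files ldap'

# strip_ldap_sources < nsswitch.conf > nsswitch.conf.new
# Cleaned file on stdout, warnings on stderr; exits 1 if anything was
# flagged so the result gets a look before it replaces /etc/nsswitch.conf.
strip_ldap_sources() {
    awk '
        /^[ \t]*#/ || NF == 0 { print; next }
        {
            svc = $1; sub(/:$/, "", svc)
            if (svc == "passwd" || svc == "group") { print; next }
            out = $1; n = 0; f = 0; d = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "ldap" || $i == "[NOTFOUND=return]") continue
                out = out " " $i; n++
                if ($i == "files") f = 1
                if ($i == "dns") d = 1
            }
            if (n == 0) {
                print "WARNING: " svc " has no source left" > "/dev/stderr"
                bad = 1
            }
            if (svc == "hosts" && !(f && d)) {
                print "WARNING: hosts should list files and dns" > "/dev/stderr"
                bad = 1
            }
            print out
        }
        END { exit bad ? 1 : 0 }'
}
```

Column alignment of the rewritten entries is not preserved, and the warnings are the prompt to fix the hosts entry and any emptied entry by hand before installing the result.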
Remaining Stuff
- Map homeDirectory to unixHome for systems where a local home directory is preferred.
- Look into setting up autofs for /Network/Servers/{IP}/... so we automount the users' home directories.
Other bits that need considering (notes of what we forgot on Tiger).
The users' home directories need to be created. Copy from a working machine.
- Edit /etc/profile to call mkhome if no home directory.
- Copy file /opt/bin/mkhome from another machine and set the permissions appropriately.
- It is also suggested that the directories /home/a-z and A-Z be created ready for the user homes.
Finally:
There was a problem on Tiger with uid to name translation. This was caused by incorrect permissions on the /var/run/name_service_door file.
It should be a+r; look in /NOTES on Tiger for details.
Debugging
Finding out what is going wrong is kind of tricky, as there is very little logging for LDAP. The simplest method of debugging is to change the LDAP server list to "ldap.port.ac.uk" and dump the traffic :-
ldapclient -v mod -a defaultServerList=ldap.port.ac.uk
snoop -o ldap.dump -s 0 host hickory-blue
The output file is best inspected on a workstation using Ethereal.
Don't forget to change the server list back again ... because this is plain-text LDAP (which is necessary for dumping traffic), the NDS won't allow any authentication while it is set this way.
Working ldapclient list Configuration
# /usr/sbin/ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= localhost
NS_LDAP_SEARCH_BASEDN= ou=lan,o=port
NS_LDAP_AUTH= none
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= anonymous
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=lan,o=port?sub
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=lan,o=port?sub
NS_LDAP_ATTRIBUTEMAP= passwd:homeDirectory=unixHome
NS_LDAP_ATTRIBUTEMAP= passwd:gecos=description
NS_LDAP_ATTRIBUTEMAP= passwd:uid=cn
NS_LDAP_SERVICE_AUTH_METHOD= passwd:simple
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple
NS_LDAP_SERVICE_AUTH_METHOD= shadow:simple
-- MikeMeredith - 23 May 2005