Mise en place du client OpenLDAP

From Deimos.fr / Bloc Notes Informatique
Jump to: navigation, search

1 Introduction

OpenLDAP n'est malheureusement pas disponible en standard sur Solaris, cependant il est possible de l'installer via pkg-get.

2 Configuration

  • Configurer le fichier /etc/pam.conf :

Pour chaque ligne :

Configuration File /etc/pam.conf
service  auth required           pam_unix_auth.so.1

remplacer "required" par "sufficient" et ajouter derrière la ligne :

Configuration File /etc/pam.conf
service auth sufficient pam_ldap.so.1 try_first_pass

Ce qui doit donner quelquechose comme ceci :

Configuration File /etc/pam.conf
#
#ident  "@(#)pam.conf   1.28    04/04/21 SMI"
#
# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth sufficient         pam_ldap.so.1 try_first_pass
login   auth sufficient         pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth sufficient         pam_ldap.so.1 try_first_pass
rlogin  auth sufficient         pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required           pam_unix_cred.so.1
krlogin auth binding            pam_krb5.so.1
krlogin auth sufficient         pam_ldap.so.1
krlogin auth sufficient         pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh    auth required           pam_unix_cred.so.1
krsh    auth binding            pam_krb5.so.1
krsh    auth sufficient         pam_ldap.so.1
krsh    auth sufficient         pam_unix_auth.so.1
#
# Kerberized telnet service
#
ktelnet auth required           pam_unix_cred.so.1
ktelnet auth binding            pam_krb5.so.1
ktelnet auth sufficient         pam_ldap.so.1
ktelnet auth sufficient         pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_cred.so.1
ppp     auth sufficient         pam_ldap.so.1
ppp     auth sufficient         pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth sufficient         pam_ldap.so.1
other   auth sufficient         pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth required           pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#

  • Configurer le fichier /etc/nsswitch.ldap

Laisser "ldap" uniquement là où c'est utile : pour le moment sur les lignes passwd: et group:.
Pour le reste, mettre le contenu du fichier /etc/nsswitch.dns.
Ce qui donne :

Configuration File /etc/nsswitch.ldap
#
# Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
 
#
# /etc/nsswitch.dns:
#
# An example file that could be copied over to /etc/nsswitch.conf; it uses
# DNS for hosts lookups, otherwise it does not use any other naming service.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
 
# DNS service expects that an instance of svc:/network/dns/client be
# enabled and online.
 
passwd:     files ldap
group:      files ldap
 
# You must also set up the /etc/resolv.conf file for DNS name
# server lookup.  See resolv.conf(4).
hosts:      files dns 
 
# Note that IPv4 addresses are searched for in all of the ipnodes databases
# before searching the hosts databases.
ipnodes:   files dns 
 
networks:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
bootparams: files
publickey:  files
# At present there isn't a 'files' backend for netgroup;  the system will 
#   figure it out pretty quickly, and won't use netgroups at all.
netgroup:   files
automount:  files
aliases:    files
services:   files
printers:       user files
 
auth_attr:  files
prof_attr:  files
project:    files
 
tnrhtp:     files
tnrhdb:     files

Une fois que cela est fait, nous allons pouvoir mettre en place la configuration. Attention : si vous êtes en environnement cluster, adapatez à la conf initiale ! :

Command
cp /etc/nsswitch.ldap /etc/nsswitch.conf

  • Lancer la configuration du client ldap

Il suffit de taper la commande :

Command ldapclient
ldapclient manual -v -a authenticationMethod=simple -a proxyDN=cn=admin,dc=openldap,dc=mydomain,dc=local -aproxyPassword=bidon -a defaultSearchBase=dc=openldap,dc=mydomain,dc=local -a defaultServerList=ldap.mydomain.local -a serviceSearchDescriptor=passwd:dc=openldap,dc=mydomain,dc=local?sub -a serviceSearchDescriptor=shadow:dc=openldap,dc=mydomain,dc=local?sub -a serviceSearchDescriptor=group:dc=openldap,dc=mydomain,dc=local?sub -a serviceAuthenticationMethod=pam_ldap:simple<nowiki>=</nowiki>

Attention : il semble que la commande ldapclient soit buggée et nécéssite les paramètres proxyDN et proxyPassword même s'ils sont inutilisés ! (et même s'ils contiennent n'importe quoi)

Command /etc/auto_home
#
# Copyright 2003 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# ident "@(#)auto_home  1.6     03/04/28 SMI"
#
# Home directory map for automounter
#
+auto_home
* localhost:/export/home/&

Au cas où vous voudriez créer automatiquement le home directory, vous devez effectuer un portage du pam_mkhomedir de linux :

Une bonne idée serait aussi de monter automatiquement le home depuis un serveur nfs.

Il faut que les comptes utilisateurs dans l'annuaire LDAP aient dans leur liste d 'objectClass la classe « shadowAccount » pour pouvoir être pris en compte par solaris.

3 FAQ

3.1 WARNING: /var/ldap/ldap_client_file is missing or not readable

J'ai eu ce message lorsque j'ai voulu initialiser le service avec la commande ldapclient et que les serveurs ldap étaient down. Vérifiez donc que :

  • Le service client (svc:/network/ldap/client:default) est offline
  • Les serveurs LDAP sont bien dispnibles

Dans le cas ou ça ne fonctionne toujours pas, il va falloir créer 2 fichiers à la main :

Configuration File /var/ldap/ldap_client_file
#
# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
#
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= server2, server1
NS_LDAP_SEARCH_BASEDN= dc=openldap,dc=mycompany,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_CACHETTL= 0
NS_LDAP_SERVICE_SEARCH_DESC= passwd:dc=openldap,dc=mycompany,dc=com?sub?&(&(objectClass=posixAccount)(!(objectClass=computer)))
NS_LDAP_SERVICE_SEARCH_DESC= shadow:dc=openldap,dc=mycompany,dc=com?sub
NS_LDAP_SERVICE_SEARCH_DESC= group:dc=openldap,dc=mycompany,dc=com?sub
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple

et le fichier contenant les identifiants :

Configuration File /var/ldap/ldap_client_cred
#
# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
#
NS_LDAP_BINDDN= cn=admin,dc=openldap,dc=mycompany,dc=lan
NS_LDAP_BINDPASSWD= {NS1}4a3788e8c053424f

Pour générer un mot de passe, utiliez la commande ldap_gen_profil :

Command ldap_gen_profil
ldap_gen_profile -P profile -b dc=mycompany,dc=local -w test 127.0.0.1 | grep SolarisBindPassword

4 Ressources

http://docs.sun.com/app/docs/doc/806-4077/6jd6blbev?a=view#ldapsecure-74
http://www.ypass.net/solaris/openldap/ldapcachemgr.php