(iPlanet Directory Server is now called SUN ONE Directory Server or Java System Directory Server)
(SimpleBind + SSL/TLS/start_tls + without-SASL + automount + netgroup + sudo + apache)
(See also related documents at http://web.singnet.com.sg/~garyttt/)
Purpose:
This document describes the steps involved in installing and configuring a SUN ONE (iPlanet) Directory Server (DS5.2 or iDS 5.2) with SSL/TLS support on Solaris8/9, to be accessed by RedHat Linux or Solaris8/9 LDAP clients. Many useful productivity UNIX shell scripts are also provided in this document.
To use LDAP centralized authentication with nss_ldap and pam_ldap, i.e. to use the LDAP "uid" and "userPassword" attributes for UNIX account id and password lookup, you must also complete the setup documented in "Installing and configuring OpenSSH with pam_ldap for Solaris9" and/or "Installing and configuring OpenSSH with pam_ldap for RedHat Enterprise Linux3".
Another related document "Deploying SUN Solaris Native LDAP Client by using automated scripts", describes the steps involved in building up an infrastructure environment for rapid deployment of Native LDAP Client.
Download URL:
http://www.sun.com/software/products/directory_srvr_ee/get.jsp
Public Mail Lists/Forums:
http://lists.fini.net/mailman/listinfo/ldap-interop
http://forum.java.sun.com/forum.jspa?forumID=761
http://www.dbforums.com (comp.unix.solaris)
http://bbs.chinaunix.net/ (Chinese web site)
Useful URLs:
· SUN Blogs http://blogs.sun.com,
Search for “ldap” or “ldapclient” or “ldap ssl” or “ldap tls” or “ldap nis” depending on your need.
· Raja’s SUN Native LDAP Product Support Document
http://blogs.sun.com/roller/resources/raja/ldap-psd.html
· SUN Blue Print: Tom Bailaski and Michael Haines’s “LDAP in the Solaris Operating Environment”
http://www.sun.com/books/catalog/haines_bialaski_ldap.xml (not downloadable; it must be purchased)
· SUN Blue Print: Michael Haines’s “Understanding NIS to LDAP Service (N2L) Architecture”
http://www.sun.com/blueprints/0306/819-4326.pdf
· A twisted world - Rohan Pinto’s Weblog :: NIS to LDAP migration guide
http://blogs.sun.com/rohanpinto/entry/nis_to_ldap_migration_guide
· SUN ONE Directory Server 5.2 Installation and Tuning Guide:
http://docs.sun.com/source/816-6697-10/contents.html
· SUN Solaris9's “System Administration Guide: Naming and Directory Services - May 2002”:
http://docs.sun.com/app/docs/doc/816-4856
· SUN Solaris10's “System Administration Guide: Naming and Directory Services”:
http://docs.sun.com/app/docs/doc/816-4556
· SUN ONE Directory Server 5.2 documentations:
http://docs.sun.com/app/docs/coll/S1_DirectoryServer_52
· SUN Java System/Directory Server 5 / 2005Q1 documentation:
http://docs.sun.com/app/docs/coll/DirectoryServer_05q1
· SUN Java System/Directory Server 5 / 2005Q4 documentation:
http://docs.sun.com/app/docs/coll/1316.1
· John Berger’s Beginner Guide to SunONE DS
http://www.thebergerbits.com/Beginners_Guide_to_SunONE_DS.pdf
· SUN ONE Directory Server 5.2 release notes:
http://docs.sun.com/source/816-6703-10/index.html
· SUN Java System Directory Server 5.2 / 2005Q1 release notes:
http://docs.sun.com/source/817-7611/index.html
· SUN Java System/Directory Server 5.2 / 2005Q4 release notes
http://docs.sun.com/source/819-2405/index.html
· SUN Java System/Directory Server 5.2 / 2005Q1 release notes for Compressed Archive
http://docs.sun.com/source/819-1815/index.html
· SUN Java System/Directory Server 5.2 / 2005Q4 release notes for Patchzip
http://docs.sun.com/source/819-4290/index.html
· SUN Java System/Directory Server 5.2 Log File Access Log Content:
http://docs.sun.com/source/817-7616/fileref.html#wp20452
· OpenSSH LDAP Public Key Patch
http://www.opendarwin.org/projects/openssh-lpk/
· LDAP Error and Status Codes
http://www.directory-info.com/LDAP/LDAPErrorCodes.html
· BIND9.NET LDAP Page
· SUN ONE Directory Server Error Code Reference:
http://docs.sun.com/source/816-6699-10/ax_errcd.html
· Automating LDAP Client Installation (JumpStart)
http://www.sun.com/blueprints/0701/LDAPinstall.pdf
· LDAP Client Login Authentication
http://yolinux.com/TUTORIALS/LDAP_Authentication.html
· Integrating AIX into Heterogenous LDAP Environments
http://www.redbooks.ibm.com/redbooks/pdfs/sg247165.pdf
· Integrating UNIX/Linux LDAP Clients into Active Directory – ad4unix
http://sourceforge.net/projects/ad4unix/
· Integrating Windows Clients into UNIX/Linux LDAP Server - pGina
http://sourceforge.net/projects/pgina/
· SUN Directory Server Resource Kit
http://www.sun.com/software/products/directory_srvr_ee/get.jsp
Freeware tools used:
· OpenSSL 0.9.7e or later – http://www.openssl.org
· LDAP Browser/Editor: http://www-unix.mcs.anl.gov/~gawor/ldap/
· BIND9.NET LDAP Tools: http://www.bind9.net/ldap-tools
· JXplorer Java LDAP Browser/Editor: http://pegacat.com/jxplorer/ (can do SSL connection)
· Other Graphical LDAP Tools: http://en.tldp.org/HOWTO/LDAP-HOWTO/graphicaltools.html
· Novell LDAP CoolTools: http://www.novell.com/coolsolutions/tools/bycategory/168.html
· LDAP Account Manager: http://lam.sf.net
· Softerra LDAP Administrator: http://www.ldapadministrator.com/
· SUN Directory Editor: http://www.sun.com/software/products/directory_srvr_ee/get.jsp
Example used:
· MASTER LDAP Server: ldap1.example.com, 192.168.1.168
· SLAVE LDAP Server: ldap2.example.com, 192.168.1.178
· RedHat EL3 LDAP Client: client1.example.com, 192.168.1.188
· Solaris8 LDAP Client: client2.example.com, 192.168.1.198
· Solaris9 LDAP Client: client3.example.com, 192.168.1.208
It is highly recommended that OS level Security Hardening be applied to all LDAP Servers.
Preparation Steps:
Please ensure that IP addresses of LDAP Server(s) are defined in DNS and/or /etc/hosts
It is important that the Fully Qualified Domain Name (eg: ldap1.example.com) be listed as the first entry right after the IP address, as shown below:
192.168.1.168 ldap1.example.com ldap1
Please ensure that the LDAP domain example.com is defined in /etc/resolv.conf. On Solaris LDAP clients and servers, /etc/defaultdomain should also contain "example.com" as the LDAP domain.
If this is an upgrade of an old iDS 5.0 or 5.1 server to the latest 5.2, it is always wise to back up all *.db TLS security files in $IDS5_PATH/alias before proceeding.
The procedures in this document are also applicable to Solaris8 provided that patch 108993 has been applied; note that Solaris8 has a different syntax for the "ldapclient" command. For Solaris9, LDAP library patch 112960 is highly recommended. See also the following URL if you are using SJES/DS5.2.
http://docs.sun.com/source/817-7611/index.html#wp33336
Please refer to Appendix for a useful script to check patches.
The procedures are also applicable to Solaris10, where there is a specific step for the "crle" command; you may like to refer to this URL:
http://www.sunmanagers.org/pipermail/summaries/2005-August/006688.html
For Solaris10 LDAP Client, it is noted that the entry “ipnodes: files ldap” in /etc/nsswitch.conf should be replaced with just “ipnodes: files” or else ldapclient initialization will hang.
This step is for LDAP Server(s) only.
Log in as root.
# cd /var/tmp
# tar xvf ds.5.2.P4.Solaris.SPARC.full.tar
IMPORTANT NOTE: If you have a previous version of iDS5 (5.0/5.1) installed, shut down its slapd process, uninstall its software components, remove any references to 5.0/5.1 (eg: /usr/iplanet/ds5/lib) from LD_LIBRARY_PATH in /etc/profile and/or current login shells, and disable the iDS5.0/5.1 startup script (cd /etc/rc2.d; mv S72directory s72directory; ./s72directory stop) before proceeding to run "setup".
# ./setup
or
# ./setup -nodisplay
Accepting the default value at each prompt is usually good enough for a test LDAP server.
For SJES/DS5.2:
# jar xvf java_es_05Q1_directory-ga-solaris-sparc.zip
# cd java_es_05Q1_directory
# chmod -R a+x *
# cd Solaris_sparc
# ./installer
or
# ./installer -nodisplay
Accepting the default value at each and every prompt is usually good enough for a test LDAP server.
Note 1: if you encounter an error after running "installer" and wish to re-run "setup", simply perform the following "uninstall" actions (applicable to SJES/DS5.2):
In CDE X-Windows terminal, run “prodreg” to uninstall components.
# prodreg
If "prodreg" does not work, a manual "clean-up" may be performed:
# rm -f /var/sadm/install/productregistry
# rm -f /var/sadm/install/logs/*_install*
# cd /var/sadm/pkg
# rm -rf SUNWdsv* SUNWasv* SUNWcomds
Then unset the “installed?” flag(s) in /etc/ds/versions:
#version|command path|installed?|default?
5.1|//usr/iplanet/ds5/sbin/directoryserver|YES|NO
5.2|//usr/ds/v5.2/sbin/directoryserver|NO|YES
Note 2: if some of the scripts extracted from the tar file do not have execute permission, perform the following action prior to running setup.
# chmod -R a+x *
Now start admin server and slapd if they are not started.
# ps -ef | egrep "admin-serv|slapd"
# /var/Sun/mps/start-admin
# /var/Sun/mps/slapd-`hostname`/start-slapd
Please note that the Solaris SPARC version of SJES/DS5.2 is already at Patch_4 level. This can be confirmed by looking at /var/Sun/mps/slapd-`hostname`/errors while restarting ns-slapd: there will be a banner saying it is Patch_4. If it is not at Patch_4, it is advisable to download and apply 117665-03.
117665-03: for Solaris8/9 SPARC
117666-03: for Solaris8/9 x86
117667-03: for Windows
117668-03: for Linux
117669-03: for HP-UX
117670-03: For AIX
Now run "idsconfig"; note that this command is NOT on the default $PATH.
NOTE: if SJES/DS5.2 is used and the LDAP domain you are trying to set up is NOT "dc=example,dc=com", the following hack to "idsconfig" is required to work around a road block: "ERROR: Can not determine the top of tree".
# cd /usr/lib/ldap
# mv idsconfig idsconfig.orig
# cp idsconfig.orig idsconfig
# vi idsconfig
Replace line:
grep -i -v NetscapeRoot > ${TMPDIR}/treeTOP
with:
grep -i -v NetscapeRoot | grep -i -v dc=example > ${TMPDIR}/treeTOP
Note: in some later versions of "idsconfig", you will see "{GREP}" in place of "grep".
Otherwise, please proceed.
# /usr/lib/ldap/idsconfig
It is strongly recommended that you BACKUP the directory server
before running idsconfig.
Hit Ctrl-C at any time before the final confirmation to exit.
Do you wish to continue with server setup (y/n/h)? [n] y
Enter the iPlanet Directory Server's (iDS) hostname to setup: ldap1
Enter the directory manager DN: [cn=Directory Manager]
Enter passwd for cn=Directory Manager :
Enter the domainname to be served (h=help): [example.com]
Enter LDAP Base DN (h=help): [dc=example,dc=com]
Enter the profile name (h=help): [default]
Default server list (h=help): [192.168.1.168] ldap1.example.com ldap2.example.com
Preferred server list (h=help):
Choose desired search scope (one, sub, h=help): [one]
The following are the supported credential levels:
1 anonymous
2 proxy
3 proxy anonymous
Choose Credential level [h=help]: [1] 2
The following are the supported Authentication Methods:
1 none
2 simple
3 sasl/DIGEST-MD5
4 tls:simple
5 tls:sasl/DIGEST-MD5
Choose Authentication Method (h=help): [1] 2
Current authenticationMethod: simple
Do you want to add another Authentication Method? n
Do you want the clients to follow referrals (y/n/h)? [n]
Do you want to modify the server timelimit value (y/n/h)? [n]
Do you want to store passwords in "crypt" format (y/n/h)? [n] y
Do you want to setup a Service Authentication Methods (y/n/h)? [n]
Client search time limit in seconds (h=help): [30]
Profile Time To Live in seconds (h=help): [43200]
Bind time limit in seconds (h=help): [10]
Do you wish to setup Service Search Descriptors (y/n/h)? [n] y
D Delete a SSD
P Display all SSD's
H Help
X Clear all SSD's
Q Exit menu
Enter menu choice: [Quit] A
Enter the service id: passwd
Enter the base: ou=People,dc=example,dc=com
Enter the scope: one
A Add a Service Search Descriptor
D Delete a SSD
M Modify a SSD
H Help
X Clear all SSD's
Q Exit menu
Enter menu choice: [Quit] A
Enter the service id: group
Enter the base: ou=group,dc=example,dc=com
Enter the scope: one
A Add a Service Search Descriptor
D Delete a SSD
M Modify a SSD
P Display all SSD's
H Help
X Clear all SSD's
Enter menu choice: [Quit] A
Enter the service id: shadow
Enter the base: ou=People,dc=example,dc=com
Enter the scope: one
A Add a Service Search Descriptor
D Delete a SSD
M Modify a SSD
P Display all SSD's
X Clear all SSD's
Enter menu choice: [Quit] A
Enter the service id: netgroup
Enter the base: ou=netgroup,dc=example,dc=com
Enter the scope: one
A Add a Service Search Descriptor
D Delete a SSD
M Modify a SSD
P Display all SSD's
H Help
X Clear all SSD's
Q Exit menu
Enter menu choice: [Quit]
Summary of Configuration
1 Domain to serve : example.com
2 Base DN to setup : dc=example,dc=com
3 Profile name to create : default
4 Default Server List : ldap1.example.com ldap2.example.com
5 Preferred Server List :
6 Default Search Scope : one
7 Credential Level : proxy
8 Authentication Method : simple
9 Enable Follow Referrals : FALSE
10 iDS Time Limit :
11 iDS Size Limit :
12 Enable crypt password storage : TRUE
13 Service Auth Method pam_ldap :
14 Service Auth Method keyserv :
15 Service Auth Method passwd-cmd:
16 Search Time Limit : 30
17 Profile Time to Live : 43200
18 Bind Limit : 10
Enter config value to change: (1-19 0=commit changes) [0] 19
Do you wish to setup Service Search Descriptors (y/n/h)? [n] y
D Delete a SSD
M Modify a SSD
P Display all SSD's
H Help
X Clear all SSD's
Q Exit menu
Enter menu choice: [Quit] P
Current Service Search Descriptors:
==================================
passwd:ou=People,dc=example,dc=com?one
group:ou=group,dc=example,dc=com?one
shadow:ou=People,dc=example,dc=com?one
netgroup:ou=netgroup,dc=example,dc=com?one
Hit return to continue.
A Add a Service Search Descriptor
D Delete a SSD
M Modify a SSD
P Display all SSD's
H Help
X Clear all SSD's
Q Exit menu
Enter menu choice: [Quit]
Summary of Configuration
1 Domain to serve : example.com
2 Base DN to setup : dc=example,dc=com
3 Profile name to create : default
4 Default Server List : ldap1.example.com ldap2.example.com
5 Preferred Server List :
6 Default Search Scope : one
7 Credential Level : proxy
8 Authentication Method : simple
9 Enable Follow Referrals : FALSE
10 iDS Time Limit :
11 iDS Size Limit :
12 Enable crypt password storage : TRUE
13 Service Auth Method pam_ldap :
14 Service Auth Method keyserv :
15 Service Auth Method passwd-cmd:
16 Search Time Limit : 30
17 Profile Time to Live : 43200
19 Service Search Descriptors Menu
Enter config value to change: (1-19 0=commit changes) [0]
Enter DN for proxy agent: [cn=proxyagent,ou=profile,dc=example,dc=com]
Enter passwd for proxyagent: password
Re-enter passwd: password
1. Changed passwordstoragescheme to "crypt" in cn=config.
2. Schema attributes have been updated.
3. Schema objectclass definitions have been added.
4. NisDomainObject added to dc=example,dc=com.
5. Top level "ou" containers complete.
6. automount maps: auto_home auto_direct auto_master auto_shared processed.
7. ACI for dc=example,dc=com modified to disable self modify.
8. Add of VLV Access Control Information (ACI).
9. Proxy Agent cn=proxyagent,ou=profile,dc=example,dc=com added.
10. Give cn=proxyagent,ou=profile,dc=example,dc=com read permission for
password.
11. Generated client profile and loaded on server.
12. Processing eq,pres indexes:
ipHostNumber (eq,pres) Finished indexing.
uidNumber (eq,pres) Finished indexing.
ipNetworkNumber (eq,pres) Finished indexing.
gidnumber (eq,pres) Finished indexing.
oncrpcnumber (eq,pres) Finished indexing.
automountKey (eq,pres) Finished indexing.
13. Processing eq,pres,sub indexes:
membernisnetgroup (eq,pres,sub) Finished indexing.
nisnetgrouptriple (eq,pres,sub) Finished indexing.
14. Processing VLV indexes:
example.com.getgrent vlv_index Entry created
example.com.gethostent vlv_index Entry created
example.com.getnetent vlv_index Entry created
example.com.getpwent vlv_index Entry created
example.com.getrpcent vlv_index Entry created
example.com.getspent vlv_index Entry created
idsconfig: Setup of iDS server ldap1 is complete.
Note: idsconfig has created entries for VLV indexes. Use the
directoryserver(1m) script on ldap1 to stop
the server and then enter the following vlvindex
sub-commands to create the actual VLV indexes:
directoryserver -s <server-instance> vlvindex -n userRoot -T example.com.getgrent
directoryserver -s <server-instance> vlvindex -n userRoot -T example.com.gethostent
directoryserver -s <server-instance> vlvindex -n userRoot -T example.com.getnetent
directoryserver -s <server-instance> vlvindex -n userRoot -T example.com.getpwent
directoryserver -s <server-instance> vlvindex -n userRoot -T example.com.getrpcent
directoryserver -s <server-instance> vlvindex -n userRoot -T example.com.getspent
IMPORTANT NOTE: DO NOT USE "directoryserver -s <server-instance> vlvindex ..." to create the VLV indexes, as /usr/sbin/directoryserver may be pointing to the OLD Solaris built-in iDS 5.0 or 5.1 executable. Use the following short script instead.
# cat ids52_vlvindex.sh
/var/Sun/mps/slapd-ldap1/stop-slapd
/var/Sun/mps/slapd-ldap1/vlvindex -n userRoot -T example.com.getgrent
/var/Sun/mps/slapd-ldap1/vlvindex -n userRoot -T example.com.gethostent
/var/Sun/mps/slapd-ldap1/vlvindex -n userRoot -T example.com.getnetent
/var/Sun/mps/slapd-ldap1/vlvindex -n userRoot -T example.com.getpwent
/var/Sun/mps/slapd-ldap1/vlvindex -n userRoot -T example.com.getrpcent
/var/Sun/mps/slapd-ldap1/vlvindex -n userRoot -T example.com.getspent
/var/Sun/mps/slapd-ldap1/start-slapd
# ./ids52_vlvindex.sh
[24/Feb/2005:00:00:09 -0500] - userRoot: Indexing VLV: example.com.getgrent
[24/Feb/2005:00:00:09 -0500] - userRoot: Finished indexing.
[24/Feb/2005:00:00:12 -0500] - userRoot: Indexing VLV: example.com.gethostent
[24/Feb/2005:00:00:12 -0500] - userRoot: Indexed search unsuccessful, will perform unindexed search instead.
[24/Feb/2005:00:00:12 -0500] - userRoot: Finished indexing.
[24/Feb/2005:00:00:14 -0500] - userRoot: Indexing VLV: example.com.getnetent
[24/Feb/2005:00:00:14 -0500] - userRoot: Indexed search unsuccessful, will perform unindexed search instead.
[24/Feb/2005:00:00:14 -0500] - userRoot: Finished indexing.
[24/Feb/2005:00:00:17 -0500] - userRoot: Indexing VLV: example.com.getpwent
[24/Feb/2005:00:00:17 -0500] - userRoot: Finished indexing.
[24/Feb/2005:00:00:19 -0500] - userRoot: Indexing VLV: example.com.getrpcent
[24/Feb/2005:00:00:19 -0500] - userRoot: Indexed search unsuccessful, will perform unindexed search instead.
[24/Feb/2005:00:00:19 -0500] - userRoot: Finished indexing.
[24/Feb/2005:00:00:21 -0500] - userRoot: Indexing VLV: example.com.getspent
[24/Feb/2005:00:00:21 -0500] - userRoot: Finished indexing.
Note 1: you may also use the SUN ONE Console "Create Browsing Index" function (right-click the object) to do the same for the above.
Note 2: initially, when there is no data under ou=People and ou=group, the VLV index creation will fail; this is normal.
Congratulations!!! You have just successfully completed the installation of SUN ONE Directory Server.
This step is for BOTH LDAP Server(s) as well as Clients which require SSL_TLS support for LDAP connection.
IMPORTANT NOTE 2: For Solaris8, Patch 112438 is required if /dev/random instead of prngd is used to support OpenSSL.
Prepare the following short script "cr_ssl_certs_ids5ldap.sh", with the content shown below; please customize the details of the certificate.
IMPORTANT NOTE: The self-signed server certificate created here is PURELY for TESTING and DEMONSTRATION PURPOSES ONLY. In a production environment, create a Certificate Signing Request (CSR) using the iPlanet Administration Console, and contact a trusted commercial vendor such as Verisign to sign the certificate request (for a service fee). The signed certificate can then be merged into the current server using the iPlanet Administration Console. SUN ONE DS5.2 (iDS 5.2) already comes with a built-in list of popular Certificate Authority certificates, including Verisign.
Tips: if you are interested in a ONE-BUTTON productivity script that creates SSL certificates for both slapd and admin-serv, please consult "Configuring Solaris Native LDAP Client for Fedora Directory Server" from my Home Page for a script called "cr_ssl_certs.sh"; this script works for BOTH SUN ONE Directory Server and Fedora Directory Server.
#! /bin/sh
#
# cr_ssl_certs_ids5ldap.sh
#
# Gary Tay, 07-Jan-2005, written
#
# Ref. URL is http://docs.sun.com/source/816-5542-10/certutil.htm#13305
#
# Customize location of iDS5
IDS5_PATH=/var/Sun/mps; export IDS5_PATH
# Customize the followings
PATH=$PATH:$IDS5_PATH/shared/bin; export PATH
LD_LIBRARY_PATH=$IDS5_PATH/lib:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
DOW=`date | cut -d' ' -f1`
HOST=`hostname`
DOMAIN=`domainname`
FQDN="$HOST.$DOMAIN"
ORG="Example Companies"
LOCALITY="NewYork City"
STATE="NewYork"
COUNTRY="US"
cd $IDS5_PATH/alias
echo "Backing up $IDS5_PATH/alias/*.db to $IDS5_PATH/alias/backup_$DOW..."
mkdir -p $IDS5_PATH/alias/backup_$DOW >/dev/null 2>/dev/null
cp $IDS5_PATH/alias/*.db $IDS5_PATH/alias/backup_$DOW
rm -f $IDS5_PATH/alias/slapd-$HOST-*.db
# Please read "certutil" help information
# http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
echo "Creating Key and Certificate databases..."
certutil -N -d $IDS5_PATH/alias -P "slapd-$HOST-"
# -S = Standalone certificate, -s = Subject
# -t = trust attributes, -x = self-signed, -v 12 = valid for 12 months
# -P = Prefixed with string, -5 = prompt for type of certificate
echo "Creating a self-signed Server Certificate..."
certutil -S -d $IDS5_PATH/alias -n "$FQDN" -s "CN=$FQDN,O=$ORG,L=$LOCALITY,ST=$STATE,C=$COUNTRY" -t "CTPu,CTPu,CTPu" -x -v 12 -P "slapd-$HOST-" -5
echo "Listing the certificate..."
certutil -L -d $IDS5_PATH/alias -P "slapd-$HOST-"
certutil -L -d $IDS5_PATH/alias -P "slapd-$HOST-" -n $FQDN
echo "Verifying the certificate..."
certutil -V -d $IDS5_PATH/alias -P "slapd-$HOST-" -n $FQDN -u V -e -l
Run this script:
# ./cr_ssl_certs_ids5ldap.sh
Backing up /var/Sun/mps/alias/*.db to /var/Sun/mps/alias/backup_Thu...
Creating Key and Certificate databases...
In order to finish creating your database, you
must enter a password which will be used to
encrypt this key and any future keys.
The password must be at least 8 characters long,
and must contain at least one non-alphabetic character.
Enter new password: secret
Re-enter password: secret
Creating a self-signed Server Certificate...
A random seed must be generated that will be used in the
creation of your key. One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.
To begin, type keys on the keyboard until this progress meter
is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
Continue typing until the progress meter is full:
|************************************************************|
Finished. Press enter to continue:
Enter Password or Pin for "NSS Certificate DB": secret
Generating key. This may take a few moments...
0 - SSL Client
1 - SSL Server
2 - S/MIME
3 - Object Signing
4 - Reserved for futuer use
5 - SSL CA
6 - S/MIME CA
7 - Object Signing CA
Other to finish
1
0 - SSL Client
1 - SSL Server
2 - S/MIME
3 - Object Signing
4 - Reserved for futuer use
5 - SSL CA
6 - S/MIME CA
7 - Object Signing CA
Other to finish
9
Is this a critical extension [y/n]?
y
Listing the certificate...
Certificate Name Trust Attributes
ldap1.example.com CTPu,CTPu,CTPu
p Valid peer
P Trusted peer (implies p)
c Valid CA
T Trusted CA to issue client certs (implies c)
C Trusted CA to certs(only server certs for ssl) (implies c)
u User cert
w Send warning
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
00:cb:4f:a8:2b
Signature Algorithm: PKCS #1 MD5 With RSA Encryption
Issuer: CN=ldap1.example.com, O=Example Companies, L=NewYork City, ST=NewYork, C=US
Validity:
Not Before: Thu Feb 24 06:19:43 2005
Not After: Wed May 24 06:19:43 2006
Subject: CN=ldap1.example.com, O=Example Companies, L=NewYork City, ST=NewYork, C=US
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
00:b0:79:44:72:b7:61:84:d9:c1:17:4d:a1:05:48:
0e:4b:3d:c8:02:52:9d:4e:de:9e:6b:b9:7e:2b:5b:
a4:40:d0:d4:e3:1c:3f:93:02:19:d7:5b:68:85:b6:
a9:d8:ef:85:ae:9b:09:33:ae:52:d6:78:d5:a9:de:
c8:bf:ce:f6:c7:d7:12:74:aa:21:fa:1a:9d:5d:45:
20:d9:4d:47:6c:1d:88:de:d9:c2:2b:bc:76:80:a6:
f5:8a:0d:fc:48:f6:fc:c0:38:e3:69:4a:3f:15:11:
b5:dc:a7:9f:1b:59:56:c8:3a:68:a4:9f:41:be:e9:
33:7b:e3:e3:89:39:0a:77:b5
Exponent: 65537 (0x10001)
Signed Extensions:
Name:
Certificate Type
Critical:
True
Data: <SSL Server>
Fingerprint (MD5):
D4:1D:8C:D9:8F:00:B2:04:E9:80:09:98:EC:F8:42:7E
Fingerprint (SHA1):
DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09
Signature Algorithm: PKCS #1 MD5 With RSA Encryption
Signature:
01:c7:8a:1d:55:7f:25:3d:fd:dd:db:5e:04:ac:de:16:7f:b2:
07:c9:27:e0:c6:03:90:16:f9:3e:7d:8a:55:27:43:d1:d9:db:
90:4c:38:1e:c1:14:2f:99:be:d4:46:90:f7:9c:64:f2:8c:f2:
af:0e:62:da:55:9c:66:72:24:9f:46:52:46:ac:3a:73:a3:0d:
31:b1:4e:36:86:f0:3d:8c:3d:09:14:71:15:30:ca:4b:41:cd:
e5:4c:bf:4b:5d:8a:81:e2:fb:c4:51:72:c4:48:50:ba:02:d4:
bc:bb:00:2c:a9:43:dc:80:e4:90:8b:c0:2c:55:7d:94:b4:63:
59:d4
Certificate Trust Flags:
SSL Flags:
Valid Peer
Trusted
Valid CA
Trusted CA
User
Trusted Client CA
Email Flags:
Valid Peer
Trusted
Valid CA
Trusted CA
User
Trusted Client CA
Object Signing Flags:
Valid Peer
Trusted
Valid CA
Trusted CA
User
Trusted Client CA
Verifying the certificate...
Enter Password or Pin for "NSS Certificate DB": secret
certutil: certificate is valid
The above run will create slapd-ldap1-key3.db and slapd-ldap1-cert7.db in $LDAP_ROOT/alias directory.
Now we have to configure iDS 5.2 to use SSL encryption.
Start the iPlanet Administration Server if it is not started.
# /var/Sun/mps/start-admin
Run the local iPlanet Administration Console (/var/Sun/mps/startconsole) or run the Windows-based "SUN ONE Server Console".
# /var/Sun/mps/startconsole
Login as cn=Directory Manager
Go to Directory Server Tasks/Manage Certificates tab, notice that there is a certificate created called "ldap1.example.com" issued to "ldap1.example.com" and by itself "ldap1.example.com", valid for use as SSL Server Certificate for 12+3=15 months.
Go to Directory Server Configuration/Encryption tab, check "Enable SSL for this server" and also "Use this cipher family: RSA", ensure that the "Certificate" field is referencing the slapd-ldap1-cert7.db we have created, i.e. it is called ldap1.example.com
Click Save
Go to Directory Server Configuration/Network tab, ensure that LDAP server will be run to listen on "Both secure and non-secure ports", i.e. port 389 as well as 636.
Go to Directory Server Tasks, stop the LDAP Server, when you try to restart it, you would notice it will need a password file.
You can EITHER start it from the command line (which prompts for the password) OR create a password file for the slapd-ldap1-key3.db we have created; the file MUST have this name: $LDAP_ROOT/alias/slapd-ldap1-pin.txt
# echo "Internal (Software) Token:secret" >/var/Sun/mps/alias/slapd-ldap1-pin.txt
IMPORTANT NOTE: DO NOT LEAVE ANY SPACES after the "Token:" and at the end of the line or else the password will not be recognized by "start-slapd".
# chmod 400 /var/Sun/mps/alias/slapd-ldap1-pin.txt
If ns-slapd runs as a non-root user, for example "nobody", "ns-slapd" or "ldap", make sure the pin file is owned by (and therefore readable by) the slapd owner, substituting that account name below:
# chown <slapd-owner> /var/Sun/mps/alias/slapd-ldap1-pin.txt
Restart LDAP Server now.
# /var/Sun/mps/slapd-ldap1/start-slapd
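The pin file above is the only thing standing between an attacker with read access to the filesystem and the server's private key, and its format is unforgiving (one line, no space after "Token:", no trailing blanks). The following script is an added example, not part of the original document: it writes the file with a restrictive umask so the password is never world-readable even for an instant, and then validates both the format and the permission bits before start-slapd is attempted. The path, owner and password used in the demonstration are constructed values; on a real server the path is /var/Sun/mps/alias/slapd-ldap1-pin.txt.

```shell
#!/bin/sh
# pinfile.sh -- added example, not part of the original document.
#
# Creates and validates the PIN file that start-slapd reads to unlock the
# NSS key database (slapd-<host>-key3.db) without prompting. The file must
# hold exactly one line of the form
#     Internal (Software) Token:<password>
# with no space after "Token:" and no trailing whitespace, and it must be
# readable only by the account that runs ns-slapd, since it holds the
# password that protects the server's private key.

# write_pin_file <path> <password> [owner]
# Writes the file under umask 077 so it is never world-readable, then
# fixes the mode and (optionally) the owner.
write_pin_file() {
    path=$1; pin=$2; owner=$3
    old_umask=$(umask)
    umask 077
    printf 'Internal (Software) Token:%s\n' "$pin" > "$path" || return 1
    umask "$old_umask"
    chmod 400 "$path" || return 1
    if [ -n "$owner" ]; then
        chown "$owner" "$path" || return 1
    fi
    return 0
}

# check_pin_file <path>
# Returns 0 when the file is usable by start-slapd, 1 with a reason otherwise.
check_pin_file() {
    path=$1
    if [ ! -f "$path" ]; then
        echo "FAIL: $path does not exist"; return 1
    fi
    lines=$(awk 'END { print NR }' "$path")
    if [ "$lines" -ne 1 ]; then
        echo "FAIL: expected exactly 1 line, found $lines"; return 1
    fi
    # Token name, a colon, then the password with no blanks on either side.
    if ! grep -q '^Internal (Software) Token:[^[:space:]][^[:space:]]*$' "$path"; then
        echo "FAIL: bad format (space after 'Token:' or trailing whitespace?)"; return 1
    fi
    # Columns 5-10 of "ls -l" are the group and other permission bits.
    mode=$(ls -l "$path" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "FAIL: $path is readable by group/other ($(ls -l "$path" | cut -c1-10))"; return 1
    fi
    echo "OK: $path"
    return 0
}

# Demonstration on constructed temp files (the real path is
# /var/Sun/mps/alias/slapd-ldap1-pin.txt and the owner the slapd account).
GOOD=$(mktemp); BAD=$(mktemp)
write_pin_file "$GOOD" 'secret'
check_pin_file "$GOOD" || true
printf 'Internal (Software) Token: secret \n' > "$BAD"   # the spacing mistake the note warns about
check_pin_file "$BAD" || true
rm -f "$GOOD" "$BAD"
```

Run check_pin_file against the real pin file whenever start-slapd refuses the password; a failure message here is faster to read than the generic error in the slapd errors log.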
Congratulations!!! You have configured an LDAP server with SSL/TLS support.
You may now try to retrieve the directory data:
# /usr/bin/ldapsearch -b "dc=example,dc=com" -L "objectclass=*"
Log in as root and install OpenSSL and supporting LibGCC, both of which could be downloaded from http://www.sunfreeware.com.
# pkgadd -d openssl-0.9.7X-sol9-sparc-local
# pkgadd -d libgcc-3.X.X-sol9-sparc-local
This will install OpenSSL into the standard /usr/local/ssl directory, and supporting libgcc into /usr/local/lib.
You may now try to test SSL_TLS locally using the following command:
# env LD_LIBRARY_PATH=/usr/local/ssl/lib:/usr/local/lib /usr/local/ssl/bin/openssl s_client -connect localhost:636 -showcerts
CONNECTED(00000003)
depth=0 /C=US/ST=NewYork/L=NewYork City/O=Example Companies/CN=ldap1.example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=NewYork/L=NewYork City/O=Example Companies/CN=ldap1.example.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=NewYork/L=NewYork City/O=Example Companies/CN=ldap1.example.com
i:/C=US/ST=NewYork/L=NewYork City/O=Example Companies/CN=ldap1.example.com
-----BEGIN CERTIFICATE-----
MIICfjCCAeegAwIBAgIFAMtPqCswDQYJKoZIhvcNAQEEBQAwdjELMAkGA1UEBhMC
VVMxEDAOBgNVBAgTB05ld1lvcmsxFTATBgNVBAcTDE5ld1lvcmsgQ2l0eTEaMBgG
A1UEChMRRXhhbXBsZSBDb21wYW5pZXMxIjAgBgNVBAMTGW55cHBsZGV2MjEucGxh
dHRzLm1obS5taGMwHhcNMDUwMjI0MDYxOTQzWhcNMDYwNTI0MDYxOTQzWjB2MQsw
CQYDVQQGEwJVUzEQMA4GA1UECBMHTmV3WW9yazEVMBMGA1UEBxMMTmV3WW9yayBD
aXR5MRowGAYDVQQKExFFeGFtcGxlIENvbXBhbmllczEiMCAGA1UEAxMZbnlwcGxk
ZXYyMS5wbGF0dHMubWhtLm1oYzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
sHlEcrdhhNnBF02hBUgOSz3IAlKdTt6ea7l+K1ukQNDU4xw/kwIZ11tohbap2O+F
rpsJM65S1njVqd7Iv872x9cSdKoh+hqdXUUg2U1HbB2I3tnCK7x2gKb1ig38SPb8
wDjjaUo/FRG13KefG1lWyDpopJ9Bvukze+PjiTkKd7UCAwEAAaMYMBYwFAYJYIZI
AYb4QgEBAQH/BAQDAgZAMA0GCSqGSIb3DQEBBAUAA4GBAAHHih1VfyU9/d3bXgSs
3hZ/sgfJJ+DGA5AW+T59ilUnQ9HZ25BMOB7BFC+ZvtRGkPecZPKM8q8OYtpVnGZy
JJ9GUkasOnOjDTGxTjaG8D2MPQkUcRUwyktBzeVMv0tdioHi+8RRcsRIULoC1Ly7
ACypQ9yA5JCLwCxVfZS0Y1nU
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=NewYork/L=NewYork City/O=Example Companies/CN=ldap1.example.com
issuer=/C=US/ST=NewYork/L=NewYork City/O=Example Companies/CN=ldap1.example.com
---
Acceptable client certificate CA names
/C=US/ST=NewYork/L=NewYork City/O=Example Companies/CN=ldap1.example.com
---
SSL handshake has read 909 bytes and written 342 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: 4CBF01674425A9E455393A843FA6AEA8838372F7DC13531168B9B3C9AF5857FE
Session-ID-ctx:
Master-Key: D04984C9F325DD4CBEBE8A4BD63A182C98CB2C0AE3CD9F0A8FF6102A4C499512E757D996F2F80C9906288673BF52E0D7
Key-Arg : None
Start Time: 1109232085
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
^C#
<Ctrl-C or Ctrl-Break to exit>
IMPORTANT NOTE: please ensure that the FQDN (Fully Qualified Domain Name) shown as CN=<FQDN> in the certificate is defined in the /etc/hosts file, as the first name after the IP address.
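Both the preparation step ("the Fully Qualified Domain Name ... listed as the first entry right after the IP address") and the note above come down to the same check: the name a TLS client canonicalizes for the server must equal the CN in the server certificate, otherwise the handshake is rejected (or, worse, an administrator is tempted to disable verification). The script below is an added example, not part of the original document; it checks a hosts file for exactly that property. The two sample files are constructed for the demonstration; in real use pass /etc/hosts.

```shell
#!/bin/sh
# check_hosts_fqdn.sh -- added example, not part of the original document.
#
# Checks that a hosts file lists the Fully Qualified Domain Name as the
# first name after the IP address, e.g.
#     192.168.1.168 ldap1.example.com ldap1
# The TLS client matches CN=<FQDN> in the server certificate against the
# canonical name it resolves for the server, so a line with the short
# name first ("192.168.1.168 ldap1 ldap1.example.com") makes the name
# canonicalize to "ldap1" and the certificate check fails.
#
# Usage: check_hosts_fqdn <hosts-file> <ip> <expected-fqdn>
# Prints the result and returns 0 when the entry is correct, 1 otherwise.
check_hosts_fqdn() {
    hostsfile=$1; ip=$2; fqdn=$3
    # Drop comments, then take the first line whose first field is this IP.
    line=$(sed 's/#.*//' "$hostsfile" | awk -v ip="$ip" '$1 == ip { print; exit }')
    if [ -z "$line" ]; then
        echo "FAIL: no entry for $ip in $hostsfile"
        return 1
    fi
    first=$(echo "$line" | awk '{ print $2 }')
    if [ "$first" != "$fqdn" ]; then
        echo "FAIL: first name for $ip is '$first', expected '$fqdn'"
        return 1
    fi
    # A name without a dot cannot match CN=<FQDN> in the certificate.
    case "$fqdn" in
        *.*) ;;
        *)   echo "FAIL: '$fqdn' is not fully qualified"; return 1 ;;
    esac
    echo "OK: $line"
    return 0
}

# Constructed sample files; real use would pass /etc/hosts.
GOOD=$(mktemp); BAD=$(mktemp)
printf '127.0.0.1 localhost\n192.168.1.168 ldap1.example.com ldap1\n' > "$GOOD"
printf '192.168.1.168 ldap1 ldap1.example.com   # short name first\n' > "$BAD"
check_hosts_fqdn "$GOOD" 192.168.1.168 ldap1.example.com || true
check_hosts_fqdn "$BAD"  192.168.1.168 ldap1.example.com || true
rm -f "$GOOD" "$BAD"
```

Run it on every LDAP server and client before enabling tls:simple; a FAIL here explains most "verify error" and "can not connect" symptoms seen in the openssl s_client test.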
This step is for LDAP Server(s).
Prepare People.ldif and group.ldif and add them into directory data. You may also manually add directory data using iPlanet Console.
Tip 1: when you use the iPlanet Console to add a People entry, remember to check the "posix" user (posixAccount) option, so that uidNumber and gidNumber can be entered.
Tip 2: use the $LDAP_ROOT/slapd-ldap1/getpwenc command to find the encrypted form of an LDAP userPassword.
# cd /var/Sun/mps/slapd-ldap1
# ./getpwenc CRYPT testpassword
{crypt}GFOZa/ZLlDdng
A sample People.ldif with only two entries is shown here
dn: uid=gtay, ou=People, dc=example,dc=com
givenName: Gary
sn: Tay
loginShell: /bin/bash
uidNumber: 6167
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
uid: gtay
cn: Gary Tay
homeDirectory: /home/gtay
shadowLastChange: -1
shadowMin: -1
shadowMax: 99999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0
gecos: Gary Tay
userPassword: {CRYPT}U8bo2twhJ9Kkg
dn: uid=tuser, ou=People, dc=example,dc=com
givenName: Test
sn: User
loginShell: /bin/bash
uidNumber: 9999
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
uid: tuser
cn: Test User
homeDirectory: /home/tuser
shadowLastChange: -1
shadowMin: -1
shadowMax: 99999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0
gecos: Test User
userPassword: {SHA}MWxHz/4F3kXGXlfK4EvIJUo2C2U=
A sample group.ldif with only one entry is shown here
dn: cn=Users,ou=group,dc=example,dc=com
cn: Users
gidNumber: 102
objectClass: top
objectClass: posixGroup
memberUid: gtay
memberUid: tuser
If you need SSL/TLS to protect the LDAP connection sessions, prepare tls_profile.ldif.
dn: cn=tls_profile,ou=profile,dc=example,dc=com
ObjectClass: top
ObjectClass: DUAConfigProfile
defaultServerList: ldap1.example.com ldap2.example.com
defaultSearchBase: dc=example,dc=com
authenticationMethod: tls:simple
followReferrals: FALSE
defaultSearchScope: one
searchTimeLimit: 30
profileTTL: 43200
bindTimeLimit: 10
cn: tls_profile
credentialLevel: proxy
serviceSearchDescriptor: passwd: ou=People,dc=example,dc=com?one
serviceSearchDescriptor: group: ou=group,dc=example,dc=com?one
serviceSearchDescriptor: shadow: ou=People,dc=example,dc=com?one
serviceSearchDescriptor: netgroup: ou=netgroup,dc=example,dc=com?one
# /usr/bin/ldapadd -c -D "cn=Directory Manager" -f People.ldif
Bind Password:
adding new entry uid=gtay, ou=People, dc=example,dc=com
adding new entry uid=tuser, ou=People, dc=example,dc=com
# /usr/bin/ldapadd -c -D "cn=Directory Manager" -f group.ldif
Bind Password:
adding new entry cn=Users,ou=group,dc=example,dc=com
# /usr/bin/ldapadd -c -D "cn=Directory Manager" -f tls_profile.ldif
Bind Password:
adding new entry cn=tls_profile,ou=profile,dc=example,dc=com
For bulk import of People and group entries, you may use the “/usr/sbin/ldapaddent” command (see “man ldapaddent” for details), or you may use PADL’s MigrationTools.
http://www.padl.com/OSS/MigrationTools.html
Examples of ldapaddent are listed below. Note the sequence: the passwd DB is loaded first, then shadow. Note also the use of “-p” to create the userPassword attribute; the CRYPT password itself is only added when the DB being loaded is shadow.
# cat test.txt
test9991:x:9991:102:test9991:/var/tmp:/bin/sh
# ldapaddent -v -f test.txt -D "cn=Directory Manager" -p passwd
Enter password:
SERVICE = passwd
Adding entry : test9991
1 entries added
# cat tests.txt
test9991:ElnMr/iU805dA:12881::::::
# ldapaddent -v -f tests.txt -D "cn=Directory Manager" shadow
Enter password:
SERVICE = shadow
Adding entry : test9991
1 entries added
#
IMPORTANT NOTE ABOUT LDIF IMPORT FILES:
When you copy and paste the content of People.ldif and group.ldif, or any other .ldif file from this document, to prepare an LDAP data import with the ldapadd command, please make sure that ALL LEADING AND TRAILING SPACES on every line of the .ldif files are removed, or else the “ldapadd” command will throw errors.
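Building import files by hand invites exactly the mistakes described above. As an added example that is not part of this document, the following shell script generates a People.ldif in the same format from passwd- and shadow-style records, taking the password hash from the shadow record only (as ldapaddent does), and then checks the result for leading or trailing blanks; the records, the hash value and the base DN in it are constructed.

```shell
#!/bin/sh
# Added example, not part of the original document: build a People.ldif in the
# format shown above from passwd- and shadow-style records. As with ldapaddent,
# the userPassword value comes only from the shadow record, and the result is
# checked for the leading/trailing blanks that make ldapadd fail.
# The records, the hash value and BASE are constructed samples.

BASE="dc=example,dc=com"

# Constructed input in /etc/passwd and /etc/shadow format (one account is locked).
SAMPLE_PASSWD='gtay:x:6167:102:Gary Tay:/home/gtay:/bin/bash
tuser:x:9999:102:Test User:/home/tuser:/bin/bash'
SAMPLE_SHADOW='gtay:xxConstructedCryptHashxx:12881::::::
tuser:*LK*:12881::::::'

# shadow_hash LOGIN -> prints the password field of LOGIN's shadow record
shadow_hash() {
    printf '%s\n' "$SAMPLE_SHADOW" | while IFS=: read -r name pw rest; do
        if [ "$name" = "$1" ]; then printf '%s\n' "$pw"; break; fi
    done
}

# passwd_to_ldif -> one posixAccount/shadowAccount entry per SAMPLE_PASSWD line
passwd_to_ldif() {
    printf '%s\n' "$SAMPLE_PASSWD" |
    while IFS=: read -r login x uid gid gecos home shell; do
        hash=$(shadow_hash "$login")
        printf 'dn: uid=%s,ou=People,%s\n' "$login" "$BASE"
        printf 'objectClass: top\nobjectClass: person\n'
        printf 'objectClass: organizationalPerson\nobjectClass: inetorgperson\n'
        printf 'objectClass: posixAccount\nobjectClass: shadowAccount\n'
        # givenName/sn are taken from the first and last word of the gecos field
        printf 'uid: %s\ncn: %s\ngivenName: %s\nsn: %s\n' \
            "$login" "$gecos" "${gecos%% *}" "${gecos##* }"
        printf 'uidNumber: %s\ngidNumber: %s\nhomeDirectory: %s\nloginShell: %s\ngecos: %s\n' \
            "$uid" "$gid" "$home" "$shell" "$gecos"
        printf 'shadowLastChange: -1\nshadowMin: -1\nshadowMax: 99999\n'
        printf 'shadowWarning: 7\nshadowInactive: -1\nshadowExpire: -1\nshadowFlag: 0\n'
        # A locked (*LK*, *, !) or empty shadow field yields no userPassword at
        # all, so the account cannot authenticate through LDAP either.
        case "$hash" in
            ''|'*'*|'!'*) ;;
            *) printf 'userPassword: {CRYPT}%s\n' "$hash" ;;
        esac
        printf '\n'   # a blank line separates LDIF entries
    done
}

# ldif_blanks_ok FILE -> 0 when no line starts or ends with a space or tab
# (the import files here use no folded continuation lines).
ldif_blanks_ok() {
    ! grep -q -E '^[[:blank:]]|[[:blank:]]$' "$1"
}

# Stand-alone use: write the file and check it.
if [ "${1:-}" = "--write" ]; then
    passwd_to_ldif > People.ldif && ldif_blanks_ok People.ldif && echo "People.ldif OK"
fi
```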
Create the iDS5 LDAP server start/stop script /etc/init.d/ids5ldap.server and modify the Run Control startup links as needed. The original S72directory link is renamed to s72directory so that it is no longer run at boot, and the new script takes its place.
# touch /etc/init.d/ids5ldap.server
# chmod 744 /etc/init.d/ids5ldap.server
# mv /etc/rc2.d/S72directory /etc/rc2.d/s72directory
# ln -s /etc/init.d/ids5ldap.server /etc/rc2.d/S72directory
# vi /etc/init.d/ids5ldap.server
#! /bin/sh
#
# ids5ldap.server - iDS5 LDAP Server start script
#
# Gary Tay, 19-Feb-2005
#
IDS5_PATH=/var/Sun/mps
SERVER_ID=`hostname`
SERVER_OWNER="root"
SERVER_GROUP="root"
LD_LIBRARY_PATH=/usr/lib:/usr/local/lib:/usr/local/ssl/lib:/var/Sun/mps/lib:/usr/lib/mps
export LD_LIBRARY_PATH
case "$1" in
'start')
    echo 'SUN ONE Directory Server service starting.'
    $IDS5_PATH/slapd-$SERVER_ID/start-slapd
    # the certificate and key databases must belong to the server owner
    chown $SERVER_OWNER:$SERVER_GROUP $IDS5_PATH/alias/*.db
    # the Administration Server is started as the server owner
    su - $SERVER_OWNER -c "$IDS5_PATH/start-admin"
    ;;
'stop')
    echo 'SUN ONE Directory Server service stopping.'
    $IDS5_PATH/slapd-$SERVER_ID/stop-slapd
    $IDS5_PATH/stop-admin
    ;;
*)
    echo "Usage: $0 { start | stop }"
    exit 1
    ;;
esac
Try stopping and starting LDAP server
# /etc/init.d/ids5ldap.server stop
# /etc/init.d/ids5ldap.server start
To verify:
# ps -ef | grep ns-slapd
root 19647 1 0 02:46:26 ? 0:03 ./ns-slapd -D /var/Sun/mps/slapd-ldap1 -i /var/Sun/mps/slapd-ldap1/lo
root 20286 16953 0 03:47:46 pts/1 0:00 grep ns-slapd
Tip: whenever you have a problem starting the LDAP server, i.e. it is not shown in the process status, check the errors log file in the /var/Sun/mps/slapd-ldap1/logs directory.
Try to list the LDAP content locally at the server by binding anonymously (without the "-D" option); note that userPassword is never listed to an anonymous bind.
# /usr/bin/ldapsearch -h ldap1.example.com -b "dc=example,dc=com" -L "objectclass=*"
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain
objectClass: nisDomainObject
nisDomain: example.com
dn: cn=Directory Administrators, dc=example,dc=com
objectClass: top
objectClass: groupofuniquenames
cn: Directory Administrators
dn: ou=Groups, dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: Groups
dn: ou=People, dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: People
dn: ou=Special Users,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Special Users
description: Special Administrative Accounts
dn: cn=Accounting Managers,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Accounting Managers
ou: groups
description: People who can manage accounting entries
dn: cn=HR Managers,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: HR Managers
ou: groups
description: People who can manage HR entries
dn: cn=QA Managers,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: QA Managers
ou: groups
description: People who can manage QA entries
dn: cn=PD Managers,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: PD Managers
ou: groups
description: People who can manage engineer entries
dn: ou=group,dc=example,dc=com
ou: group
objectClass: top
objectClass: organizationalUnit
dn: ou=rpc,dc=example,dc=com
ou: rpc
objectClass: top
objectClass: organizationalUnit
dn: ou=protocols,dc=example,dc=com
ou: protocols
objectClass: top
objectClass: organizationalUnit
dn: ou=networks,dc=example,dc=com
ou: networks
objectClass: top
objectClass: organizationalUnit
dn: ou=netgroup,dc=example,dc=com
ou: netgroup
objectClass: top
objectClass: organizationalUnit
dn: ou=aliases,dc=example,dc=com
ou: aliases
objectClass: top
objectClass: organizationalUnit
dn: ou=hosts,dc=example,dc=com
ou: hosts
objectClass: top
objectClass: organizationalUnit
dn: ou=services,dc=example,dc=com
ou: services
objectClass: top
objectClass: organizationalUnit
dn: ou=ethers,dc=example,dc=com
ou: ethers
objectClass: top
objectClass: organizationalUnit
dn: ou=profile,dc=example,dc=com
ou: profile
objectClass: top
objectClass: organizationalUnit
dn: ou=printers,dc=example,dc=com
ou: printers
objectClass: top
objectClass: organizationalUnit
dn: automountMapName=auto_home,dc=example,dc=com
automountMapName: auto_home
objectClass: top
objectClass: automountMap
dn: automountMapName=auto_direct,dc=example,dc=com
automountMapName: auto_direct
objectClass: top
objectClass: automountMap
dn: automountMapName=auto_master,dc=example,dc=com
automountMapName: auto_master
objectClass: top
objectClass: automountMap
dn: automountMapName=auto_shared,dc=example,dc=com
automountMapName: auto_shared
objectClass: top
objectClass: automountMap
dn: cn=proxyagent,ou=profile,dc=example,dc=com
cn: proxyagent
sn: proxyagent
objectClass: top
objectClass: person
dn: cn=default,ou=profile,dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: ldap1.example.com ldap2.example.com
defaultSearchBase: dc=example,dc=com
authenticationMethod: simple
followReferrals: FALSE
defaultSearchScope: one
searchTimeLimit: 30
profileTTL: 43200
cn: default
credentialLevel: proxy
serviceSearchDescriptor: passwd:ou=People,dc=example,dc=com?one
serviceSearchDescriptor: group:ou=group,dc=example,dc=com?one
serviceSearchDescriptor: shadow:ou=People,dc=example,dc=com?one
serviceSearchDescriptor: netgroup:ou=netgroup,dc=example,dc=com?one
bindTimeLimit: 10
dn: uid=gtay, ou=People, dc=example,dc=com
givenName: Gary
sn: Tay
loginShell: /bin/bash
uidNumber: 6167
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
uid: gtay
cn: Gary Tay
homeDirectory: /home/gtay
shadowLastChange: -1
shadowMin: -1
shadowMax: 99999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0
gecos: Gary Tay
dn: uid=tuser, ou=People, dc=example,dc=com
givenName: Test
sn: User
loginShell: /bin/bash
uidNumber: 9999
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
uid: tuser
cn: Test User
homeDirectory: /home/tuser
shadowLastChange: -1
shadowMin: -1
shadowMax: 99999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0
gecos: Test User
dn: cn=Users,ou=group,dc=example,dc=com
cn: Users
gidNumber: 102
objectClass: top
objectClass: posixGroup
memberUid: gtay
memberUid: tuser
dn: cn=tls_profile,ou=profile,dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: ldap1.example.com ldap2.example.com
defaultSearchBase: dc=example,dc=com
authenticationMethod: tls:simple
followReferrals: FALSE
defaultSearchScope: one
searchTimeLimit: 30
profileTTL: 43200
bindTimeLimit: 10
cn: tls_profile
credentialLevel: proxy
serviceSearchDescriptor: passwd: ou=People,dc=example,dc=com?one
serviceSearchDescriptor: group: ou=group,dc=example,dc=com?one
serviceSearchDescriptor: shadow: ou=People,dc=example,dc=com?one
serviceSearchDescriptor: netgroup: ou=netgroup,dc=example,dc=com?one
Congratulations! You have created an LDAP server capable of answering name service (uid) lookup requests from any LDAP Client.
You may repeat Steps 1, 2 and 3 to install a SLAVE LDAP Server, ldap2.example.com, assuming you are not using the LDAP Replication feature of iDS 5.2 but are instead developing your own script to regularly replicate the People and group data from MASTER to SLAVE.
This step is for RedHat Linux LDAP Clients only
Assuming client1.example.com is a RedHat Linux OpenLDAP Client.
Login as root.
These lines should be present in /etc/openldap/ldap.conf of the RedHat Linux LDAP Client
# List two or more LDAP servers if failover is required
HOST ldap1.example.com ldap2.example.com
# URI ldap://ldap1.example.com ldap://ldap2.example.com
BASE dc=example, dc=com
TLS_CACERT /etc/openldap/cert7.pem
In the above file, how do you obtain cert7.pem?
In a production environment it is provided by your commercial SSL certificate provider in .pem (ASCII) format. In our testing environment, where the server certificates are self-signed, it contains the certificate exported in ASCII format from slapd-<server_id>-cert7.db of BOTH the MASTER and the SLAVE LDAP Server.
Use the following script to extract the ASCII format of the certificate from slapd-<server_id>-cert7.db.
# cat list_cert7_db_in_ascii.sh
#! /bin/sh
#
# list_cert7_db_in_ascii.sh
#
# Gary Tay, 08-Jan-2005, written
#
# Ref. URL is http://docs.sun.com/source/816-5542-10/certutil.htm#13305
#
# Customize location of iDS5
IDS5_PATH=/var/Sun/mps; export IDS5_PATH
# Customize the followings
PATH=$PATH:$IDS5_PATH/shared/bin; export PATH
LD_LIBRARY_PATH=$IDS5_PATH/lib:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
HOST=`hostname`
DOMAIN=`domainname`
FQDN="$HOST.$DOMAIN"
cd $IDS5_PATH/alias
certutil -L -d $IDS5_PATH/alias -P "slapd-$HOST-" -n $FQDN -a
Note that this script is to be executed at LDAP Server end, not LDAP Client.
Login as root at ldap1.example.com
# ./list_cert7_db_in_ascii.sh >cert7.pem
# cat cert7.pem
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
If SLAVE LDAP is built, login as root at ldap2.example.com, run list_cert7_db_in_ascii.sh again and APPEND the output to cert7.pem.
Copy this cert7.pem over to all RedHat Linux LDAP Clients, at /etc/openldap/cert7.pem.
Now go back to root session of RedHat Linux LDAP Client.
Run “authconfig”, select LDAP Authentication with TLS and specify “ldap1.example.com ldap2.example.com” as the LDAP Servers. Note that this may only generate a rather basic /etc/ldap.conf (NSS_LDAP) file, so manual editing is required to further specify TLS and other parameters.
Do not confuse NSS_LDAP’s (shared with PAM_LDAP’s) configuration file /etc/ldap.conf with the OpenLDAP client configuration file, in our case /etc/openldap/ldap.conf.
Edit /etc/ldap.conf. Below is a well-commented sample; the lines shown in green in the original document (the uncommented directives) are the ones usually changed:
# List two or more LDAP servers if failover is required
host ldap1.example.com ldap2.example.com
# "host" directive may be deprecated in future releases,
# you may wish to use the 'uri' directive to replace the "host" directive
# uri ldap://ldap1.example.com ldap://ldap2.example.com
base dc=example,dc=com
ldap_version 3
binddn cn=proxyagent,ou=profile,dc=example,dc=com
bindpw password
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn "cn=Directory Manager"
port 389
# The search scope.
#scope sub
#scope one
#scope base
# Search timelimit
#timelimit 30
# Bind timelimit
#bind_timelimit 30
# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600
# Filter to AND with uid=%s
#pam_filter objectclass=account
pam_filter objectclass=posixAccount
# The user ID attribute (defaults to uid)
pam_login_attribute uid
# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes
# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes
# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
# Group member attribute
#pam_member_attribute uniquemember
pam_member_attribute memberUid
# Specify a minimum or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0
# Template login attribute, default template user
# (can be overridden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody
# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear
# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
pam_password crypt
# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password nds
# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad
# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop
# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.
# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_shadow ou=People,dc=example,dc=com?one
nss_base_group ou=group,dc=example,dc=com?one
#nss_base_hosts ou=Hosts,dc=example,dc=com?one
#nss_base_services ou=Services,dc=example,dc=com?one
#nss_base_networks ou=Networks,dc=example,dc=com?one
#nss_base_protocols ou=Protocols,dc=example,dc=com?one
#nss_base_rpc ou=Rpc,dc=example,dc=com?one
#nss_base_ethers ou=Ethers,dc=example,dc=com?one
#nss_base_netmasks ou=Networks,dc=example,dc=com?one
#nss_base_bootparams ou=Ethers,dc=example,dc=com?one
#nss_base_aliases ou=Aliases,dc=example,dc=com?one
nss_base_netgroup ou=netgroup,dc=example,dc=com?one
# attribute/objectclass mapping
# Syntax:
#nss_map_attribute rfc2307attribute mapped_attribute
#nss_map_objectclass rfc2307objectclass mapped_objectclass
# configure --enable-nds is no longer supported.
# For NDS now do:
#nss_map_attribute uniqueMember member
# configure --enable-mssfu-schema is no longer supported.
# For MSSFU now do:
#nss_map_objectclass posixAccount User
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad
# configure --enable-authpassword is no longer supported
# For authPassword support, now do:
#nss_map_attribute userPassword authPassword
#pam_password nds
# For IBM SecureWay support, do:
#nss_map_objectclass posixAccount aixAccount
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear
# Netscape SDK LDAPS
#ssl on
# Netscape SDK SSL options
#sslpath /etc/ssl/certs/cert7.db
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls
#ssl on
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
tls_checkpeer yes
# CA certificates for server certificate verification
# At least one of these is required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
tls_cacertfile /etc/openldap/cert7.pem
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
Now, from the RedHat Linux LDAP Client, we can repeat the openssl s_client test, this time giving the certificate bundle with “-CAfile”:
# openssl s_client -connect ldap1.example.com:636 -CAfile /etc/openldap/cert7.pem -debug
---
<Ctrl-C or Ctrl-Break to exit> it should no longer display the verification error (return code 18, self signed certificate) seen earlier
IMPORTANT NOTE: please ensure that the FQDN (Fully Qualified Domain Name) shown as CN=<FQDN> in the certificate matches the “host” entry (or entries) in /etc/ldap.conf (nss_ldap) and $ETC_OPENLDAP/ldap.conf (OpenLDAP Client), and that its IP address is defined in the /etc/hosts file.
You should test whether the RedHat Linux OpenLDAP client can connect to the LDAP Server (slapd) using simple authentication (-x), both without and with START_TLS (-ZZ).
# ldapsearch -x -LLL
# ldapsearch -x -LLL -ZZ
# grep ldap /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
# /etc/init.d/nscd stop; /etc/init.d/nscd start
# id tuser
uid=99999(tuser) gid=102(Users)
# getent passwd gtay
…
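To check a client's /etc/ldap.conf for the points made in the sample above and in the IMPORTANT NOTE before taking it into use, here is an added example that is not part of this document: a POSIX shell audit that reads a configuration, flags missing START_TLS, peer verification or CA file, and verifies that every server in the host directive has an /etc/hosts entry. The two configurations and the hosts table in it are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original document: audit an nss_ldap
# /etc/ldap.conf against the points made above. START_TLS with peer
# verification and a CA file must be on, and every server named in the
# "host" directive must have an /etc/hosts entry so that the name the
# client connects to is the FQDN in the certificate CN. The two
# configurations and the hosts table below are constructed samples.

HOSTS_SAMPLE='127.0.0.1       localhost
192.168.1.168   ldap1.example.com ldap1
192.168.1.178   ldap2.example.com ldap2'

# Weak: clear-text LDAP, no certificate check, a server missing from /etc/hosts.
WEAK_CONF='host ldap1.example.com ldap2.example.com ldap3.example.com
base dc=example,dc=com
ssl off
tls_checkpeer no'

# Hardened, matching the active lines of the sample /etc/ldap.conf above.
GOOD_CONF='host ldap1.example.com ldap2.example.com
base dc=example,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cert7.pem'

# conf_value CONF KEY -> value of the first uncommented KEY line, empty if unset
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:blank:]]*$2[[:blank:]]\{1,\}//p" | head -n 1
}

# in_hosts NAME -> 0 when NAME is a hostname or alias in HOSTS_SAMPLE
in_hosts() {
    _re=$(printf '%s' "$1" | sed 's/\./\\./g')
    printf '%s\n' "$HOSTS_SAMPLE" | sed 's/#.*//' |
        grep -q -E "[[:blank:]]$_re([[:blank:]]|\$)"
}

# audit_ldap_conf CONF -> prints one FINDING per problem; returns 0 when clean
audit_ldap_conf() {
    _n=0
    case "$(conf_value "$1" ssl)" in
        start_tls|on) ;;
        *) echo "FINDING: ssl is neither start_tls nor on; binds and lookups go in clear text"
           _n=$((_n + 1)) ;;
    esac
    if [ "$(conf_value "$1" tls_checkpeer)" != yes ]; then
        echo "FINDING: tls_checkpeer is not yes; the server certificate is not verified"
        _n=$((_n + 1))
    fi
    if [ -z "$(conf_value "$1" tls_cacertfile)$(conf_value "$1" tls_cacertdir)" ]; then
        echo "FINDING: no tls_cacertfile or tls_cacertdir; verification has no trust anchor"
        _n=$((_n + 1))
    fi
    for _h in $(conf_value "$1" host); do
        if ! in_hosts "$_h"; then
            echo "FINDING: $_h has no /etc/hosts entry (must match the certificate CN)"
            _n=$((_n + 1))
        fi
    done
    [ "$_n" -eq 0 ]
}
```

To audit a real file, pass its contents, e.g. audit_ldap_conf "$(cat /etc/ldap.conf)", and replace HOSTS_SAMPLE with the contents of /etc/hosts.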
This step is for Solaris8 and Solaris9 Native LDAP Clients only.
Assuming client2.example.com and client3.example.com are Solaris8 and Solaris9 Native LDAP Clients respectively.
Please note that for the Solaris8 LDAP Client, the latest kernel patch and ldapv2 Patch 108993-XX must be installed; for the Solaris9 LDAP Client, the latest kernel patch and ldap Patch 112960-XX must be installed.
Log in to client2 or client3 as ‘root’.
We would first need to generate two files /var/ldap/cert7.db and /var/ldap/key3.db such that cert7.db contains self-signed SSL Web Server certificate(s).
Run "netscape" browser locally, or from a remote Windows PC, and capture the self-signed SSL Server certificates from ldap1.example.com and ldap2.example.com into $HOME/.netscape/cert7.db or c:\Program Files\Netscape\users\user_name\cert7.db.
The URL to capture cert7.db is https://LDAP_SERVER_FQDN:636/, ignore "The document contained no data" message. FQDN means Fully Qualified Domain Name.
https://ldap1.example.com:636/
https://ldap2.example.com:636/
To view the content of cert7.db in Netscape Browser, click Communicator/Tools/Security Info/Web Sites.
Copy this cert7.db and the corresponding key3.db to /var/ldap of all Solaris LDAP Clients.
Don’t forget to:
# chmod 644 /var/ldap/cert7.db
# chmod 644 /var/ldap/key3.db
To test if TLS connection is OK remotely from LDAP Client to LDAP Server, you could run "test_native_client_tls.sh" which requires /var/ldap/cert7.db.
$ cat test_native_client_tls.sh
#! /bin/sh
# test_native_client_tls.sh: anonymous base-level search of the root DSE over
# SSL (port 636), using the certificate database copied to /var/ldap/cert7.db
IDS5_PATH=/var/Sun/mps
LD_LIBRARY_PATH=$IDS5_PATH/lib:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
echo "Testing MASTER LDAP Server..."
$IDS5_PATH/shared/bin/ldapsearch -h ldap1.example.com -p 636 -b "" -s base -Z -P /var/ldap/cert7.db "(objectclass=*)"
echo "Press any key"
read any_key
echo "Testing SLAVE LDAP Server..."
$IDS5_PATH/shared/bin/ldapsearch -h ldap2.example.com -p 636 -b "" -s base -Z -P /var/ldap/cert7.db "(objectclass=*)"
echo "Done"
Note 1: please note that /usr/bin/ldapsearch DOES NOT support the “-Z” and “-P” options, but $IDS5_PATH/shared/bin/ldapsearch DOES. How do you obtain this version of “ldapsearch”?
For Solaris9, $IDS5_PATH is most likely already there and is usually named /usr/iplanet/ds5; amend the script to reflect its actual location. If it is not there, download and install SUN Java System Directory Server 5.2 or SUN ONE Directory Server 5.2 and walk through one round of “dummy” CONSOLE ONLY installation to obtain all the supported library and client command files in the $IDS5_PATH directory, which defaults to /var/Sun/mps.
For Solaris8, you would have to download and install SUN Java System Directory Server 5.2 or SUN ONE Directory Server 5.2 and walk through one round of “dummy” CONSOLE ONLY installation to obtain all the supported library and client command files in the $IDS5_PATH directory, which defaults to /var/Sun/mps.
Note 2: please note that you ONLY need to test cert7.db and key3.db by running the BASELINE test script “test_native_client_tls.sh” ONCE at ONE of the Solaris LDAP Clients, to prove that the TLS connection between LDAP Client and Server works with the SSL Server Certificate installed at the Server end.
$ ./test_native_client_tls.sh
Testing MASTER LDAP Server...
version: 1
dn:
objectClass: top
namingContexts: dc=example,dc=com
namingContexts: o=NetscapeRoot
supportedExtension: 2.16.840.1.113730.3.5.7
supportedExtension: 2.16.840.1.113730.3.5.8
supportedExtension: 2.16.840.1.113730.3.5.3
supportedExtension: 2.16.840.1.113730.3.5.5
supportedExtension: 2.16.840.1.113730.3.5.6
supportedExtension: 2.16.840.1.113730.3.5.4
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.1
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.2
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.3
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.4
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.5
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.6
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.7
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.8
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.9
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.11
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.12
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.13
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.14
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.15
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.16
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.17
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.18
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.19
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.21
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.22
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
supportedControl: 2.16.840.1.113730.3.4.4
supportedControl: 2.16.840.1.113730.3.4.5
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.16
supportedControl: 2.16.840.1.113730.3.4.15
supportedControl: 2.16.840.1.113730.3.4.17
supportedControl: 2.16.840.1.113730.3.4.19
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
supportedControl: 2.16.840.1.113730.3.4.14
supportedControl: 1.3.6.1.4.1.1466.29539.12
supportedControl: 2.16.840.1.113730.3.4.12
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.13
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: Sun Microsystems, Inc.
vendorVersion: Sun-ONE-Directory/5.2
dataversion: 020050202073550020050202073550
netscapemdsuffix: cn=ldap://dc=ldap1,dc=example,dc=com:389
vlvsearch: cn=example.com_shadow_vlv_index,cn=userRoot,cn=ldbm database,cn=
plugins,cn=config
vlvsearch: cn=example.com_rpc_vlv_index,cn=userRoot,cn=ldbm database,cn=plu
gins,cn=config
vlvsearch: cn=example.com_passwd_vlv_index,cn=userRoot,cn=ldbm database,cn=
plugins,cn=config
vlvsearch: cn=example.com_networks_vlv_index,cn=userRoot,cn=ldbm database,c
n=plugins,cn=config
vlvsearch: cn=example.com_hosts_vlv_index,cn=userRoot,cn=ldbm database,cn=p
lugins,cn=config
vlvsearch: cn=example.com_group_vlv_index,cn=userRoot,cn=ldbm database,cn=p
lugins,cn=config
Press any key
Testing SLAVE LDAP Server..
version: 1
dn:
objectClass: top
namingContexts: dc=example,dc=com
namingContexts: o=NetscapeRoot
supportedExtension: 2.16.840.1.113730.3.5.7
supportedExtension: 2.16.840.1.113730.3.5.8
supportedExtension: 2.16.840.1.113730.3.5.3
supportedExtension: 2.16.840.1.113730.3.5.5
supportedExtension: 2.16.840.1.113730.3.5.6
supportedExtension: 2.16.840.1.113730.3.5.4
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.1
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.2
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.3
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.4
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.5
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.6
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.7
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.8
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.9
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.11
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.12
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.13
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.14
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.15
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.16
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.17
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.18
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.19
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.21
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.22
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
supportedControl: 2.16.840.1.113730.3.4.4
supportedControl: 2.16.840.1.113730.3.4.5
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.16
supportedControl: 2.16.840.1.113730.3.4.15
supportedControl: 2.16.840.1.113730.3.4.17
supportedControl: 2.16.840.1.113730.3.4.19
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
supportedControl: 2.16.840.1.113730.3.4.14
supportedControl: 1.3.6.1.4.1.1466.29539.12
supportedControl: 2.16.840.1.113730.3.4.12
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.13
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: Sun Microsystems, Inc.
vendorVersion: Sun-ONE-Directory/5.2
dataversion: 020050224074626020050224074626
netscapemdsuffix: cn=ldap://dc=ldap2,dc=example,dc=com:389
vlvsearch: cn=example.com_shadow_vlv_index,cn=userRoot,cn=ldbm database,cn=
plugins,cn=config
vlvsearch: cn=example.com_rpc_vlv_index,cn=userRoot,cn=ldbm database,cn=plu
gins,cn=config
vlvsearch: cn=example.com_passwd_vlv_index,cn=userRoot,cn=ldbm database,cn=
plugins,cn=config
vlvsearch: cn=example.com_networks_vlv_index,cn=userRoot,cn=ldbm database,c
n=plugins,cn=config
vlvsearch: cn=example.com_hosts_vlv_index,cn=userRoot,cn=ldbm database,cn=p
lugins,cn=config
vlvsearch: cn=example.com_group_vlv_index,cn=userRoot,cn=ldbm database,cn=p
lugins,cn=config
Done
Next we configure the LDAP Client. There are two files, /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred: the first contains all parameters and the second the password of “proxyAgent”.
To do this on Solaris8, as root run ldapclient_init_tlsprofile_sol8.sh
Content of ldapclient_init_tlsprofile_sol8.sh:
#! /bin/sh
#
# ldapclient_init_tlsprofile_sol8.sh
#
# Gary Tay, 28-Jul-2005, written
#
# Make sure root account is used
[ -z "`id | egrep 'uid=0|euid=0'`" ] && exit 1
echo 'We first initialize a /var/ldap/ldap_client_file with "default" profile'
/usr/sbin/ldapclient -v -i -a simple -b dc=example,dc=com -c proxy \
    -D cn=proxyAgent,ou=profile,dc=example,dc=com -w password \
    -S "passwd: ou=People,dc=example,dc=com?one" \
    -S "shadow: ou=People,dc=example,dc=com?one" \
    -S "group: ou=group,dc=example,dc=com?one" \
    -S "netgroup: ou=netgroup,dc=example,dc=com?one" \
    192.168.1.168
echo ...
echo 'As ldapclient overwrites /etc/nsswitch.conf with /etc/nsswitch.ldap'
echo 'which contains a bug in "hosts:" entry, we need to repair it'
sed -e '/^hosts:/s/ldap.*files$/files dns/' \
    -e '/^passwd:/a\
shadow: files ldap' \
    /etc/nsswitch.ldap >/etc/nsswitch.work
cp /etc/nsswitch.work /etc/nsswitch.conf
echo ...
echo 'Refresh Name Service Cache Daemon after repairing /etc/nsswitch.conf'
/etc/init.d/nscd stop
/etc/init.d/nscd start
echo ...
echo 'We then overwrite /var/ldap/ldap_client_file with "tls_profile" version'
echo 'and refresh ldap_cachemgr'
echo 'Please customize the NS_LDAP_XXX parameters in this script'
cat <<EOF >/var/ldap/ldap_client_file.tls_profile
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ldap1.example.com
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= tls_profile
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=example,dc=com?one
NS_LDAP_BIND_TIME= 10
EOF
cp /var/ldap/ldap_client_file.tls_profile /var/ldap/ldap_client_file
/etc/init.d/ldap.client stop
/etc/init.d/ldap.client start
echo Done.
(Note: if you are not using TLS, comment out the relevant section of the script)
IMPORTANT NOTE: if MASTER LDAP 192.168.1.168 is down for maintenance or any reason, replace “192.168.1.168” with “192.168.1.178” in the above script to download from SLAVE LDAP.
# ./ldapclient_init_tlsprofile_sol8.sh
Arguments parsed:
domainName: example.com
proxyDN: cn=proxyagent,ou=profile,dc=example,dc=com
profileName: tls_profile
proxyPassword: password
defaultServerList: 192.168.1.168
Handling init option
About to configure machine by downloading a profile
findBaseDN: begins
findBaseDN: Stopping ldap
findBaseDN: calling __ns_ldap_default_config()
found 2 namingcontexts
findBaseDN: __ns_ldap_list(NULL, "(&(objectclass=nisDomainObject)(nisdomain=example.com))"
rootDN[0] dc=example,dc=com
found baseDN dc=example,dc=com for domain example.com
Proxy DN: cn=proxyagent,ou=profile,dc=example,dc=com
Proxy password: {NS1}ecfa88f3a945c411
Credential level: 1
Authentication method: 3
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
Stopping nscd
autofs not running
ldap not running
nisd not running
nis_cache not running
nispasswd not running
nis(yp) not running
Removing existing restore directory
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/etc/.rootkey)=-1
file_backup: No /etc/.rootkey file.
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "example.com"
file_backup: stat(/var/yp/binding/example.com)=-1
file_backup: No /var/yp/binding/example.com directory.
file_backup: stat(/var/ldap/ldap_client_file)=0
file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
Starting network services
start: /usr/bin/domainname example.com... success
start: /usr/lib/ldap/ldap_cachemgr... success
start: /etc/init.d/autofs start... success
start: /etc/init.d/nscd start... success
start: /etc/init.d/sendmail start... success
...
As ldapclient overwrites /etc/nsswitch.conf with /etc/nsswitch.ldap which contains a bug in "hosts:" entry, we need to repair it
...
Refresh Name Service Cache Daemon after repairing /etc/nsswitch.conf
...
We then overwrite /var/ldap/ldap_client_file with "tls_profile" version
and refresh ldap_cachemgr
Please customize the NS_LDAP_XXX parameters in this script
Done.
For Solaris9, run " ldapclient_init_tlsprofile_sol9.sh"
Content of ldapclient_init_tlsprofile_sol9.sh:
#! /usr/bin/sh
#
# ldapclient_init_tlsprofile_sol9.sh
#
# Gary Tay, 18-Feb-2005, written
#
# Make sure root account is used
[ -z "`id | egrep 'uid=0|euid=0'`" ] && exit 1
# Please customize the value of profileName and LDAP Server IP
ldapclient -v init \
-a profileName=tls_profile \
-a domainName=example.com \
-a proxyDn=cn=proxyagent,ou=profile,dc=example,dc=com \
-a proxyPassword=password 192.168.1.168
# As ldapclient overwrites /etc/nsswitch.conf with /etc/nsswitch.ldap
# which contains a bug in "hosts:" entry, we need to repair it
sed -e '/^hosts:/s/ldap.*files$/files dns/' \
-e '/^passwd:/a\
shadow: files ldap' \
/etc/nsswitch.ldap >/etc/nsswitch.work
cp /etc/nsswitch.work /etc/nsswitch.conf
# Refresh Name Service Cache Daemon after repairing /etc/nsswitch.conf
/etc/init.d/nscd stop
/etc/init.d/nscd start
# ./ldapclient_init_tlsprofile_sol9.sh
Parsing profileName=tls_profile
Parsing domainName=example.com
Parsing defaultSearchBase=dc=example,dc=com
Parsing proxyDn=cn=proxyagent,ou=profile,dc=example,dc=com
Parsing proxyPassword=password
Arguments parsed:
defaultSearchBase: dc=example,dc=com
domainName: example.com
proxyDN: cn=proxyagent,ou=profile,dc=example,dc=com
profileName: tls_profile
proxyPassword: password
defaultServerList: 192.168.1.168
Handling manual option
Proxy DN: cn=proxyagent,ou=profile,dc=example,dc=com
Proxy password: {NS1}ecfa88f3a945c411
Authentication method: 0
Authentication method: 0
No proxyDN/proxyPassword required
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
Stopping nscd
Stopping autofs
Stopping ldap
nisd not running
nis_cache not running
nispasswd not running
nis(yp) not running
Removing existing restore directory
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/etc/.rootkey)=-1
file_backup: No /etc/.rootkey file.
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "example.com"
file_backup: stat(/var/yp/binding/example.com)=-1
file_backup: No /var/yp/binding/example.com directory.
file_backup: stat(/var/ldap/ldap_client_file)=0
file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
Starting network services
start: /usr/bin/domainname example.com... success
start: /usr/lib/ldap/ldap_cachemgr... success
start: /etc/init.d/autofs start... success
start: /etc/init.d/nscd start... success
start: /etc/init.d/sendmail start... success
System successfully configured
#
Also note that the LDAP server must be referred to by host name (ldap1.example.com) in the profile data and in /var/ldap/ldap_client_file, not by IP address, if SSL/START_TLS is to accept the server's self-signed certificate: the certificate was issued to the host name, and the client compares that name with the name it connected to. The download/manual init scripts above, on the other hand, contact the server by IP address for the bootstrap.
In both cases /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred are generated; take a look at their contents.
Content of /var/ldap/ldap_client_file:
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ldap1.example.com, ldap2.example.com
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= tls_profile
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=example,dc=com?one
NS_LDAP_BIND_TIME= 10
Content of /var/ldap/ldap_client_cred:
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=example,dc=com
NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c411
(Tip: see the Appendix for a script called cr_proyAgent_pw_in_NS1_format.sh that produces the {NS1} formatted password of proxyAgent; this script can only be run on Solaris 8.)
Check and tighten the permissions of BOTH ldap_client_file and ldap_client_cred if needed. {NS1} is a reversible encoding, not a hash (ldap_cachemgr has to recover the clear-text proxy password to bind), so ldap_client_cred must not be readable by anyone but root:
# cd /var/ldap
# chmod 400 ldap_client_file ldap_client_cred
Edit /etc/nsswitch.conf, make sure that these lines exist:
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files dns
Now try refreshing ldap_cachemgr and nscd
# /etc/init.d/ldap.client stop
# /etc/init.d/ldap.client start
# ps -ef | grep ldap
# /etc/init.d/nscd stop
# /etc/init.d/nscd start
# ps -ef | grep nscd
Make sure also that ldap1.example.com and ldap2.example.com are defined in BOTH /etc/hosts and DNS, and that /etc/nsswitch.conf says "hosts: files dns" rather than "hosts: files ldap". The client has to resolve the LDAP server names before it can talk to LDAP at all, so resolving hosts through LDAP is circular; with "hosts: files ldap" you will see errors such as "unknown host or invalid literal address" during login.
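The two pitfalls just described (TLS against a server named by IP, and host resolution routed through LDAP) are easy to check mechanically. The following is an added example, not part of the original document: it parses the NS_LDAP_* keyword file and /etc/nsswitch.conf as text and returns findings. The sample configurations embedded in it are constructed from the files shown above.

```python
"""Added example (not from the original document): lint a Solaris Native LDAP client
configuration for the pitfalls discussed above. Input is the text of
/var/ldap/ldap_client_file and /etc/nsswitch.conf; the sample texts below are constructed."""
import re

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_ns_ldap(text):
    """Parse 'NS_LDAP_KEY= value' lines into {key: [values]}; keys such as
    NS_LDAP_SERVICE_SEARCH_DESC repeat, so every key maps to a list."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf.setdefault(key.strip(), []).append(value.strip())
    return conf


def parse_nsswitch(text):
    """Return {database: [sources]} from nsswitch.conf text, dropping comments
    and [criteria] such as [NOTFOUND=return]."""
    databases = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, _, sources = line.partition(":")
        databases[name.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return databases


def check_client(ldap_client_file, nsswitch_conf):
    """Return a list of findings (empty means the configuration looks sane)."""
    conf = parse_ns_ldap(ldap_client_file)
    nss = parse_nsswitch(nsswitch_conf)
    findings = []

    auth = conf.get("NS_LDAP_AUTH", ["none"])[0]
    uses_tls = auth.startswith("tls:")
    if not uses_tls:
        findings.append("NS_LDAP_AUTH=%s: proxy bind and lookups travel in clear text" % auth)

    # NS_LDAP_SERVERS may be comma- or space-separated, optionally host:port.
    servers = [s for v in conf.get("NS_LDAP_SERVERS", []) for s in re.split(r"[,\s]+", v) if s]
    for server in servers:
        host = server.split(":", 1)[0]
        if uses_tls and IPV4.match(host):
            findings.append("NS_LDAP_SERVERS lists %s by IP address with %s; the certificate "
                            "was issued to a host name, so the name check fails" % (server, auth))

    # Resolving the LDAP servers' names through LDAP is circular.
    if "ldap" in nss.get("hosts", []):
        findings.append("nsswitch.conf hosts: consults ldap; use 'hosts: files dns'")

    for db in ("passwd", "group", "shadow"):
        if "ldap" not in nss.get(db, []):
            findings.append("nsswitch.conf %s: does not consult ldap" % db)
    return findings


# Constructed samples: the ldap_client_file and nsswitch.conf from the text, and a
# client that was left with the server IP and the stock nsswitch.ldap hosts line.
GOOD_CLIENT = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ldap1.example.com, ldap2.example.com
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=example,dc=com?one
"""
GOOD_NSSWITCH = "passwd: files ldap\ngroup: files ldap\nshadow: files ldap\nhosts: files dns\n"

BAD_CLIENT = "NS_LDAP_SERVERS= 192.168.1.168\nNS_LDAP_AUTH= tls:simple\n"
BAD_NSSWITCH = "passwd: files ldap\ngroup: files ldap\nhosts: ldap [NOTFOUND=return] files\n"

if __name__ == "__main__":
    for name, args in (("good", (GOOD_CLIENT, GOOD_NSSWITCH)), ("bad", (BAD_CLIENT, BAD_NSSWITCH))):
        print(name, check_client(*args) or ["no findings"])
```

Run it against copies of the two files pulled from a client; the "bad" sample reproduces what a client looks like right after ldapclient init, before the repair steps above.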
To test the name service, besides "id" and "getent", there is also the "ldaplist" command:
# /usr/lib/ldap/ldap_cachemgr -g
# id tuser
uid=9999(tuser) gid=102(Users)
# getent passwd tuser
tuser::9999:102::/home/tuser:/bin/bash
# ldaplist -l passwd tuser
dn: uid=tuser,ou=People,dc=example,dc=com
givenName: Test
sn: User
loginShell: /bin/bash
uidNumber: 9999
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
uid: tuser
cn: Test User
homeDirectory: /home/tuser
shadowLastChange: -1
shadowMin: -1
shadowMax: 99999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0
gecos: Test User
Tip 1: If there is a problem looking up LDAP entries, look for errors in /var/adm/messages and/or /var/log/syslog. The LDAP server's access and error logs are also a good source of clues.
Tip 2: How can we prevent "userPassword" from being listed by "ldaplist -l" or "ldapaddent -d"?
In SUN ONE Console, open Directory Server, select the defaultSearchBase, i.e. dc=example,dc=com, and edit the ACI usually named "LDAP_Naming_Services_proxy_password_read": remove "read" from the allowed rights, leaving compare and search. The proxy agent can then still test a password with an LDAP compare but can no longer retrieve the hashes, so they stop showing up in client-side listings.
From:
(target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,read,search) userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)
To:
(target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,search) userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)
Assumptions: one or more NFS servers, e.g. nfs_server and nfs_server2, export /home directories.
First, at the LDAP Server, modify the object classes "automount" and "automountMap" in SUN ONE Console to allow one extra optional attribute each (the RedHat-style auto.* entries below are named by cn and ou, which the stock definitions do not allow).
Open Directory Server, click the "Configuration" tab, click "Schema", and under "User Defined Object Classes":
Select "automount", click "Edit", add "cn" to "Allowed Attributes", click "OK".
Select "automountMap", click "Edit", add "ou" to "Allowed Attributes", click "OK".
Instead of the GUI SUN ONE Console, you can achieve the same from the command line with an LDIF like the following. Each change needs its operation lines: the old definition is deleted and the new one added. The delete value must be the definition currently on the server; the one shown assumes the stock definition with only description in MAY, so confirm it first with ldapsearch -b cn=schema -s base "objectclass=*" objectClasses, and try the change on a test instance before touching production schema.
# cat automount_schema_mods.ldif
dn: cn=schema
changetype: modify
delete: objectClasses
objectClasses: ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top STRUCTURAL MUST ( automountKey $ automountInformation ) MAY ( description ) X-ORIGIN 'user defined' )
-
add: objectClasses
objectClasses: ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top STRUCTURAL MUST ( automountKey $ automountInformation ) MAY ( cn $ description ) X-ORIGIN 'user defined' )

dn: cn=schema
changetype: modify
delete: objectClasses
objectClasses: ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTURAL MUST automountMapName MAY ( description ) X-ORIGIN 'user defined' )
-
add: objectClasses
objectClasses: ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTURAL MUST automountMapName MAY ( description $ ou ) X-ORIGIN 'user defined' )
# ldapmodify -c -D "cn=Directory Manager" -f automount_schema_mods.ldif
Second, at the LDAP Server, create the automount maps for SUN ONE DS5.2. Below is a sample with two sets of maps: auto_* for the Solaris Native LDAP Client and auto.* for the RedHat LDAP Client. Each map container (automountMap) must precede the keys (automount) under it; the auto_direct container is therefore listed before its /home2 key, otherwise that entry is refused with "no such object".
# cat automount_sun1ds52.ldif
dn: automountMapName=auto_master,dc=example,dc=com
objectClass: top
objectClass: automountMap
automountMapName: auto_master

dn: automountKey=/home,automountMapName=auto_master,dc=example,dc=com
objectClass: top
objectClass: automount
automountKey: /home
automountInformation: auto_home -nobrowse

dn: automountKey=/-,automountMapName=auto_master,dc=example,dc=com
objectClass: top
objectClass: automount
automountKey: /-
automountInformation: auto_direct

dn: automountMapName=auto_home,dc=example,dc=com
objectClass: top
objectClass: automountMap
automountMapName: auto_home

dn: automountKey=*,automountMapName=auto_home,dc=example,dc=com
objectClass: top
objectClass: automount
automountKey: *
automountInformation: nfs_server:/home/&

dn: automountMapName=auto_direct,dc=example,dc=com
objectClass: top
objectClass: automountMap
automountMapName: auto_direct

dn: automountKey=/home2,automountMapName=auto_direct,dc=example,dc=com
objectClass: top
objectClass: automount
automountKey: /home2
automountInformation: nfs_server2:/home

dn: ou=auto.master,dc=example,dc=com
objectclass: top
objectclass: automountMap
automountmapname: auto.master
ou: auto.master

dn: cn=/home,ou=auto.master,dc=example,dc=com
objectclass: top
objectclass: automount
automountinformation: ldap:ou=auto.home,dc=example,dc=com
automountkey: /home
cn: /home

dn: ou=auto.home,dc=example,dc=com
objectclass: top
objectclass: automountMap
automountmapname: auto.home
ou: auto.home

dn: cn=/,ou=auto.home,dc=example,dc=com
objectclass: top
objectclass: automount
automountinformation: nfs_server:/home/&
automountkey: /
cn: /
And add it into the DIT:
# ldapadd -c -D "cn=Directory Manager" -f automount_sun1ds52.ldif
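Because ldapadd processes the file top to bottom, a key entry whose map container has not been added yet fails with err=32 (no such object), and with -c the rest of the file still loads, so the hole is easy to miss. The following added example (not from the original document) checks an LDIF before loading it: every entry's parent must be either the suffix or an entry earlier in the same file. It splits DNs on the first comma only, which is fine for the map DNs used here (no escaped commas). The LDIF strings are constructed: one with the auto_direct container missing, one with it in place.

```python
"""Added example (not from the original document): before running ldapadd on a map
LDIF, verify that every entry's parent exists, either as the suffix or as an entry
earlier in the same file. ldapadd fails with err=32 (no such object) otherwise, which
is exactly what happens if the automountMapName=auto_direct container is forgotten.
Only the first comma is treated as the RDN separator (no escaped commas in these DNs)."""


def normalize_dn(dn):
    """Case-fold and strip blanks around commas so parent/child comparison works."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def missing_parents(ldif_text, suffix):
    """Return the DNs (in file order) whose parent is unknown at the point they are added."""
    dns = [line.partition(":")[2].strip()
           for line in ldif_text.splitlines() if line.lower().startswith("dn:")]
    known = {normalize_dn(suffix)}
    missing = []
    for dn in dns:
        parent = dn.split(",", 1)[1] if "," in dn else ""
        if normalize_dn(parent) not in known:
            missing.append(dn)
        known.add(normalize_dn(dn))
    return missing


# Constructed sample: the auto_direct key without its map container.
INCOMPLETE_LDIF = """\
dn: automountMapName=auto_master,dc=example,dc=com
objectClass: top
objectClass: automountMap
automountMapName: auto_master

dn: automountkey=/-,automountMapName=auto_master,dc=example,dc=com
objectClass: top
objectClass: automount
automountKey: /-
automountInformation: auto_direct

dn: automountKey=/home2,automountMapName=auto_direct,dc=example,dc=com
objectClass: top
objectClass: automount
automountKey: /home2
automountInformation: nfs_server2:/home
"""

# The container that makes the file loadable, inserted in front of its key.
AUTO_DIRECT_MAP = """\
dn: automountMapName=auto_direct,dc=example,dc=com
objectClass: top
objectClass: automountMap
automountMapName: auto_direct

"""
FIXED_LDIF = INCOMPLETE_LDIF.replace("dn: automountKey=/home2", AUTO_DIRECT_MAP + "dn: automountKey=/home2")

if __name__ == "__main__":
    print("incomplete:", missing_parents(INCOMPLETE_LDIF, "dc=example,dc=com"))
    print("fixed:", missing_parents(FIXED_LDIF, "dc=example,dc=com"))
```

Point it at automount_sun1ds52.ldif (or any LDIF you are about to load) with the suffix as second argument; an empty list means the file is self-sufficient in load order.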
Third, at the LDAP Server, create cn=tls_automount_profile under ou=profile,dc=example,dc=com:
# cat tls_automount_profile.ldif
dn: cn=tls_automount_profile,ou=profile,dc=example,dc=com
ObjectClass: top
ObjectClass: DUAConfigProfile
defaultServerList: ldap1.example.com ldap2.example.com
defaultSearchBase: dc=example,dc=com
authenticationMethod: tls:simple
followReferrals: FALSE
defaultSearchScope: sub
searchTimeLimit: 30
profileTTL: 43200
bindTimeLimit: 10
cn: tls_automount_profile
credentialLevel: proxy
serviceSearchDescriptor: passwd: ou=People,dc=example,dc=com?one
serviceSearchDescriptor: group: ou=group,dc=example,dc=com?one
serviceSearchDescriptor: shadow: ou=People,dc=example,dc=com?one
serviceSearchDescriptor: netgroup: ou=netgroup,dc=example,dc=com?one
serviceSearchDescriptor: auto.master: nisMapName=auto.master,dc=example,dc=com?one
serviceSearchDescriptor: auto.home: nisMapName=auto.home,dc=example,dc=com?one
serviceSearchDescriptor: auto_master: automountMapName=auto_master,dc=example,dc=com?one
serviceSearchDescriptor: auto_home: automountMapName=auto_home,dc=example,dc=com?one
serviceSearchDescriptor: auto_direct: automountMapName=auto_direct,dc=example,dc=com?one
objectclassMap: automount: automount=nisObject
objectclassMap: automount: automountMap=nisMap
attributeMap: automount: automountInformation=nisMapEntry
attributeMap: automount: automountKey=cn
attributeMap: automount: automountMapName=nisMapName
Note: for the last attributeMap either of the following is OK:
attributeMap: automount: automountMapName=nisMapName
OR
attributeMap: automount: automountMapName=ou
# ldapadd -c -D "cn=Directory Manager" -f tls_automount_profile.ldif
Fourth, at the LDAP Client, re-run ldapclient init with profileName=tls_automount_profile (or edit /var/ldap/ldap_client_file by hand) so that the client file carries the automount SSDs and maps:
# cat /var/ldap/ldap_client_file
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ldap1.example.com ldap2.example.com
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= tls_automount_profile
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= auto.master: nisMapName=auto.master,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= auto.home: nisMapName=auto.home,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= auto_master: automountMapName=auto_master,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= auto_home: automountMapName=auto_home,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= auto_direct: automountMapName=auto_direct,dc=example,dc=com?one
NS_LDAP_BIND_TIME= 10
NS_LDAP_ATTRIBUTEMAP= automount: automountMapName=nisMapName
NS_LDAP_ATTRIBUTEMAP= automount: automountKey=cn
NS_LDAP_ATTRIBUTEMAP= automount: automountInformation=nisMapEntry
NS_LDAP_OBJECTCLASSMAP= automount: automountMap=nisMap
NS_LDAP_OBJECTCLASSMAP= automount: automount=nisObject
Note: for the last attributeMap either of the following is OK:
NS_LDAP_ATTRIBUTEMAP= automount: automountMapName=nisMapName
OR
NS_LDAP_ATTRIBUTEMAP= automount: automountMapName=ou
# /etc/init.d/ldap.client stop (For Solaris only)
# /etc/init.d/ldap.client start (For Solaris only)
Make sure that /etc/nsswitch.conf contains "automount: files ldap" (optional if it is "automount: files" and the local /etc/auto_xxx files contain +auto_xxx directives).
# /etc/init.d/nscd stop
# /etc/init.d/nscd start
To verify:
# ldaplist -l auto_master; ldaplist -l auto_home; ldaplist -l auto_direct (For Solaris only)
# ldaplist -l auto.master; ldaplist -l auto.home (For Solaris only)
# ldapsearch -x -LLL -ZZ "objectclass=automountMap" (For RedHat)
Fifth, create /etc/auto_master, /etc/auto_home and /etc/auto_direct for Solaris, or /etc/auto.master and /etc/auto.home for RedHat, and restart autofs/automountd.
IMPORTANT NOTE 1: The RedHat autofs/automountd has a bug; download and install the latest autofs RPM from the Fedora Core 3 updates site: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/i386/autofs-4.1.3-114.i386.rpm
IMPORTANT NOTE 2: For RedHat autofs/automountd to work, make sure that $ETC_OPENLDAP/ldap.conf (usually /etc/openldap/ldap.conf) contains "host" and "base" statements for automountd to read; note that RedHat automountd does not read /etc/ldap.conf.
Sample contents for Solaris Native LDAP Client:
# cat /etc/auto_master
# Master map for automounter
#
+auto_master
/net -hosts -nosuid,nobrowse
/home auto_home -nobrowse
/xfn -xfn
/- auto_direct
# cat /etc/auto_home
# Home directory map for automounter
#
+auto_home
# cat /etc/auto_direct
+auto_direct
Sample contents for RedHat LDAP Client, note that RedHat does not have auto.direct.
# cat /etc/auto.master
+auto.master
# cat /etc/auto.home
+auto.home
# /etc/init.d/autofs stop
# /etc/init.d/autofs start
Sixth, test autofs/automount by logging in as "uid", check "df -k" to see whether /home/uid is mounted, then "cd /home/uid2" and check again.
$ pwd
/home/uid
$ df -k
Filesystem kbytes used avail capacity Mounted on
…
nfs_server:/home/uid
355069743 160782087 190736959 46% /home/uid
nfs_server2:/home
… 28% /home2
$ cd /home/uid2
$ df -k
This section covers controlling user access to a host using netgroup LDAP maps and passwd compat mode.
Prerequisites:
. For Solaris8/9, the latest kernel patch and LDAP patch 108993 (Solaris8) or 112960 (Solaris9) must be applied
. For RedHat, RHFC3 or RHEL4 clients are recommended
. The "shadowAccount" objectClass must be present on People entries in the LDAP DIT, on top of "posixAccount"
. Make sure the ACI change from Tip 2 above (denying proxyAgent "read" access to userPassword) is in place.
At the RedHat or Solaris LDAP Client, edit /etc/nsswitch.conf and change the following lines. With "passwd: compat", the +@netgroup lines added to /etc/passwd below decide which LDAP users are visible on this host at all.
From:
passwd: files ldap
netgroup: files
To:
passwd: compat
passwd_compat: ldap
netgroup: ldap
Restart nscd.
# /etc/init.d/nscd stop
# /etc/init.d/nscd start
Add the following sample lines to the end of /etc/passwd. Note that each line has SIX colons (seven fields) and only the second field holds an 'x':
+@netgroup1:x:::::
+@netgroup2:x:::::
IMPORTANT NOTE: DO NOT RUN "pwconv" as root. It rewrites the +@netgroupX lines at the end of /etc/shadow to something like the following, with an 'x' in the 2nd field and a 5-digit day count in the 3rd, and this WILL BREAK the DS5.2 password policy feature "User must change password after a reset", i.e. that feature WON'T WORK for any member of these netgroups:
+@netgroup1:x:13091::::::
+@netgroup2:x:13091::::::
Add the CORRESPONDING lines to the end of /etc/shadow. Note that each line has EIGHT colons (nine fields) and every field after the name is empty:
+@netgroup1::::::::
+@netgroup2::::::::
At the LDAP Server, add these netgroup entries, assuming the People entries (gtay, tuser, tuser2) and ou=netgroup already exist.
# cat netgroup.ldif
dn: cn=netgroup1,ou=netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
cn: netgroup1
nisNetgroupTriple: (,gtay,)
nisNetgroupTriple: (,tuser,)

dn: cn=netgroup2,ou=netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
cn: netgroup2
nisNetgroupTriple: (,tuser2,)
# ldapadd -c -D "cn=Directory Manager" -W -f netgroup.ldif
For advanced netgroup usage, see the following examples:
# nisNetgroupTriple Examples: (host,user,domain)
# jdoe is in the appusers netgroup for all servers, all domains.
# scarter is in the appusers netgroup only on the server mars.
# all users are in the appusers netgroup on the server pluto.
dn: cn=appusers,ou=netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
nisNetgroupTriple: (,jdoe,)
nisNetgroupTriple: (mars,scarter,)
nisNetgroupTriple: (pluto,,)
cn: appusers

dn: cn=prod_appservers,ou=netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
memberNisNetgroup: appusers
memberNisNetgroup: unixadmin
memberNisNetgroup: security
memberNisNetgroup: architecture
cn: prod_appservers
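To make the two halves of this setup concrete, here is an added example (not part of the original document) that models them: a check of the +@netgroup compat lines in /etc/passwd and /etc/shadow that catches exactly the fields pwconv fills in, and an expansion of nisNetgroup LDIF entries with innetgr(3) semantics (an empty triple field matches anything; memberNisNetgroup nests, with a cycle guard) to answer "is user U admitted on host H through the +@ lines of this passwd file". One caveat: some nss_compat implementations look only at the user field of a triple when expanding +@netgroup in passwd, so treat the host column as a property of the netgroup itself and confirm the behaviour on your platform. All passwd, shadow and LDIF data below is constructed from the samples in the text.

```python
"""Added example (not from the original document): model the netgroup-based access
control above. check_compat_lines() validates the +@netgroup lines in /etc/passwd and
/etc/shadow; parse_netgroups()/in_netgroup() expand nisNetgroup LDIF entries with
innetgr(3) semantics (empty triple field matches anything, memberNisNetgroup nests).
All sample data is constructed."""
import re

TRIPLE = re.compile(r"\(\s*([^,]*?)\s*,\s*([^,]*?)\s*,\s*([^)]*?)\s*\)")


def check_compat_lines(passwd_text, shadow_text):
    """+@name lines: passwd has 7 fields with 'x' in the 2nd and nothing else;
    shadow has 9 fields, all empty after the name. Returns a list of problems."""
    problems = []
    for line in passwd_text.splitlines():
        if line.startswith("+@"):
            f = line.split(":")
            if len(f) != 7 or f[1] != "x" or any(f[2:]):
                problems.append("passwd: %s" % line)
    for line in shadow_text.splitlines():
        if line.startswith("+@"):
            f = line.split(":")
            if len(f) != 9 or any(f[1:]):
                problems.append("shadow: %s (pwconv damage?)" % line)
    return problems


def parse_netgroups(ldif_text):
    """Return {cn: (set of (host, user, domain) triples, set of member netgroup names)}."""
    groups, entry = {}, None
    for line in ldif_text.splitlines() + [""]:
        if not line.strip():
            if entry and entry["cn"]:
                groups[entry["cn"]] = (entry["triples"], entry["members"])
            entry = None
            continue
        if line.startswith("#"):
            continue
        if entry is None:
            entry = {"cn": None, "triples": set(), "members": set()}
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "cn":
            entry["cn"] = value
        elif attr == "nisnetgrouptriple":
            m = TRIPLE.match(value)
            if m:
                entry["triples"].add(m.groups())
        elif attr == "membernisnetgroup":
            entry["members"].add(value)
    return groups


def in_netgroup(groups, name, host, user, _seen=None):
    """innetgr-style test; unknown or already-visited groups do not match (cycle guard)."""
    seen = _seen if _seen is not None else set()
    if name in seen or name not in groups:
        return False
    seen.add(name)
    triples, members = groups[name]
    if any(h in ("", host) and u in ("", user) for h, u, _d in triples):
        return True
    return any(in_netgroup(groups, m, host, user, seen) for m in members)


def admitting_netgroups(passwd_text, groups, host, user):
    """Names from the +@ lines in /etc/passwd that admit (host, user)."""
    names = [l.split(":")[0][2:] for l in passwd_text.splitlines() if l.startswith("+@")]
    return [n for n in names if in_netgroup(groups, n, host, user)]


# Constructed samples: correct compat lines, the lines after pwconv, and the netgroups above.
PASSWD_OK = "root:x:0:1:Super-User:/:/sbin/sh\n+@netgroup1:x:::::\n+@netgroup2:x:::::\n"
SHADOW_OK = "root:abc:13091::::::\n+@netgroup1::::::::\n+@netgroup2::::::::\n"
SHADOW_PWCONV = "root:abc:13091::::::\n+@netgroup1:x:13091::::::\n+@netgroup2:x:13091::::::\n"

NETGROUP_LDIF = """\
dn: cn=netgroup1,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
cn: netgroup1
nisNetgroupTriple: (,gtay,)
nisNetgroupTriple: (,tuser,)

dn: cn=netgroup2,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
cn: netgroup2
nisNetgroupTriple: (,tuser2,)

dn: cn=appusers,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
cn: appusers
nisNetgroupTriple: (,jdoe,)
nisNetgroupTriple: (mars,scarter,)
nisNetgroupTriple: (pluto,,)

dn: cn=prod_appservers,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
cn: prod_appservers
memberNisNetgroup: appusers
memberNisNetgroup: unixadmin
"""

if __name__ == "__main__":
    print(check_compat_lines(PASSWD_OK, SHADOW_PWCONV))
    groups = parse_netgroups(NETGROUP_LDIF)
    for host, user in (("host1", "tuser2"), ("host1", "test"), ("mars", "scarter")):
        print(host, user, admitting_netgroups(PASSWD_OK, groups, host, user))
```

The compat check is worth running from cron on every client: the shadow lines are the ones pwconv silently rewrites, and the passwd/shadow field counts are what nss_compat parses.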
At the LDAP Client, login as ‘root” and test the following commands:
# getent passwd tuser
# id tuser
# su - tuser
The above commands should all work for users in netgroup1 and netgroup2, but not for others.
Assume "test" is a user account that exists in LDAP (as shown by the ldaplist command) but belongs to neither netgroup1 nor netgroup2.
# ldaplist -l passwd test
something
# getent passwd test
nothing
# id test; su - test
Solaris will say:
id: invalid user name:
"userid"
su: unknown id: userid
RedHat will say:
id: userid: No such user
su: user userid does not exist
Now try logging in with user accounts in netgroup1 or netgroup2, e.g. "tuser" or "tuser2": they should succeed, while others always fail. "root" is of course not affected by the netgroup host access control.
# ssh -v tuser@localhost
Congratulation!!! You have managed to use netgroup LDAP maps to control user access to host.
Login as “root” at the LDAP Server.
# cd /var/Sun/mps/slapd-`hostname`/config/schema
Prepare 99sudo.ldif (the definitions come from README.LDAP in the sudo source; each definition is one line, and there are no blank lines anywhere in the file):
# vi 99sudo.ldif
dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $ description ) X-ORIGIN 'SUDO' )
Restart DS5.2 to load the schema.
In SUN ONE Console, or with a GUI LDAP editor such as JXplorer or LDAP Browser/Editor, edit the client profile(s) to add a Service Search Descriptor (SSD) for "sudoers":
serviceSearchDescriptor: sudoers: ou=sudoers,dc=example,dc=com
Login as “root” at the LDAP Client.
For BOTH Solaris8/9 Native LDAP Client and RedHat OpenLDAP+PADL LDAP Client:
Use gcc 3.2.1 or later to compile the sudo source code with BOTH LDAP and PAM support. Note that the "sudo" RPM shipped by RedHat does not have LDAP support compiled in, which is easily verified: "ldd `which sudo`" does not list "libldap-2.2.so.7".
# ldd `which sudo`
To compile and build sudo:
# cd /var/tmp
# tar xvf sudo-1.6.8p9.tar
# cd /var/tmp/sudo-1.6.8p9
# ./configure --with-ldap=/usr --with-pam
(For SUN Solaris Native LDAP Client or RedHat OpenLDAP+PADL LDAP
Client where LDAP library directory prefix is /usr/lib)
OR
# ./configure --with-ldap=/usr/local --with-pam
(For OpenLDAP+PADL LDAP Client or any Linux/UNIX LDAP Client built from source
where LDAP library directory prefix is /usr/local/lib)
# make clean
# make
If there are previous versions of the sudo binary and its configuration files, back them up first:
# mv /etc/sudoers /etc/sudoers.orig
For RedHat:
# mv /etc/pam.d/sudo /etc/pam.d/sudo.orig
# mv /usr/bin/sudo /usr/bin/sudo.orig
# make install
For RedHat:
# cp sample.pam /etc/pam.d/sudo
For BOTH RedHat and Solaris:
# ln -s /usr/local/bin/sudo /usr/bin/sudo
# sudo -V | head
Sudo version 1.6.8p9
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: local2
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Send mail if the user is not in sudoers
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Prepare a sample sudoers.ldif using one of two methods.
Method 1) sudoers2ldif.sh, which calls the sudoers2ldif tool provided by the sudo build (it is in the build directory; copy it to /usr/bin or any shared area on $PATH) to convert the existing /etc/sudoers.
Content of sudoers2ldif.sh:
#! /bin/sh
# Convert a sudoers file (default /etc/sudoers) to LDIF under SUDOERS_BASE
SUDOERS_BASE=ou=sudoers,dc=example,dc=com
export SUDOERS_BASE
INPUT_FILE=${1:-/etc/sudoers}
sudoers2ldif "$INPUT_FILE"
Below is the content of the text file /etc/sudoers.orig and how it is converted to LDIF; this example yields no sudoRole entry beyond root.
# cat /etc/sudoers.orig
root ALL=(ALL) ALL
# sudoers2ldif.sh /etc/sudoers.orig
dn: cn=defaults,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here

dn: cn=root,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoCommand: ALL
Method 2) By hand with vi; the example here shows some sample sudoRole entries.
# vi sudoers.ldif
dn: ou=sudoers,dc=example,dc=com
objectclass: organizationalUnit
ou: sudoers

dn: cn=defaults,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: logfile=/var/log/sudolog

dn: cn=root,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoCommand: ALL

# Everyone can "su - tuser" without giving a password
dn: cn=su_tuser_wo_pw,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: su_tuser_wo_pw
sudoUser: ALL
sudoHost: ALL
sudoCommand: /bin/su - tuser
sudoOption: !authenticate

# tuser2 can reboot host1, as the default RunAs is "root"
dn: cn=tuser2_can_reboot_host1,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: tuser2_can_reboot_host1
sudoUser: tuser2
sudoHost: host1
sudoCommand: /usr/sbin/shutdown -y -g0 -i6
Note that cn=su_tuser_wo_pw lets every user on every host become tuser without a password; it is here only to demonstrate sudoOption and is not a pattern to copy into production.
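It helps to see how sudo's LDAP backend turns these entries into a decision before they go live, and to have a way of spotting roles like cn=su_tuser_wo_pw in a large ou=sudoers. The following is an added example, not sudo's own code and not part of the original document. It is a simplified model: sudoUser is matched as ALL or a literal login name (the %group and +netgroup forms are not expanded), sudoHost as ALL or a literal host name, and sudoCommand as ALL, a bare path (any arguments allowed) or a path with arguments (exact match), which is how sudo treats those three cases. The LDIF is the sample above, embedded as a constructed string.

```python
"""Added example (not from sudo or the original document): evaluate sudoRole entries
the way sudo's LDAP backend matches them, then audit them. Simplified matching:
sudoUser/sudoHost are ALL or literal names (%group and +netgroup are not expanded);
sudoCommand is ALL, a bare path (any args) or path plus args (exact)."""


def parse_ldif(text):
    """Minimal LDIF reader: list of {attribute(lower): [values]} per entry."""
    entries, entry = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if entry:
                entries.append(entry)
                entry = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def sudo_roles(entries):
    """The sudoRole entries other than cn=defaults (which only carries sudoOption)."""
    return [e for e in entries
            if "sudorole" in (v.lower() for v in e.get("objectclass", []))
            and e.get("cn", [""])[0].lower() != "defaults"]


def command_matches(spec, command):
    if spec == "ALL":
        return True
    if " " not in spec:                      # bare path: any arguments allowed
        return command.split(" ", 1)[0] == spec
    return spec == command                   # path plus arguments: exact match


def role_matches(role, user, host, command):
    users, hosts = role.get("sudouser", []), role.get("sudohost", [])
    return (("ALL" in users or user in users)
            and ("ALL" in hosts or host in hosts)
            and any(command_matches(c, command) for c in role.get("sudocommand", [])))


def decide(entries, user, host, command):
    """Return (allowed, password_required, [matching cn]). A password is required
    unless a matching role carries sudoOption !authenticate."""
    allowed, password, matched = False, True, []
    for role in sudo_roles(entries):
        if role_matches(role, user, host, command):
            allowed = True
            matched.append(role["cn"][0])
            if "!authenticate" in role.get("sudooption", []):
                password = False
    return allowed, password, matched


def audit(entries):
    """cn of roles that let ALL users run something without authenticating."""
    return [r["cn"][0] for r in sudo_roles(entries)
            if "ALL" in r.get("sudouser", []) and "!authenticate" in r.get("sudooption", [])]


# Constructed copy of the sample sudoers.ldif from the text.
SUDOERS_LDIF = """\
dn: ou=sudoers,dc=example,dc=com
objectclass: organizationalUnit
ou: sudoers

dn: cn=defaults,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
cn: defaults
sudoOption: logfile=/var/log/sudolog

dn: cn=root,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoCommand: ALL

dn: cn=su_tuser_wo_pw,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
cn: su_tuser_wo_pw
sudoUser: ALL
sudoHost: ALL
sudoCommand: /bin/su - tuser
sudoOption: !authenticate

dn: cn=tuser2_can_reboot_host1,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
cn: tuser2_can_reboot_host1
sudoUser: tuser2
sudoHost: host1
sudoCommand: /usr/sbin/shutdown -y -g0 -i6
"""
ENTRIES = parse_ldif(SUDOERS_LDIF)

if __name__ == "__main__":
    print(decide(ENTRIES, "gtay", "host1", "/bin/su - tuser"))
    print(decide(ENTRIES, "tuser2", "host2", "/usr/sbin/shutdown -y -g0 -i6"))
    print("passwordless for everyone:", audit(ENTRIES))
```

Feed audit() the output of an ldapsearch over ou=sudoers (in LDIF) to list every role that combines sudoUser ALL with !authenticate; decide() reproduces the two test logins shown below.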
Populate the LDAP Server.
Against an OpenLDAP server:
# ldapadd -c -D "cn=Manager,dc=example,dc=com" -f sudoers.ldif
Against a SUN ONE DS5.2 server:
# ldapadd -c -D "cn=Directory Manager" -f sudoers.ldif
For the Solaris Native LDAP Client, prepare an /etc/ldap.conf containing the following THREE lines; for RedHat only the LAST line needs to be added, as the first two are most likely present already. Mode 644 is fine as long as the file holds nothing sensitive: with only these lines sudo binds anonymously, so if you later add binddn/bindpw (see README.LDAP) make the file mode 600.
host ldap1.example.com
base dc=example,dc=com
sudoers_base ou=sudoers,dc=example,dc=com
For the Solaris Native LDAP Client, edit /var/ldap/ldap_client_file to add:
NS_LDAP_SERVICE_SEARCH_DESC= sudoers: ou=sudoers,dc=example,dc=com
Don't forget to add the ADDITIONAL SSD (Service Search Descriptor) for the sudoers LDAP map lookup to the client profile in the LDAP DIT as well, using the SUN ONE DS5.2 Administration Console; otherwise the next profile refresh (NS_LDAP_CACHETTL) overwrites the hand edit.
Restart ldap_cachemgr (/etc/init.d/ldap.client) and the name service cache daemon (/etc/init.d/nscd).
(Note that README.LDAP says the "sudoers: files ldap" statement in /etc/nsswitch.conf is RESERVED but NOT YET implemented, so this line is optional.)
Try the following commands to verify LDAP query OK.
For Solaris:
# ldaplist -l sudoers
# ldaplist -l sudoers root
# ldaplist -l sudoers su_tuser_wo_pw
For RedHat:
# ldapsearch -x -LLL objectclass=sudoRole
Note that “getent sudoers root” won't work but that does not matter.
Make sure there is an /etc/pam.d/sudo; if there isn't, copy sample.pam from the sudo source build to it. The difference between sample.pam and the original /etc/pam.d/sudo is most likely only additional commented lines.
To REALLY TEST whether sudo+LDAP is working you MUST have EITHER an EMPTY /etc/sudoers or the ORIGINAL /etc/sudoers containing effectively only the ONE DEFAULT LINE "root ALL=(ALL) ALL", so that any privilege you see comes from LDAP.
Now log in as "gtay" and try both "su - tuser" and "sudo su - tuser":
$ su - tuser
Password:
Sun Microsystems Inc. SunOS 5.9 Generic May 2002
$ id
uid=9999(tuser) gid=102(Users)
$ exit
$ sudo -l
$ sudo su - tuser (no password required)
Sun Microsystems Inc. SunOS 5.9 Generic May 2002
$ id
uid=9999(tuser) gid=102(Users)
Now try to login as "tuser2" and try to reboot the server
$ id
uid=9998(tuser2) gid=102(Users)
$ sudo /usr/sbin/shutdown -y -g0 -i6
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
Password:
Shutdown started. Fri May 20 15:23:20 SGT 2005
Changing to init state 6 - please wait
Broadcast Message from root (pts/3) on host1 Fri May 20 15:23:20...
THE SYSTEM sins001u5 IS BEING SHUT DOWN NOW ! ! !
Log off now or risk your files being damaged
Congratulation!!! You have successfully set up sudo+LDAP.
IMPORTANT NOTES:
1) If /etc/sudoers is absent, "sudo -l" complains and does not retrieve the sudo LDAP maps:
sudo: can't stat /etc/sudoers: No such file or directory
2) "sudo -L" shows one option related to LDAP
…
ignore_local_sudoers: If LDAP directory is up, do we ignore local sudoers file
...
3) Don't forget to grant read access to all objects under ou=sudoers,dc=example,dc=com, using an ACI in SUN ONE DS5.2 or an ACL in OpenLDAP. With the three-line /etc/ldap.conf above sudo binds anonymously, so the grant has to be for anonymous, which also makes the whole sudo policy readable by anything that can reach port 389; if that is not acceptable, configure binddn/bindpw in /etc/ldap.conf and grant read to that DN instead.
The auth_ldap module built into Apache 2 is marked "experimental" and may not be stable; the mod_auth_ldap from muquit.com can be used instead:
Apache 1.X: http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap.html
Apache 2.X: http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap_apache2.html
Apache must be built with .so (shared object) support, and with SSL support if StartTLS is used.
To configure Apache2 with shared object and SSL support:
./configure --enable-so --enable-ssl --with-ssl-dir=/usr/local/ssl
(Refer to the URL above for Apache 1.X syntax)
IMPORTANT NOTE: DO NOT add --enable-ldap, --enable-auth-ldap or --with-ldap to the above; they are for the "experimental" LDAP module built into Apache 2.x, and they did not work for me (others may have had different results).
To configure "mod_auth_ldap" from muquit.com:
# OpenLDAP
./configure --with-apxs=/usr/local/apache2/bin/apxs --with-ldap-dir=/usr/local
# iPlanet LDAP
./configure --with-apxs=/usr/local/apache2/bin/apxs --with-ldap-dir=/usr
After that, modify httpd.conf and add the following lines. They are for testing purposes only: the block publishes /var/log (which may hold sensitive data) behind Basic authentication over plain HTTP, so the users' LDAP passwords cross the wire in clear text, and with LDAP_StartTLS commented out the bind to the directory does too. Enable LDAP_StartTLS, serve the location over HTTPS and point the Alias at something harmless before any real use.
LoadModule auth_ldap_module modules/mod_auth_ldap.so
Alias /syslog "/var/log/"
<Directory "/var/log/">
Options Indexes FollowSymLinks MultiViews IncludesNoExec ExecCGI
AddOutputFilter Includes html
AllowOverride All
Order allow,deny
Allow from all
</Directory>
<Location /syslog>
AuthType Basic
AuthName "syslog"
require valid-user
#LDAP_Debug On
#LDAP_StartTLS On
LDAP_Server ldap1.example.com
# Add SLAVE LDAP Server for failover
LDAP_Server ldap2.example.com
LDAP_Port 389
Base_DN dc=example,dc=com
UID_Attr uid
</Location>
Restart httpd, and test this URL:
http://apache.example.com/syslog/
Appendix:
Appendix 1: Content of chk_patches_sjes_ds52.sh:
#! /bin/sh
#
# chk_patches_sjes_ds52.sh
#
# Gary Tay, 1-Apr-2005 written
#
# Please customize the patches you are checking; use a blank to separate
# multiple patch ids, e.g.: 5.9:112345 113456
#
# Pls refer to:
# http://docs.sun.com/source/817-7611/index.html#wp33336
#
#114677-08 SunOS 5.9: International Components for Unicode Patch
#117724-10 SunOS 5.8: NSPR 4.5.1 / NSS 3.9.5 / JSS 4.0
#115342-01 SunOS 5.9: Simple Authentication and Security Layer (2.01)
#115610-18 SunOS 5.9_sparc: Administration Server 5.2 patch
#115614-20 SunOS 5.9: Directory Server 5.2 patch
#117015-16 Patch for localized Solaris packages
#116837-02 LDAP CSDK - SUNWldk, SUNWldkx
#
# Solaris 8: (DS 5.2 Patch3 for the package version)
#115610 SunOS 5.9 : Sun Java(TM) System Directory Server 5.2 patch 3 (Adminserv)
#115614 SunOS 5.9 : Sun Java(TM) System Directory Server 5.2 patch 3 (DS)
#117722 SunOS 5.8: NSPR 4.5.1 / NSS 3.9.5 / JSS 4.0...
#118615 LDAP Java Development Kit 4.17 SunOS 5.8 5.9 _x86: genesis patch
#
# Solaris 8: LDAP-Client
#108993 LDAP-Client for Solaris 8 (phase II)
#108808 LDAP-Client for Solaris 8 (man-pages)
#
# And, at your choice, JES patch 114045
cat >/tmp/chk_patches$$.tmp <<EOF
5.8:108993 115610 115614 117722 118615 108808 114045
5.9:114677 117724 115342 115610 115614 117015 116837
EOF
SOLARIS_VER=`uname -r`
PATCH_IDS=`grep "$SOLARIS_VER" /tmp/chk_patches$$.tmp | cut -d: -f2`
for i in `echo $PATCH_IDS`
do
RESULT=`showrev -p | grep "^Patch: $i-"`
[ -n "$RESULT" ] && echo $RESULT
[ -z "$RESULT" ] && echo PATCH $i not found...
done
/bin/rm -f /tmp/chk_patches$$.tmp
Example of running chk_patches_sjes_ds52.sh:
# ./chk_patches_sjes_ds52.sh
Patch: 114677-08 Obsoletes: Requires: Incompatibles: Packages: SUNWicu, SUNWicux
Patch: 117724-10 Obsoletes: 115926-10 Requires: Incompatibles: Packages: SUNWtls, SUNWtlsx, SUNWpr, SUNWjss, SUNWprx
Patch: 115342-01 Obsoletes: Requires: Incompatibles: Packages: SUNWsasl, SUNWsaslx
Patch: 115610-17 Obsoletes: Requires: Incompatibles: Packages: SUNWasvc, SUNWasvu, SUNWasvr, SUNWasvcp
Patch: 115614-19 Obsoletes: 117907-02 Requires: 115610-17 Incompatibles: Packages: SUNWdsvr, SUNWdsvcp, SUNWdsvh, SUNWdsvhx, SUNWdsvu, SUNWdsvx, SUNWdsvpl
PATCH 117015 not found...
Patch: 116837-02 Obsoletes: Requires: Incompatibles: Packages: SUNWldk
#
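The sample run above reports 115610-17 and 115614-19 as "found" even though the header of the script lists 115610-18 and 115614-20, because chk_patches_sjes_ds52.sh only greps for the patch id. The following is an added example, not part of the original document or of the script above: it parses `showrev -p` output and checks each patch against a minimum revision. The showrev output embedded in it is constructed from the sample run, not captured from a host; the required revisions are taken from the script's header comment.

```shell
#!/bin/sh
# Added example (not from the original document): check each required patch
# against a minimum revision, not just for presence.
# Input is in the layout of `showrev -p`:
#   Patch: <id>-<rev> Obsoletes: ... Requires: ... Incompatibles: ... Packages: ...

# Constructed sample of `showrev -p` output, modelled on the sample run above
# (115610-17 and 115614-19 are installed, below the -18 and -20 in the header).
SAMPLE_SHOWREV='Patch: 114677-08 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWicu, SUNWicux
Patch: 117724-10 Obsoletes: 115926-10 Requires:  Incompatibles:  Packages: SUNWtls, SUNWtlsx, SUNWpr, SUNWjss, SUNWprx
Patch: 115342-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWsasl, SUNWsaslx
Patch: 115610-17 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWasvc, SUNWasvu, SUNWasvr, SUNWasvcp
Patch: 115614-19 Obsoletes: 117907-02 Requires: 115610-17 Incompatibles:  Packages: SUNWdsvr, SUNWdsvcp
Patch: 116837-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWldk'

# Minimum revisions for Solaris 9, "id-rev" blank separated, taken from the
# header comment of chk_patches_sjes_ds52.sh.
REQUIRED_59="114677-08 117724-10 115342-01 115610-18 115614-20 117015-16 116837-02"

# installed_rev SHOWREV_OUTPUT PATCH_ID
# Prints the highest installed revision of PATCH_ID (e.g. "19"), or nothing.
installed_rev() {
	printf '%s\n' "$1" | awk -v id="$2" '
		BEGIN { best = -1 }
		$1 == "Patch:" {
			split($2, f, "-")
			if (f[1] == id && (f[2] + 0) > best) { best = f[2] + 0; rev = f[2] }
		}
		END { if (best >= 0) print rev }'
}

# check_patch_levels SHOWREV_OUTPUT "id-rev id-rev ..."
# Prints one line per required patch; returns 0 only if every patch is
# installed at or above the required revision.
check_patch_levels() {
	_rc=0
	for req in $2; do
		id=${req%-*}
		minrev=${req#*-}
		have=`installed_rev "$1" "$id"`
		if [ -z "$have" ]; then
			echo "MISSING $id (need $id-$minrev)"
			_rc=1
		elif [ "$have" -lt "$minrev" ]; then
			echo "TOO OLD $id-$have (need $id-$minrev)"
			_rc=1
		else
			echo "OK      $id-$have"
		fi
	done
	return $_rc
}

# Stand-alone run against the constructed sample. On a real Solaris 8/9 host
# pass "`showrev -p`" instead of "$SAMPLE_SHOWREV".
if check_patch_levels "$SAMPLE_SHOWREV" "$REQUIRED_59"; then
	echo "all patches at required level"
else
	echo "some patches missing or below required level"
fi
```

The comparison is numeric on the revision suffix only, which is how Sun patch revisions are ordered; a patch that is present but obsoleted by a newer id (the "Obsoletes:" column) would still be reported as missing under its own id, which is the conservative result.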
Appendix 2: Troubleshooting LDAP Search issue in access log
(From Fedora Directory Server mail list archive)
Look in the access log on the FDS server for connections from that
workstation (grep on the IP of that workstation, or one of the user
IDs that are trying to auth, etc). When you find it, grep out conn=xxx
(where xxx is the connection # from that IP) so you get the complete
connection from start to finish.
- Look at the BIND lines to see what that workstation is binding as.
- Look at the SRCH lines to see what basedn and filter are being used.
- Look at the result line (right after the SRCH line) to see what the
results are (though you'll probably just see err=32, which is no such
object). If there are multiple SRCH lines, check each one.
- Check the ACIs set on your suffix - in console, click on the
Directory tab, then right click on the top entry in your tree, and select
"set permissions" (something like that - doing this from memory). Make
sure the appropriate access is set.
You may have to look throughout your tree for ACIs to be sure you find everything.
(ldapsearch -D "cn=directory manager" -w - ... -b "your basedn" "(aci=*)"
"aci" to find 'em all.)
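The procedure from the mailing-list post above, as an added example that is not part of the post or of this document: it pulls one workstation's connection out of the access log and pairs each BIND and SRCH with the err= code of its RESULT line. The log lines are constructed in the Directory Server access-log layout for illustration, not captured from a real server; conn=42 models an nss_ldap lookup that binds as proxyAgent and searches under a base that does not exist, conn=43 models a pam_ldap user bind with a wrong password.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): trace one client's connection
# in a Directory Server access log and summarise the result of each operation.
# Expected line layout (constructed to match the DS/FDS access log):
#   [ts] conn=N fd=.. slot=.. connection from <ip> to <ip>
#   [ts] conn=N op=M BIND dn="..." method=128 version=3
#   [ts] conn=N op=M SRCH base="..." scope=.. filter="..." attrs=ALL
#   [ts] conn=N op=M RESULT err=E tag=.. nentries=.. etime=..

# Constructed sample log, not a real capture.
LOG='[01/Apr/2005:10:15:01 +0800] conn=42 fd=64 slot=64 connection from 192.168.1.50 to 192.168.1.168
[01/Apr/2005:10:15:01 +0800] conn=42 op=0 BIND dn="cn=proxyAgent,ou=profile,dc=example,dc=com" method=128 version=3
[01/Apr/2005:10:15:01 +0800] conn=42 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[01/Apr/2005:10:15:01 +0800] conn=42 op=1 SRCH base="ou=people,dc=example,dc=com" scope=1 filter="(&(objectClass=posixAccount)(uid=gary))" attrs=ALL
[01/Apr/2005:10:15:01 +0800] conn=42 op=1 RESULT err=32 tag=101 nentries=0 etime=0
[01/Apr/2005:10:15:02 +0800] conn=43 fd=65 slot=65 connection from 192.168.1.51 to 192.168.1.168
[01/Apr/2005:10:15:02 +0800] conn=43 op=0 BIND dn="uid=gary,ou=People,dc=example,dc=com" method=128 version=3
[01/Apr/2005:10:15:02 +0800] conn=43 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[01/Apr/2005:10:15:03 +0800] conn=42 op=2 UNBIND
[01/Apr/2005:10:15:03 +0800] conn=42 op=2 fd=64 closed - U1
[01/Apr/2005:10:15:03 +0800] conn=43 op=1 UNBIND
[01/Apr/2005:10:15:03 +0800] conn=43 op=1 fd=65 closed - U1'

# conns_from_ip LOG IP -> connection numbers opened from IP, one per line
conns_from_ip() {
	printf '%s\n' "$1" | awk -v ip="$2" '
		/ connection from / && $(NF-2) == ip { sub(/^conn=/, "", $3); print $3 }'
}

# trace_conn LOG N -> every line of connection N, start to finish
trace_conn() {
	printf '%s\n' "$1" | awk -v want="conn=$2" '$3 == want'
}

# summarize_conn LOG N -> one line per BIND/SRCH of connection N with its err= code
summarize_conn() {
	printf '%s\n' "$1" | awk -v want="conn=$2" '
		# grab(re): the part of the current line matching re, or ""
		function grab(re) { return match($0, re) ? substr($0, RSTART, RLENGTH) : "" }
		# hint(e): meaning of the LDAP result codes that matter in this procedure
		function hint(e) {
			if (e == "32") return " (noSuchObject: check the search base DN)"
			if (e == "49") return " (invalidCredentials: wrong bind DN or password)"
			if (e == "50") return " (insufficientAccessRights: check the ACIs)"
			return ""
		}
		$3 != want   { next }
		$5 == "BIND" { bind[$4] = grab("dn=\"[^\"]*\""); next }
		$5 == "SRCH" { srch[$4] = grab("base=\"[^\"]*\"") " " grab("filter=\"[^\"]*\""); next }
		$5 == "RESULT" {
			e = substr(grab("err=[0-9]+"), 5)
			if ($4 in srch)      printf "SRCH %s -> err=%s%s\n", srch[$4], e, hint(e)
			else if ($4 in bind) printf "BIND %s -> err=%s%s\n", bind[$4], e, hint(e)
		}'
}

# Stand-alone run: follow the workstation 192.168.1.50 the way the post describes.
# On a real server replace "$LOG" with `cat /var/ds5/slapd-*/logs/access` or similar.
for c in `conns_from_ip "$LOG" 192.168.1.50`; do
	echo "== conn=$c =="
	trace_conn "$LOG" "$c"
	echo "-- summary --"
	summarize_conn "$LOG" "$c"
done
```

RESULT lines are matched to their operation by the op= field rather than by adjacency, so the summary stays correct when several operations of one connection are interleaved with other connections in the log. The err=50 hint covers the ACI case the post ends with: a search that returns nentries=0 with err=0 or err=50 while the entry exists points at permissions rather than at the base DN.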
Appendix 3: Troubleshooting “Unable to log into Directory Console” due to admin-serv-`hostname` password expired out of the blue.
Pls refer to:
http://swforum.sun.com/jive/thread.jspa?threadID=48144&tstart=0
Appendix 4: Troubleshooting “pam_ldap” using debugging mode
Pls read useful info w.r.t. pam_unix and pam_ldap at:
http://www.informit.com/articles/article.asp?p=30339&seqNum=3&rl=1
One of the benefits of using pam_ldap is that it does not require passwords to be stored in any specific format: pam_ldap authenticates by binding to the directory as the user, so the server does the password comparison and userPassword can be stored as SSHA, SHA or CRYPT. pam_unix, by contrast, reads the hash through nss_ldap and compares it itself, so it works only with {CRYPT} hashes and needs read access to userPassword. With pam_ldap, prefer SSHA, which is salted, over unsalted SHA or CRYPT.
Content of cr_proxyAgent_pw_in_NS1_format.sh, which uses ldap_gen_profile (Solaris 8 native LDAP client; "ldapclient genprofile" does the same job on Solaris 9) to produce the proxyAgent bind password in {NS1} form, and an example of running it:
# cat cr_proxyAgent_pw_in_NS1_format.sh
/usr/sbin/ldap_gen_profile -P testprofile -b "dc=example,dc=com" \
	-D "cn=proxyAgent,ou=profile,dc=example,dc=com" -w password \
	192.168.1.168
# ./cr_proxyAgent_pw_in_NS1_format.sh
dn: cn=testprofile,ou=profile,dc=example,dc=com
SolarisBindDN: cn=proxyAgent,ou=profile,dc=example,dc=com
SolarisBindPassword: {NS1}ecfa88f3a945c411
SolarisLDAPServers: 192.168.1.168
SolarisSearchBaseDN: dc=example,dc=com
SolarisAuthMethod: NS_LDAP_AUTH_NONE
SolarisTransportSecurity: NS_LDAP_SEC_NONE
SolarisSearchReferral: NS_LDAP_FOLLOWREF
SolarisSearchScope: NS_LDAP_SCOPE_ONELEVEL
SolarisSearchTimeLimit: 30
SolarisCacheTTL: 43200
cn: testprofile
SolarisBindTimeLimit: 30
ObjectClass: top
ObjectClass: SolarisNamingProfile
The {NS1} value is obfuscated, not hashed: the client must recover the clear-text password to bind as proxyAgent, so anyone who can read this profile entry, or the client's copy of it under /var/ldap, can recover it. Restrict read access to the profile entry with ACIs, keep the files under /var/ldap readable by root only, and give proxyAgent no more than read access to the naming data. Note also that this sample profile has SolarisAuthMethod NS_LDAP_AUTH_NONE and SolarisTransportSecurity NS_LDAP_SEC_NONE, i.e. no authentication method and no transport security; it is shown here only for the {NS1} output, and a production profile should use the SSL/TLS settings described earlier in this document.