Usper 2011-04-04
每个系统都需要对用户进行认证Authentication和鉴权Authorization,用户集中管理只需要一份用户信息,简化了管理。通过PAM能够对不同的认证系统进行动态配置,如Radius,LDAP。
PAM LDAP on Linux RedHat5
1 Configure OpenLDAP
OpenLDAP is installed at /usr/local/, and the LDAP server configuration file is /usr/local/etc/openldap/slapd.conf. It includes the following settings, which should be modified according to the specific context; note that `access to * by * read` grants anonymous read access to every entry (including userPassword attributes), so tighten this ACL outside a test setup.
#access control
access to * by * read
database bdb
suffix "dc=cisco,dc=com"
rootdn "cn=root,dc=cisco,dc=com"
rootpw Crdc%123
# If logging is needed, add "local4.* /var/log/ldap/ldap.log" to /etc/syslog.conf
The LDAP client configuration file is etc/openldap/ldap.conf.
Then start LDAP server:
# /usr/local/libexec/slapd
2 Import user accounts
Create an LDIF file containing all the user account information. One bind user is required to send the bind request to LDAP before authentication starts.
users.ldif :
dn: uid=testbind,dc=cisco,dc=com
uid: testbind
cn: testbind
sn: testbind
userPassword: testbind
uidNumber: 1104
gidNumber: 1100
homeDirectory: /home/testbind
loginShell: /bin/bash
objectClass: inetOrgPerson
objectClass: posixAccount
dn: uid=test,dc=cisco,dc=com
uid: test
cn: test
sn: test
userPassword: test
uidNumber: 1105
gidNumber: 1100
homeDirectory: /home/test
loginShell: /bin/bash
objectClass: inetOrgPerson
objectClass: posixAccount
….
Use the following commands to add, search and delete user accounts:
#ldapadd -x -D "cn=root,dc=cisco,dc=com" -W -f users.ldif
#ldapsearch -x -D "cn=root,dc=cisco,dc=com" -W -b "cn=test,dc=cisco,dc=com"
#ldapdelete -x -D "cn=root,dc=cisco,dc=com" -W "ou=people,dc=cisco,dc=com"
3 PAM setting
There are many different PAM modules that communicate with different AAA servers; these PAM library files are located in /lib64/security (for 64-bit Linux). Use /etc/pam.d/<yourservice-jpam> to relay authentication to LDAP or another AAA server, for instance Radius. Modify the ppm-jpam file with the following lines:
auth sufficient /lib64/security/pam_ldap.so config=/etc/ldap.conf
account sufficient /lib64/security/pam_ldap.so config=/etc/ldap.conf
The PAM_LDAP service uses the /etc/ldap.conf file to establish the connection to the LDAP server and verify users. Because this file holds the bind password in cleartext (bindpw), restrict its file permissions so that it is not world-readable.
# Your LDAP server.
host 10.74.125.39
# The distinguished name of the search base.
base dc=cisco,dc=com
ldap_version 3
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn uid=testbind,dc=cisco,dc=com
# The credentials to bind with.
# Optional: default is no credential.
bindpw testbind
# The port.
# Optional: default is 389.
port 389
# The search scope.
scope sub
# The user ID attribute (defaults to uid)
pam_login_attribute uid
4 Verify
PAM LDAP on Solaris 10
1 Configure OpenLDAP
OpenLDAP is installed at /usr/local/, and the LDAP server configuration file is /usr/local/etc/openldap/slapd.conf. It includes the following settings, which should be modified according to the specific context.
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/corba.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/gehua.schema
include /usr/local/etc/openldap/schema/duaconf.schema
include /usr/local/etc/openldap/schema/solaris.schema
#include /usr/local/etc/openldap/schema/DUAConfigProfile.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb.la
# moduleload back_hdb.la
# moduleload back_ldap.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
access to * by * read
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=cisco,dc=com"
# suffix "DC=mbaruch, DC=local"
rootdn "cn=root,dc=cisco,dc=com"
# rootdn "CN=root,DC=mbaruch, DC=local"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
rootpw Crdc%123
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq
sizelimit 1000
loglevel any
#TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
#TLSCertificateFile /etc/openldap/cacerts/server.cert
#TLSCertificateKeyFile /etc/openldap/cacerts/server.key
TLSCACertificateFile /usr/local/etc/openldap/ca/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/ca/servercrt.pem
TLSCertificateKeyFile /usr/local/etc/openldap/ca/serverkey.pem
TLSVerifyClient never
#ssl start_tls
2 Import user accounts
Create an LDIF file containing all the user account information. One bind user is required to send the bind request to LDAP before authentication starts.
Use the following command to import base.ldif, groups.ldif and passwd.ldif into the LDAP server.
#ldapadd -x -D "cn=root,dc=cisco,dc=com" -W -f ***.ldif
base.ldif
dn: ou=People,dc=cisco,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,dc=cisco,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
group.ldif
dn: cn=root,ou=Group,dc=cisco,dc=com
objectClass: posixGroup
objectClass: top
cn: root
gidNumber: 0
dn: cn=other,ou=Group,dc=cisco,dc=com
objectClass: posixGroup
objectClass: top
cn: other
gidNumber: 1
memberUid: root
passwd.ldif
dn: uid=testbind,dc=cisco,dc=com
uid: testbind
cn: testbind
sn: testbind
userPassword: testbind
uidNumber: 1104
gidNumber: 1100
homeDirectory: /home/testbind
loginShell: /bin/bash
objectClass: inetOrgPerson
objectClass: posixAccount
dn: uid=nmtgtest,ou=People,dc=cisco,dc=com
uid: nmtgtest
cn: nmtgtest
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: nmtgtest
shadowLastChange: 15064
loginShell: /bin/sh
uidNumber: 1315
gidNumber: 1
homeDirectory: /home/nmtg
3 PAM setting
There are many different PAM modules that communicate with different AAA servers. Solaris has a native PAM LDAP library; use /etc/pam.conf to relay authentication to LDAP or another AAA server, for instance LDAP:
<service name> auth required pam_ldap.so
<service name> account required pam_ldap.so
Run the following command to configure the Solaris native LDAP client (the proxy password is passed on the command line, so it will be visible in shell history and process listings):
ldapclient -v manual -a defaultSearchBase=dc=cisco,dc=com -a serviceSearchDescriptor=passwd:ou=People,dc=cisco,dc=com -a serviceSearchDescriptor=shadow:ou=People,dc=cisco,dc=com -a defaultServerList=10.74.125.39 -a domainName=cisco.com -a authenticationMethod=simple -a defaultSearchScope=sub -a credentialLevel=proxy -a proxyDN=uid=testbind,dc=cisco,dc=com -a proxyPassword=testbind
To verify if the LDAP client is working well, run the following command:
# getent passwd <username>
# ldaplist -l passwd <username>
Verify that the following two files contain the correct parameters:
/var/ldap/ldap_client_file
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 10.74.125.39
NS_LDAP_SEARCH_BASEDN= dc=cisco,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=cisco,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=cisco,dc=com
/var/ldap/ldap_client_cred
NS_LDAP_BINDDN= uid=testbind,dc=cisco,dc=com
NS_LDAP_BINDPASSWD= {NS1}4a3788e834634411
4 Verify