Print-friendly Version

Sun Java System Directory Server 6.0 as an LDAP Naming Service: Part 3 -- Client Configurations for Red Hat Linux and AIX

Jonathan Gershater, Sun Microsystems, and Vineeth Katarki, Mascon Global Limited (MGL); October 2007

Article Contents

This article is presented in the following four parts:

• Part 1 -- Installation and Configuration
• Part 2 -- Client Configurations for the Solaris OS
• Part 3 -- Client Configurations for Red Hat Linux and AIX
• Part 4 -- Post-Configuration Tasks

Note: When you run the commands shown in the procedures of this article, replace COMPANY with a value that is appropriate for your environment.

Part 3 -- Client Configurations for Red Hat Linux and AIX

Part 3 provides instructions for configuring the UNIX native LDAP clients that run Red Hat Enterprise Linux (RHEL) Release 4 Update 4 or AIX 5.3, so you can deploy Sun Java System Directory Server 6.0 (hereafter referred to as "Directory Server") as a naming service.

Use the appropriate procedure on each Linux and AIX client.

These procedures configure each client as an LDAP client for TLS:SIMPLE authentication, which is authentication over SSL using CA signed certificates. The root CA signing certificate must exist in each native LDAP client so that the client trusts the server certificate presented by Directory Server during authentication.

Part 3 Contents

• Configuring Clients That Run RHEL Release 4 Update 4
• Configuring Clients That Run AIX 5.3

Configuring Clients That Run RHEL Release 4 Update 4

This section contains a procedure for configuring RHEL Release 4 Update 4 clients to participate in LDAP authentication and authorization services.

Note: Unless otherwise noted, the following instructions are for both full and partial participation scenarios.

1. Verify that the correct releases of the OpenLDAP, nss_ldap, and OpenSSL packages are installed on the system:

# rpm -qa | grep ldap
openldap-2.2.13-6.4E
nss_ldap-226-13
# openssl version -v
OpenSSL 0.9.7a Feb 19 2003

2. Configure SSL for communication between the Linux client and the four servers on which Directory Server is installed (hereafter referred to as "the directory servers"):

a. Copy the root CA and subordinate CA certificates in PEM format. If they are in DER format, use the following commands to convert them to PEM format, and then copy them over to the /etc/openldap/cacerts directory.

# openssl x509 -inform DER -outform PEM -in rootca.der -out
  rootca.pem
# openssl x509 -inform DER -outform PEM -in subca.der -out
  subca.pem

Note: If the root CA certificate does not begin with ...BEGIN TRUSTED CERTIFICATE, the openssl commands might fail on both the certificates or the LDAP library might not use the certificate. In such a case, you need to modify the "trust" properties of the root CA certificate using the following command:

# openssl x509 -trustout -in rootca.cer -out rootca.pem

b. As root, copy the PEM-formatted certificate files to the/etc/openldap/cacerts directory and change their permissions:

# cp rootca.pem /etc/openldap/cacerts
# cp subca.pem /etc/openldap/cacerts
# chmod 644 /etc/openldap/cacerts/*.pem

c. Run the following scripts and commands to create hashed links to these certificates:

# cat cahash.sh
HASHCA=`openssl x509 -noout -hash -in /etc/openldap/cacerts/rootca.pem`
HASHSUB=`openssl x509 -noout -hash -in /etc/openldap/cacerts/subca.pem`
echo "Please run the following commands: "
echo "cd /etc/openldap/cacerts"
echo "ln -s rootca.pem $HASHCA.0"
echo "ln -s subca.pem $HASHSUB.0"

# sh cahash.sh
Please run the following commands:
cd /etc/openldap/cacerts
ln -s rootca.pem c3c94f3b.0
ln -s subca.pem 0533a10d.0

## Note that in the above commands, the output when running the
## commands may be different from the examples shown above!
## Follow the instructions generated by the script.

3. Configure /etc/ldap.conf and /etc/openldap/ldap.conf to use SSL for communication between the Linux client and the directory servers:

a. Configure /etc/ldap.conf:

# /etc/ldap.conf
#
# Your LDAP server must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to fail over depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
#
host <primary server> <failover server>
# As in: host server2.COMPANY.com server1.COMPANY.com

# The distinguished name of the search base.
base dc=COMPANY,dc=com

# The distinguished name to bind to the server with.
binddn cn=proxyagent,ou=profile,dc=COMPANY,dc=com

# The credentials to bind with.
bindpw <proxy agent password>

# The search scope.
scope sub

# Bind/connect timelimit
bind_timelimit 30

# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff; soft will fail
# immediately.
bind_policy soft

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
idle_timelimit 3600

# Filter to AND with uid=%s
pam_filter objectclass=posixaccount

# The user ID attribute (defaults to uid)
pam_login_attribute uid

# Do not hash the password at all; presume
# the directory server will do it, if necessary. This is the
# default behavior.
pam_password clear

# Redirect users to a URL for password changes.
pam_password_prohibit_message Please visit http://internal to
  change your password.

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX          base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix, for example:
# nss_base_passwd       ou=People,
# to append the default base DN but this
# may incur a small performance impact.
nss_base_passwd         ou=people,dc=COMPANY,dc=com?one
nss_base_shadow         ou=People,dc=COMPANY,dc=com?one
nss_base_group          ou=group,dc=COMPANY,dc=com?one
nss_base_netgroup       ou=netgroup,dc=COMPANY,dc=com?sub

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS, typically 636
ssl start_tls
ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
tls_checkpeer yes

# CA certificates for server certificate verification
tls_cacertdir /etc/openldap/cacerts

b. Configure /etc/openldap/ldap.conf:

Note: The primary and backup directory servers are configured in this file along with the location of the SSL certificates.

# /etc/openldap/ldap.conf
# Required for utilities such as ldapsearch
#
HOST <primary server> <secondary server>
# As in: HOST server2.COMPANY.com server1.COMPANY.com

BASE dc=COMPANY,dc=com
TLS_CACERTDIR /etc/openldap/cacerts

4. Configure /etc/pam.d/system_auth:

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# This file has been updated by UNIX Engineering to comply with
# the LINUX TSR, April 2006.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth
  nullok
auth        sufficient
  /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid <
  100 quiet
account    [default=bad success=ok
  user_unknown=ignore err=ignore
authinfo_unavail=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_unix.so
  broken_shadow
account     required      /lib/security/$ISA/pam_access.so

password    requisite     /lib/security/$ISA/pam_cracklib.so
  minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 retry=5
  type=
password    sufficient
  /lib/security/$ISA/pam_unix.so nullok use_authtok
  md5 shadow nis remember=12
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so

Note: No changes are required for /etc/pam.d/su, /etc/pam.d/login, and /etc/pam.d/sshd as long as they are configured to use system_auth, as in the following /etc/pam.d/su example.

#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the
  "wheel" group.
#auth       sufficient   /lib/security/$ISA/pam_wheel.so trust
  use_uid
# Uncomment the following line to require a user to be in the
  "wheel" group.
#auth       required     /lib/security/$ISA/pam_wheel.so use_uid
auth       required     /lib/security/$ISA/pam_stack.so
  service=system-auth
account    required     /lib/security/$ISA/pam_stack.so
  service=system-auth
password   required     /lib/security/$ISA/pam_stack.so
  service=system-auth
# pam_selinux.so close must be first session rule
session    required     /lib/security/$ISA/pam_selinux.so close
session    required     /lib/security/$ISA/pam_stack.so
  service=system-auth
# pam_selinux.so open and pam_xauth must be last two session
  rules
session    required     /lib/security/$ISA/pam_selinux.so
  open
session    optional     /lib/security/$ISA/pam_xauth.so

5. If you will use netgroups to limit access to systems, configure /etc/nsswitch.conf as follows:

# This documents only changes that need to made for Linux LDAP
# based authentication and authorization services
passwd:     	files ldap
shadow:      	files ldap
group:          files ldap
netgroup:       ldap

6. To use netgroups, do the following:

Note: This step describes how to configure one server. Make similar changes to other servers, as needed.

a. Add a netgroup to Directory Server, as described in the Adding Netgroups Using the Console section of Part 1.

b. Configure /etc/security/access.conf:

# This documents only changes that need to made for LDAP
# based authentication and authorization services using netgroups
# for Linux systems in full participation.
#
# The names below are cited for example purposes only. Use the
# configured netgroup names.
+:@netgroup1:ALL
+:@netgroup2:ALL

7. Configure Open SSH to use PAM by ensuring the following line is in the /etc/sshd/sshd_config configuration file:

UsePAM 	yes

Configuring Clients That Run AIX 5.3

This section contains a procedure for configuring AIX 5.3 workstations and servers as native LDAP clients. Use this procedure on each AIX 5.3 client.

1. Verify that the following required AIX 5.3 packages are installed on the system:

• ldap.max_crypto_client.rte
• ldap.max_crypto_client.adt

2. Configure SSL for communication between the AIX client and the four servers on which Directory Server is installed (hereafter referred to as "the directory servers"):

a. Download the GSKit version 7.0.3.3.31 from IBM (requires signing in).

b. Install the following packages:

• gskta.rle
• gskra.rte
• ldap.max_crypto_client.rte
• ldap.max_crypto_client.adt

c. Copy the following files to the /etc/security/ldap directory:

• Client_CACertsOnly.crl
• Client_CACertsOnly.kdb
• Client_CACertsOnly.rdb
• Client_CACertsOnly.sth

d. Review /etc/security/ldap/ldap.cfg, which shows the certificate database used and the port number of Directory Server (636):

useSSL:yes
ldapsslkeyf: /etc/security/ldap/VisaClient_CACertsOnly.kdb
ldapsslport:636

e. (Optional) Validate that SSL works by binding to Directory Server over SSL:

ldapsearch -h server1.COMPANY.com:66 -d 256 -Z -K
/etc/security/ldap/Client_CACertsOnly.kdb  -P <password>
  -b "ou=people,dc=COMPANY,dc=com"
  -D "uid=user,ou=People,dc=Company,dc=com" -w <password>
  cn=user005

3. Edit the security files as follows:

a. Change /etc/security/security to compat as follows:

default:
	admin=false
	login=true
	su = true
	daemon = true
	rlogin = true
	sugroups = ALL
	admgroups -
	ttys=ALL
	auth1=SYSTEM
	auth2=NONE
	tpath=nosak
	umask=022
	expires = 0
	SYSTEM = "compat"
	registry = compat
	logintimes = 7
	pwdwarntime = 7
	account_locked = false
	loginretries = 5
	histexpire = 52
	minage = 0
	maxexpired = 13
	minlen = 8
	dictionlis=
	pwdchecks =

b. Add options=netgroup to /usr/lib/security/methods.cfg as follows:

LDAP:
	program = /usr/lib/security/LDAP
	program_64 = /usr/lib/security/LDAP64
	options = netgroup

4. To use netgroups, do the following:

Note: This step describes how to configure one server. Make similar changes to other servers, as needed.

a. Add a netgroup to Directory Server, as described in the Adding Netgroups Using the Console section of Part 1.

b. Configure /etc/passwd:

root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1:/etc:
....other users.....
+:@dbadmin

5. Run the following command, which sets up the local system to use the LDAP server on server1.company.com:

mksecldap -c -a cn=proxyagent,ou=profile,dc=COMPANY,dc=com -p pwd
  -h server1.company.com

Note: The proxyagent user is perfectly acceptable. There is no need, nor is it advisable, to use an admin user. See the following IBM references:

• IBM Information Center: http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.doc/cmds (Search for mksecldap information here)
• IBM Redbook: Integrating AIX into Heterogeneous LDAP Environments (abstract)
• IBM Redbook: Integrating AIX into Heterogeneous LDAP Environments (full document)

Unless otherwise licensed, code in all technical manuals herein (including articles, FAQs, samples) is provided under this License.