PAM LDAP user authentication on RedHat Linux 5 and Solaris 10

Every system has to authenticate and authorize its users. With centralized user management only one copy of the user information needs to be maintained, which simplifies administration. PAM makes it possible to plug in different authentication back ends, such as RADIUS or LDAP, through configuration alone.


PAM LDAP on Linux RedHat5


1 Configure OpenLDAP


OpenLDAP is installed under /usr/local/; the LDAP server configuration file is /usr/local/etc/openldap/slapd.conf. It contains the following settings, which are adjusted for the specific environment. Two of them deserve attention before this goes beyond a lab: "access to * by * read" lets every client, including anonymous binds, read every attribute of every entry, userPassword included, whereas the sample policy shipped in slapd.conf (self write, authenticated users read, anonymous auth only) is the safer starting point; and rootpw is written in cleartext, while slapd.conf(5) and slappasswd(8) recommend storing a password hash there instead.


#access control
access to * by * read

database        bdb
suffix          "dc=cisco,dc=com"
rootdn          "cn=root,dc=cisco,dc=com"
rootpw          Crdc%123

#if logging is needed, also add "local4.* /var/log/ldap/ldap.log" to /etc/syslog.conf
loglevel any


 


The LDAP client configuration file, used by the ldap* command-line tools, is /etc/openldap/ldap.conf.


 


Then start the LDAP server:


# /usr/local/libexec/slapd


 


2 Import user accounts


Create an LDIF file containing all the user account entries. One bind (proxy) user is also required: the PAM client binds as this user to look up the entry of the person logging in, and only then authenticates that person by binding with their own password. Note that the userPassword values below are cleartext as written in the LDIF; slapd stores them exactly as given, so generate hashed values with slappasswd(8) (for example {SSHA}) before importing anything other than test data.


 


users.ldif :


 


dn: uid=testbind,dc=cisco,dc=com


uid: testbind


cn: testbind


sn: testbind


userPassword: testbind


uidNumber: 1104


gidNumber: 1100


homeDirectory: /home/testbind


loginShell: /bin/bash


objectClass: inetOrgPerson


objectClass: posixAccount


 


dn: uid=test,dc=cisco,dc=com


uid: test


cn: test


sn: test


userPassword: test


uidNumber: 1105


gidNumber: 1100


homeDirectory: /home/test


loginShell: /bin/bash


objectClass: inetOrgPerson


objectClass: posixAccount


 


….


 


Use the following commands to add, search and delete user accounts (the entries live at uid=<name>,dc=cisco,dc=com, so search from the base with a uid filter rather than from a cn= DN that does not exist):

#ldapadd -x -D "cn=root,dc=cisco,dc=com" -W -f users.ldif
#ldapsearch -x -D "cn=root,dc=cisco,dc=com" -W -b "dc=cisco,dc=com" "(uid=test)"
#ldapdelete -x -D "cn=root,dc=cisco,dc=com" -W "ou=people,dc=cisco,dc=com"
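The users.ldif above carries the passwords in cleartext, which slapd stores verbatim. The following added example (not part of the original page) generates the same two entries with slappasswd-style {SSHA} values instead, and includes the verification step slapd performs on a simple bind so the output can be checked offline. The user list, salts and base DN are taken from the page; the helper names are this example's own.

```python
import base64
import hashlib
import os

# Constructed input mirroring the page's users.ldif; the passwords are the
# page's own test values and are only used to produce hashed output.
USERS = [
    {"uid": "testbind", "password": "testbind", "uidNumber": 1104},
    {"uid": "test", "password": "test", "uidNumber": 1105},
]
BASE_DN = "dc=cisco,dc=com"


def ssha_hash(password, salt=None):
    """Return an OpenLDAP {SSHA} value: base64(sha1(password + salt) + salt).

    This is the scheme slappasswd(8) emits by default; slapd verifies a simple
    bind against it without ever holding the cleartext in the directory."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """Check a cleartext password against a {SSHA} value (what slapd does on bind)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digests are 20 bytes, rest is salt
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def user_entry(uid, password, uid_number, gid_number=1100, base_dn=BASE_DN):
    """Render one inetOrgPerson/posixAccount entry with a hashed userPassword."""
    return "\n".join([
        f"dn: uid={uid},{base_dn}",
        f"uid: {uid}",
        f"cn: {uid}",
        f"sn: {uid}",
        f"userPassword: {ssha_hash(password)}",   # '{' is a safe first byte in LDIF
        f"uidNumber: {uid_number}",
        f"gidNumber: {gid_number}",
        f"homeDirectory: /home/{uid}",
        "loginShell: /bin/bash",
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
    ])


def build_ldif(users=USERS, base_dn=BASE_DN):
    """Whole LDIF text, entries separated by a blank line as ldapadd expects."""
    entries = [user_entry(u["uid"], u["password"], u["uidNumber"], base_dn=base_dn)
               for u in users]
    return "\n\n".join(entries) + "\n"


def parse_passwords(ldif):
    """Map uid -> userPassword from LDIF text, to check what would be imported."""
    out, uid = {}, None
    for line in ldif.splitlines():
        if line.startswith("uid: "):
            uid = line[len("uid: "):]
        elif line.startswith("userPassword: ") and uid:
            out[uid] = line[len("userPassword: "):]
    return out


if __name__ == "__main__":
    # Pipe this into: ldapadd -x -D "cn=root,dc=cisco,dc=com" -W
    print(build_ldif(), end="")
```

Each run produces different hashes because the salt is random; that is expected, and ssha_verify still accepts the original password while rejecting a near miss.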


 


3 PAM setting


There are many PAM modules, each talking to a different AAA server; on 64-bit Linux the module libraries live in /lib64/security. The per-service file /etc/pam.d/<your-service> decides where that service's authentication is relayed, to LDAP or to another AAA back end such as RADIUS. For the jpam service, for instance, add the following lines to its file:


 


auth        sufficient  /lib64/security/pam_ldap.so config=/etc/ldap.conf


account     sufficient   /lib64/security/pam_ldap.so config=/etc/ldap.conf
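What a stack made only of "sufficient" lines does when pam_ldap fails is easy to get wrong, so here is an added example (not from the original page) that models how Linux-PAM combines the control flags required, requisite, sufficient and optional into one result. The module outcomes are constructed inputs; the names PAGE_STACK and HARDENED_STACK and the function run_stack are this example's own, and the model deliberately ignores the bracketed [value=action] syntax.

```python
# Simplified model of Linux-PAM control-flag evaluation for one management
# group (e.g. "auth"). Module results are simulated: nothing here talks to
# a real pam_unix.so or pam_ldap.so.

PAGE_STACK = [                   # the two lines given on this page, nothing else
    ("sufficient", "pam_ldap.so"),
]
HARDENED_STACK = [               # local users first, LDAP second, explicit deny
    ("sufficient", "pam_unix.so"),
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_deny.so"),
]


def run_stack(stack, results):
    """Evaluate a PAM stack and return "success" or "denied".

    results maps module name -> True/False for this attempt; a module absent
    from the dict (unreachable LDAP server, user unknown to the module) fails.

      required   - failure is remembered, the stack keeps running
      requisite  - failure returns immediately
      sufficient - success returns immediately unless a required module
                   already failed; failure is ignored entirely
      optional   - only counts when it is the sole module in the stack
    If no module contributed a result (e.g. every sufficient line failed),
    the outcome is denial, matching Linux-PAM's end-of-stack sanity check.
    """
    required_failed = False
    contributed = False
    for flag, module in stack:
        ok = results.get(module, False)
        if flag == "required":
            contributed = True
            if not ok:
                required_failed = True
        elif flag == "requisite":
            contributed = True
            if not ok:
                return "denied"
        elif flag == "sufficient":
            if ok and not required_failed:
                return "success"
            # a failing sufficient module is ignored and contributes nothing
        elif flag == "optional":
            if len(stack) == 1:
                contributed = True
                required_failed = not ok
        else:
            raise ValueError(f"unknown control flag {flag!r}")
    if required_failed or not contributed:
        return "denied"
    return "success"


if __name__ == "__main__":
    # Constructed scenarios: an LDAP user, a local-only user such as root,
    # and an outage in which pam_ldap cannot reach the server at all.
    scenarios = {
        "ldap user, server up": {"pam_ldap.so": True},
        "local-only user (root)": {"pam_unix.so": True},
        "ldap server unreachable": {},
    }
    for name, results in scenarios.items():
        print(f"{name:26s} page stack: {run_stack(PAGE_STACK, results):8s}"
              f" hardened stack: {run_stack(HARDENED_STACK, results)}")
```

The page's stack locks out every account that exists only in /etc/passwd and fails closed during an LDAP outage; the hardened variant keeps local logins working, still accepts LDAP users, and ends in pam_deny.so so that nobody gets through on an "ignored" failure.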


 


pam_ldap reads /etc/ldap.conf (named by config= above) to connect to the LDAP server and verify users. Two things to check before relying on this stack: with only "sufficient" lines and no pam_unix.so, accounts that exist solely in /etc/passwd (root included) can no longer use this service, and if pam_ldap fails for any reason (server unreachable, wrong bindpw) the stack ends without a contributing module and the login is denied, so production stacks normally put pam_unix.so first and finish with a required pam_deny.so. Also, /etc/ldap.conf is world-readable on a stock install, so the bindpw below is visible to every local user; with the read-everything ACL configured on the server the user lookup works without binddn/bindpw at all, and where a proxy credential really is needed pam_ldap's rootbinddn option reads it from the root-only file /etc/ldap.secret instead.


 


# Your LDAP server.


host 10.74.125.39


# The distinguished name of the search base.


base dc=cisco,dc=com


ldap_version 3


 


# The distinguished name to bind to the server with.


# Optional: default is to bind anonymously.


binddn uid=testbind,dc=cisco,dc=com


 


# The credentials to bind with.


# Optional: default is no credential.


bindpw testbind


 


# The port.


# Optional: default is 389.


port 389


 


# The search scope.


scope sub


 


# The user ID attribute (defaults to uid)


pam_login_attribute uid



 


4 Verify
 


PAM LDAP on Solaris 10



1 Configure OpenLDAP


OpenLDAP is installed under /usr/local/; the LDAP server configuration file is /usr/local/etc/openldap/slapd.conf and contains the following settings, adjusted for the specific environment. The same remarks apply as for the Linux server: the active ACL is "access to * by * read", which exposes userPassword to anonymous clients, and rootpw is stored in cleartext in spite of the warning in the file itself. TLS server certificates are configured at the end of the file, so clients can and should use them.


#


# See slapd.conf(5) for details on configuration options.


# This file should NOT be world readable.


#


include         /usr/local/etc/openldap/schema/core.schema


include         /usr/local/etc/openldap/schema/corba.schema


include         /usr/local/etc/openldap/schema/cosine.schema


include         /usr/local/etc/openldap/schema/inetorgperson.schema


include         /usr/local/etc/openldap/schema/misc.schema


include         /usr/local/etc/openldap/schema/openldap.schema


include         /usr/local/etc/openldap/schema/nis.schema


include         /usr/local/etc/openldap/schema/gehua.schema


include         /usr/local/etc/openldap/schema/duaconf.schema


include         /usr/local/etc/openldap/schema/solaris.schema


#include        /usr/local/etc/openldap/schema/DUAConfigProfile.schema


 


# Define global ACLs to disable default read access.


 


# Do not enable referrals until AFTER you have a working directory


# service AND an understanding of referrals.


#referral       ldap://root.openldap.org


 


pidfile         /usr/local/var/run/slapd.pid


argsfile        /usr/local/var/run/slapd.args


 


# Load dynamic backend modules:


# modulepath    /usr/local/libexec/openldap


# moduleload    back_bdb.la


# moduleload    back_hdb.la


# moduleload    back_ldap.la


 


# Sample security restrictions


#       Require integrity protection (prevent hijacking)


#       Require 112-bit (3DES or better) encryption for updates


#       Require 63-bit encryption for simple bind


# security ssf=1 update_ssf=112 simple_bind=64


 


# Sample access control policy:


#       Root DSE: allow anyone to read it


#       Subschema (sub)entry DSE: allow anyone to read it


#       Other DSEs:


#               Allow self write access


#               Allow authenticated users read access


#               Allow anonymous users to authenticate


#       Directives needed to implement policy:


# access to dn.base="" by * read

# access to dn.base="cn=Subschema" by * read


# access to *


#       by self write


#       by users read


#       by anonymous auth


 


 


access to * by * read


 


#


# if no access controls are present, the default policy


# allows anyone and everyone to read anything but restricts


# updates to rootdn.  (e.g., "access to * by * read")


#


# rootdn can always read and write EVERYTHING!


 


#######################################################################


# BDB database definitions


#######################################################################


 


database        bdb

suffix          "dc=cisco,dc=com"

# suffix                "DC=mbaruch, DC=local"

rootdn          "cn=root,dc=cisco,dc=com"

# rootdn                "CN=root,DC=mbaruch, DC=local"


# Cleartext passwords, especially for the rootdn, should


# be avoided.  See slappasswd(8) and slapd.conf(5) for details.


# Use of strong authentication encouraged.


# rootpw                secret


rootpw               Crdc%123


# The database directory MUST exist prior to running slapd AND


# should only be accessible by the slapd and slap tools.


# Mode 700 recommended.


directory       /usr/local/var/openldap-data


# Indices to maintain


index   objectClass     eq


 


sizelimit 1000


loglevel any


 


#TLSCACertificateFile /etc/openldap/cacerts/cacert.pem


#TLSCertificateFile /etc/openldap/cacerts/server.cert


#TLSCertificateKeyFile /etc/openldap/cacerts/server.key


 


TLSCACertificateFile /usr/local/etc/openldap/ca/cacert.pem


TLSCertificateFile /usr/local/etc/openldap/ca/servercrt.pem


TLSCertificateKeyFile /usr/local/etc/openldap/ca/serverkey.pem


 


TLSVerifyClient never


#ssl start_tls


 


2 Import user accounts


Create the LDIF files containing the user account entries. One bind (proxy) user is required: the Solaris client binds as this user to look up accounts before authenticating them.

Import base.ldif, group.ldif and passwd.ldif into the LDAP server in that order, since the ou=People and ou=Group containers must exist before the entries beneath them:

#ldapadd -x -D "cn=root,dc=cisco,dc=com" -W -f ***.ldif


 


base.ldif


 


dn: ou=People,dc=cisco,dc=com


ou: People


objectClass: top


objectClass: organizationalUnit


 


dn: ou=Group,dc=cisco,dc=com


ou: Group


objectClass: top


objectClass: organizationalUnit


 


group.ldif


 


dn: cn=root,ou=Group,dc=cisco,dc=com


objectClass: posixGroup


objectClass: top


cn: root


gidNumber: 0


 


dn: cn=other,ou=Group,dc=cisco,dc=com


objectClass: posixGroup


objectClass: top


cn: other


gidNumber: 1


memberUid: root


 


passwd.ldif


 


dn: uid=testbind,dc=cisco,dc=com


uid: testbind


cn: testbind


sn: testbind


userPassword: testbind


uidNumber: 1104


gidNumber: 1100


homeDirectory: /home/testbind


loginShell: /bin/bash


objectClass: inetOrgPerson


objectClass: posixAccount


 


dn: uid=nmtgtest,ou=People,dc=cisco,dc=com


uid: nmtgtest


cn: nmtgtest


objectClass: account


objectClass: posixAccount


objectClass: top


objectClass: shadowAccount


userPassword: nmtgtest


shadowLastChange: 15064


loginShell: /bin/sh


uidNumber: 1315


gidNumber: 1


homeDirectory: /home/nmtg


 


3 PAM setting


There are many PAM modules, each talking to a different AAA server; Solaris ships a native pam_ldap module. Use /etc/pam.conf to relay a service's authentication to LDAP (or another AAA back end) by adding lines of this form for the service:

<service name>   auth       required    pam_ldap.so

<service name>   account    required    pam_ldap.so

On Solaris 10, pam_ldap(5) uses the password collected by pam_authtok_get(5), so in a full stack it sits after that module, as in the LDAP sample in the system pam.conf.


 


Run the following command to configure the Solaris native LDAP client:

ldapclient -v manual -a defaultSearchBase=dc=cisco,dc=com -a serviceSearchDescriptor=passwd:ou=People,dc=cisco,dc=com -a serviceSearchDescriptor=shadow:ou=People,dc=cisco,dc=com -a defaultServerList=10.74.125.39 -a domainName=cisco.com -a authenticationMethod=simple -a defaultSearchScope=sub -a credentialLevel=proxy -a proxyDN=uid=testbind,dc=cisco,dc=com -a proxyPassword=testbind

Note that authenticationMethod=simple sends the proxy password and every user's password in cleartext over port 389. The server above already has TLSCertificateFile and friends configured, so authenticationMethod=tls:simple, with the CA certificate installed on the client, is the safer setting outside a lab.


 


To verify that the LDAP client is working, run the following commands:


 


# getent passwd <username>
# ldaplist -l passwd <username>


 


Verify that the following two files contain the correct parameters. The {NS1} value in ldap_client_cred is a reversible encoding of the proxy password, not a hash (the client has to recover it to bind), so that file must stay readable by root only:


/var/ldap/ldap_client_file


 


NS_LDAP_FILE_VERSION= 2.0


NS_LDAP_SERVERS= 10.74.125.39


NS_LDAP_SEARCH_BASEDN= dc=cisco,dc=com


NS_LDAP_AUTH= simple


NS_LDAP_SEARCH_SCOPE= sub


NS_LDAP_CACHETTL= 0


NS_LDAP_CREDENTIAL_LEVEL= proxy


NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=cisco,dc=com


NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=cisco,dc=com
 


/var/ldap/ldap_client_cred


 


NS_LDAP_BINDDN= uid=testbind,dc=cisco,dc=com


NS_LDAP_BINDPASSWD= {NS1}4a3788e834634411



4 Verify

Source: 服务器评测 » PAM LDAP user authentication on RedHat Linux 5 and Solaris 10 (please credit the source when reposting)