Solved

Using Openldap to authenticate Linux / NT users

Posted on 2001-06-20
601 Views
Last Modified: 2013-12-06
Ok, here's the deal.  I have a network consisting of 13 Linux boxes (RH and Debian), and 4 NT Servers.  I run Sendmail for e-mail, BIND for DNS, CVS, and NT / SAMBA for filesharing.  I would like to set up an LDAP server to handle (primarily) authentication to all network resources, and (secondary) as a company-wide address book, central location for DNS configs, and anything else that I could use it for.  I've been working on this for about 2 weeks now, and have been able to get the OS installed (no prob), and I've been able to get slapd running.  The problem that I am having is that when I try to use RPMs (since I'm using RH, I usually try it their way first), I get a bunch of dependency errors (liblber.so.1 and libldap.so.1), and the only source that I can find is openldap-2.0.11, which will require the new version of openssl and openssh across the board (a move I'm not ready to make yet).  At any rate, the basic question (for the 200 points) is how do I configure openldap and 1 RH Linux 7.0 client so that users can authenticate to both boxes off of the LDAP database without having an account (in /etc/passwd) on either box.  I may not have asked the question properly, and would be more than glad to offer any details that I could for some assistance on this.  Below are the packages (RPMs) that I have to work with currently, and the source that I have to work with currently.  I would prefer to either use all source, or all RPMs (except on the Debian boxes) if possible, and can download additional packages / source if necessary:

--RPMS--
openldap-1.2.11-15.rpm (I had to install this first to satisfy a dependency)
openldap-2.07.rpm (this is the version that I can use with my current openssl / openssh config)
openldap-servers-1.2.11.rpm
openldap-clients-1.2.11.rpm
nss_ldap-85-2.rpm
auth_ldap-1.4.0-3.rpm
auth_ldap-1.4.3-2.rpm

--Source--

openldap-2.0.7.tgz
openldap-2.0.11.tgz (requires updated openssl / openssh)
pam_ldap.tgz (the version available currently from padl.com)
nss_ldap.tgz (the version available currently from padl.com)

I also have one of the Linux boxes set up as a domain controller in the NT domain, if that helps.

Question by: nunderwood
3 Comments

Accepted Solution

by: grepster (earned 200 total points)
ID: 6232244
Hiya

We have done just that here at work and what you will need to do is install:
Kerberos5 protocol
Cyrus-SASL

get that authenticating etc etc.  There are plenty of modules out there for other great things like to import


Author Comment

by: nunderwood
ID: 6232355
I still seem to be missing something.  I have the following installed via rpm (I believe this is all that I need):

openldap-clients-2.0.7-14
openldap-2.0.7-14
openldap-servers-2.0.7-14
nss_ldap-85-2
pam_krb5-1.31-1
krb5-devel-1.2.2-7
krb5-workstation-1.2.2-7
krbafs-1.0.5-1
krb5-libs-1.2.2-7
krb5-server-1.2.2-7

The test that I'm using is the following:

Created a user in the ldap tree:

uid=test,ou=employees,dc=<domain>,dc=com
(user doesn't exist in /etc/passwd)

Edited /etc/nsswitch.conf:
     passwd:     ldap files
     shadow:     ldap files
     group:      ldap files

Tried to log in via SecureCRT using test & password - failed
Tried to log in at terminal using test & password - failed

I'm monitoring /var/log/messages, /var/log/ldap, and /var/log/secure while I'm making these attempts.  The only log that generates an entry is /var/log/secure.  The contents are below:

Jun 27 12:58:06 ldap sshd[32118]: PAM pam_set_item: NULL pam handle passed
Jun 27 12:58:16 ldap sshd[32118]: PAM pam_set_item: NULL pam handle passed
Jun 27 12:58:16 ldap sshd[32118]: Failed password for illegal user test from 192.168.1.230 port 3317
Jun 27 12:58:25 ldap sshd[32118]: Unknown message during authentication: type 4
Jun 27 12:58:25 ldap sshd[32118]: Failed bad-auth-msg-4 for illegal user test from 192.168.1.230 port 3317
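An added diagnostic, not part of the original thread: the two kinds of failure in the log excerpt above tell you different things. "illegal user" is what sshd logs when it cannot resolve the account name at all, which is an NSS problem (the lookup never reached the directory), and it happens before PAM is consulted; a plain "Failed password for <user>" means the name resolved and PAM rejected the credential, which points at /etc/pam.d or the stored password instead. The script below, written for this page, classifies a constructed copy of /var/log/secure; the fourth sample line (user "bob") and the temp-file path are assumptions.

```shell
#!/bin/sh
# Added example: sort sshd failures in a /var/log/secure excerpt into
# "name not resolvable" (NSS) versus "name resolved, credential rejected" (PAM).
# The sample below is constructed from the lines quoted in the thread plus one
# made-up line for a user that does resolve.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jun 27 12:58:06 ldap sshd[32118]: PAM pam_set_item: NULL pam handle passed
Jun 27 12:58:16 ldap sshd[32118]: Failed password for illegal user test from 192.168.1.230 port 3317
Jun 27 12:58:25 ldap sshd[32118]: Failed bad-auth-msg-4 for illegal user test from 192.168.1.230 port 3317
Jun 27 13:02:10 ldap sshd[32140]: Failed password for bob from 192.168.1.231 port 3320
EOF

# count_unknown_users FILE
# Failures where sshd could not look the account up ("illegal user"). With
# "ldap" in nsswitch.conf this means nss_ldap did not answer: module missing,
# wrong host/base in ldap.conf, or the entry lacks a posixAccount uid/uidNumber.
count_unknown_users() {
    grep -c 'for illegal user' "$1"
}

# count_bad_passwords FILE
# Failures where the account resolved but the password was rejected; the NSS
# side is fine here, so look at the PAM stack and the stored credential.
count_bad_passwords() {
    grep 'Failed password for' "$1" | grep -vc 'illegal user'
}

# unknown_user_names FILE
# The unresolved names, deduplicated, so each can be tried with
# "getent passwd <name>" to confirm whether NSS sees it at all.
unknown_user_names() {
    sed -n 's/.*for illegal user \([^ ]*\) .*/\1/p' "$1" | sort -u
}

echo "unresolved names (NSS):     $(count_unknown_users "$SAMPLE_LOG")"
echo "rejected passwords (PAM):   $(count_bad_passwords "$SAMPLE_LOG")"
echo "names to check with getent: $(unknown_user_names "$SAMPLE_LOG" | tr '\n' ' ')"
```

Run it against the real file by replacing SAMPLE_LOG with /var/log/secure; if every failure lands in the first bucket, as in the thread, fix name resolution (nsswitch.conf, ldap.conf, the directory entry) before touching pam.d.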

Author Comment

by: nunderwood
ID: 6235021
First off, I apologize for not figuring my mistake out sooner. Once I updated the Cyrus-SASL and Kerberos packages (and edited the /etc/nsswitch.conf on the client machine) I was able to authenticate from a remote machine to the LDAP server.  With this in mind, I'm going to close this question, but I'll probably be opening another one soon, once I start building the LDAP directory to better suit my organization (questions will include how to say uid=x can log onto this server, but not that server, like on the mail server [users do not have a shell, or home directory on the mail server]).  In case anyone else is trying to figure this out, maybe the information below will lead you in the right direction:

RPMs Installed:
  (I installed all of these, with the exception of openldap-servers, on the machines that would participate in LDAP)
    openldap-2.0.7-14
    openldap-servers-2.0.7-14
    openldap-clients-2.0.7-14
    nss_ldap-149-1
    openldap-devel-2.0.7-14
    pam_krb5-1.31-1
    krb5-server-1.2.2-7
    krb5-workstation-1.2.2-7
    krb5-libs-1.2.2-7
    krb5-devel-1.2.2-7


I edited the /etc/ldap.conf, and added the BASE and HOST of my LDAP server
I edited the /etc/openldap/ldap.conf to reflect the same
I edited /etc/nsswitch.conf, and added ldap to passwd, shadow, and group
I edited the files in /etc/pam.d, and added LDAP support for the services that I will be using LDAP for
Since it's Red Hat, and because I was curious, I ran authconfig just to make sure that everything showed up

Hope this helps, and grepster, thanks for pointing out the two that I missed.  I hope that I can call on you if I get in another pinch trying to get the directory set up.
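As an added example, not the poster's own files or commands: a small shell checker for the three client-side edits listed above (ldap.conf with host and base, nsswitch.conf with ldap on passwd/shadow/group, and a pam.d service stack that actually references an LDAP module). The file contents, host and base values, and the pam_ldap.so stack are constructed samples written to a temp directory so the script runs offline; on a real client the paths are /etc/ldap.conf, /etc/nsswitch.conf and /etc/pam.d/<service>.

```shell
#!/bin/sh
# Added example: verify the client-side files the thread says must be edited.
# Everything below is a constructed sample; substitute the real /etc paths
# when running this on an actual client.

WORK=$(mktemp -d)

# Constructed /etc/ldap.conf (the nss_ldap / pam_ldap client config).
cat > "$WORK/ldap.conf" <<'EOF'
host ldap.example.com
base dc=example,dc=com
EOF

# Constructed /etc/nsswitch.conf; "group" is deliberately left without ldap
# to show what the checker reports.
cat > "$WORK/nsswitch.conf" <<'EOF'
passwd:     ldap files
shadow:     ldap files
group:      files
EOF

# Constructed /etc/pam.d/sshd with pam_ldap.so in the auth and account stacks.
cat > "$WORK/sshd" <<'EOF'
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok
auth       sufficient   /lib/security/pam_ldap.so use_first_pass
auth       required     /lib/security/pam_deny.so
account    sufficient   /lib/security/pam_unix.so
account    required     /lib/security/pam_ldap.so
EOF

# ldap_conf_ok FILE
# Both "host" and "base" must be set (keywords are case-insensitive); without
# them nss_ldap has nowhere to connect and every lookup falls through to files.
ldap_conf_ok() {
    grep -qi '^host[[:space:]]' "$1" && grep -qi '^base[[:space:]]' "$1"
}

# nss_missing_ldap FILE
# Print each of passwd/shadow/group whose line does not list ldap. Any output
# means that database is still resolved from local files only.
nss_missing_ldap() {
    awk '/^(passwd|shadow|group):/ && $0 !~ /ldap/ { sub(":", "", $1); print $1 }' "$1"
}

# pam_has_module FILE MODULE
# True if the service stack references MODULE at all; a service left out of
# the pam.d edits keeps authenticating against /etc/passwd only.
pam_has_module() {
    grep -q "$2" "$1"
}

if ldap_conf_ok "$WORK/ldap.conf"; then
    echo "ldap.conf: host and base present"
else
    echo "ldap.conf: host or base missing"
fi
echo "nsswitch databases without ldap: $(nss_missing_ldap "$WORK/nsswitch.conf" | tr '\n' ' ')"
if pam_has_module "$WORK/sshd" pam_ldap.so; then
    echo "pam.d/sshd: pam_ldap.so referenced"
else
    echo "pam.d/sshd: no LDAP module in stack"
fi
```

The checks are deliberately coarse: they catch the omissions the thread ran into (a database left off nsswitch.conf, a service never given an LDAP module) rather than validating module ordering, and a clean result should still be followed by `getent passwd <uid>` on the client to confirm the directory really answers.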