LDAP server for Solaris and Linux clients

A few months ago I received a task to set up LDAP authentication for Solaris 10, Solaris 11 and Linux machines in a customer's infrastructure. OpenLDAP 2.4.x in a master-slave configuration with SSL/TLS support was chosen as the LDAP server. The servers were installed on virtual machines running CentOS 6.7.
I will not describe the LDAP installation, because on modern Linux distributions it is as simple as:

$ sudo yum install openldap-servers

The Directory Information Tree is also configured during installation. I will use dc=mycompany,dc=com in this document, with 'o=mycompany' and 'o=customer' as branches in the DIT to separate users and groups.
There are lots of manuals on how to configure master-slave replication in OpenLDAP, so this is out of scope; you will need to find one and configure it yourself. I used dynamic configuration, which is not well documented, but it is possible (and sometimes the only way) to prepare a static slapd.conf and convert it to dynamic configuration with 'slaptest'. My recommendation is to use this method.
Apart from the 'syncprov' overlay (the provider side of syncrepl replication), I am also using the 'memberof' and 'refint' overlays (there is a HOWTO for them) and 'unique'. Descriptions of the overlays can be found here: http://www.openldap.org/doc/admin24/overlays.html
Here is the list of enabled modules in my configuration:

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModuleLoad: {0}memberof.la
olcModuleLoad: {1}syncprov.la
olcModuleLoad: {2}refint.la
olcModuleLoad: {3}unique
olcModulePath: /usr/lib64/openldap

and the overlay configuration:

dn: olcOverlay={0}memberof,olcDatabase={2}bdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
olcOverlay: {0}memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: FALSE

dn: olcOverlay={1}syncprov,olcDatabase={2}bdb,cn=config
objectClass: olcSyncProvConfig
objectClass: olcOverlayConfig
olcOverlay: {1}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 200

dn: olcOverlay={2}refint,olcDatabase={2}bdb,cn=config
objectClass: top
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
olcOverlay: {2}refint
olcRefintAttribute: member memberof

dn: olcOverlay={3}unique,olcDatabase={2}bdb,cn=config
objectClass: olcUniqueConfig
objectClass: olcOverlayConfig
olcOverlay: {3}unique
olcUniqueURI: ldap:///dc=mycompany,dc=com?gidNumber?sub?(objectClass=posixGroup)
olcUniqueURI: ldap:///dc=mycompany,dc=com?uid,uidNumber?sub?(objectClass=posixAccount)

Once the LDAP server(s) are configured and running, we can focus on Solaris profiles. Why use profiles? Because it is faster and simpler to change a single LDAP entry than to reconfigure every client connected to LDAP. I have not heard of LDAP profiles for Linux, but with Solaris 10 and 11 they work fine.
To configure profiles you need to extend the LDAP schema with the attributes and object classes defined in the DUAConfigProfile schema. Download it, rename it to 'duaconfig.schema' and put it into the 'schema' directory under your LDAP server configuration directory (default: /etc/openldap/schema). Also download the NIS domain schema extension and save it as 'nisdomain.schema' in the same directory.
Include these files in 'slapd.conf' with the 'include' directive and, if you use dynamic configuration, convert it with 'slaptest'.
An example profile for Solaris clients looks as follows:

dn: cn=dev,ou=profile,dc=mycompany,dc=com
objectClass: DUAConfigProfile
objectClass: top
cn: dev
attributeMap: shadow:userpassword=userPassword
attributeMap: passwd:loginshell=loginShell
attributeMap: passwd:homedirectory=homeDirectory
attributeMap: passwd:uidnumber=uidNumber
attributeMap: passwd:gidnumber=gidNumber
attributeMap: group:gidnumber=gidNumber
attributeMap: automount:automountKey=cn
attributeMap: automount:automountInformation=nisMapEntry
attributeMap: automount:automountMapName=nisMapName
authenticationMethod: tls:simple
credentialLevel: proxy
defaultSearchBase: dc=mycompany,dc=com
defaultServerList: ldapsrvp01 ldapsrvp02
objectclassMap: shadow:shadowAccount=posixaccount
objectclassMap: passwd:posixAccount=posixaccount
objectclassMap: group:posixGroup=posixgroup
objectclassMap: automount:automount=nisObject
objectclassMap: automount:automountMap=nisMap
profileTTL: 300
serviceSearchDescriptor: passwd:ou=people,o=mycompany,dc=mycompany,dc=com?sub?(|(memberof=cn=uxadmin,ou=groups,o=mycompany,dc=mycompany,dc=com)(memberof=cn=dev,ou=groups,o=mycompany,dc=mycompany,dc=com));ou=people,o=customer,dc=mycompany,dc=com?sub?memberof=cn=dev,ou=groups,o=customer,dc=mycompany,dc=com
serviceSearchDescriptor: group:ou=groups,o=mycompany,dc=mycompany,dc=com;ou=groups,o=customer,dc=mycompany,dc=com
serviceSearchDescriptor: shadow:ou=people,o=mycompany,dc=mycompany,dc=com?sub?(|(memberof=cn=uxadmin,ou=groups,o=mycompany,dc=mycompany,dc=com)(memberof=cn=dev,ou=groups,o=mycompany,dc=mycompany,dc=com));ou=people,o=customer,dc=mycompany,dc=com?sub?memberof=cn=dev,ou=groups,o=customer,dc=mycompany,dc=com
serviceSearchDescriptor: auto_master:ou=service,dc=mycompany,dc=com?sub?nisMapName=auto_master
serviceSearchDescriptor: auto_home:ou=service,dc=mycompany,dc=com?sub?nisMapName=auto_home

I know that this profile may look complex, especially the serviceSearchDescriptor filters, but I want to show how to search for users and groups when they are defined in different LDAP branches.
This profile is called 'cn=dev' and uses the memberof overlay to allow access to the system for members of the 'uxadmin' and 'dev' groups from 'o=mycompany,dc=mycompany,dc=com' and for members of the 'dev' group from 'o=customer,dc=mycompany,dc=com'. Two caveats worth keeping in mind: the filters only limit which entries the client resolves through the name service, they are not server-side access control, so the directory's ACLs still decide who can read which entries; and with authenticationMethod tls:simple the proxy bind password is sent inside the TLS session, so the clients must verify the server certificate, otherwise TLS gives no protection against a spoofed server.
Of course you can define as many profiles as you need. A description of the parameters can be found in the documentation on the Oracle website.
I have not heard about profiles for Linux systems, and I did not define any on the LDAP servers.
How to connect Linux and Solaris clients I will describe in a separate post.
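To make the serviceSearchDescriptor logic concrete, here is an added Python example, not part of the original post and not Solaris or OpenLDAP code, that derives memberof values the way the memberof overlay does, parses the passwd descriptor above into its base/scope/filter parts, and evaluates which of a few constructed user entries a client would actually resolve. All user and group DNs in it are constructed sample data; the fallback scope 'one' for a descriptor without an explicit scope is an assumption matching the default of defaultSearchScope.

```python
"""Added example (not from the post): simulate how a Solaris client applies
a serviceSearchDescriptor, using memberof values as the memberof overlay
maintains them. All DNs below are constructed sample data."""
import re

# Group DN -> member DNs, i.e. what the group entries store on the server.
GROUPS = {
    "cn=uxadmin,ou=groups,o=mycompany,dc=mycompany,dc=com":
        ["uid=alice,ou=people,o=mycompany,dc=mycompany,dc=com"],
    "cn=dev,ou=groups,o=mycompany,dc=mycompany,dc=com":
        ["uid=bob,ou=people,o=mycompany,dc=mycompany,dc=com"],
    "cn=dev,ou=groups,o=customer,dc=mycompany,dc=com":
        ["uid=carol,ou=people,o=customer,dc=mycompany,dc=com"],
    "cn=ops,ou=groups,o=customer,dc=mycompany,dc=com":
        ["uid=dave,ou=people,o=customer,dc=mycompany,dc=com"],
}
PEOPLE = [
    "uid=alice,ou=people,o=mycompany,dc=mycompany,dc=com",
    "uid=bob,ou=people,o=mycompany,dc=mycompany,dc=com",
    "uid=carol,ou=people,o=customer,dc=mycompany,dc=com",
    "uid=dave,ou=people,o=customer,dc=mycompany,dc=com",   # only in 'ops', not granted
]
# The passwd descriptor from the profile above, unfolded into one string.
SSD_PASSWD = (
    "passwd:ou=people,o=mycompany,dc=mycompany,dc=com?sub?"
    "(|(memberof=cn=uxadmin,ou=groups,o=mycompany,dc=mycompany,dc=com)"
    "(memberof=cn=dev,ou=groups,o=mycompany,dc=mycompany,dc=com));"
    "ou=people,o=customer,dc=mycompany,dc=com?sub?"
    "memberof=cn=dev,ou=groups,o=customer,dc=mycompany,dc=com"
)

def normalize_dn(dn):
    # DN comparison is case-insensitive; whitespace after commas is not significant.
    return re.sub(r",\s*", ",", dn.strip()).lower()

def derive_memberof(groups):
    """What the memberof overlay does: {member_dn: [group_dn, ...]}."""
    memberof = {}
    for group_dn, members in groups.items():
        for member in members:
            memberof.setdefault(normalize_dn(member), []).append(normalize_dn(group_dn))
    return memberof

def parse_ssd(ssd):
    """'service:base?scope?filter;base?scope?filter' -> (service, [(base, scope, filter)]).
    Assumption: a missing scope falls back to 'one', the default of defaultSearchScope."""
    service, _, rest = ssd.partition(":")
    descs = []
    for part in rest.split(";"):
        fields = part.split("?") + ["", ""]          # pad so scope/filter may be absent
        descs.append((normalize_dn(fields[0]), fields[1] or "one", fields[2] or None))
    return service, descs

def parse_filter(text):
    """Minimal LDAP filter parser: (&...), (|...), (!...) and attr=value.
    A bare attr=value without parentheses (second descriptor above) is accepted."""
    text = text.strip()
    if not text.startswith("("):
        attr, _, value = text.partition("=")
        return ("eq", attr.strip().lower(), value)
    return _parse_node(text, 0)[0]

def _parse_node(s, i):
    i += 1                                   # skip '('
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            kid, i = _parse_node(s, i)
            kids.append(kid)
        return (op, kids), i + 1             # skip ')'
    close = s.index(")", i)
    attr, _, value = s[i:close].partition("=")
    return ("eq", attr.strip().lower(), value), close + 1

def matches(node, entry):
    """Evaluate a parsed filter against an entry given as {attr: [values]}."""
    if node[0] == "eq":
        _, attr, value = node
        wanted = normalize_dn(value) if attr == "memberof" else value
        return wanted in entry.get(attr, [])
    op, kids = node
    results = [matches(k, entry) for k in kids]
    return all(results) if op == "&" else any(results) if op == "|" else not results[0]

def in_scope(dn, base, scope):
    """base: the entry itself; one: direct children only; sub: base and everything below."""
    dn, base = normalize_dn(dn), normalize_dn(base)
    if dn == base:
        return scope in ("base", "sub")
    if scope == "base" or not dn.endswith("," + base):
        return False
    return scope == "sub" or "," not in dn[:-len(base) - 1]

def resolve(ssd, people, memberof):
    """DNs a client using this descriptor would see for passwd lookups, in descriptor
    order. Entries outside the filters still exist on the server; the client never asks."""
    _, descs = parse_ssd(ssd)
    found = []
    for base, scope, filt in descs:
        node = parse_filter(filt) if filt else None
        for dn in people:
            entry = {"memberof": memberof.get(normalize_dn(dn), [])}
            if in_scope(dn, base, scope) and (node is None or matches(node, entry)):
                found.append(dn)
    return found
```

Running resolve(SSD_PASSWD, PEOPLE, derive_memberof(GROUPS)) returns alice, bob and carol: dave is below the customer people branch but his only memberof value is the 'ops' group, so the second descriptor's filter drops him even though his entry is perfectly readable on the server.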
