LDAP server for Solaris and Linux clients
A few months ago I received a task to set up LDAP authentication for Solaris 10, Solaris 11 and Linux machines in a customer’s infrastructure. OpenLDAP 2.4.x was chosen as the LDAP server, in a master-slave configuration with SSL/TLS support. The servers were installed on virtual machines running CentOS 6.7.
I will not describe the LDAP installation, because on modern Linux distributions it is as simple as:
$ sudo yum install openldap-servers
The Directory Information Tree (DIT) configuration is also set during installation. I will use dc=mycompany,dc=com in this document, with “o=mycompany” and “o=customer” as branches in the DIT to separate users and groups.
There are plenty of manuals on how to configure master-slave replication in OpenLDAP, so this is out of scope; you will need to find one and configure it yourself. I used the dynamic configuration (cn=config), which is not well documented, but it is possible (and sometimes the only way) to prepare a static slapd.conf and convert it to the dynamic configuration with ‘slaptest’. I recommend this method.
Apart from the ‘syncprov’ overlay (the provider side of ‘syncrepl’ replication), I am also using the ‘memberof’ and ‘refint’ overlays (here is a HOWTO) and ‘unique’. Descriptions of the overlays can be found here: http://www.openldap.org/doc/admin24/overlays.html
Here is the list of modules enabled in my configuration:
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModuleLoad: {0}memberof.la
olcModuleLoad: {1}syncprov.la
olcModuleLoad: {2}refint.la
olcModuleLoad: {3}unique
olcModulePath: /usr/lib64/openldap
and the overlay configuration:
dn: olcOverlay={0}memberof,olcDatabase={2}bdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
olcOverlay: {0}memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: FALSE

dn: olcOverlay={1}syncprov,olcDatabase={2}bdb,cn=config
objectClass: olcSyncProvConfig
objectClass: olcOverlayConfig
olcOverlay: {1}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 200

dn: olcOverlay={2}refint,olcDatabase={2}bdb,cn=config
objectClass: top
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
olcOverlay: {2}refint
olcRefintAttribute: member memberof

dn: olcOverlay={3}unique,olcDatabase={2}bdb,cn=config
objectClass: olcUniqueConfig
objectClass: olcOverlayConfig
olcOverlay: {3}unique
olcUniqueURI: ldap:///dc=mycompany,dc=com?gidNumber?sub?(objectClass=posixGroup)
olcUniqueURI: ldap:///dc=mycompany,dc=com?uid,uidNumber?sub?(objectClass=posixAccount)
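The ‘unique’ and ‘refint’ overlays above enforce their constraints at write time on the server. The following Python script is an added example (it is not part of this post and not OpenLDAP code) that applies the same checks offline to an LDIF export of the kind ‘slapcat’ produces: the two olcUniqueURI rules (uid and uidNumber unique among posixAccount entries, gidNumber unique among posixGroup entries, across the whole dc=mycompany,dc=com subtree) and a scan for ‘member’ values that reference no existing entry, which is the dangling reference refint exists to clean up. The LDIF entries embedded in the script are constructed sample data. A duplicate uidNumber across the o=mycompany and o=customer branches, as in the sample, is exactly the collision that makes two directory accounts the same user on every client, so it is worth catching before the overlay is enabled on a directory that already has data.

```python
"""Offline check of what the 'unique' and 'refint' overlays enforce.

Added example; not part of the original post and not OpenLDAP code. It
parses a small constructed LDIF export and reports (a) uid/uidNumber
collisions among posixAccount entries and gidNumber collisions among
posixGroup entries, mirroring the two olcUniqueURI rules, and (b) 'member'
values that point at no existing entry.
"""
from collections import defaultdict

# Constructed sample data: two accounts in different branches share uidNumber,
# two groups share gidNumber, and one group names a member that does not exist.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,o=mycompany,dc=mycompany,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 1001
gidNumber: 100

dn: uid=bob,ou=people,o=customer,dc=mycompany,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 1001
gidNumber: 100

dn: cn=dev,ou=groups,o=mycompany,dc=mycompany,dc=com
objectClass: posixGroup
objectClass: groupOfNames
cn: dev
gidNumber: 2000
member: uid=alice,ou=people,o=mycompany,dc=mycompany,dc=com
member: uid=carol,ou=people,o=mycompany,dc=mycompany,dc=com

dn: cn=dev,ou=groups,o=customer,dc=mycompany,dc=com
objectClass: posixGroup
objectClass: groupOfNames
cn: dev
gidNumber: 2000
member: uid=bob,ou=people,o=customer,dc=mycompany,dc=com
"""


def parse_ldif(text):
    """Return a list of {attr: [values]} dicts (attribute names lowercased).

    Implements the LDIF folding rule: a line starting with a single space
    continues the previous value. Comments and base64 (::) values are out of scope.
    """
    entries, current, last_attr = [], None, None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():               # blank line ends an entry
            if current:
                entries.append(current)
            current, last_attr = None, None
            continue
        attr, _, value = raw.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if current is None:
            current = defaultdict(list)
        current[attr].append(value)
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def find_duplicates(entries, objectclass, attrs):
    """Mirror one olcUniqueURI rule: among entries of the given objectClass,
    each listed attribute value must occur once. Returns {(attr, value): [dns]}."""
    seen = defaultdict(list)
    for e in entries:
        classes = {oc.lower() for oc in e.get("objectclass", [])}
        if objectclass.lower() not in classes:
            continue
        for attr in attrs:
            for value in e.get(attr.lower(), []):
                seen[(attr, value)].append(e["dn"][0])
    return {k: v for k, v in seen.items() if len(v) > 1}


def find_dangling_members(entries):
    """Return (group_dn, member_dn) pairs whose member DN does not exist."""
    known = {e["dn"][0].lower() for e in entries}
    return [(e["dn"][0], m) for e in entries for m in e.get("member", [])
            if m.lower() not in known]


def audit(text=SAMPLE_LDIF):
    """Run both checks and return the findings as a dict."""
    entries = parse_ldif(text)
    return {
        "account_dups": find_duplicates(entries, "posixAccount", ["uid", "uidNumber"]),
        "group_dups": find_duplicates(entries, "posixGroup", ["gidNumber"]),
        "dangling": find_dangling_members(entries),
    }


if __name__ == "__main__":
    for kind, findings in audit().items():
        print(kind, findings)
```

To run it against a real directory, replace SAMPLE_LDIF with the output of ‘slapcat’; the script deliberately compares DNs case-insensitively, since LDAP DN matching is not case-sensitive, but it does not normalise whitespace inside DNs.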
Once the LDAP server(s) are configured and running, we can focus on Solaris profiles. Why use profiles? Because it is faster and simpler to change a single LDAP entry than to reconfigure every client connected to LDAP. I have not heard of LDAP profiles for Linux, but with Solaris 10 and 11 they work fine.
To configure profiles you need to extend the LDAP schema with the attributes and object classes defined in DUAConfigProfile:
DUAConfigProfile
Just download it, rename it to ‘duaconfig.schema’ and put it into the ‘schema’ directory under your LDAP server configuration directory. Also download the
NIS domain schema extension and put it in the same directory as ‘nisdomain.schema’ (default: /etc/openldap/schema).
Include these files in ‘slapd.conf’ with the ‘include’ directive and, if you use the dynamic configuration, convert it with ‘slaptest’.
An example profile for Solaris clients looks as follows:
dn: cn=dev,ou=profile,dc=mycompany,dc=com
objectClass: DUAConfigProfile
objectClass: top
cn: dev
attributeMap: shadow:userpassword=userPassword
attributeMap: passwd:loginshell=loginShell
attributeMap: passwd:homedirectory=homeDirectory
attributeMap: passwd:uidnumber=uidNumber
attributeMap: passwd:gidnumber=gidNumber
attributeMap: group:gidnumber=gidNumber
attributeMap: automount:automountKey=cn
attributeMap: automount:automountInformation=nisMapEntry
attributeMap: automount:automountMapName=nisMapName
authenticationMethod: tls:simple
credentialLevel: proxy
defaultSearchBase: dc=mycompany,dc=com
defaultServerList: ldapsrvp01 ldapsrvp02
objectclassMap: shadow:shadowAccount=posixaccount
objectclassMap: passwd:posixAccount=posixaccount
objectclassMap: group:posixGroup=posixgroup
objectclassMap: automount:automount=nisObject
objectclassMap: automount:automountMap=nisMap
profileTTL: 300
serviceSearchDescriptor: passwd:ou=people,o=mycompany,dc=mycompany,dc=com?sub?(|(memberof=cn=uxadmin,ou=groups,o=mycompany,dc=mycompany,dc=com)(memberof=cn=dev,ou=groups,o=mycompany,dc=mycompany,dc=com));ou=people,o=customer,dc=mycompany,dc=com?sub?memberof=cn=dev,ou=groups,o=customer,dc=mycompany,dc=com
serviceSearchDescriptor: group:ou=groups,o=mycompany,dc=mycompany,dc=com;ou=groups,o=customer,dc=mycompany,dc=com
serviceSearchDescriptor: shadow:ou=people,o=mycompany,dc=mycompany,dc=com?sub?(|(memberof=cn=uxadmin,ou=groups,o=mycompany,dc=mycompany,dc=com)(memberof=cn=dev,ou=groups,o=mycompany,dc=mycompany,dc=com));ou=people,o=customer,dc=mycompany,dc=com?sub?memberof=cn=dev,ou=groups,o=customer,dc=mycompany,dc=com
serviceSearchDescriptor: auto_master:ou=service,dc=mycompany,dc=com?sub?nisMapName=auto_master
serviceSearchDescriptor: auto_home:ou=service,dc=mycompany,dc=com?sub?nisMapName=auto_home
I know this profile may look complex, especially the serviceSearchDescriptor filters, but I want to show how to search for users and groups when they are defined in different LDAP branches.
This profile is called ‘cn=dev’ and uses the memberOf overlay to allow system access to members of the ‘uxadmin’ and ‘dev’ groups from ‘o=mycompany,dc=mycompany,dc=com’ and to members of the ‘dev’ group from ‘o=customer,dc=mycompany,dc=com’.
Of course you can define as many profiles as you need. A description of the parameters can be found in the documentation on the Oracle website.
I have not heard of profiles for Linux systems, and I did not define any on the LDAP servers.
I will describe how to connect Linux and Solaris clients in a separate post.
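Because the serviceSearchDescriptor values decide which accounts a Solaris client will resolve at all, it pays to decode them before pushing a profile out. The Python script below is an added example (not part of this post and not Solaris code): it splits each descriptor into the individual searches a client issues (‘service:base?scope?filter’, with several ‘base?scope?filter’ parts separated by ‘;’), rejects an unknown scope or a filter with unbalanced parentheses, and lists the group DNs named in memberof terms so you can see at a glance which groups the profile admits. PROFILE_SSDS holds the five descriptors from the cn=dev profile above; treating an omitted scope as ‘one’ is an assumption that matches the Solaris default for defaultSearchScope.

```python
"""Decode the serviceSearchDescriptor (SSD) values of a DUAConfigProfile.

Added example; not part of the original post and not Solaris code. An SSD
has the form 'service:base?scope?filter;base?scope?filter...'. This module
splits it into the searches a Solaris client issues, validates scope and
filter syntax, and lists the group DNs referenced by memberof terms.
"""
import re

# The five descriptors from the cn=dev profile discussed in the post.
PROFILE_SSDS = [
    "passwd:ou=people,o=mycompany,dc=mycompany,dc=com?sub?"
    "(|(memberof=cn=uxadmin,ou=groups,o=mycompany,dc=mycompany,dc=com)"
    "(memberof=cn=dev,ou=groups,o=mycompany,dc=mycompany,dc=com));"
    "ou=people,o=customer,dc=mycompany,dc=com?sub?"
    "memberof=cn=dev,ou=groups,o=customer,dc=mycompany,dc=com",
    "group:ou=groups,o=mycompany,dc=mycompany,dc=com;"
    "ou=groups,o=customer,dc=mycompany,dc=com",
    "shadow:ou=people,o=mycompany,dc=mycompany,dc=com?sub?"
    "(|(memberof=cn=uxadmin,ou=groups,o=mycompany,dc=mycompany,dc=com)"
    "(memberof=cn=dev,ou=groups,o=mycompany,dc=mycompany,dc=com));"
    "ou=people,o=customer,dc=mycompany,dc=com?sub?"
    "memberof=cn=dev,ou=groups,o=customer,dc=mycompany,dc=com",
    "auto_master:ou=service,dc=mycompany,dc=com?sub?nisMapName=auto_master",
    "auto_home:ou=service,dc=mycompany,dc=com?sub?nisMapName=auto_home",
]

VALID_SCOPES = ("base", "one", "sub")


def balanced(filt):
    """True if every '(' in the filter has a matching ')' in the right order."""
    depth = 0
    for ch in filt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def parse_ssd(line):
    """Split one SSD into (service, [{'base', 'scope', 'filter'}, ...]).

    Raises ValueError on an unknown scope or an unbalanced filter, which is
    the kind of typo you want to catch before the profile reaches clients.
    """
    service, _, rest = line.partition(":")
    searches = []
    for part in rest.split(";"):
        fields = part.split("?")
        base = fields[0].strip()
        # Assumption: an omitted scope behaves like the Solaris default 'one'.
        scope = fields[1].strip() if len(fields) > 1 and fields[1].strip() else "one"
        filt = fields[2].strip() if len(fields) > 2 else ""
        if filt and not filt.startswith("("):
            filt = "(" + filt + ")"      # the profile above uses bare attr=value
        if scope not in VALID_SCOPES:
            raise ValueError(f"bad scope {scope!r} in {service} descriptor")
        if filt and not balanced(filt):
            raise ValueError(f"unbalanced filter {filt!r} in {service} descriptor")
        searches.append({"base": base, "scope": scope, "filter": filt})
    return service.strip(), searches


def admitted_groups(filt):
    """Group DNs referenced by memberof=... terms, in filter order."""
    return re.findall(r"memberof=([^()]+)", filt, flags=re.IGNORECASE)


def audit_profile(ssds=PROFILE_SSDS):
    """Map service -> list of (base, scope, [group DNs]) for each search."""
    report = {}
    for line in ssds:
        service, searches = parse_ssd(line)
        report[service] = [(s["base"], s["scope"], admitted_groups(s["filter"]))
                           for s in searches]
    return report


if __name__ == "__main__":
    for service, searches in audit_profile().items():
        for base, scope, groups in searches:
            print(f"{service:12} {scope:4} {base}")
            for group in groups:
                print(f"{'':17} admits members of {group}")
```

One thing the report makes visible is that the passwd and shadow descriptors must stay identical: if they drift apart, a user can be resolved by name but fail the shadow lookup, or the reverse, and the symptom on the client is a confusing login failure rather than a clear error.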