Authenticating Linux users with IBM Directory Server

This article describes how to use the IBM Directory Server to authenticate Linux users. The author explains step-by-step how to configure Directory Server, and Linux, to build a basic configuration to use Directory Server to authenticate Linux users.

Ming Xia (gclprj3@cn.ibm.com), Software Engineer, IBM

Ming Xia works as a system tester on the IBM WebSphere Application Server Community Edition team. He is interested in Java EE development and testing.



10 February 2005

Introduction

Lightweight Directory Access Protocol (LDAP) is a lightweight client-server protocol for accessing directory services, especially those that are X.500 based. IBM Directory Server is a mature product that implements the LDAP protocol. Linux, which is increasingly popular, provides several system user authentication methods, including local files, NIS, LDAP, and the PAM mechanism. Linux is able to use different authentication methods for its various services.

This article describes how to authenticate Linux users with the IBM Directory Server. I won't cover related concepts; for background information see Resources.

I used RedHat Linux 7.3 as the target Linux system, and chose the IBM Directory Server 5.1 as the LDAP server. See the RedHat and IBM Web sites for installation information for Linux and Directory Server 5.1, if necessary.


Configuring the Directory Server 5.1 server

Before you start to use Directory Server to store your Linux system user information, you need to plan your system user structure. For example, in my setup the Directory Server 5.1 server is installed on a separate Windows 2000 server, and a structure is planned as follows:

o=ibm,c=cn
|-ou=csdl,o=ibm,c=cn
  |-ou=gcl,ou=csdl,o=ibm,c=cn
     |-uid=user1,ou=gcl,ou=csdl,o=ibm,c=cn
     |-uid=user2,ou=gcl,ou=csdl,o=ibm,c=cn

To build the structures, use the following steps:

  1. Add a suffix. This stops the Directory Server server, and uses ldapxcfg to add a new suffix called o=ibm,c=cn, as shown in Figure 1.
    Figure 1. Adding a new suffix
    Adding a new suffix
  2. Import the LDAP Data Interchange Format (LDIF) file, including the basic structure. Edit the LDIF file, which defines the root distinguished name (DN) and basic structure DNs, as shown below.
        version: 1 
            
        dn: o=IBM,c=CN
        objectclass: top
        objectclass: organization
        o: ibm
                
        dn: ou=CSDL,o=ibm,c=cn
        ou: CSDL
        objectclass: organizationalUnit
        objectclass: top
        description: China Software Development Lab
        businessCategory: R&D
               
        dn: ou=GCL,ou=CSDL,o=ibm,c=cn
        ou: GCL
        objectclass: organizationalUnit
        objectclass: top
        description: Globalization Certification Lab

    Use ldapxcfg to import the LDIF, as shown in Figure 2.

    Figure 2.
  3. Use the Web tool ldif2db to add users. To create a new user entry, you can use two different methods:
    Web tool
    Directory Server 5.1 provides a Web application that could be deployed to a certain application server. By default, it uses WebSphere Application Server 5.0 express. This tool provides a user friendly GUI to help you manage the LDAP information.
    Command line tool
    Use ldif2db to import entries. For example,
    ldif2db -i oneEntry.ldif

    The example below shows how to use the command tool to add a new user.

    #oneEntry.ldif
             
    dn: uid=user1,ou=GCL,ou=CSDL,o=ibm,c=cn
    loginShell: /bin/bash
    memberUid: 900
    gidNumber: 800
    objectclass: posixGroup
    objectclass: top
    objectclass: posixAccount
    objectclass: shadowAccount
    uid: user1
    uidNumber: 900
    cn: user1
    description: One user of system
    homeDirectory: /home/user1
    userpassword: password
    ownerpropagate: TRUE
    entryowner: access-id:UID=USER1,OU=GCL,OU=CSDL,O=IBM,C=CN

    For Linux user information, the object class should be posixAccount. Set entryowner of this entry to the user "self," so the user will be able to change the password. For more information about Directory Server ACL, refer to the Directory Server documents.

After adding some users, start the Directory Server server to be ready to serve for Linux users authentication.


Configuration on Linux

On RedHat Linux 7.3, logon as root, and make sure these two packages are installed:

  • openldap-2.0.23-4
  • nss_ldap-185-1

Use the #rpm -qa|grep ldap command to check the installed RPM. If those two packages are not installed, mount the RedHat installation image and use the following commands:

  #rpm -ivh <PathToPkgs>/openldap-2.0.23-4.rpm
  #rpm -ivh <PathToPkgs>/nss_ldap-185-1.rpm

When the two packages are installed, open /etc/ldap.conf to do some configurations. Below are some of the key directives to configure.

hostspecify the LDAP server IP/Hostname
basespecify the LDAP client search base
port specify LDAP server port
pam_filterspecify LDAP client search filter
pam_login_attributespecify login attribute of one user entry
pam_passwordspecify client password hash method

The following example is part of ldap.conf. Pay special attention to those directives in bold.

      # @(#)$Id: ldap.conf,v 1.24 2001/09/20 14:12:26 lukeh Exp $
      #
      # This is the configuration file for the LDAP nameservice
      # switch library and the LDAP PAM module.
      #
      # PADL Software
      # http://www.padl.com
      #
      # Your LDAP server. Must be resolvable without using LDAP.
      #host 127.0.0.1
      host 192.168.0.188
      
      # The distinguished name of the search base.
      #base dc=example,dc=com
      base o=IBM,c=CN
      
      # Another way to specify your LDAP server is to provide an
      # uri with the server name. This allows to use
      # Unix Domain Sockets to connect to a local LDAP Server.
      #uri ldap://127.0.0.1/
      #uri ldaps://127.0.0.1/ 
      #uri ldapi://%2fvar%2frun%2fldapi_sock/
      # Note: %2f encodes the '/' used as directory separator
      # The LDAP version to use (defaults to 3
      # if supported by client library)
      #ldap_version 3
      
      # The distinguished name to bind to the server with.
      # Optional: default is to bind anonymously.
      #binddn cn=proxyuser,dc=example,dc=com
     
      # The credentials to bind with. 
      # Optional: default is no credential.
      
      # The distinguished name to bind to the server with
      # if the effective user ID is root. Password is
      # stored in /etc/ldap.secret (mode 600)
      #rootbinddn cn=manager,dc=example,dc=com
      
      # The port.
      # Optional: default is 389.
      port 389
      
      # The search scope.
      #scope sub
      #scope one
      #scope base
      # Search timelimit
      #timelimit 30
      # Bind timelimit
      #bind_timelimit 30
      # Idle timelimit; client will close connections
      # (nss_ldap only) if the server has not been contacted
      # for the number of seconds specified below.
      #idle_timelimit 3600
      
      # Filter to AND with uid=%s
      pam_filter objectclass=posixAccount
      
      # The user ID attribute (defaults to uid)
      pam_login_attribute uid
      
      # Search the root DSE for the password policy (works
      # with Netscape Directory Server)
      #pam_lookup_policy yes
      # Check the 'host' attribute for access control
      # Default is no; if set to yes, and user has no
      # value for the host attribute, and pam_ldap is
      # configured for account management (authorization)
      # then the user will not be allowed to login.
      #pam_check_host_attr yes
      # Group to enforce membership of
      #pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
      # Group member attribute
      #pam_member_attribute uniquemember
      # Specify a minium or maximum UID number allowed
      #pam_min_uid 0
      #pam_max_uid 0
      # Template login attribute, default template user
      # (can be overriden by value of former attribute
      # in user's entry)
      #pam_login_attribute userPrincipalName
      #pam_template_login_attribute uid
      #pam_template_login nobody
      # HEADS UP: the pam_crypt, pam_nds_passwd,
      # and pam_ad_passwd options are no
      # longer supported.
      
      # Do not hash the password at all; presume
      # the directory server will do it, if
      # necessary. This is the default.
      #pam_password md5
     pam_password clear
      ssl no
      ... 
      ...

Save changes, and use authconfig to enable LDAP authentication with #authconfig.

On the User Information Configuration panel, as shown in Figure 3, check Cache Information and Use LDAP.

Figure 3. User Information Configuration
User Information Configuration

On the Authentication Configuration panel, check Use LDAP Authentication, as shown in Figure 4.

Figure 4. Authentication Configuration
Authentication Configuration

Then enter Ok. The Linux sytem will be enabled to use LDAP authentication.

This tool will change the directive pam_password value to md5. To make users change their passwords successfully, you need to manually change this directive value to "clear."

Now we could logon as the user whose information is stored in the Directory Server server. For example, logon as user1 as follows:

Because there is no home directory of user1, the login shell automatically changed path to "/". We could manually add user home directory to make things better:

  #mkdir /home/user1
  #cp /etc/skel/.* /home/user1
  #chown -R user1:user1 /home/user1

Now logon as user1 again, and no warning appears:

OK, that's great! We've built a basic configuration that could leverage Directory Server to authenticate the Linux system users. Because Linux and Directory Server both support Secure Sockets Layer (SSL), so we could do further configuration to enhance system security. For more information about SSL configuration, see Resources.

Resources

Comments

developerWorks: Sign in

Required fields are indicated with an asterisk (*).


Need an IBM ID?
Forgot your IBM ID?


Forgot your password?
Change your password

By clicking Submit, you agree to the developerWorks terms of use.

 


The first time you sign into developerWorks, a profile is created for you. Information in your profile (your name, country/region, and company name) is displayed to the public and will accompany any content you post, unless you opt to hide your company name. You may update your IBM account at any time.

All information submitted is secure.

Choose your display name



The first time you sign in to developerWorks, a profile is created for you, so you need to choose a display name. Your display name accompanies the content you post on developerWorks.

Please choose a display name between 3-31 characters. Your display name must be unique in the developerWorks community and should not be your email address for privacy reasons.

Required fields are indicated with an asterisk (*).

(Must be between 3 – 31 characters.)

By clicking Submit, you agree to the developerWorks terms of use.

 


All information submitted is secure.

Dig deeper into Linux on developerWorks


static.content.url=http://www.ibm.com/developerworks/js/artrating/
SITE_ID=1
Zone=Linux
ArticleID=13052
ArticleTitle=Authenticating Linux users with IBM Directory Server
publish-date=02102005