Authenticating Linux users with IBM Directory Server
Lightweight Directory Access Protocol (LDAP) is a lightweight client-server protocol for accessing directory services, especially X.500-based ones. IBM Directory Server is a mature product that implements LDAP. Linux provides several ways to authenticate system users, including local files, NIS and LDAP, selected through the Name Service Switch (NSS) and the Pluggable Authentication Modules (PAM) framework; because PAM is configured per service, different services can use different authentication methods.
This article describes how to authenticate Linux users with the IBM Directory Server. I won't cover related concepts; for background information see Related topics.
I used RedHat Linux 7.3 as the target Linux system, and chose the IBM Directory Server 5.1 as the LDAP server. See the RedHat and IBM Web sites for installation information for Linux and Directory Server 5.1, if necessary.
Configuring the Directory Server 5.1 server
Before you start using Directory Server to store your Linux system user information, you need to plan the user structure. In my setup, for example, the Directory Server 5.1 server is installed on a separate Windows 2000 server, and the structure is planned as follows:
o=ibm,c=cn
|-ou=csdl,o=ibm,c=cn
  |-ou=gcl,ou=csdl,o=ibm,c=cn
    |-uid=user1,ou=gcl,ou=csdl,o=ibm,c=cn
    |-uid=user2,ou=gcl,ou=csdl,o=ibm,c=cn
To build the structures, use the following steps:
- Add a suffix. Stop the Directory Server, then use ldapxcfg to add a new suffix, o=ibm,c=cn, as shown in Figure 1.
Figure 1. Adding a new suffix
- Import an LDAP Data Interchange Format (LDIF) file containing the basic structure.
Edit the LDIF file, which defines the root distinguished name (DN) and the DNs of the basic structure, as shown below.
version: 1

dn: o=IBM,c=CN
objectclass: top
objectclass: organization
o: ibm

dn: ou=CSDL,o=ibm,c=cn
ou: CSDL
objectclass: organizationalUnit
objectclass: top
description: China Software Development Lab
businessCategory: R&D

dn: ou=GCL,ou=CSDL,o=ibm,c=cn
ou: GCL
objectclass: organizationalUnit
objectclass: top
description: Globalization Certification Lab
Use ldapxcfg to import the LDIF, as shown in Figure 2.
- Add users, with either the Web tool or the ldif2db command line tool.
To create a new user entry, you can use two different methods:
- Web tool: Directory Server 5.1 provides a Web application that can be deployed to an application server; by default it uses WebSphere Application Server 5.0 Express. This tool provides a user-friendly GUI for managing the LDAP information.
- Command line tool: use ldif2db to import entries. For example,
ldif2db -i oneEntry.ldif
The example below shows how to use the command line tool to add a new user.
#oneEntry.ldif
dn: uid=user1,ou=GCL,ou=CSDL,o=ibm,c=cn
loginShell: /bin/bash
memberUid: 900
gidNumber: 800
objectclass: posixGroup
objectclass: top
objectclass: posixAccount
objectclass: shadowAccount
uid: user1
uidNumber: 900
cn: user1
description: One user of system
homeDirectory: /home/user1
userpassword: password
ownerpropagate: TRUE
entryowner: access-id:UID=USER1,OU=GCL,OU=CSDL,O=IBM,C=CN
For Linux user information, the entry must carry the posixAccount object class (uid, uidNumber, gidNumber, homeDirectory, loginShell) and, for password aging, shadowAccount. The example entry also carries posixGroup with cn user1 and gidNumber 800, so that a group named user1 resolves on the Linux side; note that memberUid holds login names rather than numbers, so the value 900 here does not name any member. Set the entryowner of the entry to the user's own DN (the "self" owner), so that the user is able to change the password. For more information about Directory Server ACLs, refer to the Directory Server documentation.
After adding the users, start the Directory Server so that it is ready to serve Linux authentication requests.
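The entry above is written by hand. When several existing Linux accounts have to be moved into the directory, it is easier to generate the LDIF from /etc/passwd and /etc/shadow. The following script is an added example for this article (not code from the article, from IBM, or from the migration scripts listed under Related topics). It emits posixAccount/shadowAccount entries shaped like oneEntry.ldif, with two differences worth seeing: it carries the existing crypt(3) hash as a {crypt} userPassword instead of a cleartext password (this assumes the server is configured to verify {crypt} values; check the password-encryption setting of your Directory Server), it omits userPassword entirely for locked accounts, and it base64-encodes values that RFC 2849 does not allow in plain form. The sample passwd and shadow records are constructed; the container DN is the one used on this page.

```python
"""Build posixAccount/shadowAccount LDIF entries for IBM Directory Server
from /etc/passwd and /etc/shadow style records.

Added example for this article; it is not code from the article, from IBM,
or from the migration scripts listed under Related topics."""
import base64
import re

BASE_DN = "ou=GCL,ou=CSDL,o=ibm,c=cn"       # container used in the article

# Constructed sample records (not real accounts).  user2 is locked ("!!")
# and has a non-ASCII GECOS field.
PASSWD_LINES = [
    "user1:x:900:800:One user of system:/home/user1:/bin/bash",
    "user2:x:901:800:Müller:/home/user2:/bin/bash",
]
SHADOW_LINES = [
    "user1:$1$saltsalt$abcdefghijklmnopqrstuv:12000:0:99999:7:::",
    "user2:!!:12000:0:99999:7:::",
]

LOCKED = re.compile(r"^[!*]")   # "!!", "!$1$...", "*": no usable password


def ldif_line(attr, value):
    """Render 'attr: value', or 'attr:: <base64>' when RFC 2849 forbids the
    plain form (leading space, ':' or '<', trailing space, control or
    non-ASCII characters)."""
    if not value:
        raise ValueError(f"empty value for {attr}")
    plain_ok = (value[0] not in " :<" and value[-1] != " "
                and all(32 <= ord(c) < 127 for c in value))
    if plain_ok:
        return f"{attr}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{attr}:: {encoded}"


def parse_passwd(lines):
    """name -> fields of an /etc/passwd record."""
    users = {}
    for line in lines:
        name, _pw, uid, gid, gecos, home, shell = line.rstrip("\n").split(":")
        users[name] = {"uid": int(uid), "gid": int(gid), "gecos": gecos,
                       "home": home, "shell": shell}
    return users


def parse_shadow(lines):
    """name -> hash and aging fields of an /etc/shadow record."""
    shadow = {}
    for line in lines:
        f = line.rstrip("\n").split(":")
        shadow[f[0]] = {"hash": f[1], "lastchange": f[2], "min": f[3],
                        "max": f[4], "warn": f[5]}
    return shadow


def user_entry(name, pw, sh, base_dn=BASE_DN):
    """LDIF lines for one user, shaped like the article's oneEntry.ldif."""
    dn = f"uid={name},{base_dn}"
    attrs = [
        ("dn", dn),
        ("objectclass", "top"),
        ("objectclass", "posixAccount"),
        ("objectclass", "shadowAccount"),
        ("uid", name),
        ("cn", name),
        ("uidNumber", str(pw["uid"])),
        ("gidNumber", str(pw["gid"])),
        ("homeDirectory", pw["home"]),
        ("loginShell", pw["shell"]),
    ]
    if pw["gecos"]:
        attrs.append(("gecos", pw["gecos"]))
    # Carry the existing crypt(3) hash instead of a cleartext userpassword.
    # Assumption: the server is configured to verify {crypt} values.
    # Locked accounts get no userPassword at all, so they cannot bind.
    if sh and sh["hash"] and not LOCKED.match(sh["hash"]):
        attrs.append(("userPassword", "{crypt}" + sh["hash"]))
    if sh:
        for ldap_attr, key in (("shadowLastChange", "lastchange"),
                               ("shadowMin", "min"), ("shadowMax", "max"),
                               ("shadowWarning", "warn")):
            if sh[key]:
                attrs.append((ldap_attr, sh[key]))
    # IBM Directory Server ACL attributes as in the article: the user owns
    # its own entry and can therefore change its own password.
    attrs.append(("ownerpropagate", "TRUE"))
    attrs.append(("entryowner", "access-id:" + dn))
    return [ldif_line(a, v) for a, v in attrs]


def build_ldif(passwd_lines, shadow_lines):
    """Complete LDIF document for ldif2db -i."""
    users = parse_passwd(passwd_lines)
    shadow = parse_shadow(shadow_lines)
    entries = ["\n".join(user_entry(n, users[n], shadow.get(n)))
               for n in sorted(users)]
    return "version: 1\n\n" + "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    print(build_ldif(PASSWD_LINES, SHADOW_LINES))
```

Run it with real /etc/passwd and /etc/shadow lines (as root, since /etc/shadow is not world-readable), redirect the output to a file and import it with ldif2db -i. Unlike the page's entry, the generated entries do not double as posixGroup entries; create the groups as separate posixGroup entries in the same container.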
Configuration on Linux
On RedHat Linux 7.3, log on as root and make sure the openldap and nss_ldap packages are installed; use rpm -qa | grep ldap to list the installed RPMs.
If the two packages are not installed, mount the RedHat installation image and install them:
# rpm -ivh <PathToPkgs>/openldap-2.0.23-4.rpm
# rpm -ivh <PathToPkgs>/nss_ldap-185-1.rpm
When the two packages are installed, edit /etc/ldap.conf. Below are the key directives to configure.
|Directive|Meaning|
|host|IP address or host name of the LDAP server|
|base|search base DN used by the LDAP client|
|port|LDAP server port (389 by default)|
|pam_filter|extra search filter that pam_ldap ANDs with the login-attribute match when looking up a user|
|pam_login_attribute|attribute that holds the login name (uid by default)|
|pam_password|how pam_ldap sends a changed password: clear leaves the hashing to the server, md5 hashes on the client|
The following example is part of ldap.conf. Pay special attention to the uncommented directives (host, base, port, pam_filter, pam_login_attribute, pam_password and ssl), which were shown in bold in the original article.
# @(#)$Id: ldap.conf,v 1.24 2001/09/20 14:12:26 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com

# Your LDAP server. Must be resolvable without using LDAP.
#host 127.0.0.1
host 192.168.0.188

# The distinguished name of the search base.
#base dc=example,dc=com
base o=IBM,c=CN

# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=example,dc=com

# The credentials to bind with.
# Optional: default is no credential.

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=manager,dc=example,dc=com

# The port.
# Optional: default is 389.
port 389

# The search scope.
#scope sub
#scope one
#scope base

# Search timelimit
#timelimit 30

# Bind timelimit
#bind_timelimit 30

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600

# Filter to AND with uid=%s
pam_filter objectclass=posixAccount

# The user ID attribute (defaults to uid)
pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com

# Group member attribute
#pam_member_attribute uniquemember

# Specify a minimum or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overridden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.

# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password md5
pam_password clear

ssl no
...
Save the changes, then run authconfig to enable LDAP authentication:
On the User Information Configuration panel, as shown in Figure 3, check Cache Information and Use LDAP.
Figure 3. User Information Configuration
On the Authentication Configuration panel, check Use LDAP Authentication, as shown in Figure 4.
Figure 4. Authentication Configuration
Then select Ok. The Linux system is now enabled to use LDAP authentication.
authconfig rewrites the pam_password directive to md5, which makes pam_ldap hash a new password on the client and send the {MD5} value to the server; with Directory Server this breaks password changes. To let users change their passwords, manually set the directive back to "clear", so that the server receives the password itself and applies its own hashing. Keep in mind that with "clear", and with the simple binds used for login in any case, the password crosses the network unencrypted unless SSL is enabled (see the end of this article).
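The directives above decide both how pam_ldap finds a user and what travels over the wire. The script below is an added example for this article (not code from the article, from PADL or from IBM): it parses an ldap.conf excerpt, shows the search filter that results from pam_login_attribute and pam_filter (with the RFC 2254 escaping of the login name that keeps a crafted user name from changing the filter), and audits the settings the article leaves active against a hardened variant that uses the server's LDAPS port. Both excerpts are constructed for the example; the CA certificate path in the hardened excerpt is a placeholder.

```python
"""Audit the security-relevant directives of an nss_ldap/pam_ldap
/etc/ldap.conf and show the search filter pam_ldap derives from
pam_login_attribute and pam_filter.

Added example for this article; it is not code from the article, from
PADL or from IBM."""

# Constructed excerpt with the settings the article leaves active.
WEAK_CONF = """\
host 192.168.0.188
base o=IBM,c=CN
port 389
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_password clear
ssl no
"""

# The same client pointed at the server's LDAPS port.  The CA file path
# is a placeholder for this example.
HARDENED_CONF = """\
host 192.168.0.188
base o=IBM,c=CN
port 636
ssl yes
tls_cacertfile /etc/openldap/cacerts/directory-ca.pem
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_password clear
pam_min_uid 500
"""

SEVERITY = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def parse_ldap_conf(text):
    """keyword -> value; comments and blank lines are skipped and a later
    line overrides an earlier one for the same keyword."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def escape_filter_value(value):
    """RFC 2254 escaping, so a login name cannot change the filter's shape."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def effective_pam_filter(conf, login):
    """The filter pam_ldap searches with: the login-attribute match ANDed
    with pam_filter (ldap.conf's own comment: 'Filter to AND with uid=%s')."""
    attr = conf.get("pam_login_attribute", "uid")
    match = f"({attr}={escape_filter_value(login)})"
    extra = conf.get("pam_filter", "")
    if not extra:
        return match
    if not extra.startswith("("):
        extra = f"({extra})"
    return f"(&{match}{extra})"


def transport_encrypted(conf):
    """True if binds are wrapped in SSL/TLS (ssl yes|start_tls or ldaps:// uri)."""
    ssl = conf.get("ssl", "no").lower()
    return ssl in ("yes", "on", "start_tls") or "ldaps://" in conf.get("uri", "")


def audit(conf):
    """(severity, code, message) findings, worst first."""
    findings = []
    tls = transport_encrypted(conf)
    port = conf.get("port", "389")
    if not tls:
        findings.append(("HIGH", "CLEARTEXT_BIND",
            f"ssl is off and no ldaps:// uri is set: every simple bind sends "
            f"the user's password in the clear to port {port}."))
    if conf.get("pam_password", "clear").lower() == "clear" and not tls:
        findings.append(("HIGH", "CLEARTEXT_PASSWORD_CHANGE",
            "pam_password clear without SSL: passwd sends the new password "
            "unhashed; keep 'clear' (the directory hashes it) and enable ssl."))
    if "bindpw" in conf:
        findings.append(("MEDIUM", "BINDPW_IN_CONF",
            "bindpw in /etc/ldap.conf: nss_ldap needs the file readable by "
            "every process, so the proxy credential is exposed; use rootbinddn "
            "with /etc/ldap.secret (mode 600) instead."))
    if not conf.get("pam_filter"):
        findings.append(("LOW", "NO_PAM_FILTER",
            "no pam_filter: any entry carrying the login attribute can "
            "authenticate; add objectclass=posixAccount."))
    if "pam_min_uid" not in conf:
        findings.append(("LOW", "NO_PAM_MIN_UID",
            "no pam_min_uid: pam_ldap accepts entries with any uidNumber, "
            "including ones that shadow local system accounts."))
    return sorted(findings, key=lambda f: SEVERITY[f[0]])


if __name__ == "__main__":
    for label, text in (("article settings", WEAK_CONF), ("hardened", HARDENED_CONF)):
        conf = parse_ldap_conf(text)
        print(f"== {label}: filter for user1 is {effective_pam_filter(conf, 'user1')}")
        for sev, code, msg in audit(conf) or [("OK", "NONE", "no findings")]:
            print(f"  [{sev}] {code}: {msg}")
```

Point the script at the real file (open("/etc/ldap.conf").read()) to audit a host. The hardened excerpt keeps pam_password clear, which is what Directory Server needs, and fixes the exposure by moving the whole session under SSL instead.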
Now we can log on as a user whose information is stored in the Directory Server. For example, log on as user1:
Because user1 has no home directory yet, the login shell falls back to "/" and prints a warning. Create the home directory manually to make things better:
# mkdir /home/user1
# cp /etc/skel/.* /home/user1
# chown -R user1:user1 /home/user1
Now logon as user1 again, and no warning appears:
OK, that's great! We have built a basic configuration that uses Directory Server to authenticate the Linux system users. Note that, so far, every bind password and every password change still crosses the network in the clear. Because both Linux and Directory Server support Secure Sockets Layer (SSL), the next step is to enable it. For more information about SSL configuration, see Related topics.
- For an introduction to LDAP, see LDAP HowTo.
- Visit LDAP Implementation HowTo for an introduction to LDAP authentication support of Linux.
- To learn about the Linux system user authentication mechanism, see User authentication HowTo.
- IBM Directory Server library has the product manuals for IBM Directory Server 5.1.
- User migration tools provides a series of Perl-based scripts for migrating the existing users of Linux services to an LDAP server.
- IBM Directory Server describes all the highlights of the product.