Configuring Tivoli Netcool/OMNIbus to use PAM with LDAP

Body

Pluggable Authentication Modules (PAM) is an integrated UNIX® login framework. PAM is used by system entry components, such as the dtlogin display manager of the Common Desktop Environment, to authenticate users logging into a UNIX system.

PAM can also be used by PAM-aware applications for authentication. These applications include the ObjectServer, the process agent, and gateways. You can set up PAM authentication either by using external authentication sources, such as NIS and LDAP, or by using a single, central ObjectServer.

In this blog, I will outline the quick steps to setup ObjectServer and Process Agent to use authentication based on LDAP in the following environment:

• Netcool/OMNIbus
• Solaris 5.10

Step 1:

Update the PAM configuration file:

The PAM configuration file (/etc/pam.conf) controls the PAM stacks for PAM enabled services. The format of each entry is as follows:

<service_name> <module_type> <control_flag> <module_path> [module_options]

Where:

<service_name> is: The name of the PAM enabled service.
<module_type> is one of: auth, account, password, session
<control_flag> is one of: required, requisite, sufficient, optional
<module_path> is:The path to the module. If the field does not begin with '/' , then /usr/lib/security/ is prefixed.
[module_options] is: An optional field. Consult the specified modules documentation for valid options.

(Required for the Object Server/OMNIbus):
Service Name: nco_objserv
Module Type: auth, account, password

(Required for the Process Agent (PA)):
Service Name: netcool
Module Type: auth

Example configuration:
# PAM Configuration for the Object Server.
# service module_type control_flag module_path options
nco_objserv auth requisite pam_authtok_get.so.1
nco_objserv auth required pam_dhkeys.so.1
nco_objserv auth required pam_unix_cred.so.1
nco_objserv auth required pam_unix_auth.so.1
nco_objserv account requisite pam_roles.so.1
nco_objserv account required pam_unix_account.so.1
nco_objserv password required pam_dhkeys.so.1
nco_objserv password requisite pam_authtok_get.so.1
nco_objserv password requisite pam_authtok_check.so.1
nco_objserv password required pam_authtok_store.so.1

# PAM Configuration for the Process Agent.
# service module_type control_flag module_path options
netcool auth requisite pam_authtok_get.so.1
netcool auth required pam_dhkeys.so.1
netcool auth required pam_unix_cred.so.1
netcool auth required pam_unix_auth.so.1

 

Step 2:

Configure Object Server user using external authentication, LDAP:

From the SQL interactive interface (nco_sql), use the CREATE USER command to create user.

• The user name entered is identical to the name stored in LDAP.
• No password is specified.
• The PAM keyword is set to TRUE.

2.1. If not already started, bring up object server 'NCOMS' in background process at the host server.
$OMNIHOME/bin/nco_objserv -name NCOMS &

NOTE:
On UNIX and Linux, the default value for object server security mode is “PAM”.
Otherwise, please set below properties in the object server props file before starting the object server:
Sec.ExternalAuthentication : 'PAM'
Sec.UsePam : TRUE

2.2. Log into sql interactive interface for object server 'NCOMS' with default user root and empty password:
$OMNIHOME/bin/nco_sql -server NCOMS -user "root" -password ""

2.3. Create a user with username identical to the LDAP username.
Syntax: create user '<ldap user>' id <any id number> full name '<full name>' PAM TRUE;
Example if LDAP username is thomas:
1>create user 'thomas' id 888 full name 'Thomas Anderson' PAM TRUE;
2>go

2.4.Assign the user in default 'System' group which has the 'SuperUser' role.
'SuperUser' role has all available permissions.
1>alter group 'System' assign members 'thomas';
2>go

2.5.Check the password of LDAP username is label to NIS and enable LDAP user.
1>select UserName,Passwd from security.users;
2>go

UserName           Passwd
-----------------------------------
root
thomas                  NIS

1> alter user 'thomas' set ENABLED true;
2> go
1> exit

2.6. Again, log into sql interactive interface (nco_sql) for object server 'NCOMS'. This time, use the LDAP user created at step 2.3:
$OMNIHOME/bin/nco_sql -server NCOMS -user "thomas" -password "<actual_John_Anderson_LDAP_password>"

Login to the ObjectServer with LDAP credentials should be successful at this point.

 

Step 3:

As for Process Agent, if started successfully in PAM authentication mode, you should be able to proceed with the LDAP credentials if prompted for authentication during the following PA services execution:
nco_pa_start
nco_pa_stop
nco_pa_status
nco_pa_shutdown
nco_pa_crypt
nco_pa_addentry


Hope these quick steps help. Good luck! :-)