Tutorial on how to integrate Solaris 10 boxes into Apple OpenDirectory authentication infrastructure
Edit /etc/nsswitch.ldap
hosts: dns [NOTFOUND=return] ldap files
ipnodes: dns [NOTFOUND=return] ldap files
Start resolver if not running
# svcadm enable svc:/network/dns/client:default
# ping borg.loopback.org
borg.loopback.org is alive
Generate Kerberos init on OD controller
borg:~ akira$ sudo kadmin.local
Password:
Authenticating as principal root/[email protected] with password.
kadmin.local: addprinc -randkey host/[email protected]
WARNING: no policy specified for host/[email protected]; defaulting to no policy
Principal "host/[email protected]" created.
kadmin.local: ktadd -k /tmp/host.test.keytab host/[email protected]
Entry for principal host/[email protected] with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/tmp/host.test.keytab.
Entry for principal host/[email protected] with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/tmp/host.test.keytab.
Entry for principal host/[email protected] with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/tmp/host.test.keytab.
Copy keytab file to target host
borg# scp /tmp/host.test.keytab root@test:
Install Kerberos Conf and Keytab
borg# scp /Library/Preferences/edu.mit.Kerberos test:
test# mv edu.mit.Kerberos /etc/krb5/krb5.conf
test# mv host.test.keytab /etc/krb5/krb5.keytab
Run LdapClient
test# ldapclient manual -a credentialLevel=proxy -a authenticationMethod=simple -a domainName=loopback.org -a serviceSearchDescriptor=passwd:cn=users,dc=loopback,dc=org -a serviceSearchDescriptor=group:cn=groups,dc=loopback,dc=org -a defaultSearchBase=dc=loopback,dc=org -a searchTimeLimit=60 -a proxyDN=uid=proxyagent,cn=users,dc=loopback,dc=org -a proxyPassword=XXX borg.loopback.org
System successfully configured
Run tests
# ldapsearch -h borg.loopback.org -b "cn=users,dc=loopback,dc=org" -o mech=gssapi -o authzid='' cn="Jan Schreiber" uidNumber
version: 1
dn: uid=jans,cn=users,dc=loopback,dc=org
uidNumber: 1234
# listusers
akira
...
Adjust home directory mountpoint
mkdir /Network
ln -s /net /Network/Servers
test# svcadm -v enable svc:/system/filesystem/autofs:default
svc:/system/filesystem/autofs:default enabled.
zion# svcs | grep auto
online 6:21:59 svc:/system/filesystem/autofs:default
= Log in with ssh key =
Adjust /etc/pam.conf for LDAP login
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
Test with "login"
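As an added check that is not part of the original tutorial, the following POSIX shell script inspects a Solaris-style pam.conf like the one above and reports every auth/account stack in which pam_unix_auth, pam_passwd_auth or pam_unix_account is not "binding ... server_policy" or is not followed by "required pam_ldap.so.1", which is the usual reason local accounts log in while OpenDirectory users do not. The sample stacks and file paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: sanity-check a Solaris-style pam.conf for the pam_ldap wiring.
# Prints one defect per line ("service type: reason"); exits 0 when clean.
pam_ldap_check() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }          # skip comments, blanks, 3-field lines
        $4 ~ /^pam_(unix_auth|passwd_auth|unix_account)\.so\.1$/ {
            k = $1 " " $2                      # stack key, e.g. "other auth"
            unix_line[k] = NR
            unix_ok[k] = ($3 == "binding" && $5 == "server_policy")
        }
        $4 == "pam_ldap.so.1" && $3 == "required" { ldap_line[$1 " " $2] = NR }
        END {
            rc = 0
            for (k in unix_line) {
                if (!unix_ok[k]) {
                    print k ": pam_unix/pam_passwd must be \"binding ... server_policy\""; rc = 1
                } else if (!(k in ldap_line) || ldap_line[k] < unix_line[k]) {
                    print k ": no \"required pam_ldap.so.1\" after the binding line"; rc = 1
                }
            }
            exit rc
        }' "$1"
}

# Constructed samples: "good" carries the pam_ldap lines from the tutorial,
# "bad" omits them and adds a login stack that uses "sufficient" instead of
# "binding", so both failure modes are exercised.
sample_pam_conf() {
    cat <<'EOF'
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1 server_policy
passwd auth binding pam_passwd_auth.so.1 server_policy
EOF
    if [ "$1" = good ]; then
        printf '%s\n' 'other auth required pam_ldap.so.1' \
                      'other account required pam_ldap.so.1' \
                      'passwd auth required pam_ldap.so.1'
    else
        printf '%s\n' 'login auth sufficient pam_unix_auth.so.1'
    fi
}
```

Run it against the real file with `pam_ldap_check /etc/pam.conf` after editing.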
Appendix
Addendum: Make sure the clocks of all systems are synchronized; Kerberos rejects tickets when the clock skew between client, server and KDC is too large.
Configuration in LDAP without Kerberos
ldapclient manual -a credentialLevel=proxy -a authenticationMethod=none -a domainName=loopback.org -a serviceSearchDescriptor=passwd:cn=users,dc=loopback,dc=org -a serviceSearchDescriptor=group:cn=groups,dc=loopback,dc=org -a defaultSearchBase=dc=loopback,dc=org -a searchTimeLimit=60 borg.loopback.org
Configuration without proxy
test# ldapclient manual -a credentialLevel=self -a authenticationMethod=sasl/gssapi -a domainName=loopback.org -a serviceSearchDescriptor=passwd:cn=users,dc=loopback,dc=org -a serviceSearchDescriptor=group:cn=groups,dc=loopback,dc=org -a defaultSearchBase=dc=loopback,dc=org -a searchTimeLimit=60 borg.loopback.org
System successfully configured
With this, directory information is visible ("getent passwd"), but login does not work (except with ssh/key).