OmniOS Open LDAP Client Configuration


OmniOS can be used for OpenLDAP client authentication, both as the server and as the client. The server stores the Directory Information Tree (DIT), which holds the account details that the client system authenticates against. This guide demonstrates how to configure both the server and the client.

This guide is a continuation of the OpenLDAP Quick Start Guide and assumes you have completed the tasks outlined there.

Note: by default, the slapd database grants read access to everybody except the super-user (as specified by the rootdn configuration directive). It is highly recommended that you establish controls to restrict access to authorized users. Access controls are discussed in the Access Control chapter of the OpenLDAP Administrator's Guide. You are also encouraged to read the Security Considerations, Using SASL and Using TLS sections.

Set up the OpenLDAP Client Authentication Server

First, some further configuration is needed on the OpenLDAP server to allow LDAP client authentication.

LDAP client authentication relies on nis.schema, which is located in the /etc/opt/ooce/openldap/schema/ directory. nis.schema in turn depends on cosine.schema and inetOrgPerson.schema, so all three are imported (from their LDIF versions) as follows:

root@ldap:# /opt/ooce/bin/ldapadd -D "cn=config" -W -f /etc/opt/ooce/openldap/schema/cosine.ldif
Enter LDAP Password:
adding new entry "cn=cosine,cn=schema,cn=config"

root@ldap:# /opt/ooce/bin/ldapadd -D "cn=config" -W -f /etc/opt/ooce/openldap/schema/inetorgperson.ldif
Enter LDAP Password:
adding new entry "cn=inetorgperson,cn=schema,cn=config"

root@ldap:# /opt/ooce/bin/ldapadd -D "cn=config" -W -f /etc/opt/ooce/openldap/schema/nis.ldif
Enter LDAP Password:
adding new entry "cn=nis,cn=schema,cn=config"

Adding Groups and Users to the system

To populate the DIT with users and groups for the client, Organizational Units (ou) need to be created to hold them. We therefore create the following OUs, then a group and a user.

Add the Organizational Unit: group

First, create an ldif text file that can be used to import the data into the DIT.

root@ldap:# cat << EOF > ou-group.ldif
dn: ou=group,dc=omnios,dc=org
objectClass: organizationalUnit
ou: group
EOF

This can now be added to the DIT with the ldapadd command as follows:

root@ldap:# /opt/ooce/bin/ldapadd -D "cn=Manager,dc=omnios,dc=org" -W -f ou-group.ldif
Enter LDAP Password:
adding new entry "ou=group,dc=omnios,dc=org"

This ou holds the groups for users; it plays the role that /etc/group plays with traditional Unix authentication.

Add the Organizational Unit: user

Again, create an ldif text file that can be used to import the data into the DIT.

root@ldap:# cat << EOF > ou-user.ldif
dn: ou=user,dc=omnios,dc=org
objectClass: organizationalUnit
ou: user
EOF

This can now be added to the DIT with the ldapadd command as follows:

root@ldap:# /opt/ooce/bin/ldapadd -D "cn=Manager,dc=omnios,dc=org" -W -f ou-user.ldif
Enter LDAP Password:
adding new entry "ou=user,dc=omnios,dc=org"

This ou holds the users that will access systems via OpenLDAP client authentication; it plays the role that /etc/passwd plays with traditional Unix authentication.

Add the other group to the ou=group

Within this organizational unit we add the first group, other, which matches the default group assigned when a new user is set up on OmniOS.

Again, we follow the standard procedure of creating an ldif text file and then import with ldapadd.

root@ldap:# cat << EOF > group-other.ldif
dn: cn=other,ou=group,dc=omnios,dc=org
objectClass: posixGroup
cn: other
gidNumber: 1
EOF
root@ldap:# /opt/ooce/bin/ldapadd -D "cn=Manager,dc=omnios,dc=org" -W -f group-other.ldif
Enter LDAP Password:
adding new entry "cn=other,ou=group,dc=omnios,dc=org"

Add a user to the ou=user

Now we add our first user. This is the user we will use to test LDAP client authentication on the client system.

Again, we follow the standard procedure of creating an ldif text file and then import with ldapadd.

root@ldap:# cat << EOF > user-rigby.ldif
dn: uid=rigby,ou=user,dc=omnios,dc=org
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: Rigby
uid: rigby
uidNumber: 101
gidNumber: 1
homeDirectory: /home/rigby/
loginShell: /usr/bin/bash
userPassword: {SSHA}WjKBvaM5QYtyzrpQDs2NHtOTbLwYizxe
EOF
root@ldap:# /opt/ooce/bin/ldapadd -D "cn=Manager,dc=omnios,dc=org" -W -f user-rigby.ldif
Enter LDAP Password:
adding new entry "uid=rigby,ou=user,dc=omnios,dc=org"

This completes the configuration of the OpenLDAP client authentication server. OpenLDAP should be running, the DIT is populated, and the server is ready to authenticate the users stored in the DIT on behalf of client systems.

Set up the Client

On a different OmniOS system, I will configure the client. No additional LDAP software needs to be installed, as OmniOS ships the ldapclient(1) program, which takes care of configuration and authentication.

Allow use of DNS for host lookups in LDAP

By default the nsswitch.ldap file does not permit DNS lookups, so this needs to be changed before running the ldapclient command (ldapclient installs this file as the system's nsswitch.conf).

Change the following line in /etc/nsswitch.ldap:

hosts:      files ldap

to the following:

hosts:      files dns ldap

Configure ldapclient

The following is sufficient to configure ldapclient to authenticate against the server configured in the previous section. The defaultServerList attribute should point to a fully qualified domain name that you manage (e.g. the server configured above). Consult the manpage for full details of the ldapclient command.

Issue the following command to manually create the configuration for the LDAP client.

root@client:# ldapclient manual \
-a credentialLevel=proxy \
-a authenticationMethod=simple \
-a defaultSearchBase=dc=omnios,dc=org \
-a domainName=omnios.org \
-a defaultServerList=ldap.omnios.org \
-a proxyDN=cn=Manager,dc=omnios,dc=org \
-a proxyPassword=secret \
-a attributeMap=group:gidnumber=gidNumber \
-a attributeMap=passwd:gidnumber=gidNumber \
-a attributeMap=passwd:uidnumber=uidNumber \
-a attributeMap=passwd:homedirectory=homeDirectory \
-a attributeMap=passwd:loginshell=loginShell \
-a attributeMap=shadow:userpassword=userPassword \
-a objectClassMap=group:posixGroup=posixgroup \
-a objectClassMap=passwd:posixAccount=posixaccount \
-a objectClassMap=shadow:shadowAccount=posixaccount \
-a serviceSearchDescriptor=passwd:ou=user,dc=omnios,dc=org \
-a serviceSearchDescriptor=group:ou=group,dc=omnios,dc=org \
-a serviceSearchDescriptor=shadow:ou=user,dc=omnios,dc=org
Stopping sendmail failed with (1). You may need to restart it manually for changes to take effect.
System successfully configured
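The attribute list above is easy to get subtly wrong (a search base outside the default base, a map without its "=", proxy mode without proxy credentials). The following is an added example, not code from this guide or from ldapclient itself, that checks such a list before it is handed to ldapclient; the attribute names are the real ldapclient ones, the sample list is a subset of the values used above, and the check logic is my own.

```python
# Added example, not code from the guide: a pre-flight check on the attribute
# list handed to "ldapclient manual -a name=value ...". Attribute names are the
# real ldapclient ones; the checks and the sample list below are mine.

# Subset of the values from this guide, as written in the ldapclient command above.
CLIENT_ATTRS = [
    "credentialLevel=proxy",
    "authenticationMethod=simple",
    "defaultSearchBase=dc=omnios,dc=org",
    "defaultServerList=ldap.omnios.org",
    "proxyDN=cn=Manager,dc=omnios,dc=org",
    "proxyPassword=secret",
    "attributeMap=shadow:userpassword=userPassword",
    "objectClassMap=passwd:posixAccount=posixaccount",
    "serviceSearchDescriptor=passwd:ou=user,dc=omnios,dc=org",
    "serviceSearchDescriptor=group:ou=group,dc=omnios,dc=org",
]

def parse_attrs(attrs):
    """Group 'name=value' items by name; repeatable attributes keep every value."""
    parsed = {}
    for item in attrs:
        name, _, value = item.partition("=")
        parsed.setdefault(name, []).append(value)
    return parsed

def check_client_attrs(attrs):
    """Return a list of findings; an empty list means nothing to raise."""
    a = parse_attrs(attrs)
    findings = []
    base = a.get("defaultSearchBase", [""])[0].lower()
    # Every per-service search base must sit under the default search base.
    for ssd in a.get("serviceSearchDescriptor", []):
        service, _, search_base = ssd.partition(":")
        if not search_base.lower().endswith(base):
            findings.append(f"{service}: {search_base} is outside {base}")
    # Maps must be service:schemaName=mappedName, matching the forms used above.
    for key in ("attributeMap", "objectClassMap"):
        for entry in a.get(key, []):
            service, _, mapping = entry.partition(":")
            if not service or "=" not in mapping:
                findings.append(f"{key} '{entry}' is not service:from=to")
    # credentialLevel=proxy is only usable with a proxy identity to bind as.
    if a.get("credentialLevel") == ["proxy"]:
        for needed in ("proxyDN", "proxyPassword"):
            if needed not in a:
                findings.append(f"credentialLevel=proxy requires {needed}")
    # A plain simple bind sends the proxy password unencrypted; tls:simple does not.
    if a.get("authenticationMethod", ["none"])[0] == "simple":
        findings.append("authenticationMethod=simple: bind password crosses the wire "
                        "in clear; prefer tls:simple")
    return findings
```

Run against the guide's own values, the only finding is the clear-text simple bind, which is what the Using TLS pointer at the end of this page is about.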

On success, this creates two files under /var/ldap/: ldap_client_cred and ldap_client_file (ldap_client_cred holds the proxyDN and proxyPassword supplied above). These should not be hand-edited; all changes should be made with the ldapclient command. You can, however, browse the contents of these files with cat or your favourite editor.

Update /etc/pam.conf:

One last step is needed: the Pluggable Authentication Module (PAM) configuration must be told to allow client authentication via LDAP. This is achieved by changing the following line:

login   auth required           pam_unix_auth.so.1

to the following two lines:

login   auth binding            pam_unix_auth.so.1  server_policy
login   auth required           pam_ldap.so.1
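Both file edits on this client, the hosts line in /etc/nsswitch.ldap and the login auth stack in /etc/pam.conf, are single-line substitutions that should be applied exactly once and then verified. The following is an added example, not code from this guide, that performs both edits on file contents held in memory and checks that the resulting PAM stack has pam_ldap after the binding pam_unix_auth line; the sample pam.conf excerpt and the function names are my own.

```python
# Added example, not code from the guide: applies the two line edits described
# above (hosts line in /etc/nsswitch.ldap, login auth stack in /etc/pam.conf)
# to file contents held in memory, only once, and checks the resulting stack.
# The pam.conf excerpt below is a constructed sample for the test.

SAMPLE_PAM_CONF = """\
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
"""

def enable_dns_in_nsswitch(text):
    """Turn 'hosts: files ldap' into 'hosts: files dns ldap' (no-op if dns is present)."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if fields[:1] == ["hosts:"] and "dns" not in fields and "ldap" in fields:
            fields.insert(fields.index("ldap"), "dns")
            line = "hosts:      " + " ".join(fields[1:])
        out.append(line)
    return "\n".join(out) + "\n"

def enable_pam_ldap(text):
    """Replace the 'login auth required pam_unix_auth.so.1' line with the binding
    server_policy line followed by pam_ldap; an already converted file is untouched."""
    out = []
    for line in text.splitlines():
        if line.split()[:4] == ["login", "auth", "required", "pam_unix_auth.so.1"]:
            out.append("login   auth binding            pam_unix_auth.so.1  server_policy")
            out.append("login   auth required           pam_ldap.so.1")
        else:
            out.append(line)
    return "\n".join(out) + "\n"

def login_auth_stack(text):
    """Return the login auth stack as (control, module, options...) tuples, in file order."""
    return [tuple(f[2:]) for f in (l.split() for l in text.splitlines())
            if len(f) >= 4 and f[0] == "login" and f[1] == "auth"]

def pam_ldap_enabled(text):
    """True when pam_unix_auth is 'binding ... server_policy' and pam_ldap follows it."""
    stack = login_auth_stack(text)
    for i, entry in enumerate(stack):
        if entry[:2] == ("binding", "pam_unix_auth.so.1") and "server_policy" in entry:
            return any(e[:2] == ("required", "pam_ldap.so.1") for e in stack[i + 1:])
    return False
```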

Now you have fully configured LDAP client authentication for the system that will act as the client. Reboot this system to make sure all changes are in effect.

After the reboot, you should be able to log in with the new user that has been created.

This is demonstrated as follows:

Hostname: client
LDAP domain name is omnios.org

client console login: rigby
Password:
OmniOS r151036  omnios-r151036-4a32ffb911       November 2020
rigby@client:~$

A Note on Error Messages on Reboot

One minor annoyance at the time of writing this is the error message as follows:

Nov 17 13:19:41 svc.startd[44]: libsldap: Status: 2  Mesg: Unable to load configuration '/var/ldap/ldap_client_file' ('').
Nov 17 13:19:41 svc.startd[44]: libsldap: Status: 2  Mesg: Unable to load configuration '/var/ldap/ldap_client_file' ('').

A bug has been filed for this behaviour: https://www.illumos.org/issues/487. Further, the official Solaris documentation advises ignoring these messages.

Looking forward

You are strongly advised to implement full security before using OpenLDAP Client Authentication in a production system. Access controls are discussed in the Access Control chapter of the OpenLDAP Administrator's Guide. You are also encouraged to read the Security Considerations, Using SASL and Using TLS sections.