HowTos/Using OpenLDAP for password management
Scalix Wiki -> How-Tos -> OpenLDAP
Contents
Installing OpenLDAP
The following how-to shows how to integrate Scalix and OpenLDAP 2.2 on Suse 10 for password management.
The references to scalix.com in this how-to should be replaced with your domain information!
Say you have a central directory based on OpenLDAP and you want to benefit from centralized password management. With Release 10 of Scalix we have introduced pam_ldap support, which means your users can not only use their OpenLDAP password for authentication, they can also _change_ their passwords.
First, make sure you have OpenLDAP installed. Double make sure you also have pam_ldap installed - they are separate downloads. Once you have installed OpenLDAP, let's go ahead and configure a basic server:
Open /etc/openldap/slapd.conf and make sure
include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/inetorgperson.schema
are included.
Next, change the suffix for your local install:
suffix "dc=scalix,dc=com"
rootdn "cn=Manager,dc=scalix,dc=com"
rootpw {SSHA}W6c7QR3NJQteNRuvuWhLsbfoFXXM08Kh
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
To allow each user to change his own password from Microsoft Outlook or SWA interface, also add:
access to attrs=userPassword
by anonymous auth
by self write
by * none
access to *
by self write
by * none
How do you generate the SHA password? Easy, use the slappasswd command:
/usr/sbin/slappasswd
or this perl script:
#!/usr/bin/perl
use Digest::SHA1;
use MIME::Base64;
if ($ARGV[0] eq "") {
printf STDERR "usage: ssha.pl PASSWORD\n";
exit 1;
}
$pass = Digest::SHA1->new;
$pass->add($ARGV[0]);
$pass->add('salt');
print '{SSHA}' . encode_base64($pass->digest . 'salt' ,'') . "\n";
OK, so once this basic configuration is done, we can start the OpenLDAP server using
rcldap start
or
service ldap start
If the slapd.conf file was edited correctly, OpenLDAP should now be running. To verify the domain was entered correctly, execute the following command:
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
That should output the following:
# # filter: (objectclass=*) # requesting: namingContexts # # dn: namingContexts: dc=scalix,dc=com # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1
where the namingContexts should contain your domain.
Next, create a file called load.ldif file for importing. The references to scalix.com should be replaced with your domain information. In addition, you’ll need to change the user information for Helmut Kohl to be valid information for one of your users.
Try this ldif file:
dn: dc=scalix,dc=com
dc: scalix
objectClass: top
objectClass: domain
dn: ou=People,dc=scalix,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
dn: uid=hkohl, ou=people, dc=scalix, dc=com
objectclass: top
objectclass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: hkohl
userPassword: {SSHA}yI6cZwQadOA1e+/f+T+H3eCQQhRzYWx0
cn: Helmut Kohl
sn: Kohl
gn: Helmut
Now, import the initial .ldif file using the ldapadd command:
ldapadd -x -D "cn=Manager,dc=scalix,dc=com" -W -f load.ldif
Next, perform an ldapsearch, to verify that the user was imported.
ldapsearch -xh pdxsrv.scalix.com -b dc=scalix,dc=com
The output should yield the ldap entry loaded above. You now have one user loaded in OpenLDAP with whatever password you chose. If the user is not already in Scalix, you should add it now. The Scalix Authentication ID needs to match the LDAP uid field. To add the user to Scalix, use the omaddu command as follows:
omaddu -n "Helmut Kohl/mailnode" -p password hkohl
If the user already exists in Scalix, you can verify the Authentication ID using the omshowu command:
omshowu –n “Helmut Kohl/mailnode”
the output will look something like:
pdxsrv01:/var/opt/scalix/sys/pam.d # omshowu "Helmut Kohl" Authentication ID: hkohl User Name : Helmut Kohl /CN=Helmut Kohl MailNode : pdxsrv01 Internet Address : "Helmut Kohl" <Helmut.Kohl@scalix.com> System Login : 60535 Password : set Admin Capabilities : NO Mailbox Admin Capabilities : NO Language : C Virtual Vault : Enabled (default) Mail Account: Unlocked Last Signon : 02.10.06 11:13:50 Receipt of mail : ENABLED Service level : 0 Excluded from Tidying : NO User Class : Limited pdxsrv01:/var/opt/scalix/sys/pam.d #
If the Authentication ID is not the same as the uid, you will need to use the ommodu command to change it:
ommodu –o “Helmut Kohl/mailnode” –authid hkohl
Configuring PAM
On your Scalix server you will need to edit /etc/ldap.conf to configure pam_ldap. Edit the file and change the following entries:
# Your LDAP server. Must be resolvable without using LDAP. host pdxsrv.scalix.com # The distinguished name of the search base. base dc=scalix,dc=com # The LDAP version to use (defaults to 3 # if supported by client library) ldap_version 3 # The distinguished name to bind to the server with. # Optional: default is to bind anonymously. binddn cn=Manager,dc=scalix,dc=com # The credentials to bind with. # Optional: default is no credential. bindpw password
Pretty important is that if you do not have SSL configured for your LDAP server, you must disable it in ldap.conf:
# OpenLDAP SSL mechanism # start_tls mechanism uses the normal LDAP port, LDAPS typically 636 #ssl start_tls #ssl on
Configuring Scalix
Here are the Scalix files that you will need to change for a typical SWA / Outlook setup. Create any that do not exist.
/var/opt/scalix/sys/om_ldap.conf /var/opt/scalix/sys/pam.d/ual.remote /var/opt/scalix/sys/pam.d/pamcheck /var/opt/scalix/sys/pam.d/smtpd.auth /var/opt/scalix/sys/pam.d/pop3 /var/opt/scalix/sys/pam.d/omslapdeng
Typically, all files should have the same contents with the exception of om_ldap.conf and pamcheck
auth required om_om2authid auth sufficient /lib/security/pam_ldap.so ignore_unknown_user auth sufficient om_auth use_first_pass auth required pam_deny account sufficient om_auth account required /lib/security/pam_ldap.so password required om_auth preauth password required om_om2authid password required /lib/security/pam_ldap.so session required /lib/security/pam_ldap.so
/var/opt/scalix/sys/om_ldap.conf contains the OpenLDAP configuration data, e.g.:
host=pdxsrv.scalix.com search=subtree base=ou=people,dc=scalix,dc=com filter=uid=%s tls=off
The "tls=off" is pretty important, we'll get to that later.
sxpamauth
Next, cd to /var/opt/scalix/sys/pam.d and edit pamcheck:
auth required om_debug account required om_debug session required om_debug password required om_debug auth required om_om2authid auth required /lib/security/pam_ldap.so account required /lib/security/pam_ldap.so password required om_om2authid password required /lib/security/pam_ldap.so session required /lib/security/pam_ldap.so
This configuration will allow you to use both Scalix password authentication and LDAP password authentication.Additionally, it will give you error logging that is helpful when trying to find configuration mistakes.
NOTE: Not fully tested solution
If you want to use only openldap authentications for pop3 access just remove these lines
auth sufficient om_auth use_first_pass account sufficient om_auth
from pop3, and line
auth sufficient om_auth use_first_pass
from file ual.remote
Ensure that the file /lib/security/pam_ldap.so exists. If it doesn't, you forgot to install the pam_ldap package and/or nssldap package as mentioned at the top.
OK, once you have edited all configuration files, restart the server using
omshut omrc
After the server has come back up, try using a client to connect to the server or use sxpamauth to check authentication:
pamcheck is used in conjunction with a great debugging tool that is also new in Scalix 10: sxpamauth.
pdxsrv01:/var/opt/scalix/sys/pam.d # sxpamauth -vvv kohl
pam_start_om("pamcheck", "kohl")
pam_authenticate()
Password:
pam_acct_mgmt()
Authenticated
pdxsrv01:/var/opt/scalix/sys/pam.d #
For MAPI and IMAP users, copy pamcheck over ual.remote and make sure both files contain the same configuration as above.
sxpampasswd
The companion to sxpamauth is sxpampasswd. This nifty utility will allow you to change a users password thru LDAP, e.g.:
pdxsrv01:/var/opt/scalix/sys/pam.d # sxpampasswd -vvv kohl
pam_start_om("pamcheck", "kohl")
pam_chauthtok()
AUTHTOK not set
OLDAUTHTOK not set
Enter login(LDAP) password:
AUTHTOK not set
OLDAUTHTOK set
New password:
AUTHTOK not set
OLDAUTHTOK set
Re-enter new password:
AUTHTOK not set
OLDAUTHTOK set
LDAP password information changed for hkohl
Password changed
pdxsrv01:/var/opt/scalix/sys/pam.d #
pdxsrv01:/var/opt/scalix/sys/pam.d # sxpamauth -vvv kohl
pam_start_om("pamcheck", "kohl")
pam_authenticate()
Password:
pam_acct_mgmt()
Authenticated
So this looked like a perfect authentication!
Common issues with SSL
If your LDAP server is not SSL enabled, you will see entries similar to this one in the log:
Oct 2 11:00:21 pdxsrv slapd[23666]: conn=55 fd=11 ACCEPT from IP=10.0.0.7:45643 (IP=0.0.0.0:389) Oct 2 11:00:21 pdxsrv slapd[23666]: conn=55 fd=11 closed
No LDAP communication is happening here. A "good" log looks like this:
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 fd=11 ACCEPT from IP=10.0.0.7:40201 (IP=0.0.0.0:389) Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=0 BIND dn="cn=Manager,dc=scalix,dc=com" method=128 Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=0 BIND dn="cn=Manager,dc=scalix,dc=com" mech=SIMPLE ssf=0 Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=0 RESULT tag=97 err=0 text= Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=1 SRCH base="dc=scalix,dc=com" scope=2 deref=0 filter="(uid=hkohl)" Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 BIND anonymous mech=implicit ssf=0 Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 BIND dn="uid=hkohl,ou=people,dc=scalix,dc=com" method=128 Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 BIND dn="uid=hkohl,ou=people,dc=scalix,dc=com" mech=SIMPLE ssf=0 Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 RESULT tag=97 err=0 text= Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 BIND anonymous mech=implicit ssf=0 Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 BIND dn="cn=Manager,dc=scalix,dc=com" method=128 Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 BIND dn="cn=Manager,dc=scalix,dc=com" mech=SIMPLE ssf=0 Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 RESULT tag=97 err=0 text= Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=4 UNBIND Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 fd=11 closed
Congratulations, you have successfully installed OpenLDAP password support.
