Difference between revisions of "HowTos/Using OpenLDAP for password management"

From Scalix Wiki
Jump to: navigation, search
(Password management with OpenLDAP)
(Headline text)
Line 1: Line 1:
== Headline text ==
+
== OpenLDAP 2.2 integration with Scalix 10  ==
OpenLDAP integration w
+
 
 +
The following how-to shows how to integrate Scalix and OpenLDAP 2.2 on Suse 10 for password management.
 +
 
 +
Say you have a central directory based on OpenLDAP and you want to benefit from centralized password management. With Release 10 of Scalix we have introduced pam_ldap support, which means your users can not only use their OpenLDAP password for authentication, they can also _change_ their passwords.
 +
 
 +
Let's have a look at how this is done:
 +
 
 
== Password management with OpenLDAP ==
 
== Password management with OpenLDAP ==
  

Revision as of 23:07, 2 October 2006

OpenLDAP 2.2 integration with Scalix 10

The following how-to shows how to integrate Scalix and OpenLDAP 2.2 on Suse 10 for password management.

Say you have a central directory based on OpenLDAP and you want to benefit from centralized password management. With Release 10 of Scalix we have introduced pam_ldap support, which means your users can not only use their OpenLDAP password for authentication, they can also _change_ their passwords.

Let's have a look at how this is done:

Password management with OpenLDAP

OpenLDAP installation

At the end of the How-To, this is what you want to see:

pdxsrv01:/var/opt/scalix/sys/pam.d # sxpamauth -vvv kohl
pam_start_om("pamcheck", "kohl")
pam_authenticate()
Password:
pam_acct_mgmt()

Authenticated
pdxsrv01:/var/opt/scalix/sys/pam.d # sxpampasswd -vvv kohl
pam_start_om("pamcheck", "kohl")
pam_chauthtok()
AUTHTOK not set
OLDAUTHTOK not set
Enter login(LDAP) password:
AUTHTOK not set
OLDAUTHTOK set
New password:
AUTHTOK not set
OLDAUTHTOK set
Re-enter new password:
AUTHTOK not set
OLDAUTHTOK set
LDAP password information changed for hkohl

Password changed
pdxsrv01:/var/opt/scalix/sys/pam.d #


Common issues with SSL

If your LDAP server is not SSL enabled, you will see entries similar to this one in the log:

Oct  2 11:00:21 pdxsrv slapd[23666]: conn=55 fd=11 ACCEPT from IP=10.0.0.7:45643 (IP=0.0.0.0:389)
Oct  2 11:00:21 pdxsrv slapd[23666]: conn=55 fd=11 closed

No LDAP communication is happening here. A "good" log looks like this:

Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 fd=11 ACCEPT from IP=10.0.0.7:40201 (IP=0.0.0.0:389)
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=0 BIND dn="cn=Manager,dc=scalix,dc=com" method=128
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=0 BIND dn="cn=Manager,dc=scalix,dc=com" mech=SIMPLE ssf=0
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=0 RESULT tag=97 err=0 text=
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=1 SRCH base="dc=scalix,dc=com" scope=2 deref=0 filter="(uid=hkohl)"
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 BIND anonymous mech=implicit ssf=0
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 BIND dn="uid=hkohl,ou=people,dc=scalix,dc=com" method=128
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 BIND dn="uid=hkohl,ou=people,dc=scalix,dc=com" mech=SIMPLE ssf=0
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 RESULT tag=97 err=0 text=
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 BIND anonymous mech=implicit ssf=0
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 BIND dn="cn=Manager,dc=scalix,dc=com" method=128
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 BIND dn="cn=Manager,dc=scalix,dc=com" mech=SIMPLE ssf=0
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 RESULT tag=97 err=0 text=
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=4 UNBIND
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 fd=11 closed

Headline text