HowTos/Using OpenLDAP for password management
Revision as of 23:40, 2 October 2006
OpenLDAP 2.2 integration with Scalix 10
The following how-to shows how to integrate Scalix and OpenLDAP 2.2 on Suse 10 for password management.
Say you have a central directory based on OpenLDAP and you want to benefit from centralized password management. With Release 10 of Scalix we have introduced pam_ldap support, which means your users can not only use their OpenLDAP password for authentication, they can also _change_ their passwords.
First, make sure you have OpenLDAP installed. Also make sure pam_ldap is installed; it is a separate package, and it is what lets PAM authenticate against the directory and change passwords in it. Once OpenLDAP is installed, configure a basic server:
Open /etc/openldap/slapd.conf and make sure the following schema files are included:

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
Next, set the suffix, rootdn and rootpw for your local install. The rootpw must be a hashed value ({SSHA} below), never cleartext. This example uses dc=siekmann,dc=com, while the log excerpts later on this page come from a server whose suffix is dc=scalix,dc=com, so substitute your own domain consistently:

suffix "dc=siekmann,dc=com"
rootdn "cn=Manager,dc=siekmann,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}W6c7QR3NJQteNRuvuWhLsbfoFXXM08Kh
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
How do you generate the {SSHA} value for rootpw? The easiest way is slappasswd(8), which ships with OpenLDAP: slappasswd -h '{SSHA}' prompts for the password and prints the hash. If you prefer a script, this Perl version does the same. Note that it takes the password on the command line, so the password lands in the process list and your shell history; use slappasswd for anything that matters:

#!/usr/bin/perl
# ssha.pl - print an OpenLDAP {SSHA} hash for the password given as argument.
# {SSHA} is base64( SHA1(password . salt) . salt ); the salt is stored in the
# clear behind the 20-byte digest so slapd can recompute the hash on bind.
use strict;
use warnings;
use Digest::SHA qw(sha1);          # core module; Digest::SHA1 is unmaintained
use MIME::Base64 qw(encode_base64);

my $password = shift @ARGV;
if (!defined $password || $password eq '') {
    print STDERR "usage: ssha.pl PASSWORD\n";
    exit 1;
}

# Use a fresh random salt every time. A fixed salt (the first version of this
# script used the literal string 'salt') makes equal passwords produce equal
# hashes and lets an attacker precompute one table for the whole directory.
open(my $rnd, '<:raw', '/dev/urandom') or die "cannot open /dev/urandom: $!";
read($rnd, my $salt, 8) == 8 or die "short read from /dev/urandom";
close($rnd);

print '{SSHA}' . encode_base64(sha1($password . $salt) . $salt, '') . "\n";
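The Perl above only produces a hash. As an added example (not part of the original how-to or of Scalix or OpenLDAP), the following Python shows the other half of the {SSHA} format: it recovers the salt that slapd stores in the clear behind the 20-byte SHA-1 digest, recomputes and compares the hash the way a simple bind does, and emits the LDIF for a user entry under ou=people, the DN shape that appears in the slapd log later on this page. The base DN dc=scalix,dc=com, the uid/gid numbers, the home directory and the cn/sn values are placeholders.

```python
#!/usr/bin/env python3
"""Added example: build, verify and ship OpenLDAP {SSHA} password values.

{SSHA} is "{SSHA}" + base64( SHA1(password || salt) || salt ).  The salt sits
in the clear behind the 20-byte digest, which is how slapd (and this checker)
recovers it to recompute the hash on a simple bind.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

DIGEST_LEN = 20  # SHA-1 output size in bytes


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} string; uses a fresh 8-byte random salt unless one is given."""
    if salt is None:
        # A fixed salt would make equal passwords hash equally across the directory.
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha(stored: str) -> Tuple[bytes, bytes]:
    """Split a stored {SSHA} value into (digest, salt); ValueError if malformed."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    if len(raw) <= DIGEST_LEN:
        raise ValueError("too short: need a 20-byte digest followed by a salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def check_ssha(stored: str, candidate: str) -> bool:
    """True iff candidate hashes to the stored digest under the stored salt."""
    digest, salt = parse_ssha(stored)
    calc = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(calc, digest)


def user_ldif(uid: str, cn: str, sn: str, password: str,
              base_dn: str = "dc=scalix,dc=com", uid_number: int = 1001) -> str:
    """LDIF for a pam_ldap user under ou=people (the DN shape in the log on this page).

    inetOrgPerson (inetorgperson.schema) and posixAccount (nis.schema) are both
    loaded by the slapd.conf above.  base_dn, uid_number and the home directory
    are placeholders chosen for this example.
    """
    lines = [
        f"dn: uid={uid},ou=people,{base_dn}",
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        f"uid: {uid}",
        f"cn: {cn}",
        f"sn: {sn}",
        f"uidNumber: {uid_number}",
        f"gidNumber: {uid_number}",
        f"homeDirectory: /home/{uid}",
        f"userPassword: {make_ssha(password)}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    import getpass
    # Read the password from the terminal so it never lands in argv or shell history.
    pw = getpass.getpass("New LDAP password: ")
    print(user_ldif("hkohl", "hkohl", "kohl", pw), end="")
```

Feed the printed LDIF to ldapadd -x -D "cn=Manager,dc=scalix,dc=com" -W (after the base entry and ou=people exist) and the user can then be tested with sxpamauth as shown below. The comparison uses hmac.compare_digest so that a verifier built on this does not leak timing information about how many digest bytes matched.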
Password management with OpenLDAP
OpenLDAP installation
At the end of the How-To, this is what you want to see:
pdxsrv01:/var/opt/scalix/sys/pam.d # sxpamauth -vvv kohl
pam_start_om("pamcheck", "kohl")
pam_authenticate()
Password:
pam_acct_mgmt()
Authenticated
pdxsrv01:/var/opt/scalix/sys/pam.d # sxpampasswd -vvv kohl
pam_start_om("pamcheck", "kohl")
pam_chauthtok()
AUTHTOK not set
OLDAUTHTOK not set
Enter login(LDAP) password:
AUTHTOK not set
OLDAUTHTOK set
New password:
AUTHTOK not set
OLDAUTHTOK set
Re-enter new password:
AUTHTOK not set
OLDAUTHTOK set
LDAP password information changed for hkohl
Password changed
pdxsrv01:/var/opt/scalix/sys/pam.d #
Common issues with SSL
If your client is configured for SSL but your LDAP server is not SSL enabled, you will see entries like the following in the slapd log: the connection is accepted and closed again with no operation in between, because what the client sent was a TLS handshake rather than an LDAP request:
Oct  2 11:00:21 pdxsrv slapd[23666]: conn=55 fd=11 ACCEPT from IP=10.0.0.7:45643 (IP=0.0.0.0:389)
Oct  2 11:00:21 pdxsrv slapd[23666]: conn=55 fd=11 closed
No LDAP operation is exchanged at all. A working exchange looks like the one below: pam_ldap binds as the Manager, searches for the user's uid, binds as the user's DN with the password supplied, and rebinds as the Manager before unbinding. Note method=128 / mech=SIMPLE / ssf=0 on every BIND: these are simple binds with no transport security, so the Manager password and the user's password cross the network in cleartext. That is acceptable only on the loopback interface or a trusted LAN; otherwise enable TLS on slapd and require it on the client, after which a protected bind is logged with an ssf greater than 0:
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 fd=11 ACCEPT from IP=10.0.0.7:40201 (IP=0.0.0.0:389)
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=0 BIND dn="cn=Manager,dc=scalix,dc=com" method=128
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=0 BIND dn="cn=Manager,dc=scalix,dc=com" mech=SIMPLE ssf=0
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=0 RESULT tag=97 err=0 text=
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=1 SRCH base="dc=scalix,dc=com" scope=2 deref=0 filter="(uid=hkohl)"
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 BIND anonymous mech=implicit ssf=0
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 BIND dn="uid=hkohl,ou=people,dc=scalix,dc=com" method=128
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 BIND dn="uid=hkohl,ou=people,dc=scalix,dc=com" mech=SIMPLE ssf=0
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 RESULT tag=97 err=0 text=
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 BIND anonymous mech=implicit ssf=0
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 BIND dn="cn=Manager,dc=scalix,dc=com" method=128
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 BIND dn="cn=Manager,dc=scalix,dc=com" mech=SIMPLE ssf=0
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 RESULT tag=97 err=0 text=
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=4 UNBIND
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 fd=11 closed
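The two symptoms above (a connection with no operation at all, and simple binds with ssf=0) are easy to pick out of a slapd log mechanically. The following Python is an added example, not part of the original how-to or of OpenLDAP or Scalix; it runs over the two excerpts on this page plus one constructed connection (conn=60) that binds after STARTTLS, to show what is not flagged. The STARTTLS and "TLS established" lines for conn=60 are written in the shape slapd normally logs them but were constructed for this example.

```python
#!/usr/bin/env python3
"""Added example: triage slapd connection logs for two pam_ldap problems.

1. A connection that is ACCEPTed and closed without a single op=N line, the
   symptom shown on this page when the client expects SSL and slapd does not
   speak it (nothing the client sent parsed as an LDAP operation).
2. A non-anonymous simple BIND logged with ssf=0, i.e. a DN and its password
   crossed the wire without TLS.
SAMPLE_LOG holds the two excerpts from this page plus a constructed
TLS-protected connection (conn=60) that must produce no finding.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
Oct  2 11:00:21 pdxsrv slapd[23666]: conn=55 fd=11 ACCEPT from IP=10.0.0.7:45643 (IP=0.0.0.0:389)
Oct  2 11:00:21 pdxsrv slapd[23666]: conn=55 fd=11 closed
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 fd=11 ACCEPT from IP=10.0.0.7:40201 (IP=0.0.0.0:389)
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=0 BIND dn="cn=Manager,dc=scalix,dc=com" method=128
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=0 BIND dn="cn=Manager,dc=scalix,dc=com" mech=SIMPLE ssf=0
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=0 RESULT tag=97 err=0 text=
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=1 SRCH base="dc=scalix,dc=com" scope=2 deref=0 filter="(uid=hkohl)"
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 BIND anonymous mech=implicit ssf=0
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 BIND dn="uid=hkohl,ou=people,dc=scalix,dc=com" method=128
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 BIND dn="uid=hkohl,ou=people,dc=scalix,dc=com" mech=SIMPLE ssf=0
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 RESULT tag=97 err=0 text=
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 BIND anonymous mech=implicit ssf=0
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 BIND dn="cn=Manager,dc=scalix,dc=com" method=128
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 BIND dn="cn=Manager,dc=scalix,dc=com" mech=SIMPLE ssf=0
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 RESULT tag=97 err=0 text=
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=4 UNBIND
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 fd=11 closed
Oct  2 11:09:30 pdxsrv slapd[23666]: conn=60 fd=12 ACCEPT from IP=10.0.0.7:40355 (IP=0.0.0.0:389)
Oct  2 11:09:30 pdxsrv slapd[23666]: conn=60 op=0 STARTTLS
Oct  2 11:09:30 pdxsrv slapd[23666]: conn=60 op=0 RESULT oid= err=0 text=
Oct  2 11:09:30 pdxsrv slapd[23666]: conn=60 fd=12 TLS established tls_ssf=256 ssf=256
Oct  2 11:09:30 pdxsrv slapd[23666]: conn=60 op=1 BIND dn="uid=hkohl,ou=people,dc=scalix,dc=com" mech=SIMPLE ssf=256
Oct  2 11:09:30 pdxsrv slapd[23666]: conn=60 op=1 RESULT tag=97 err=0 text=
Oct  2 11:09:30 pdxsrv slapd[23666]: conn=60 op=2 UNBIND
Oct  2 11:09:30 pdxsrv slapd[23666]: conn=60 fd=12 closed
""".splitlines()

CONN_RE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
OP_RE = re.compile(r"^op=(?P<op>\d+) ")
BIND_RE = re.compile(r'BIND dn="(?P<dn>[^"]*)" mech=(?P<mech>\S+) ssf=(?P<ssf>\d+)')

Finding = Tuple[str, str, str]  # (conn, kind, detail)


def triage(lines: List[str]) -> List[Finding]:
    """Return findings in connection order from a list of slapd log lines."""
    conns: Dict[str, dict] = defaultdict(
        lambda: {"peer": "", "ops": set(), "closed": False, "clear": []})
    for line in lines:
        m = CONN_RE.search(line)
        if not m:
            continue  # not a per-connection slapd line
        c, rest = conns[m["conn"]], m["rest"]
        if " ACCEPT from " in rest:
            peer = re.search(r"from IP=(\S+)", rest)
            c["peer"] = peer.group(1) if peer else "?"
        elif rest.endswith(" closed"):
            c["closed"] = True
        else:
            op = OP_RE.match(rest)
            if op:
                c["ops"].add(op["op"])
            b = BIND_RE.search(rest)
            # slapd logs the "BIND anonymous mech=implicit" step without a dn=;
            # only a real DN bound with ssf=0 is a credential sent in the clear.
            if b and b["mech"] == "SIMPLE" and int(b["ssf"]) == 0 and b["dn"]:
                c["clear"].append(b["dn"])

    findings: List[Finding] = []
    for conn, c in sorted(conns.items(), key=lambda kv: int(kv[0])):
        if c["closed"] and not c["ops"]:
            findings.append((conn, "no_operation", c["peer"]))
        for dn in c["clear"]:
            findings.append((conn, "cleartext_simple_bind", dn))
    return findings


if __name__ == "__main__":
    for conn, kind, detail in triage(SAMPLE_LOG):
        print(f"conn={conn} {kind}: {detail}")
```

Pipe a real log through triage(sys.stdin) to get the same two kinds of findings; no_operation on every connection from a given client points at the SSL mismatch described above, while a steady stream of cleartext_simple_bind for cn=Manager and user DNs means the pam_ldap traffic needs TLS before it leaves the host.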