Difference between revisions of "HowTos/Using OpenLDAP for password management"

Revision as of 00:24, 3 October 2006

OpenLDAP 2.2 integration with Scalix 10

The following how-to shows how to integrate Scalix and OpenLDAP 2.2 on Suse 10 for password management.

Say you have a central directory based on OpenLDAP and you want to benefit from centralized password management. With Release 10 of Scalix we have introduced pam_ldap support, which means your users can not only use their OpenLDAP password for authentication, they can also _change_ their passwords.

First, make sure you have OpenLDAP installed. Double make sure you also have pam_ldap installed - they are separate downloads. Once you have installed OpenLDAP, let's go ahead and configure a basic server:

Open /etc/openldap/slapd.conf and make sure

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/inetorgperson.schema

are included.

Next, change the suffix for your local install:

suffix          "dc=scalix,dc=com"
rootdn          "cn=Manager,dc=scalix,dc=com"
rootpw  {SSHA}W6c7QR3NJQteNRuvuWhLsbfoFXXM08Kh
index   objectClass,uid,uidNumber,gidNumber,memberUid   eq
index   cn,mail,surname,givenname                       eq,subinitial

How do you generate the SHA password? Easy: Use this perl script:

#!/usr/bin/perl
use Digest::SHA1;
use MIME::Base64;
if ($ARGV[0] eq "") {
printf STDERR "usage: ssha.pl PASSWORD\n";
exit 1;
}
$pass = Digest::SHA1->new;
$pass->add($ARGV[0]);
$pass->add('salt');
print '{SSHA}' . encode_base64($pass->digest . 'salt' ,'') . "\n";

OK, so once this basic configuration is done, we can start the OpenLDAP server using

rcldap start

or

service ldap start

If the slapd.conf file was edited correctly, OpenLDAP should now be running. To verify the domain was entered correctly, execute the following command:

ldapsearch -x -b -s base '(objectclass=*)' namingContexts

That should output the following:

#
# filter: (objectclass=*)
# requesting: namingContexts
#
#
dn:
namingContexts: dc=scalix,dc=com
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
where the namingContexts should contain your domain.

Next, create a file called load.ldif file for importing. The references to scalix.com should be replaced with your domain information. In addition, you’ll need to change the user information for Helmut Kohl to be valid information for one of your users.

Try this ldif file:

dn: dc=scalix,dc=com
dc: scalix
objectClass: top
objectClass: domain

dn: ou=People,dc=scalix,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: uid=hkohl, ou=people, dc=scalix, dc=com
objectclass: top
objectclass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: hkohl
userPassword: {SSHA}yI6cZwQadOA1e+/f+T+H3eCQQhRzYWx0
cn: Helmut Kohl
sn: Kohl
gn: Helmut

Now, import the initial.ldif file using the ldapadd command:

ldapadd -x -D "cn=Manager,dc=scalix,dc=com" -W -f load.ldif

Next, perform an ldapsearch, to verify that the user was imported.

ldapsearch -xh pdxsrv.scalix.com -b dc=scalix,dc=com

The output should yield the ldap entry loaded above. You now have one user loaded in OpenLDAP with whatever password you chose. If the user is not already in Scalix, you should add it now. The Scalix Authentication ID needs to match the LDAP uid field. To add the user to Scalix, use the omaddu command as follows:

omaddu -n "Helmut Kohl/mailnode" -p password hkohl

If the user already exists in Scalix, you can verify the Authentication ID using the omshowu command:

omshowu –n “Helmut Kohl/mailnode”

the output will look something like:
pdxsrv01:/var/opt/scalix/sys/pam.d # omshowu "Helmut Kohl"
Authentication ID: hkohl
User Name : Helmut Kohl /CN=Helmut Kohl
MailNode : pdxsrv01
Internet Address : "Helmut Kohl" <Helmut.Kohl@siekmann.com>
System Login : 60535
Password : set
Admin Capabilities : NO
Mailbox Admin Capabilities : NO
Language : C
Virtual Vault : Enabled (default)
Mail Account: Unlocked
Last Signon : 02.10.06 11:13:50
Receipt of mail : ENABLED
Service level : 0
Excluded from Tidying : NO
User Class : Limited
pdxsrv01:/var/opt/scalix/sys/pam.d #

Password management with OpenLDAP

Here are the Scalix files that you will need to change for a typical SWA / Outlook setup:

/var/opt/scalix/sys/om_ldap.conf
/var/opt/scalix/sys/pam.d/ual.remote
/var/opt/scalix/sys/pam.d/pamcheck
/var/opt/scalix/sys/pam.d/smtpd.auth

/var/opt/scalix/sys/om_ldap.conf contains the OpenLDAP configuration data, e.g.:

host=pdxsrv.scalix.com
search=subtree
base=ou=people,dc=scalix,dc=com
filter=uid=%s
tls=off

The "tls=off" is pretty important, we'll get to that later.

sxpamauth

Next, cd to /var/opt/scalix/sys/pam.d and edit pamcheck:

auth required om_debug
account required om_debug
session required om_debug
password required om_debug
auth    required om_om2authid
auth    required /lib/security/pam_ldap.so
account required /lib/security/pam_ldap.so
password required om_om2authid
password required /lib/security/pam_ldap.so
session required /lib/security/pam_ldap.so
pdxsrv01:/var/opt/scalix/sys/pam.d #

This configuration will allow you to use both Scalix password authentication and LDAP password authentication.Additionally, it will give you error logging that is helpful when trying to find configuration mistakes.

pamcheck is used in conjunction with a great debugging tool that is also new in Scalix 10: sxpamauth.

pdxsrv01:/var/opt/scalix/sys/pam.d # sxpamauth -vvv kohl
pam_start_om("pamcheck", "kohl")
pam_authenticate()
Password:
pam_acct_mgmt()

Authenticated
pdxsrv01:/var/opt/scalix/sys/pam.d #

For MAPI and IMAP users, copy pamcheck over ual.remote and make sure both files contain the same configuration:

auth required om_debug
account required om_debug
session required om_debug
password required om_debug
auth    required om_om2authid
auth    required /lib/security/pam_ldap.so
account required /lib/security/pam_ldap.so
password required om_om2authid
password required /lib/security/pam_ldap.so
session required /lib/security/pam_ldap.so
pdxsrv01:/var/opt/scalix/sys/pam.d #

sxpampasswd

The companion to sxpamauth is sxpampasswd. This nifty utility will allow you to change a users password thru LDAP, e.g.:

pdxsrv01:/var/opt/scalix/sys/pam.d # sxpampasswd -vvv kohl
pam_start_om("pamcheck", "kohl")
pam_chauthtok()
AUTHTOK not set
OLDAUTHTOK not set
Enter login(LDAP) password:
AUTHTOK not set
OLDAUTHTOK set
New password:
AUTHTOK not set
OLDAUTHTOK set
Re-enter new password:
AUTHTOK not set
OLDAUTHTOK set
LDAP password information changed for hkohl

Password changed
pdxsrv01:/var/opt/scalix/sys/pam.d #

At the end of the How-To, this is what you want to see:

pdxsrv01:/var/opt/scalix/sys/pam.d # sxpamauth -vvv kohl
pam_start_om("pamcheck", "kohl")
pam_authenticate()
Password:
pam_acct_mgmt()

Authenticated

== Common issues with SSL ==

If your LDAP server is not SSL enabled, you will see entries similar to this one in the log:

<pre>
Oct  2 11:00:21 pdxsrv slapd[23666]: conn=55 fd=11 ACCEPT from IP=10.0.0.7:45643 (IP=0.0.0.0:389)
Oct  2 11:00:21 pdxsrv slapd[23666]: conn=55 fd=11 closed

No LDAP communication is happening here. A "good" log looks like this:

Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 fd=11 ACCEPT from IP=10.0.0.7:40201 (IP=0.0.0.0:389)
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=0 BIND dn="cn=Manager,dc=scalix,dc=com" method=128
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=0 BIND dn="cn=Manager,dc=scalix,dc=com" mech=SIMPLE ssf=0
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=0 RESULT tag=97 err=0 text=
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=1 SRCH base="dc=scalix,dc=com" scope=2 deref=0 filter="(uid=hkohl)"
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 BIND anonymous mech=implicit ssf=0
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 BIND dn="uid=hkohl,ou=people,dc=scalix,dc=com" method=128
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 BIND dn="uid=hkohl,ou=people,dc=scalix,dc=com" mech=SIMPLE ssf=0
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 RESULT tag=97 err=0 text=
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 BIND anonymous mech=implicit ssf=0
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 BIND dn="cn=Manager,dc=scalix,dc=com" method=128
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 BIND dn="cn=Manager,dc=scalix,dc=com" mech=SIMPLE ssf=0
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 RESULT tag=97 err=0 text=
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=4 UNBIND
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 fd=11 closed