Difference between revisions of "HowTos/Using OpenLDAP for password management"

From Scalix Wiki
Jump to: navigation, search
(OpenLDAP 2.2 integration with Scalix 10)
(OpenLDAP 2.2 integration with Scalix 10)
Line 44: Line 44:
 
print '{SSHA}' . encode_base64($pass->digest . 'salt' ,'') . "\n";
 
print '{SSHA}' . encode_base64($pass->digest . 'salt' ,'') . "\n";
  
 +
</pre>
 +
 +
OK, so once this basic configuration is done, we can start the OpenLDAP server using
 +
 +
<pre>
 +
rcldap start
 +
 +
or
 +
 +
service ldap start
 
</pre>
 
</pre>
  

Revision as of 23:43, 2 October 2006

OpenLDAP 2.2 integration with Scalix 10

The following how-to shows how to integrate Scalix and OpenLDAP 2.2 on Suse 10 for password management.

Say you have a central directory based on OpenLDAP and you want to benefit from centralized password management. With Release 10 of Scalix we have introduced pam_ldap support, which means your users can not only use their OpenLDAP password for authentication, they can also _change_ their passwords.

First, make sure you have OpenLDAP installed. Double make sure you also have pam_ldap installed - they are separate downloads. Once you have installed OpenLDAP, let's go ahead and configure a basic server:

Open /etc/openldap/slapd.conf and make sure 


include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/inetorgperson.schema

are included.

Next, change the suffix for your local install: 

suffix          "dc=scalix,dc=com"
rootdn          "cn=Manager,dc=scalix,dc=com"
rootpw  {SSHA}W6c7QR3NJQteNRuvuWhLsbfoFXXM08Kh
index   objectClass,uid,uidNumber,gidNumber,memberUid   eq
index   cn,mail,surname,givenname                       eq,subinitial

How do you generate the SHA password? Easy: Use this perl script: 

#!/usr/bin/perl
use Digest::SHA1;
use MIME::Base64;
if ($ARGV[0] eq "") {
printf STDERR "usage: ssha.pl PASSWORD\n";
exit 1;
}
$pass = Digest::SHA1->new;
$pass->add($ARGV[0]);
$pass->add('salt');
print '{SSHA}' . encode_base64($pass->digest . 'salt' ,'') . "\n";

OK, so once this basic configuration is done, we can start the OpenLDAP server using 

rcldap start

or

service ldap start

Password management with OpenLDAP

OpenLDAP installation

At the end of the How-To, this is what you want to see: 

pdxsrv01:/var/opt/scalix/sys/pam.d # sxpamauth -vvv kohl
pam_start_om("pamcheck", "kohl")
pam_authenticate()
Password:
pam_acct_mgmt()

Authenticated
pdxsrv01:/var/opt/scalix/sys/pam.d # sxpampasswd -vvv kohl
pam_start_om("pamcheck", "kohl")
pam_chauthtok()
AUTHTOK not set
OLDAUTHTOK not set
Enter login(LDAP) password:
AUTHTOK not set
OLDAUTHTOK set
New password:
AUTHTOK not set
OLDAUTHTOK set
Re-enter new password:
AUTHTOK not set
OLDAUTHTOK set
LDAP password information changed for hkohl

Password changed
pdxsrv01:/var/opt/scalix/sys/pam.d #


Common issues with SSL

If your LDAP server is not SSL enabled, you will see entries similar to this one in the log: 

Oct  2 11:00:21 pdxsrv slapd[23666]: conn=55 fd=11 ACCEPT from IP=10.0.0.7:45643 (IP=0.0.0.0:389)
Oct  2 11:00:21 pdxsrv slapd[23666]: conn=55 fd=11 closed

No LDAP communication is happening here. A "good" log looks like this: 

Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 fd=11 ACCEPT from IP=10.0.0.7:40201 (IP=0.0.0.0:389)
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=0 BIND dn="cn=Manager,dc=scalix,dc=com" method=128
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=0 BIND dn="cn=Manager,dc=scalix,dc=com" mech=SIMPLE ssf=0
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=0 RESULT tag=97 err=0 text=
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=1 SRCH base="dc=scalix,dc=com" scope=2 deref=0 filter="(uid=hkohl)"
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 BIND anonymous mech=implicit ssf=0
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 BIND dn="uid=hkohl,ou=people,dc=scalix,dc=com" method=128
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 BIND dn="uid=hkohl,ou=people,dc=scalix,dc=com" mech=SIMPLE ssf=0
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 RESULT tag=97 err=0 text=
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 BIND anonymous mech=implicit ssf=0
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 BIND dn="cn=Manager,dc=scalix,dc=com" method=128
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 BIND dn="cn=Manager,dc=scalix,dc=com" mech=SIMPLE ssf=0
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 RESULT tag=97 err=0 text=
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=4 UNBIND
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 fd=11 closed

Headline text

Retrieved from "https://www.scalix.com/wiki/index.php?title=HowTos/Using_OpenLDAP_for_password_management&oldid=2376"