Difference between revisions of "HowTos/Using OpenLDAP for password management"

From Scalix Wiki
Revision as of 23:50, 2 October 2006

== OpenLDAP 2.2 integration with Scalix 10 ==

The following how-to shows how to integrate Scalix and OpenLDAP 2.2 on Suse 10 for password management.

Say you have a central directory based on OpenLDAP and you want to benefit from centralized password management. With Release 10 of Scalix we have introduced pam_ldap support, which means your users can not only use their OpenLDAP password for authentication, they can also ''change'' their passwords.

First, make sure you have OpenLDAP installed. Make doubly sure you also have pam_ldap installed; it is a separate download. Once you have installed OpenLDAP, let's go ahead and configure a basic server:

Open /etc/openldap/slapd.conf and make sure

<pre>
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/inetorgperson.schema
</pre>

are included.

Next, change the suffix, rootdn and rootpw for your local install:

<pre>
suffix          "dc=scalix,dc=com"
rootdn          "cn=Manager,dc=scalix,dc=com"
rootpw  {SSHA}W6c7QR3NJQteNRuvuWhLsbfoFXXM08Kh
index   objectClass,uid,uidNumber,gidNumber,memberUid   eq
index   cn,mail,surname,givenname                       eq,subinitial
</pre>

How do you generate the {SSHA} password hash for rootpw? Easy: use this Perl script:

<pre>
#!/usr/bin/perl
# ssha.pl: print an OpenLDAP {SSHA} hash of the password given on the command line
use strict;
use warnings;
use Digest::SHA1;
use MIME::Base64;

if (!defined $ARGV[0] || $ARGV[0] eq "") {
    printf STDERR "usage: ssha.pl PASSWORD\n";
    exit 1;
}

# SSHA = base64( SHA1(password . salt) . salt ). slapd reads the salt back out
# of the stored value when it checks a bind, so a fresh random salt per hash
# is used here instead of a fixed string.
my $salt = pack('C4', map { int rand 256 } 1 .. 4);
my $pass = Digest::SHA1->new;
$pass->add($ARGV[0]);
$pass->add($salt);
print '{SSHA}' . encode_base64($pass->digest . $salt, '') . "\n";
</pre>
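
As an added example (not part of the original page), the same {SSHA} construction in Python, together with a verifier that recomputes the digest from the salt stored inside the value, which is how slapd checks a bind against rootpw or a userPassword attribute. With the fixed salt "salt" it produces the same value as the Perl script above.

```python
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA}"
SALT_LEN = 4          # 4 bytes, like the "salt" string in the Perl script; any length works
SHA1_LEN = 20         # SHA-1 digest is always 20 bytes, the rest of the blob is the salt


def make_ssha(password, salt=None):
    """Build a {SSHA} value the way slapd expects: base64(SHA1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)   # fresh random salt unless the caller supplies one
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha(value):
    """Split a {SSHA} value into (digest, salt); raise ValueError if it is malformed."""
    if not value.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len(PREFIX):], validate=True)
    if len(raw) < SHA1_LEN:
        raise ValueError("too short to hold a SHA-1 digest")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def check_ssha(password, value):
    """Verify a password against a stored {SSHA} value using the salt embedded in it."""
    digest, salt = parse_ssha(value)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time comparison so the check does not leak how many bytes matched
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    import sys
    print(make_ssha(sys.argv[1]) if len(sys.argv) > 1 else "usage: ssha.py PASSWORD")
```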

OK, so once this basic configuration is done, we can start the OpenLDAP server using

<pre>
rcldap start
</pre>

or

<pre>
service ldap start
</pre>

== Password management with OpenLDAP ==

Here are the Scalix files that you will need to change:

/var/opt/scalix/sys/om_ldap.conf

This file will have the OpenLDAP configuration data, e.g.:

<pre>
host=pdxsrv.scalix.com
search=subtree
base=ou=people,dc=scalix,dc=com
filter=uid=%s
tls=off
</pre>

The "tls=off" is pretty important, we'll get to that later.

Next, cd to /var/opt/scalix/sys/pam.d and change at least these two files:

<pre>
-r--r--r-- 1 root scalix 336 2006-10-02 11:15 ual.remote
</pre>

and

<pre>
-rw-r--r-- 1 root root 234 2006-10-02 10:50 pamcheck
</pre>

pamcheck is used in conjunction with a great debugging tool that is also new in Scalix 10: sxpamauth.


== sxpamauth ==

sxpamauth is a debugging tool that will give you a sure-fire way to test your local setup. We'll use it in a minute.

The companion to sxpamauth is sxpampasswd. This nifty utility will allow you to change a user's password through LDAP, e.g.:

<pre>
pdxsrv01:/var/opt/scalix/sys/pam.d # sxpampasswd -vvv kohl
pam_start_om("pamcheck", "kohl")
pam_chauthtok()
AUTHTOK not set
OLDAUTHTOK not set
Enter login(LDAP) password:
AUTHTOK not set
OLDAUTHTOK set
New password:
AUTHTOK not set
OLDAUTHTOK set
Re-enter new password:
AUTHTOK not set
OLDAUTHTOK set
LDAP password information changed for hkohl

Password changed
pdxsrv01:/var/opt/scalix/sys/pam.d #
</pre>


At the end of the How-To, this is what you want to see:

<pre>
pdxsrv01:/var/opt/scalix/sys/pam.d # sxpamauth -vvv kohl
pam_start_om("pamcheck", "kohl")
pam_authenticate()
Password:
pam_acct_mgmt()

Authenticated
</pre>

== Common issues with SSL ==

If your LDAP server is not SSL enabled (this is why the tls=off setting above matters), you will see entries similar to these in the log: the connection is accepted and closed again without a single operation in between.

<pre>
Oct  2 11:00:21 pdxsrv slapd[23666]: conn=55 fd=11 ACCEPT from IP=10.0.0.7:45643 (IP=0.0.0.0:389)
Oct  2 11:00:21 pdxsrv slapd[23666]: conn=55 fd=11 closed
</pre>
No LDAP communication is happening here. A "good" log looks like this:

Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 fd=11 ACCEPT from IP=10.0.0.7:40201 (IP=0.0.0.0:389)
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=0 BIND dn="cn=Manager,dc=scalix,dc=com" method=128
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=0 BIND dn="cn=Manager,dc=scalix,dc=com" mech=SIMPLE ssf=0
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=0 RESULT tag=97 err=0 text=
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=1 SRCH base="dc=scalix,dc=com" scope=2 deref=0 filter="(uid=hkohl)"
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 BIND anonymous mech=implicit ssf=0
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 BIND dn="uid=hkohl,ou=people,dc=scalix,dc=com" method=128
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 BIND dn="uid=hkohl,ou=people,dc=scalix,dc=com" mech=SIMPLE ssf=0
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 RESULT tag=97 err=0 text=
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 BIND anonymous mech=implicit ssf=0
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 BIND dn="cn=Manager,dc=scalix,dc=com" method=128
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 BIND dn="cn=Manager,dc=scalix,dc=com" mech=SIMPLE ssf=0
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 RESULT tag=97 err=0 text=
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=4 UNBIND
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 fd=11 closed

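As an added example (not from the page), a small Python checker for slapd logs in the format above: it groups lines by conn=, flags connections that were accepted and closed without any op (the symptom just shown) and lists BINDs that returned a non-zero error. The log lines are constructed, including a user bind failing with err=49 (invalidCredentials) that is not on the page.

```python
import re

# Constructed sample in the slapd log format shown above (not a real capture):
# conn=55 opens and closes with no op, conn=59 runs the Manager bind / search /
# user bind cycle, with the user bind rejected (err=49).
SAMPLE_LOG = """\
Oct  2 11:00:21 pdxsrv slapd[23666]: conn=55 fd=11 ACCEPT from IP=10.0.0.7:45643 (IP=0.0.0.0:389)
Oct  2 11:00:21 pdxsrv slapd[23666]: conn=55 fd=11 closed
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 fd=11 ACCEPT from IP=10.0.0.7:40201 (IP=0.0.0.0:389)
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=0 BIND dn="cn=Manager,dc=scalix,dc=com" method=128
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=0 RESULT tag=97 err=0 text=
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=1 SRCH base="dc=scalix,dc=com" scope=2 deref=0 filter="(uid=hkohl)"
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 BIND dn="uid=hkohl,ou=people,dc=scalix,dc=com" method=128
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 RESULT tag=97 err=49 text=
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 UNBIND
Oct  2 11:04:09 pdxsrv slapd[23666]: conn=59 fd=11 closed
"""

LINE_RE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
ACCEPT_RE = re.compile(r"ACCEPT from IP=(?P<ip>[\d.]+):\d+")
BIND_RE = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=')
RESULT_RE = re.compile(r"op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)")


def analyse(log_text):
    """Group slapd log lines by connection: peer IP, op tokens seen, bind DNs with their result."""
    conns = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        c = conns.setdefault(m["conn"], {"ip": None, "ops": set(), "binds": {}, "closed": False})
        rest = m["rest"]
        if (a := ACCEPT_RE.search(rest)):
            c["ip"] = a["ip"]
        if rest.startswith("op="):
            c["ops"].add(rest.split()[0])          # the "op=N" token
        if (b := BIND_RE.search(rest)):
            c["binds"][b["op"]] = [b["dn"], None]  # err is filled in by the RESULT line
        if (r := RESULT_RE.search(rest)) and r["op"] in c["binds"]:
            c["binds"][r["op"]][1] = int(r["err"])
        if rest.endswith(" closed"):
            c["closed"] = True
    return conns


def empty_connections(conns):
    """Connections accepted and closed with no LDAP op at all: the symptom shown above."""
    return sorted(cid for cid, c in conns.items() if c["closed"] and not c["ops"])


def failed_binds(conns):
    """(conn, dn, err) for every BIND whose RESULT carried a non-zero error code."""
    return [(cid, dn, err) for cid, c in conns.items()
            for dn, err in c["binds"].values() if err not in (0, None)]
```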