HowTos/Using OpenLDAP for password management
OpenLDAP 2.2 integration with Scalix 10
The following how-to shows how to integrate Scalix and OpenLDAP 2.2 on Suse 10 for password management.
Say you have a central directory based on OpenLDAP and you want to benefit from centralized password management. With Release 10 of Scalix we have introduced pam_ldap support, which means your users can not only use their OpenLDAP password for authentication, they can also _change_ their passwords.
First, make sure you have OpenLDAP installed. Double make sure you also have pam_ldap installed - they are separate downloads. Once you have installed OpenLDAP, let's go ahead and configure a basic server:
Open /etc/openldap/slapd.conf and make sure
<pre>
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
</pre>
are included.
Next, change the suffix for your local install:
<pre>
suffix "dc=scalix,dc=com"
rootdn "cn=Manager,dc=scalix,dc=com"
rootpw {SSHA}W6c7QR3NJQteNRuvuWhLsbfoFXXM08Kh
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
</pre>
How do you generate the SSHA password hash for rootpw? The easiest way is slappasswd, which ships with OpenLDAP: run slappasswd -h '{SSHA}', it prompts for the password and prints the hash with a random salt. If you prefer a script, this Perl does the same. Note that a password given on the command line ends up in your shell history and in ps output, so use slappasswd on a shared machine:
<pre>
#!/usr/bin/perl
# ssha.pl - print an OpenLDAP {SSHA} hash: base64( SHA-1(password . salt) . salt )
use strict;
use warnings;
use Digest::SHA qw(sha1);   # core module; Digest::SHA1 provides the same sha1()
use MIME::Base64;

if (!defined $ARGV[0] || $ARGV[0] eq "") {
    print STDERR "usage: ssha.pl PASSWORD\n";
    exit 1;
}

# Draw a random 4-byte salt. A fixed, well-known salt gives identical hashes
# for identical passwords and defeats the point of a salted scheme.
my $salt;
open(my $rnd, '<', '/dev/urandom') or die "cannot open /dev/urandom: $!";
read($rnd, $salt, 4) == 4 or die "short read from /dev/urandom";
close $rnd;

print '{SSHA}' . encode_base64(sha1($ARGV[0] . $salt) . $salt, '') . "\n";
</pre>
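To check a hash before it goes into slapd.conf (or to understand what the script above produces), here is an added Python example that generates and verifies {SSHA} values. It is not code from the HowTo or from Scalix/OpenLDAP; the only page value it uses is the rootpw string from the slapd.conf excerpt, whose cleartext password is not on the page, so it is only split into digest and salt, never verified. The test password "example-only" is constructed.

```python
"""Added example (not part of the Scalix HowTo): generate and verify OpenLDAP
{SSHA} values.  Layout: "{SSHA}" + base64( SHA-1(password || salt) || salt ),
so everything after the first 20 decoded bytes is the salt.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SSHA_TAG = "{SSHA}"
SHA1_LEN = 20          # SHA-1 digest length in bytes; the rest of the blob is salt


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} string. A fresh 4-byte random salt is drawn unless one is given."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_TAG + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored: str) -> Optional[Tuple[bytes, bytes]]:
    """Split a stored {SSHA} value into (digest, salt); None if it is not well formed."""
    if stored[:len(SSHA_TAG)].upper() != SSHA_TAG:      # scheme tag is case-insensitive
        return None
    try:
        raw = base64.b64decode(stored[len(SSHA_TAG):], validate=True)
    except ValueError:                                  # binascii.Error is a ValueError
        return None
    if len(raw) <= SHA1_LEN:                            # need the digest plus at least one salt byte
        return None
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_verify(password: str, stored: str) -> bool:
    """True if password matches the stored {SSHA} value (constant-time digest compare)."""
    parts = ssha_split(stored)
    if parts is None:
        return False
    digest, salt = parts
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


# The rootpw value from the slapd.conf excerpt in this HowTo: 24 bytes once decoded,
# i.e. a 20-byte digest followed by a 4-byte salt. The password itself is not on the page.
HOWTO_ROOTPW = "{SSHA}W6c7QR3NJQteNRuvuWhLsbfoFXXM08Kh"

if __name__ == "__main__":
    h = ssha_hash("example-only")      # constructed password, not one from the HowTo
    print(h, ssha_verify("example-only", h), ssha_verify("wrong", h))
    print("salt bytes in HowTo rootpw:", len(ssha_split(HOWTO_ROOTPW)[1]))
```

ssha_verify accepts a lower-case {ssha} tag because OpenLDAP treats the scheme name case-insensitively, and it rejects blobs that are too short to hold a digest plus salt rather than comparing garbage.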
OK, so once this basic configuration is done, we can start the OpenLDAP server using
rcldap start or service ldap start
Password management with OpenLDAP
Here are the Scalix files that you will need to change:
<pre>
/var/opt/scalix/sys/om_ldap.conf
/var/opt/scalix/sys/pam.d/ual.remote
/var/opt/scalix/sys/pam.d/pamcheck
</pre>
/var/opt/scalix/sys/om_ldap.conf contains the OpenLDAP configuration data, e.g.:
<pre>
host=pdxsrv.scalix.com
search=subtree
base=ou=people,dc=scalix,dc=com
filter=uid=%s
tls=off
</pre>
The "tls=off" line is important: it is what stops the Scalix PAM/LDAP client from trying TLS against a server that is not SSL enabled, in which case the connection is dropped before a single LDAP operation is sent (see "Common issues with SSL" below). The trade-off is that with tls=off every simple bind, including the user's password, crosses the network in the clear (the "ssf=0" in the slapd log confirms it), so keep the LDAP traffic on a trusted network, or enable TLS on slapd and turn it back on.
Next, cd to /var/opt/scalix/sys/pam.d and edit pamcheck:
<pre>
auth     required om_debug
account  required om_debug
session  required om_debug
password required om_debug
auth     required om_om2authid
auth     required /lib/security/pam_ldap.so
account  required /lib/security/pam_ldap.so
password required om_om2authid
password required /lib/security/pam_ldap.so
session  required /lib/security/pam_ldap.so
</pre>
This configuration lets you use both Scalix password authentication and LDAP password authentication. The om_debug lines add error logging that is helpful when tracking down configuration mistakes.
pamcheck is used in conjunction with a great debugging tool that is also new in Scalix 10: sxpamauth.
<pre>
pdxsrv01:/var/opt/scalix/sys/pam.d # sxpamauth -vvv kohl
pam_start_om("pamcheck", "kohl")
pam_authenticate()
Password:
pam_acct_mgmt()
Authenticated
pdxsrv01:/var/opt/scalix/sys/pam.d #
</pre>
For MAPI and IMAP users, copy pamcheck over ual.remote and make sure both files contain the same configuration:
<pre>
auth     required om_debug
account  required om_debug
session  required om_debug
password required om_debug
auth     required om_om2authid
auth     required /lib/security/pam_ldap.so
account  required /lib/security/pam_ldap.so
password required om_om2authid
password required /lib/security/pam_ldap.so
session  required /lib/security/pam_ldap.so
</pre>
sxpampasswd
The companion to sxpamauth is sxpampasswd. This utility lets you change a user's password through LDAP, e.g.:
<pre>
pdxsrv01:/var/opt/scalix/sys/pam.d # sxpampasswd -vvv kohl
pam_start_om("pamcheck", "kohl")
pam_chauthtok()
AUTHTOK not set
OLDAUTHTOK not set
Enter login(LDAP) password:
AUTHTOK not set
OLDAUTHTOK set
New password:
AUTHTOK not set
OLDAUTHTOK set
Re-enter new password:
AUTHTOK not set
OLDAUTHTOK set
LDAP password information changed for hkohl
Password changed
pdxsrv01:/var/opt/scalix/sys/pam.d #
</pre>
At the end of the How-To, this is what you want to see:
<pre>
pdxsrv01:/var/opt/scalix/sys/pam.d # sxpamauth -vvv kohl
pam_start_om("pamcheck", "kohl")
pam_authenticate()
Password:
pam_acct_mgmt()
Authenticated
</pre>
Common issues with SSL
If your LDAP server is not SSL enabled (and the client has not been told tls=off in om_ldap.conf), you will see entries similar to this one in the log:
<pre>
Oct 2 11:00:21 pdxsrv slapd[23666]: conn=55 fd=11 ACCEPT from IP=10.0.0.7:45643 (IP=0.0.0.0:389)
Oct 2 11:00:21 pdxsrv slapd[23666]: conn=55 fd=11 closed
</pre>
The client connects and disconnects without issuing a single operation (no BIND, no SRCH), so no LDAP communication is happening here. A "good" log looks like this:
<pre>
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 fd=11 ACCEPT from IP=10.0.0.7:40201 (IP=0.0.0.0:389)
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=0 BIND dn="cn=Manager,dc=scalix,dc=com" method=128
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=0 BIND dn="cn=Manager,dc=scalix,dc=com" mech=SIMPLE ssf=0
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=0 RESULT tag=97 err=0 text=
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=1 SRCH base="dc=scalix,dc=com" scope=2 deref=0 filter="(uid=hkohl)"
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 BIND anonymous mech=implicit ssf=0
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 BIND dn="uid=hkohl,ou=people,dc=scalix,dc=com" method=128
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 BIND dn="uid=hkohl,ou=people,dc=scalix,dc=com" mech=SIMPLE ssf=0
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 RESULT tag=97 err=0 text=
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 BIND anonymous mech=implicit ssf=0
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 BIND dn="cn=Manager,dc=scalix,dc=com" method=128
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 BIND dn="cn=Manager,dc=scalix,dc=com" mech=SIMPLE ssf=0
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 RESULT tag=97 err=0 text=
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=4 UNBIND
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 fd=11 closed
</pre>
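Telling the two log shapes apart by eye works for one connection; on a busy server it does not. The following added Python example (not part of the HowTo, nor Scalix or OpenLDAP code) groups slapd "stats" log lines (loglevel 256) per connection and flags the two things this section is about: a connection that is accepted and closed without any operation, which is the not-SSL-enabled symptom shown above, and SIMPLE binds at ssf=0, which is what tls=off costs you (the password crosses the wire in the clear). The sample lines are copied from the two log excerpts on this page; the finding codes NO_OPS and CLEARTEXT_BIND are names chosen here.

```python
"""Added example (not part of the Scalix HowTo): triage slapd connection logs.

Groups the per-connection lines slapd writes at loglevel 256 ("stats") and
flags (a) connections ACCEPTed and closed without a single operation, the
symptom of a client expecting TLS/SSL from a server that has none, and
(b) SIMPLE binds with ssf=0, i.e. a password sent in cleartext.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

LINE_RE   = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
ACCEPT_RE = re.compile(r"fd=\d+ ACCEPT from IP=(?P<ip>[^:\s]+):\d+ \(IP=[^:]+:(?P<lport>\d+)\)")
OP_RE     = re.compile(r"^op=(?P<op>\d+) ")
# Only the second BIND line of each bind carries mech= and ssf=; the method=128 line
# and the "BIND anonymous mech=implicit" rebind line are deliberately not matched.
BIND_RE   = re.compile(r'^op=\d+ BIND dn="(?P<dn>[^"]*)" mech=(?P<mech>\S+) ssf=(?P<ssf>\d+)')


@dataclass
class Conn:
    peer: str = ""                 # client IP from the ACCEPT line
    listener_port: int = 0         # port slapd accepted on (389 plain, 636 ldaps)
    ops: Set[int] = field(default_factory=set)
    binds: List[Tuple[str, str, int]] = field(default_factory=list)   # (dn, mech, ssf)
    closed: bool = False


def parse_slapd_log(lines) -> Dict[int, Conn]:
    """Group stats lines by conn= number; lines without conn= are ignored."""
    conns: Dict[int, Conn] = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        c = conns.setdefault(int(m["conn"]), Conn())
        rest = m["rest"]
        a = ACCEPT_RE.match(rest)
        if a:
            c.peer, c.listener_port = a["ip"], int(a["lport"])
            continue
        if rest.endswith(" closed"):
            c.closed = True
            continue
        o = OP_RE.match(rest)
        if o:
            c.ops.add(int(o["op"]))
        b = BIND_RE.match(rest)
        if b:
            c.binds.append((b["dn"], b["mech"], int(b["ssf"])))
    return conns


def findings(conns: Dict[int, Conn]) -> List[Tuple[int, str, str]]:
    """Return (conn, code, message) for every suspicious connection."""
    out: List[Tuple[int, str, str]] = []
    for cid, c in sorted(conns.items()):
        if c.closed and not c.ops:
            out.append((cid, "NO_OPS",
                        f"{c.peer} connected to port {c.listener_port} and closed without any "
                        "operation: client probably expected TLS/SSL (tls=off or enable TLS on slapd)"))
        for dn, mech, ssf in c.binds:
            if dn and mech == "SIMPLE" and ssf == 0:   # anonymous (empty dn) binds carry no secret
                out.append((cid, "CLEARTEXT_BIND",
                            f"simple bind as {dn} with ssf=0: password crossed the network unencrypted"))
    return out


# Sample input: the two slapd excerpts from this HowTo, conn=55 (bad) and conn=59 (good).
SAMPLE_LOG = """\
Oct 2 11:00:21 pdxsrv slapd[23666]: conn=55 fd=11 ACCEPT from IP=10.0.0.7:45643 (IP=0.0.0.0:389)
Oct 2 11:00:21 pdxsrv slapd[23666]: conn=55 fd=11 closed
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 fd=11 ACCEPT from IP=10.0.0.7:40201 (IP=0.0.0.0:389)
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=0 BIND dn="cn=Manager,dc=scalix,dc=com" method=128
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=0 BIND dn="cn=Manager,dc=scalix,dc=com" mech=SIMPLE ssf=0
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=0 RESULT tag=97 err=0 text=
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=1 SRCH base="dc=scalix,dc=com" scope=2 deref=0 filter="(uid=hkohl)"
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 BIND anonymous mech=implicit ssf=0
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 BIND dn="uid=hkohl,ou=people,dc=scalix,dc=com" method=128
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 BIND dn="uid=hkohl,ou=people,dc=scalix,dc=com" mech=SIMPLE ssf=0
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=2 RESULT tag=97 err=0 text=
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 BIND anonymous mech=implicit ssf=0
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 BIND dn="cn=Manager,dc=scalix,dc=com" method=128
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 BIND dn="cn=Manager,dc=scalix,dc=com" mech=SIMPLE ssf=0
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=3 RESULT tag=97 err=0 text=
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 op=4 UNBIND
Oct 2 11:04:09 pdxsrv slapd[23666]: conn=59 fd=11 closed
""".splitlines()

if __name__ == "__main__":
    for cid, code, msg in findings(parse_slapd_log(SAMPLE_LOG)):
        print(f"conn={cid} {code}: {msg}")
```

Run it against /var/log/messages (or wherever syslog puts local4) instead of SAMPLE_LOG: a burst of NO_OPS from the Scalix host means the TLS setting on the two sides disagrees, while CLEARTEXT_BIND entries for user DNs are the concrete evidence that tls=off is exposing passwords and that slapd should get a certificate.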