
Tutorial on how to integrate Solaris 10 boxes into Apple OpenDirectory authentication infrastructure

Edit /etc/nsswitch.ldap

hosts: dns NOTFOUND=return ldap files
ipnodes: dns NOTFOUND=return ldap files

Start the DNS client service if it is not already running

svcadm enable svc:/network/dns/client:default

test# ping borg.loopback.org
borg.loopback.org is alive

Create the Kerberos host principal and keytab on the OD controller

borg:~ akira$ sudo kadmin.local
Password:
Authenticating as principal root/admin@BORG.LOOPBACK.ORG with password.

kadmin.local: addprinc -randkey host/test.loopback.org@BORG.LOOPBACK.ORG
WARNING: no policy specified for host/test.loopback.org@BORG.LOOPBACK.ORG; defaulting to no policy
Principal "host/test.loopback.org@BORG.LOOPBACK.ORG" created.

kadmin.local: ktadd -k /tmp/host.test.keytab host/test.loopback.org@BORG.LOOPBACK.ORG

Entry for principal host/test.loopback.org@BORG.LOOPBACK.ORG with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/tmp/host.test.keytab.
Entry for principal host/test.loopback.org@BORG.LOOPBACK.ORG with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/tmp/host.test.keytab.
Entry for principal host/test.loopback.org@BORG.LOOPBACK.ORG with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/tmp/host.test.keytab.

Copy keytab file to target host

borg# scp /tmp/host.test.keytab root@test:

Install Kerberos Conf and Keytab

borg# scp /Library/Preferences/edu.mit.Kerberos test:

test# mv edu.mit.Kerberos /etc/krb5/krb5.conf

test# mv host.test.keytab /etc/krb5/krb5.keytab
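Once the keytab is in place on the target host it is worth checking two things: that it really contains the host principal created above (principal name and realm must match exactly, or GSSAPI binds will fail), and which encryption types it carries. The ktadd output above shows that single DES (des-cbc-crc) and ArcFour were written alongside Triple DES; both are deprecated today (DES by RFC 6649, RC4 by RFC 8429). The following script is an added example, not part of the original tutorial; it assumes the listing format of MIT-style `klist -k -e` and uses a constructed sample that mirrors the three entries written above.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit the keytab installed
# as /etc/krb5/krb5.keytab. Assumes the listing format of MIT-style
# `klist -k -e`; the sample below is constructed to mirror the three entries
# the ktadd step above wrote for host/test.loopback.org.

SAMPLE_KLIST='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/test.loopback.org@BORG.LOOPBACK.ORG (des3-cbc-sha1)
   3 host/test.loopback.org@BORG.LOOPBACK.ORG (arcfour-hmac)
   3 host/test.loopback.org@BORG.LOOPBACK.ORG (des-cbc-crc)'

# keytab_has_principal LISTING PRINCIPAL: succeed if the listing holds at
# least one key for PRINCIPAL (exact match, realm included)
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { found = 1 } END { exit !found }'
}

# keytab_weak_enctypes LISTING: print every deprecated enctype found, one per
# line. Single DES (RFC 6649) and RC4/arcfour (RFC 8429) are flagged.
keytab_weak_enctypes() {
    printf '%s\n' "$1" | awk '
        /^ *[0-9]+ / {
            et = $3; gsub(/[()]/, "", et)
            if (et ~ /^(des-cbc-(crc|md4|md5)|arcfour-hmac(-exp)?)$/) print et
        }'
}

# keytab_audit LISTING PRINCIPAL: report on both checks; succeed only when
# the principal is present and no deprecated enctype is in the keytab
keytab_audit() {
    rc=0
    if keytab_has_principal "$1" "$2"; then
        echo "ok: $2 present"
    else
        echo "MISSING: $2"
        rc=1
    fi
    weak=$(keytab_weak_enctypes "$1")
    if [ -n "$weak" ]; then
        echo "WEAK enctypes in keytab:"
        echo "$weak"
        rc=1
    fi
    return $rc
}

# Demonstration run on the constructed sample. On the target host use:
#   keytab_audit "$(klist -k -e /etc/krb5/krb5.keytab)" host/test.loopback.org@BORG.LOOPBACK.ORG
keytab_audit "$SAMPLE_KLIST" host/test.loopback.org@BORG.LOOPBACK.ORG || echo "audit: action needed"
```

On the sample the principal is found but arcfour-hmac and des-cbc-crc are reported, so the audit exits non-zero; restricting the enctypes kadmin writes (for example to the Triple DES entry only, which is what the rest of this tutorial needs) makes it pass.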

Run ldapclient

test# ldapclient manual -a credentialLevel=proxy -a authenticationMethod=simple -a domainName=loopback.org -a serviceSearchDescriptor=passwd:cn=users,dc=loopback,dc=org -a serviceSearchDescriptor=group:cn=groups,dc=loopback,dc=org -a defaultSearchBase=dc=loopback,dc=org -a searchTimeLimit=60 -a proxyDN=uid=proxyagent,cn=users,dc=loopback,dc=org -a proxyPassword=XXX borg.loopback.org
System successfully configured

Run tests

test# ldapsearch -h borg.loopback.org -b "cn=users,dc=loopback,dc=org" -o mech=gssapi -o authzid='' cn="Jan Schreiber" uidNumber
version: 1
dn: uid=jans,cn=users,dc=loopback,dc=org
uidNumber: 1234

test# listusers
akira
...

Adjust home directory mountpoint

  1. mkdir /Network
  2. ln -s /net /Network/Servers

test# svcadm -v enable svc:/system/filesystem/autofs:default

svc:/system/filesystem/autofs:default enabled.

zion# svcs | grep auto

online 6:21:59 svc:/system/filesystem/autofs:default

Log in with ssh key

Adjust /etc/pam.conf for LDAP login

login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1

other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1

passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1

other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1

other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
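The ordering in the auth stacks above is what makes directory logins work: pam_unix_auth.so.1 is `binding`, so a failure there ends the stack before pam_ldap.so.1 runs, and the `server_policy` option is what makes pam_unix_auth step aside (PAM_IGNORE) for accounts whose password is not held locally, so that the following `required` pam_ldap.so.1 line gets to check the directory. Leaving out `server_policy`, dropping the pam_ldap line, or putting it before pam_unix_auth each breaks LDAP logins silently. The script below is an added example, not part of the original tutorial; it checks every auth stack in a pam.conf for that ordering and runs against a constructed sample made of the stacks above plus a deliberately broken "sshd" stack.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: check that every auth
# stack in a pam.conf uses the pam_unix_auth/pam_ldap ordering shown above.
# Constructed sample: the page's login, other and passwd auth stacks, plus an
# "sshd" stack that is deliberately missing server_policy.

SAMPLE_PAM='# constructed pam.conf excerpt
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
sshd auth requisite pam_authtok_get.so.1
sshd auth binding pam_unix_auth.so.1
sshd auth required pam_ldap.so.1
other account requisite pam_roles.so.1'

# pam_auth_check CONF: print "<service>: <verdict>" for every service that has
# an auth stack; succeed only if all of them are correctly ordered.
# pam_passwd_auth.so.1 is treated like pam_unix_auth.so.1 (passwd service).
pam_auth_check() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^#/ || NF < 4 { next }
        $2 == "auth" {
            svc = $1; seen[svc] = 1
            if ($4 == "pam_unix_auth.so.1" || $4 == "pam_passwd_auth.so.1") {
                unix_pos[svc] = NR
                for (i = 5; i <= NF; i++) if ($i == "server_policy") unix_sp[svc] = 1
            }
            if ($4 == "pam_ldap.so.1") { ldap_pos[svc] = NR; ldap_flag[svc] = $3 }
        }
        END {
            bad = 0
            for (svc in seen) {
                msg = "ok"
                if (!(svc in unix_pos)) { msg = "no pam_unix_auth/pam_passwd_auth line" }
                else if (!(svc in unix_sp)) { msg = "pam_unix_auth lacks server_policy" }
                else if (!(svc in ldap_pos)) { msg = "pam_ldap missing from the auth stack" }
                else if (ldap_pos[svc] < unix_pos[svc]) { msg = "pam_ldap listed before pam_unix_auth" }
                else if (ldap_flag[svc] != "required") { msg = "pam_ldap control flag should be required, is " ldap_flag[svc] }
                if (msg != "ok") bad = 1
                print svc ": " msg
            }
            exit bad
        }'
}

# Stand-alone run on the constructed sample; on a real host use
#   pam_auth_check "$(cat /etc/pam.conf)"
pam_auth_check "$SAMPLE_PAM" || echo "pam.conf: action needed"
```

The login, other and passwd services are reported ok; the sshd stack is flagged for the missing `server_policy`, which is exactly the case where a directory user's correct password is rejected locally and pam_ldap is never asked.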

Test with "login"

References

http://discussions.apple.com/thread.jspa?threadID=382600

Appendix

Addendum: Make sure the clocks on all systems are synchronized; Kerberos rejects requests from hosts whose clocks drift beyond the permitted skew.

Configuration in LDAP without Kerberos

ldapclient manual -a credentialLevel=proxy -a authenticationMethod=none -a domainName=loopback.org -a serviceSearchDescriptor=passwd:cn=users,dc=loopback,dc=org -a serviceSearchDescriptor=group:cn=groups,dc=loopback,dc=org -a defaultSearchBase=dc=loopback,dc=org -a searchTimeLimit=60 borg.loopback.org

Configuration without proxy

test# ldapclient manual -a credentialLevel=self -a authenticationMethod=sasl/gssapi -a domainName=loopback.org -a serviceSearchDescriptor=passwd:cn=users,dc=loopback,dc=org -a serviceSearchDescriptor=group:cn=groups,dc=loopback,dc=org -a defaultSearchBase=dc=loopback,dc=org -a searchTimeLimit=60 borg.loopback.org
System successfully configured

With this, directory information is visible ("getent passwd"), but login does not work (except with ssh/key).
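The three ldapclient invocations on this page differ only in how the client binds to the directory, and that choice decides what goes over the wire: `authenticationMethod=simple` sends the proxy bind password in cleartext (the `tls:simple` method protects it), `none` is an anonymous bind that only works if the directory allows anonymous reads, and `sasl/gssapi` authenticates with the host keytab set up earlier. A proxy password given on the command line also lands in the shell history and in process listings while ldapclient runs. The following script is an added example, not part of the original tutorial or of Solaris; it classifies an ldapclient argument list before it is run, looking only at the attributes used on this page, and exercises the three variants shown here.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: classify the bind
# security of an ldapclient(1M) argument list before running it. Only the -a
# key=value attributes used on this page (credentialLevel,
# authenticationMethod, proxyPassword) are inspected.

# ldapclient_audit ARGS...: print one finding per line; succeed only if no
# WARN finding was raised
ldapclient_audit() {
    method=""; level=""; has_pw=0; warn=0
    while [ $# -gt 0 ]; do
        if [ "$1" = "-a" ] && [ $# -gt 1 ]; then
            shift
            case "$1" in
                authenticationMethod=*) method=${1#*=} ;;
                credentialLevel=*)      level=${1#*=} ;;
                proxyPassword=*)        has_pw=1 ;;
            esac
        fi
        shift
    done
    # normalise case: Solaris accepts sasl/GSSAPI and sasl/gssapi alike
    method=$(printf '%s' "$method" | tr 'A-Z' 'a-z')
    case "$method" in
        simple)
            echo "WARN: authenticationMethod=simple sends the proxy bind password in cleartext; use tls:simple"
            warn=1 ;;
        none)
            echo "INFO: anonymous bind; the directory must allow anonymous reads of the passwd/group containers" ;;
        tls:*)
            echo "ok: TLS-protected bind ($method)" ;;
        sasl/gssapi)
            echo "ok: Kerberos (GSSAPI) bind; needs the host keytab and synchronised clocks" ;;
        *)
            echo "INFO: authenticationMethod=$method not classified" ;;
    esac
    if [ "$has_pw" -eq 1 ]; then
        echo "WARN: proxyPassword on the command line ends up in shell history and process listings"
        warn=1
    fi
    echo "INFO: credentialLevel=${level:-unset}"
    return $warn
}

# Stand-alone run with the three argument sets shown on this page (password
# replaced by the page's XXX placeholder)
ldapclient_audit manual -a credentialLevel=proxy -a authenticationMethod=simple \
    -a proxyDN=uid=proxyagent,cn=users,dc=loopback,dc=org -a proxyPassword=XXX borg.loopback.org || echo "--"
ldapclient_audit manual -a credentialLevel=proxy -a authenticationMethod=none borg.loopback.org || echo "--"
ldapclient_audit manual -a credentialLevel=self -a authenticationMethod=sasl/gssapi borg.loopback.org || echo "--"
```

Only the first variant (the one used in "Run ldapclient" above) raises warnings; the two appendix variants pass, which is consistent with the observation above that sasl/gssapi gives working directory lookups while the login path still depends on the PAM stack.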