here is how I do centralized user authentication through OpenLDAP on Solaris 7/8 and Red Hat 6.2/7.0

ldap server: solaris8

ldap client: solaris7/8, redhat6.2/7.0

server end software: openldap-stable-20020618.tar (www.openldap.org), version 2.0.25

db-4.0.14.tar (www.sleepycat.com)

pam_ldap-152, MigrationTools.tgz (www.padl.com)

client end software: pam_ldap-152 for solaris7/8

 

 PART ONE: <<SLAPD SERVER CONFIGURATION>>

 STEP 1: compile and make db-4.0.14

read docs/ref/build_unix/intro.html under the source root directory

untar the db package

#cd build_unix

#../dist/configure

#make; make install

the default installation path is /usr/local/BerkeleyDB.4.0

 

Note!!!: you should add /usr/local/BerkeleyDB.4.0/lib to LD_LIBRARY_PATH in your system profile and export LD_LIBRARY_PATH

LD_LIBRARY_PATH=/usr/lib:/lib:/usr/local/lib:/usr/local/BerkeleyDB.4.0/lib

export LD_LIBRARY_PATH

 

STEP 2: compile and make openldap, install and start up the slapd server

untar the openldap package, read the INSTALLATION doc

AAAAA:

 

#env CC=gcc  CPPFLAGS=-I/usr/local/BerkeleyDB.4.0/include LDFLAGS=-L/usr/local/BerkeleyDB.4.0/lib ./configure --prefix=/usr/local/openldap

#make depend; make; make test; make install

 

>>>>>>>>>>>>>>>>>>sample of slapd.conf

 

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $

#

# See slapd.conf(5) for details on configuration options.

# This file should NOT be world readable.

#

include         /usr/local/openldap/etc/openldap/schema/core.schema

include         /usr/local/openldap/etc/openldap/schema/cosine.schema

include         /usr/local/openldap/etc/openldap/schema/inetorgperson.schema

include         /usr/local/openldap/etc/openldap/schema/nis.schema

include         /usr/local/openldap/etc/openldap/schema/openldap.schema

 

# Define global ACLs to disable default read access.

 

# Do not enable referrals until AFTER you have a working directory

# service AND an understanding of referrals.

#referral       ldap://root.openldap.org

 

pidfile         /usr/local/openldap/var/slapd.pid

argsfile        /usr/local/openldap/var/slapd.args

loglevel        8

logfile         /usr/local/openldap/var/ldap.log

 

# Load dynamic backend modules:

# modulepath    /usr/local/openldap/libexec/openldap

# moduleload    back_ldap.la

# moduleload    back_ldbm.la

# moduleload    back_passwd.la

# moduleload    back_shell.la

 

#

# Sample Access Control

#       Allow read access of root DSE

#       Allow self write access

#       Allow authenticated users read access

#       Allow anonymous users to authenticate

#

#access to dn="" by * read

#access to *

#       by self write

#       by users read

#       by anonymous auth

# if no access controls are present, the default is:

#       Allow read by all

#

# rootdn can always write!

 

#######################################################################

# ldbm database definitions

#######################################################################

 

database        ldbm

suffix          "dc=sz,dc=domain.com"

#suffix         "o=My Organization Name,c=US"

rootdn          "cn=Manager,dc=sz,dc=domain.com"

#rootdn         "cn=Manager,o=My Organization Name,c=US"

# Cleartext passwords, especially for the rootdn, should

# be avoided.  See slappasswd(8) and slapd.conf(5) for details.

# Use of strong authentication encouraged.

#rootpw         secret

rootpw          {SSHA}bQkdlktPNB61pN4ak6jM3FDPtkM3O0wQ

 

# The database directory MUST exist prior to running slapd AND

# should only be accessible by the slapd/tools. Mode 700 recommended.

directory       /usr/local/openldap/var/openldap-ldbm

# Indices to maintain

index   objectClass     eq

 

>>>>>>>>>>>>>>>end sample of slapd.conf

 

>>>>>>>>>>>>>>>sample of client end /etc/ldap.conf or /usr/local/openldap/etc/openldap/ldap.conf

 

host    ip of slapd server

base    dc=sz,dc=domain.com

>>>>>>>>>>>>>>>end sample of client end ldap.conf

 

 

 

you can generate a hashed rootpw with

#/usr/local/openldap/sbin/slappasswd -s secret > rootpw.tmp

then copy the hashed password into the rootpw line of slapd.conf
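As an added illustration (written for this page; it is not OpenLDAP's code), here is what slappasswd is producing: an {SSHA} value is base64(SHA-1(password + salt) + salt). The Python below generates and verifies such a value, and checks that the active rootpw line in a slapd.conf carries a {SCHEME} hash rather than the cleartext "secret" the sample leaves commented out. It assumes a 4-byte salt, which matches the sample hash above (its 32 base64 characters decode to 20 digest bytes plus 4 salt bytes); the config fragments are constructed from that sample.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an {SSHA} string in the form slappasswd emits:
    base64(SHA-1(password || salt) || salt).  Assumption: a 4-byte random salt."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """Check a password against a stored {SSHA} value: split off the salt that
    follows the 20 digest bytes, recompute, and compare in constant time."""
    if not stored.startswith(SSHA_PREFIX):
        return False
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    if len(raw) <= SHA1_LEN:
        return False                      # no salt present: malformed value
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ssha_salt_len(stored: str) -> int:
    """Number of salt bytes in a stored {SSHA} value (0 if malformed)."""
    if not stored.startswith(SSHA_PREFIX):
        return 0
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    return max(0, len(raw) - SHA1_LEN)


def rootpw_is_hashed(slapd_conf: str) -> bool:
    """True if the active rootpw line carries a {SCHEME} hash rather than a
    cleartext secret; False if it is cleartext or there is no active rootpw."""
    for line in slapd_conf.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                      # skips comments such as '#rootpw secret'
        parts = stripped.split(None, 1)
        if parts[0] == "rootpw" and len(parts) == 2:
            value = parts[1]
            return value.startswith("{") and "}" in value
    return False


# Constructed config fragments: the hashed rootpw from the sample slapd.conf above,
# and the cleartext form that the same sample leaves commented out.
SAMPLE_ROOTPW = "{SSHA}bQkdlktPNB61pN4ak6jM3FDPtkM3O0wQ"
HASHED_CONF = "#rootpw         secret\nrootpw          " + SAMPLE_ROOTPW + "\n"
CLEARTEXT_CONF = "rootpw          secret\n"

if __name__ == "__main__":
    h = ssha_hash("secret")
    print(h, ssha_verify(h, "secret"), ssha_verify(h, "wrong"))
    print("sample salt bytes:", ssha_salt_len(SAMPLE_ROOTPW))
    print(rootpw_is_hashed(HASHED_CONF), rootpw_is_hashed(CLEARTEXT_CONF))
```

Running rootpw_is_hashed over your real slapd.conf is a quick way to confirm that the copy step above was actually done before the file is deployed.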

 

BBBB:

start the slapd server

#/usr/local/openldap/libexec/slapd -f /usr/local/openldap/etc/openldap/slapd.conf

 

 

STEP 3: initialize the ldap database and import data (init.ldif)

>>>>>>>>>sample of init.ldif (careful!!! there must be no trailing whitespace at the end of any line)

 

dn: dc=sz, dc=domain.com

objectclass: top

objectclass: organization

o: domain

 

dn: ou=Group, dc=sz, dc=domain.com

objectclass: top

objectclass: organizationalUnit

ou: Group

 

dn: ou=People, dc=sz, dc=domain.com

objectclass: top

objectclass: organizationalUnit

ou: People

 

>>>>>>>>>>>end sample of init.ldif

 

Import the initial entries

#/usr/local/openldap/bin/ldapadd -x -D "cn=Manager, dc=sz, dc=domain.com" -w secret -f init.ldif

for example, query the People unit:

#/usr/local/openldap/bin/ldapsearch -x -b "ou=people,dc=sz,dc=domain.com"

version: 2

# People, sz, domain.com

dn: ou=People, dc=sz, dc=domain.com

objectClass: top

objectClass: organizationalUnit

ou: People

 

CCCC:

 

untar MigrationTools.tgz into /usr/local/openldap/bin/MigrationTools-40, then set the base DN and mail domain in migrate_common.ph:

# vi migrate_common.ph

$DEFAULT_BASE = "dc=sz,dc=domain.com";

$DEFAULT_MAIL_DOMAIN = "sz.domain.com";

 

 Import groups

#/usr/local/openldap/bin/MigrationTools-40/migrate_group.pl /etc/group >group.ldif

#/usr/local/openldap/bin/ldapadd -f group.ldif -x -D "cn=Manager, dc=sz, dc=domain.com" -w secret

 

 Import passwd.  (Imports shadow automatically when run by root).

#/usr/local/openldap/bin/MigrationTools-40/migrate_passwd.pl /etc/passwd |

                 fgrep -v "shadowExpire: -" |

                 fgrep -v "shadowInactive: -" >passwd.ldif

#/usr/local/openldap/bin/ldapadd -f passwd.ldif -x -D "cn=Manager, dc=sz, dc=domain.com" -w secret
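To show what migrate_passwd.pl is producing, and why the two fgrep -v filters above are there, here is an added Python equivalent for passwd and shadow input (example code written for this page, not PADL's MigrationTools). It uses the same base DN as the sample slapd.conf, emits posixAccount/shadowAccount entries under ou=People, drops the shadow attributes whose fields are blank instead of writing "shadowExpire: -", and strips trailing whitespace so the LDIF meets the caution given for init.ldif. The passwd and shadow lines are constructed sample data with placeholder hashes.

```python
from typing import Dict, List, Optional

BASE_DN = "dc=sz,dc=domain.com"      # the suffix used in the sample slapd.conf

# Constructed sample input (not a real system's files); the hashes are placeholders.
SAMPLE_PASSWD = """\
root:x:0:0:Super-User:/:/sbin/sh
alice:x:1001:10:Alice Example:/export/home/alice:/bin/ksh
"""
SAMPLE_SHADOW = """\
root:PLACEHOLDER_CRYPT_HASH:11800::::::
alice:PLACEHOLDER_CRYPT_HASH:11850:0:99999:7:::
"""

# shadow(4) fields after the password, in order, mapped to shadowAccount attributes
SHADOW_ATTRS = ["shadowLastChange", "shadowMin", "shadowMax", "shadowWarning",
                "shadowInactive", "shadowExpire", "shadowFlag"]


def parse_shadow(text: str) -> Dict[str, List[str]]:
    """Map user name -> [hash, lastchg, min, max, warn, inactive, expire, flag]."""
    table: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        table[fields[0]] = fields[1:]
    return table


def passwd_to_ldif(passwd_text: str, shadow_text: Optional[str] = None,
                   base_dn: str = BASE_DN) -> str:
    """Convert passwd (and optionally shadow) lines into LDIF entries under ou=People."""
    shadow = parse_shadow(shadow_text) if shadow_text else {}
    entries: List[str] = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, pw, uid, gid, gecos, home, shell = line.split(":", 6)
        attrs = [
            ("dn", f"uid={name},ou=People,{base_dn}"),
            ("uid", name),
            ("cn", gecos or name),
            ("objectClass", "account"),
            ("objectClass", "posixAccount"),
            ("objectClass", "top"),
        ]
        if name in shadow:
            sfields = shadow[name]
            attrs.append(("objectClass", "shadowAccount"))
            attrs.append(("userPassword", "{crypt}" + sfields[0]))
            for attr, value in zip(SHADOW_ATTRS, sfields[1:]):
                # A blank shadow field carries no value; migrate_passwd.pl writes it
                # as "shadowExpire: -" etc., which the fgrep -v filters above remove.
                if value.strip().isdigit():
                    attrs.append((attr, value.strip()))
        elif pw not in ("", "x", "*"):
            attrs.append(("userPassword", "{crypt}" + pw))   # hash kept in passwd itself
        attrs += [("loginShell", shell), ("uidNumber", uid),
                  ("gidNumber", gid), ("homeDirectory", home)]
        # rstrip() guarantees no trailing whitespace, which LDIF treats as part of the value
        entries.append("\n".join(f"{attr}: {value}".rstrip() for attr, value in attrs))
    return "\n\n".join(entries) + "\n"


def lines_with_trailing_whitespace(ldif: str) -> List[int]:
    """1-based numbers of LDIF lines that end in whitespace (should be an empty list)."""
    return [i for i, line in enumerate(ldif.splitlines(), 1) if line != line.rstrip()]


if __name__ == "__main__":
    ldif = passwd_to_ldif(SAMPLE_PASSWD, SAMPLE_SHADOW)
    print(ldif)
    print("trailing whitespace on lines:", lines_with_trailing_whitespace(ldif))
```

lines_with_trailing_whitespace is also worth running over a hand-edited init.ldif before ldapadd, since a trailing space on a dn line silently becomes part of the DN.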

 

To test the LDAP database, search it for a user, e.g. root:

#/usr/local/openldap/bin/ldapsearch -x -b "dc=sz,dc=domain.com" "uid=root"

To change a user's password in the LDAP database:

#/usr/local/openldap/bin/ldappasswd -x -s root'spassword -D "cn=Manager, dc=sz, dc=domain.com" -w secret "uid=root,ou=people,dc=sz,dc=domain.com"

 

 

PART TWO: <<PAM MODULE CONFIGURATION>>

 

for Solaris 7/8 you must configure and install the pam_ldap module yourself; for Red Hat 6.2/7.x use the distribution's default pam_ldap module

 

STEP 1:(for solaris8)

untar pam_ldap.tar and read the INSTALLATION doc

when you run configure for pam_ldap, errors might occur; if a library check fails, just comment out that library and reconfigure, and it will work

 

if pam_ldap.so builds successfully, copy it to /usr/lib/security/;

pam_ldap.so needs libldap.so.4, which you should copy to /usr/lib

you can use the ldd command to check which libraries pam_ldap.so uses

 

#cp pam_ldap.so /usr/lib/security

#ln -s /usr/lib/security/pam_ldap.so /usr/lib/security/pam_ldap.so.1

#cp  libldap.so.4 /usr/lib

#ldd /usr/lib/security/pam_ldap.so

#cat /etc/pam.conf

>>>>>sample of pam.conf

#####auth is the real stage for password authentication

login   auth sufficient /usr/lib/security/pam_ldap.so.1

login   auth required   /usr/lib/security/pam_unix.so.1 try_first_pass

login   auth required   /usr/lib/security/pam_dial_auth.so.1

 

telnet  auth sufficient /usr/lib/security/pam_ldap.so.1

telnet  auth required   /usr/lib/security/pam_unix.so.1 try_first_pass

 

rlogin  auth sufficient /usr/lib/security/pam_rhosts_auth.so.1

rlogin  auth sufficient /usr/lib/security/pam_ldap.so.1

rlogin  auth required   /usr/lib/security/pam_unix.so.1 try_first_pass

dtlogin auth sufficient /usr/lib/security/pam_ldap.so.1

dtlogin auth required   /usr/lib/security/pam_unix.so.1 try_first_pass

 

rsh     auth required   /usr/lib/security/pam_rhosts_auth.so.1

 

other   auth sufficient /usr/lib/security/pam_ldap.so.1

other   auth required   /usr/lib/security/pam_unix.so.1 try_first_pass

 

#

# Account management

#

login   account required /usr/lib/security/pam_ldap.so.1

login   account required /usr/lib/security/pam_unix.so.1

 

dtlogin account required /usr/lib/security/pam_ldap.so.1

dtlogin account required /usr/lib/security/pam_unix.so.1

 

#other   account required /usr/lib/security/pam_ldap.so.1

other   account required /usr/lib/security/pam_unix.so.1

 

# Password management (changing passwords): if the pam_ldap line is active here, even a user logged in as root still can't change passwords; to change a password, just comment out the pam_ldap line

 

other  password required /usr/lib/security/pam_unix.so.1

#other   password required /usr/lib/security/pam_ldap.so

 

 

>>>>>end sample of pam.conf
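To make the sufficient/required stacking in the sample above concrete, here is an added Python model of how PAM walks a stack (written for this page; it is not Solaris's libpam). It parses pam.conf lines, falls back to the "other" service when a service has no entries of its own (which is why ftp works with the sample), and applies the usual control-flag rules: a sufficient module that succeeds ends the stack with success unless an earlier required module already failed; a required module that fails marks the stack as failed but the remaining modules still run, so a user cannot tell which module rejected them. The per-module outcomes are passed in as a dictionary standing in for the real pam_ldap/pam_unix results; the pam.conf fragment is copied from the sample above.

```python
import os
from typing import Dict, List, Tuple

# Fragment of the Solaris pam.conf sample above (auth and account stacks only)
PAM_CONF = """\
login   auth sufficient /usr/lib/security/pam_ldap.so.1
login   auth required   /usr/lib/security/pam_unix.so.1 try_first_pass
login   auth required   /usr/lib/security/pam_dial_auth.so.1
other   auth sufficient /usr/lib/security/pam_ldap.so.1
other   auth required   /usr/lib/security/pam_unix.so.1 try_first_pass
login   account required /usr/lib/security/pam_ldap.so.1
login   account required /usr/lib/security/pam_unix.so.1
other   account required /usr/lib/security/pam_unix.so.1
"""

Entry = Tuple[str, str, str, str]   # (service, type, control flag, module basename)


def parse_pam_conf(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        service, mtype, control, module = fields[:4]   # module options (try_first_pass) ignored here
        entries.append((service, mtype, control, os.path.basename(module)))
    return entries


def stack_for(entries: List[Entry], service: str, mtype: str) -> List[Entry]:
    """The stack PAM uses: the service's own entries, else the 'other' entries."""
    own = [e for e in entries if e[0] == service and e[1] == mtype]
    return own or [e for e in entries if e[0] == "other" and e[1] == mtype]


def evaluate(stack: List[Entry], outcomes: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Walk the stack with the given per-module results.
    Returns (overall success, modules actually consulted, in order)."""
    if not stack:
        return False, []                     # no entries at all: PAM refuses the service
    consulted: List[str] = []
    required_failed = False
    for _service, _type, control, module in stack:
        ok = outcomes.get(module, False)     # an absent/unknown module counts as failure
        consulted.append(module)
        if control == "sufficient":
            if ok and not required_failed:
                return True, consulted       # short-circuit: later modules never run
        elif control == "requisite":
            if not ok:
                return False, consulted      # hard stop
        elif control == "required":
            if not ok:
                required_failed = True       # remember it, but keep walking the stack
        # "optional" never affects the result
    return (not required_failed), consulted


def authenticate(service: str, outcomes: Dict[str, bool],
                 conf: str = PAM_CONF) -> Tuple[bool, List[str]]:
    return evaluate(stack_for(parse_pam_conf(conf), service, "auth"), outcomes)


if __name__ == "__main__":
    ldap_user = {"pam_ldap.so.1": True, "pam_unix.so.1": False, "pam_dial_auth.so.1": True}
    local_user = {"pam_ldap.so.1": False, "pam_unix.so.1": True, "pam_dial_auth.so.1": True}
    print("login, LDAP user:", authenticate("login", ldap_user))
    print("login, local user:", authenticate("login", local_user))
    print("ftp (falls back to other):", authenticate("ftp", local_user))
```

The second case is the one that keeps root and other local accounts usable when the LDAP server is unreachable: pam_ldap fails, but the required pam_unix entry after it still gets a vote.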

 

!!!!!! you must place ldap.conf in /etc

 

now you can authenticate your system accounts through the ldap server for telnet, ftp, etc.

if you want to authenticate users' passwords against the ldap server for ssh as well, you have to reconfigure the sshd service and its client; see the following changes

 

#vi /etc/ssh2/sshd2_config (server)

AllowedAuthentications          [email protected],publickey,password

 

then restart your sshd service

 

#vi /etc/ssh2/ssh2_config (client)

AllowedAuthentications          [email protected],publickey,password

STEP 2: (for redhat)