Re: LDAP bind authentication



david.magda@xxxxxxxxx wrote:
> On Feb 16, 5:45 pm, "Neal A. Lucier" <nluc...@xxxxxxxxxxxxxxx> wrote:
>> Solaris doesn't need to use a proxy account. The main reason it does is
>> because virtual list view indexes aren't available to non-authenticated
>> users using Sun's Directory Server, IIRC. VLVs are designed to return
>
> Well my situation will probably be against Windows 2000/3 Active
> Directory. Not sure how much this buys us with that. It may be better
> to not use SSL for GECOS lookups just to reduce load on the server.


These are my thoughts on why in general I think proxy users are good, but that they are bad when used with ADS. Since Solaris doesn't care if the client is configured to connect anonymously or via proxy, just do whatever works best for you.

In a "native" LDAP environment you put the proxy user object in the directory information tree (DIT) such that your OSes cannot see that user, thus the user is only an LDAP user and is not a logon user for any of your OSes. Then using access control instructions (ACIs) you limit explicitly what attributes/objects that user has rights to. Because of this, you can treat the proxy user just as an authenticated anonymous user from a security standpoint; yet, they are still very useful for accounting and other management tasks. It also allows you to lock down anonymous even tighter if you are super paranoid.

In the ADS world there is a single ou for Users and Groups (and proxy users), and these users are visible to all clients of the domain. You would then have to use the Windows management functions to make sure that the proxy user couldn't log on, had guest rights, etc. I think this method makes the proxy user unappealing to use with ADS.

> I also came across these instructions about AD integration, but
> Kerberos is used for authentication rather than LDAP:
>
> http://blog.scottlowe.org/2006/10/16/refined-solaris-10-ad-integration-instructions/
> http://blog.scottlowe.org/2006/08/29/follow-ups-on-solaris-native-kerberos-authentication/


These are not bad, the only real difference is how you configure pam and nss. You don't need such a large 'ldapclient' string since LDAP attribute and object names are case insensitive. I would suggest the following base config to see how things work.

ldapclient manual \
-a credentialLevel=anonymous \
-a authenticationMethod=tls:simple \
-a proxyDN=cn=proxyuser,cn=Users,dc=example,dc=com \
-a defaultSearchBase=dc=example,dc=com \
-a domainName=example.com \
-a "defaultServerList=172.16.1.10" \
-a attributeMap=passwd:gecos=cn \
-a attributeMap=passwd:homedirectory=unixHomeDirectory \
-a objectClassMap=group:posixGroup=group \
-a objectClassMap=passwd:posixAccount=user \
-a objectClassMap=shadow:shadowAccount=user \
-a serviceSearchDescriptor=passwd:cn=users,dc=example,dc=com?one \
-a serviceSearchDescriptor=group:cn=users,dc=example,dc=com?one


I think one should use more specific serviceSearchDescriptors than the blog. Also, the Sun doc on naming is an excellent read.

http://docs.sun.com/app/docs/doc/816-4556

>> Now, to force the client to perform a bind to authenticate instead of
>> having the client compare the hashes locally you have to:
>>
>> 1. make sure the proxy user can't see the hash
>> 2. everywhere in /etc/pam.conf that you see:
>> <servicename> auth required pam_unix_auth.so.1
>>
>> change this to:
>> <servicename> auth binding pam_unix_auth.so.1 server_policy
>> <servicename> auth required pam_ldap.so.1
>
> Is this in addition to the ldapclient(1M) argument that Chriss Ridd
> suggested
>
> -a serviceAuthenticationMethod=pam_ldap:tls:simple
>
> or in place of it?


The authenticationMethod and serviceAuthenticationMethod arguments do not describe how the ldapclient should function in terms of authentication, rather how authentication data should be transmitted. So that command just tells pam_ldap to use SSL for all LDAP traffic, 'tls', and to send the password in plaintext inside the SSL tunnel, 'simple'. You still need to configure the pam stack to use pam_ldap correctly.

To change a password via LDAP in ADS you need to use SSL and you need to connect on port 636. You will need to get the certificate of the CA that signed your DC's certificate and put it in /var/ldap/cert8.db.

Since you will need the 'passwd-cmd' as well as the 'pam_ldap' service to use SSL I would suggest using the non-service specific option:
-a authenticationMethod=tls:simple

The man page on 'ldapclient' describes all the options in more detail.

Neal
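Step 2 of the pam.conf change quoted above is a mechanical edit, so here is an added example (not from the post, and not a Sun tool) that applies it to a copy of a pam.conf-style file and leaves every other line alone; the sample file contents and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post or from Solaris: apply step 2 of
# the pam.conf change to a COPY of a pam.conf-style file. Every line of the
# form "<service> auth required pam_unix_auth.so.1" becomes the
# binding/server_policy line followed by a pam_ldap line; all other lines
# (comments, account/password stanzas, other auth modules) pass through.

# rewrite_pam_auth <input-file> <output-file>
rewrite_pam_auth() {
    awk '
    # pam.conf(4) layout: service module_type control_flag module_path [options]
    $2 == "auth" && $3 == "required" && $4 == "pam_unix_auth.so.1" {
        line = $1 "\tauth binding\tpam_unix_auth.so.1 server_policy"
        for (i = 5; i <= NF; i++) line = line " " $i   # keep any existing options
        print line
        print $1 "\tauth required\tpam_ldap.so.1"
        next
    }
    { print }
    ' "$1" > "$2"
}

# count_matching <file> <extended-regex>: number of matching lines (0 on none)
count_matching() {
    grep -Ec "$2" "$1" || true
}

# Constructed sample (hypothetical, not any real system's file): two services
# with the pam_unix_auth line, plus an account line that must be left alone.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# login service
login   auth requisite  pam_authtok_get.so.1
login   auth required   pam_dhkeys.so.1
login   auth required   pam_unix_auth.so.1
# default for everything else
other   auth requisite  pam_authtok_get.so.1
other   auth required   pam_unix_auth.so.1
other   account required  pam_unix_account.so.1
EOF

OUT=$(mktemp)
rewrite_pam_auth "$SAMPLE" "$OUT"
cat "$OUT"
```

Diff the output against the original before installing it over /etc/pam.conf, and remember that step 1 (the proxy user must not be able to read the hash) is what actually forces the bind; the pam change alone does not.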