HELIOS Authentication Server LDAP

Introduction Manually setting up the OpenLDAP server
Prerequisites LDAP server configuration and user management
Background on LDAP Uninstallation
Installation Versions
LDAP client configuration via “authsrv” Feedback
Verifying the LDAP connection



Introduction

The HELIOS authentication server (“authsrv”) now supports LDAP authentication against the following LDAP servers:

  • Mac OS X Server (“Open Directory”/Password Server)
  • Univention Corporate Server (LDAP server)
  • OpenLDAP (LDAP server; tested on SUSE 10.2) 

The “authsrv” is installed on the HELIOS server and acts as an LDAP client, which accesses the LDAP database read-only.
In the following, we describe the installation and configuration of the “authsrv” for the three LDAP server systems Mac OS X Server, Univention, and OpenLDAP. Please note that the configuration, especially for OpenLDAP, requires some know-how and should therefore be restricted to experienced system integrators.

Note: Customers who wish to use AD/PDC do not need LDAP. Instead, they can use the existing AD/PDC support.


Prerequisites

Background on LDAP
  • LDAP (Lightweight Directory Access Protocol) is a networking protocol, which runs over TCP/IP, for querying and modifying directory services
  • All users and groups are stored in the LDAP database
  • The HELIOS supported LDAP version is LDAPv3
  • SASL (Simple Authentication and Security Layer) is an encryption selection protocol, which can be used in combination with LDAP, and is needed to communicate with the Apple Password Server.

Password verification

  • On Mac OS X Server passwords are created with the Apple “Workgroup Manager” and verified against the Apple Password Server
  • On Univention Corporate Server passwords are verified against the NTLM password
  • On OpenLDAP the HELIOS password must be set manually

If passwords are stored in LDAP, different encryption methods may be used (HELIOS requires the NTLM or HELIOS password):

Password encryption method Description
UNIX crypted password Used by UNIX applications (not recommended)
NTLMv1 password Used by HELIOS and Samba
HELIOS password Used by HELIOS

Different UNIX platforms supply different LDAP implementations. To some extent these are older or incompatible. Therefore, HELIOS provides current and consistent LDAP libraries for all platforms:

HELIOS supplied LDAP libraries Description
libldap_s.so1 LDAP library
libsasl2_s.so1 SASL library
sasl2/ Directory including supported encryption methods used by SASL

1 Mac OS X: “libldap_s.dylib” and “libsasl2_s.dylib”; RS/6000: “libldap_s.a” and “libsasl2_s.a”


Installation

The HELIOS authentication server includes support for LDAP when installed from HELIOS CD023 or newer.

Set the authentication server preference NameServices according to the used LDAP systems, i.e. for Univention and OpenLDAP add “LDAP” to the list, and for Mac OS X Server add “MACOSX” (but NEVER both values together!).

If the same users are available both locally and via LDAP, you might want to prefer the LDAP user database over the local database. In this case add “+LDAP” instead of “LDAP” to the NameServices list.

In case the system itself authenticates users against LDAP, “+LDAP” is mandatory.

The HELIOS Admin checkbox Prefer LDAP corresponds to “+LDAP”.

Examples:
prefvalue -k 'Programs/authsrv/NameServices' -t str "local,NIS,LDAP" (for Univention and OpenLDAP systems)
prefvalue -k 'Programs/authsrv/NameServices' -t str "local,NIS,MACOSX" (for the Mac OS X Server system)


LDAP client configuration via “authsrv”

The following preferences and attributes should be set via the included Perl scripts:

Script name Description
ldapMacosxPrefs.pl  LDAP configuration script for Mac OS X Server
ldapUniventionPrefs.pl LDAP configuration script for Univention Corporate Server
ldapOpenLDAPPrefs.pl LDAP configuration script for OpenLDAP

These scripts are only examples, which have to be edited before use. The values that must be specified depend on the used LDAP server system, e.g.:

  • Server name (Mac OS X)
  • Server name, bind name / password (Univention)
  • Server name, user / group base, bind name / password (OpenLDAP)
LDAP filter preferences

The following preferences, except for LDAP_Port, must be specified with the command:
prefvalue -k 'Programs/authsrv/<preference>' -t str <value>
For LDAP_Port use:
> prefvalue -k 'Programs/authsrv/LDAP_Port' -t int <value>

Preference Example value Description
LDAP_Server localhost LDAP server name or IP address
LDAP_Port 389 LDAP server port
LDAP_UserBase dc=HELIOS,dc=de Base pointer in database
LDAP_GroupBase dc=HELIOS,dc=de Base pointer in database
LDAP_BindDN uid=Administrator,cn=users,
dc=univention,dc=local
LDAP bind name
LDAP_BindPassword secret LDAP bind password
LDAP_LongUserFilter longName=%s Select LDAP user entry by long name
LDAP_UserFilter cn=%s LDAP user entry by short name
LDAP_UserIDFilter longName=%d Select LDAP user entry by user ID
LDAP_GroupFilter cn=%s Select LDAP user entry by name
LDAP_GroupIDFilter gid=%d Select LDAP user entry by ID
LDAP_GroupMemberFilter user=%s

 

Select LDAP user entry by group membership
LDAP attributes
Preference Example name Description
LDAP_UATTR_HeliosPassword heliosPassword HELIOS password (generated via HELIOS “authutil” tool)
LDAP_UATTR_ClearPassword clearPassword Cleartext password (not recommended)
LDAP_UATTR_NTPassword sambaNTPassword NT hash
LDAP_UATTR_Name uid User name (e.g. UNIX short name)
LDAP_UATTR_LongName cn User long name (e.g. UNIX GECOS)
LDAP_UATTR_UID uidNumber User ID
LDAP_UATTR_PGID gidNumber Primary group ID
LDAP_UATTR_HomeDirectory homeDirectory Path to user home directory
LDAP_UATTR_AppleID authAuthority Apple ID used to identify user to Apple Password Server (only Mac OS X Server)
LDAP_GATTR_GID gidNumber Group ID
LDAP_GATTR_NAME cn Group name
LDAP_GATTR_AppleID authAuthority Apple ID used to identify group to Apple Password Server (only Mac OS X Server)

Verifying the LDAP connection

To verify the LDAP connection after the installation of the “authsrv”, do the following:

1. Establish a connection to the LDAP server

# socket -v <LDAP_Server> <LDAP_Port>

If the server returns Successfully connected to server. Going into interactive mode., everything is fine. However, if the server connection could not be successfully established in time you will receive a Connection timed out message, or, if there is no LDAP service running on this host or port, a Connection refused message.

Example:

# cd /usr/local/helios
# bin/socket -v ldaphost 389
socket 1.0.0 (c) 2005 by HELIOS Software Garbsen
Trying to connect to ldaphost port 389 ...
Resolving ip address ...
Address is 172.16.3.228.
Opening socket ...
Done.
Connecting to server ...
Done.
Local port is 44590, remote port is 389.
Successfully connected to server.
Going into interactive mode.

2. To check the LDAP server connectivity you may use the “ldapsearch” command line tool, which is usually part of all UNIX systems

The parameters depend on the platform where the command is issued from. Please refer to the corresponding manpages. The output depends on the referred host, i.e. specified by the -h switch (in the folllowing examples “ldaphost”). 

# ldapsearch -h <Host Name>

Example call (OpenLDAP for Mac OS X, Linux, Univention):

# ldapsearch -h ldaphost -x -s base -b "" "(objectclass=*)" +

Example call (IBM AIX, Solaris):

# ldapsearch -h ldaphost -s base -b "" "(objectclass=*)" +

Example output:

structuralObjectClass=OpenLDAProotDSE
configContext=cn=config
namingContexts=dc=my-domain,dc=com
supportedControl=1.3.6.1.4.1.4203.1.9.1.1
supportedControl=2.16.840.1.113730.3.4.18
supportedControl=2.16.840.1.113730.3.4.2
supportedControl=1.3.6.1.4.1.4203.1.10.1
supportedControl=1.2.840.113556.1.4.319
supportedControl=1.2.826.0.1.334810.2.3
supportedControl=1.2.826.0.1.3344810.2.3
supportedControl=1.3.6.1.1.13.2
supportedControl=1.3.6.1.1.13.1
supportedControl=1.3.6.1.1.12
supportedExtension=1.3.6.1.4.1.4203.1.11.1
supportedExtension=1.3.6.1.4.1.4203.1.11.3
supportedFeatures=1.3.6.1.1.14
supportedFeatures=1.3.6.1.4.1.4203.1.5.1
supportedFeatures=1.3.6.1.4.1.4203.1.5.2
supportedFeatures=1.3.6.1.4.1.4203.1.5.3
supportedFeatures=1.3.6.1.4.1.4203.1.5.4
supportedFeatures=1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion=3
supportedSASLMechanisms=DIGEST-MD5
supportedSASLMechanisms=CRAM-MD5
entryDN=
subschemaSubentry=cn=Subschema

Only if “ldapsearch” is successful you should continue with the next steps.

3. Start the HELIOS authentication server with the “ldapcheck” command

Note: HELIOS services must not run to perform this step!

By use of this call “authsrv” tries to get, with the currently set preferences, all attributes for <User Name>. The specified user must be a complete and valid LDAP user.

# authsrv ldapcheck <User_Name>

Example:

# cd /usr/local/helios
# sbin/authsrv ldapcheck ldapuser
ldap preliminary check starting...
preference ldap server - 'LDAP_Server':'ldaphost.helios.de' OK
preference using port - 'LDAP_Port':'389' OK
* connected
* got version 2
* set to version 3
* using anonymous bind
* bind OK, now requesting user info for 'ldapuser'
preference user filter - 'LDAP_UserFilter':'uid=%s' OK
preference user base - 'LDAP_UserBase':'cn=users,dc=ldaphost,dc=helios,dc=de' OK
* filter: 'uid=ldapuser'
* user found, now requesting basic attributes
preference user name - 'LDAP_UATTR_Name':'uid' OK
preference user long name - 'LDAP_UATTR_LongName':'cn' OK
preference home dir - 'LDAP_UATTR_HomeDirectory':'homeDirectory' OK
preference uid - 'LDAP_UATTR_UID':'uidNumber' OK
preference pgid - 'LDAP_UATTR_PGID':'gidNumber' OK
* (attribute 'objectClass' detected)
* attribute UID detected
* (attribute 'apple-generateduid' detected)
* (attribute 'apple-mcxflags' detected)
* (attribute 'loginShell' detected)
* attribute PGID detected
* (attribute 'authAuthority' detected)
* clear text password detected
* attribute name detected
* attribute long name detected
* (attribute 'sn' detected)
* attribute homedir detected
* 12 attributes detected


Manually setting up the OpenLDAP server (example for SUSE 10.2)

Note: The following example is simplified. Usually structure and access rights should have a more sophisticated design.

Run “yast” and install the packets “openldap2”, “openldap2-client”, and optionally “yast2-ldap-server”, but do not start the OpenLDAP server immediately.

Edit “/etc/openldap/slapd.conf” according to your needs and especially include the file helios.schema right after “yast.schema”, and ensure that the entries for “rootdn” and “rootpw” match those specified for the HELIOS authentication server (“LDAP_BindDN” and “LDAP_BindPassword”). It may also be necessary to include “nis.schema” instead of “rfc2307bis.schema” to create groups.

Build the root node and nodes for users / groups:

Customize the file root_node.ldif according to your requirements and call the command:

# slapadd -v -l root_node.ldif

Start the OpenLDAP server and check for error messages.

# /etc/rc.d/ldap start

Set up a sample user / group:

Create a HELIOS password via authutil passwd -H -X -p <HELIOS_password>.

Edit sample_user.ldif according to your needs using the just created HELIOS password.

# ldapadd -v -f sample_user.ldif -x -D "cn=Manager,dc=my-domain,dc=com" -w secret

Edit sample_group.ldif according to your needs.

# ldapadd -v -f sample_group.ldif -x -D "cn=Manager,dc=my-domain,dc=com" -w secret

As user root issue the command “slapcat” and verify that the just added sample user is listed.


LDAP server configuration and user management

Mac OS X Server:

User / group administration via “Workgroup Manager” program

Univention Corporate Server:

User / group administration via “Univention Admin” web interface

OpenLDAP:

Manual user / group administration via configuration files or third-party tools.

Configuration files can be:

  • ldap.conf (LDAP basic settings for clients)
  • ldapfilter.conf (LDAP filter configuration)
  • ldapsearchprefs.conf (LDAP search settings)
  • ldaptemplates.conf (LDAP output settings)

Uninstallation

To deactivate LDAP support it is sufficient to take this step:

 

  • Remove the value “LDAP” (Univention, OpenLDAP) or “MACOSX” (Mac OS X Server) from the preference NameServices:
    # prefvalue -k 'Programs/authsrv/NameServices' -t str "local,NIS"

Versions Feedback

Please report errors or make suggestions to: support (at) helios.de.

  • Final HELIOS UB+ (December, 2007)
  • Preview 2 (July 13, 2007)
  • Fixes NTLM for Vista
  • Removes user entry from cache if password has been changed
  • Fixes for HP IA-64
  • Fixes logins against Mac OS X LDAP & Password server