HELIOS Authentication Server LDAP
Introduction
The HELIOS authentication server (“authsrv”) now supports LDAP authentication against the following LDAP servers:
- Mac OS X Server (“Open Directory”/Password Server)
- Univention Corporate Server (LDAP server)
- OpenLDAP (LDAP server; tested on SUSE 10.2)
The “authsrv” is installed on the HELIOS server and acts as an LDAP client, which accesses the LDAP database read-only.
In the following, we describe the installation and configuration of the “authsrv” for the three LDAP server systems Mac OS X Server, Univention, and OpenLDAP. Please note that the configuration, especially for OpenLDAP, requires some know-how and should therefore be restricted to experienced system integrators.
Note: Customers who wish to use AD/PDC do not need LDAP. Instead, they can use the existing AD/PDC support.
Prerequisites
- HELIOS UB+ product generation on all HELIOS supported platforms, except for Windows
Background on LDAP
- LDAP (Lightweight Directory Access Protocol) is a networking protocol, which runs over TCP/IP, for querying and modifying directory services
- All users and groups are stored in the LDAP database
- The HELIOS supported LDAP version is LDAPv3
- SASL (Simple Authentication and Security Layer) is an encryption selection protocol, which can be used in combination with LDAP, and is needed to communicate with the Apple Password Server.
- Password verification
- On Mac OS X Server passwords are created with the Apple “Workgroup Manager” and verified against the Apple Password Server
- On Univention Corporate Server passwords are verified against the NTLM password
- On OpenLDAP the HELIOS password must be set manually
- If passwords are stored in LDAP, different encryption methods may be used (HELIOS requires the NTLM or HELIOS password):
Password encryption method
Description
UNIX crypted password
Used by UNIX applications (not recommended)
NTLM password
Used by HELIOS and Samba
HELIOS password
Used by HELIOS
- Different UNIX platforms supply different LDAP implementations. To some extent these are older or incompatible. Therefore, HELIOS provides current and consistent LDAP libraries for all platforms:
HELIOS supplied LDAP libraries Description
libldap_s.so1
LDAP library
libsasl2_s.so1
SASL library
sasl2/
Directory including supported encryption methods used by SASL
1 Mac OS X: “libldap_s.dylib” and “libsasl2_s.dylib”; RS/6000: “libldap_s.a” and “libsasl2_s.a”
Installation
The HELIOS UB+ authentication server includes support for LDAP when installed from HELIOS CD023 or newer.
Set the authentication server preference NameServices according to the used LDAP systems, i.e. for Univention and OpenLDAP add “LDAP” to the list, and for Mac OS X Server add “MACOSX” (but NEVER both values together!).
Examples:
prefvalue -k 'Programs/authsrv/NameServices' -t str "local,NIS,LDAP" (for Univention and OpenLDAP systems)
prefvalue -k 'Programs/authsrv/NameServices' -t str "local,NIS,MACOSX" (for the Mac OS X Server system)
LDAP client configuration via “authsrv”
The following preferences and attributes should be set via the included Perl scripts:
|
Script name |
Description |
|
LDAP configuration script for Mac OS X Server | |
|
LDAP configuration script for Univention Corporate Server | |
|
LDAP configuration script for OpenLDAP |
These scripts are only examples, which have to be edited before use. The values that must be specified depend on the used LDAP server system, e.g.:
- Server name (Mac OS X)
- Server name, bind name / password (Univention)
- Server name, user / group base, bind name / password (OpenLDAP)
LDAP filter preferences
The following preferences, except for LDAP_Port, must be specified with the command:
For LDAP_Port use:
prefvalue -k 'Programs/authsrv/LDAP_Port' -t int <value>
|
Preference |
Example value |
Description |
|
LDAP_Server |
localhost |
LDAP server name or IP address |
|
LDAP_Port |
389 |
LDAP server port |
|
LDAP_UserBase |
dc=HELIOS,dc=de |
Base pointer in database |
|
LDAP_GroupBase |
dc=HELIOS,dc=de |
Base pointer in database |
|
LDAP_BindDN |
uid=Administrator,cn=users, |
LDAP bind name |
|
LDAP_BindPassword |
secret |
LDAP bind password |
|
LDAP_LongUserFilter |
longName=%s |
Select LDAP user entry by long name |
|
LDAP_UserFilter |
cn=%s |
LDAP user entry by short name |
|
LDAP_UserIDFilter |
longName=%d |
Select LDAP user entry by user ID |
|
LDAP_GroupFilter |
cn=%s |
Select LDAP user entry by name |
|
LDAP_GroupIDFilter |
gid=%d |
Select LDAP user entry by ID |
|
LDAP_GroupMemberFilter |
user=%s |
Select LDAP user entry by group membership |
LDAP attributes
|
Preference |
Example name |
Description |
|
LDAP_UATTR_HeliosPassword |
heliosPassword |
HELIOS password (generated via HELIOS “authutil” tool) |
|
LDAP_UATTR_ClearPassword |
clearPassword |
Cleartext password (not recommended) |
|
LDAP_UATTR_NTPassword |
sambaNTPassword |
NT hash |
|
LDAP_UATTR_Name |
uid |
User name (e.g. UNIX short name) |
|
LDAP_UATTR_LongName |
cn |
User long name (e.g. UNIX GECOS) |
|
LDAP_UATTR_UID |
uidNumber |
User ID |
|
LDAP_UATTR_PGID |
gidNumber |
Primary group ID |
|
LDAP_UATTR_HomeDirectory |
homeDirectory |
Path to user home directory |
|
LDAP_UATTR_AppleID |
authAuthority |
Apple ID used to identify user to Apple Password Server (only Mac OS X Server) |
|
LDAP_GATTR_GID |
gidNumber |
Group ID |
|
LDAP_GATTR_NAME |
cn |
Group name |
|
LDAP_GATTR_AppleID |
authAuthority |
Apple ID used to identify group to Apple Password Server (only Mac OS X Server) |
Verifying the LDAP connection
To verify the LDAP connection after the installation of the “authsrv”, do the following:
1. Establish a connection to the LDAP server
# socket -v <LDAP_Server> <LDAP_Port>
If the server returns Successfully connected to server. Going into interactive mode., everything is fine. However, if the server connection could not be successfully established in time you will receive a Connection timed out message, or, if there is no LDAP service running on this host or port, a Connection refused message.
Example:
# cd /usr/local/helios
# bin/socket -v ldaphost 389
socket 1.0.0 (c) 2005 by HELIOS Software Garbsen
Trying to connect to ldaphost port 389 ...
Resolving ip address ...
Address is 172.16.3.228.
Opening socket ...
Done.
Connecting to server ...
Done.
Local port is 44590, remote port is 389.
Successfully connected to server.
Going into interactive mode.
# bin/socket -v ldaphost 389
socket 1.0.0 (c) 2005 by HELIOS Software Garbsen
Trying to connect to ldaphost port 389 ...
Resolving ip address ...
Address is 172.16.3.228.
Opening socket ...
Done.
Connecting to server ...
Done.
Local port is 44590, remote port is 389.
Successfully connected to server.
Going into interactive mode.
2. To check the LDAP server connectivity you may use the “ldapsearch” command line tool, which is usually part of all UNIX systems
The parameters depend on the platform where the command is issued from. Please refer to the corresponding manpages. The output depends on the referred host, i.e. specified by the -h switch (in the folllowing examples “ldaphost”).
# ldapsearch -h <Host Name>
Example call (OpenLDAP for Mac OS X, Linux, Univention):
# ldapsearch -h ldaphost -x -s base -b "" "(objectclass=*)" +
Example call (IBM AIX, Solaris):
# ldapsearch -h ldaphost -s base -b "" "(objectclass=*)" +
Example output:
structuralObjectClass=OpenLDAProotDSE
configContext=cn=config
namingContexts=dc=my-domain,dc=com
supportedControl=1.3.6.1.4.1.4203.1.9.1.1
supportedControl=2.16.840.1.113730.3.4.18
supportedControl=2.16.840.1.113730.3.4.2
supportedControl=1.3.6.1.4.1.4203.1.10.1
supportedControl=1.2.840.113556.1.4.319
supportedControl=1.2.826.0.1.334810.2.3
supportedControl=1.2.826.0.1.3344810.2.3
supportedControl=1.3.6.1.1.13.2
supportedControl=1.3.6.1.1.13.1
supportedControl=1.3.6.1.1.12
supportedExtension=1.3.6.1.4.1.4203.1.11.1
supportedExtension=1.3.6.1.4.1.4203.1.11.3
supportedFeatures=1.3.6.1.1.14
supportedFeatures=1.3.6.1.4.1.4203.1.5.1
supportedFeatures=1.3.6.1.4.1.4203.1.5.2
supportedFeatures=1.3.6.1.4.1.4203.1.5.3
supportedFeatures=1.3.6.1.4.1.4203.1.5.4
supportedFeatures=1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion=3
supportedSASLMechanisms=DIGEST-MD5
supportedSASLMechanisms=CRAM-MD5
entryDN=
subschemaSubentry=cn=Subschema
configContext=cn=config
namingContexts=dc=my-domain,dc=com
supportedControl=1.3.6.1.4.1.4203.1.9.1.1
supportedControl=2.16.840.1.113730.3.4.18
supportedControl=2.16.840.1.113730.3.4.2
supportedControl=1.3.6.1.4.1.4203.1.10.1
supportedControl=1.2.840.113556.1.4.319
supportedControl=1.2.826.0.1.334810.2.3
supportedControl=1.2.826.0.1.3344810.2.3
supportedControl=1.3.6.1.1.13.2
supportedControl=1.3.6.1.1.13.1
supportedControl=1.3.6.1.1.12
supportedExtension=1.3.6.1.4.1.4203.1.11.1
supportedExtension=1.3.6.1.4.1.4203.1.11.3
supportedFeatures=1.3.6.1.1.14
supportedFeatures=1.3.6.1.4.1.4203.1.5.1
supportedFeatures=1.3.6.1.4.1.4203.1.5.2
supportedFeatures=1.3.6.1.4.1.4203.1.5.3
supportedFeatures=1.3.6.1.4.1.4203.1.5.4
supportedFeatures=1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion=3
supportedSASLMechanisms=DIGEST-MD5
supportedSASLMechanisms=CRAM-MD5
entryDN=
subschemaSubentry=cn=Subschema
Only if “ldapsearch” is successful you should continue with the next steps.
3. Start the HELIOS authentication server with the “ldapcheck” command
Note: HELIOS services must not run to perform this step!
By use of this call “authsrv” tries to get, with the currently set preferences, all attributes for <User Name>. The specified user must be a complete and valid LDAP user.
# authsrv ldapcheck <User_Name>
Example:
# cd /usr/local/helios
# sbin/authsrv ldapcheck ldapuser
ldap preliminary check starting...
preference ldap server - 'LDAP_Server':'ldaphost.helios.de' OK
preference using port - 'LDAP_Port':'389' OK
* connected
* got version 2
* set to version 3
* using anonymous bind
* bind OK, now requesting user info for 'ldapuser'
preference user filter - 'LDAP_UserFilter':'uid=%s' OK
preference user base - 'LDAP_UserBase':'cn=users,dc=ldaphost,dc=helios,dc=de' OK
* filter: 'uid=ldapuser'
* user found, now requesting basic attributes
preference user name - 'LDAP_UATTR_Name':'uid' OK
preference user long name - 'LDAP_UATTR_LongName':'cn' OK
preference home dir - 'LDAP_UATTR_HomeDirectory':'homeDirectory' OK
preference uid - 'LDAP_UATTR_UID':'uidNumber' OK
preference pgid - 'LDAP_UATTR_PGID':'gidNumber' OK
* (attribute 'objectClass' detected)
* attribute UID detected
* (attribute 'apple-generateduid' detected)
* (attribute 'apple-mcxflags' detected)
* (attribute 'loginShell' detected)
* attribute PGID detected
* (attribute 'authAuthority' detected)
* clear text password detected
* attribute name detected
* attribute long name detected
* (attribute 'sn' detected)
* attribute homedir detected
* 12 attributes detected
# sbin/authsrv ldapcheck ldapuser
ldap preliminary check starting...
preference ldap server - 'LDAP_Server':'ldaphost.helios.de' OK
preference using port - 'LDAP_Port':'389' OK
* connected
* got version 2
* set to version 3
* using anonymous bind
* bind OK, now requesting user info for 'ldapuser'
preference user filter - 'LDAP_UserFilter':'uid=%s' OK
preference user base - 'LDAP_UserBase':'cn=users,dc=ldaphost,dc=helios,dc=de' OK
* filter: 'uid=ldapuser'
* user found, now requesting basic attributes
preference user name - 'LDAP_UATTR_Name':'uid' OK
preference user long name - 'LDAP_UATTR_LongName':'cn' OK
preference home dir - 'LDAP_UATTR_HomeDirectory':'homeDirectory' OK
preference uid - 'LDAP_UATTR_UID':'uidNumber' OK
preference pgid - 'LDAP_UATTR_PGID':'gidNumber' OK
* (attribute 'objectClass' detected)
* attribute UID detected
* (attribute 'apple-generateduid' detected)
* (attribute 'apple-mcxflags' detected)
* (attribute 'loginShell' detected)
* attribute PGID detected
* (attribute 'authAuthority' detected)
* clear text password detected
* attribute name detected
* attribute long name detected
* (attribute 'sn' detected)
* attribute homedir detected
* 12 attributes detected
Manually setting up the OpenLDAP server (example for SUSE 10.2)
Note: The following example is simplified. Usually structure and access rights should have a more sophisticated design.
Run “yast” and install the packets “openldap2”, “openldap2-client”, and optionally “yast2-ldap-server”, but do not start the OpenLDAP server immediately.
Edit “/etc/openldap/slapd.conf” according to your needs and especially include the file helios.schema right after “yast.schema”, and ensure that the entries for “rootdn” and “rootpw” match those specified for the HELIOS authentication server (“LDAP_BindDN” and “LDAP_BindPassword”). It may also be necessary to include “nis.schema” instead of “rfc2307bis.schema” to create groups.
Build the root node and nodes for users / groups:
Customize the file root_node.ldif according to your requirements and call the command:
# slapadd -v -l root_node.ldif
Start the OpenLDAP server and check for error messages.
# /etc/rc.d/ldap start
Set up a sample user / group:
Create a HELIOS password via authutil passwd -H -X -p <HELIOS_password>.
Edit sample_user.ldif according to your needs using the just created HELIOS password.
# ldapadd -v -f sample_user.ldif -x -D "cn=Manager,dc=my-domain,dc=com" -w secret
Edit sample_group.ldif according to your needs.
# ldapadd -v -f sample_group.ldif -x -D "cn=Manager,dc=my-domain,dc=com" -w secret
As user root issue the command “slapcat” and verify that the just added sample user is listed.
LDAP server configuration and user management
Mac OS X Server:
User / group administration via “Workgroup Manager” program
Univention Corporate Server:
User / group administration via “Univention Admin” web interface
OpenLDAP:
Manual user / group administration via configuration files or third-party tools.
Configuration files can be:
- ldap.conf (LDAP basic settings for clients)
- ldapfilter.conf (LDAP filter configuration)
- ldapsearchprefs.conf (LDAP search settings)
- ldaptemplates.conf (LDAP output settings)
Uninstallation
To deactivate LDAP support it is sufficient to take this step:
- Remove the value “LDAP” (Univention, OpenLDAP) or “MACOSX” (Mac OS X Server) from the preference NameServices:
# prefvalue -k 'Programs/authsrv/NameServices' -t str "local,NIS"
To completely uninstall LDAP support, take the following steps:
- Stop HELIOS:
# cd /usr/local/helios
# bin/stop-helios now
- Restore the original authentication server, e.g.:
(Mac OS X)
# mv sbin/authsrv.save sbin/authsrv
# mv lib/libccllib_s.dylib.save lib/libccllib_s.dylib
# rm lib/libldap_s.dylib lib/libsasl2_s.dylib
# rm -r lib/sasl2
(RS/6000)
# mv sbin/authsrv.save sbin/authsrv
# mv lib/libccllib_s.a.save lib/libccllib_s.a
# rm lib/libldap_s.a lib/libsasl2_s.a
# rm -r lib/sasl2
(All other platforms)
# mv sbin/authsrv.save sbin/authsrv
# mv lib/libccllib_s.so.save lib/libccllib_s.so
# rm lib/libldap_s.so lib/libsasl2_s.so
# rm -r lib/sasl2
Versions
