Introduction
User management on Solaris with a Directory Server is well documented in the Solaris manuals.
How to do SSO using a Windows AD server is also documented on various sites.
What is less obvious and not documented is how to just authenticate (check passwords) using LDAP. That is what this post documents.
Setup
Bind User in Windows AD Server
First you need to create a bind user on the Windows AD server that has the rights to look up all usernames that should be able to authenticate.
Set up a user:
cn=unixbind,ou=USER system,ou=yyy,dc=xxx,dc=com
This user only needs read-only rights on the user objects. It is used to look up the user's cn via the sAMAccountName attribute; that cn is then used for the bind.
Import the CA cert into the certdb
If you are going to use ldaps you need the certification authority certificate. This can be a root CA of your own organisation or a CA from an official authority like VeriSign that signed your certificate.
To find the issuing authority, inspect the server certificate:
Armins-Air:Desktop ado$ openssl x509 -noout -text -in google.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 8057627504494046370 (0x6fd2718631c8eca2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Google Trust Services, CN=Google Internet Authority G3
...
...
Here it is "Google Internet Authority G3".
As this is an official trust authority, you can find the cert in your web browser and export it.
For Firefox: Preferences -> Privacy & Security -> Certificates -> View Certificates -> Authorities.
The cert found for Google Internet Authority G3 was:
Armins-Air:Desktop ado$ openssl x509 -noout -in GoogleInternetAuthorityG3.crt -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
01:e3:a9:30:1c:fc:72:06:38:3f:9a:53:1d
Signature Algorithm: sha256WithRSAEncryption
Issuer: OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
This cert was issued by GlobalSign Root CA - R2, so we get that cert from the browser too and then check the trust chain using openssl.
Put the two certs in one file:
Armins-Air:Desktop ado$ cat GoogleInternetAuthorityG3.crt GlobalSignRootCA-R2.crt > ca.crt
and then check the Google cert against it:
Armins-Air:Desktop ado$ openssl verify -CAfile ca.crt google.crt
google.crt: OK
Then create an empty certdb:
/usr/sfw/bin/certutil -N -d /var/ldap
Then import the ca cert into the db:
/usr/sfw/bin/certutil -A -d /var/ldap -i ca.crt -n xxxx.com -t 'C,C,C'
The binary /usr/sfw/bin/certutil is installed by the package SUNWtlsu.
Change the pam.conf
You can use LDAP authentication for all logins. This is done using the "other" section:
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_ldap.so.1
other auth binding pam_unix_auth.so.1 server_policy
Or you can use it only for ssh:
sshd-kbdint auth requisite pam_authtok_get.so.1
sshd-kbdint auth required pam_dhkeys.so.1
sshd-kbdint auth required pam_unix_cred.so.1
sshd-kbdint auth binding pam_ldap.so.1
sshd-password auth requisite pam_authtok_get.so.1
sshd-password auth required pam_dhkeys.so.1
sshd-password auth required pam_unix_cred.so.1
sshd-password auth binding pam_ldap.so.1
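As an added example (not part of the original post), here is a small offline simulator of the pam.conf(4) control-flag rules, run over the two stacks shown above. It makes the security difference between the two stacks visible: with pam_ldap marked sufficient, an LDAP rejection falls through to the local pam_unix_auth password, while with pam_ldap marked binding the LDAP result decides the login. Module results are supplied by the caller; nothing here talks to a real PAM or LDAP server.

```python
# Added example, not from the post: an offline simulator of the Solaris pam.conf(4)
# control flags, run over the post's own "other" and "sshd-kbdint" auth stacks.
PAM_CONF = """
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_ldap.so.1
other auth binding pam_unix_auth.so.1 server_policy
sshd-kbdint auth requisite pam_authtok_get.so.1
sshd-kbdint auth required pam_dhkeys.so.1
sshd-kbdint auth required pam_unix_cred.so.1
sshd-kbdint auth binding pam_ldap.so.1
"""


def auth_stack(conf, service):
    """Return [(control_flag, module)] for the auth lines of one service."""
    stack = []
    for line in conf.strip().splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == service and fields[1] == "auth":
            stack.append((fields[2], fields[3]))
    return stack


def run_auth(stack, results):
    """Evaluate an auth stack with the pam.conf(4) control-flag rules.

    results maps module -> True/False; an unlisted module is assumed to succeed
    (pam_authtok_get, pam_dhkeys and pam_unix_cred normally do).
    Returns True when PAM would report PAM_SUCCESS.
    """
    required_failed = False
    for flag, module in stack:
        ok = results.get(module, True)
        if flag == "requisite" and not ok:
            return False            # stop at once; nothing later can rescue it
        if flag == "required" and not ok:
            required_failed = True  # remembered, but later modules still run
        if flag == "sufficient" and ok and not required_failed:
            return True             # success short-circuits; a failure is ignored
        if flag == "binding":
            if ok and not required_failed:
                return True         # same short-circuit on success ...
            if not ok:
                required_failed = True  # ... but a failure is fatal for the stack
        # "optional" (unused in the post's stacks) would simply be ignored here
    return not required_failed
```

Run it with {"pam_ldap.so.1": False, "pam_unix_auth.so.1": True} against the "other" stack and the login succeeds on the local password; the same input against "sshd-kbdint" is rejected.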
Then on the console no LDAP authentication is used.
Setup ldap client
ldapclient manual \
-a domainName=xxx.com \
-a credentialLevel=proxy \
-a authenticationMethod=tls:simple \
-a defaultSearchBase=dc=xxx,dc=com \
-a "proxyDN=cn=unixbind,ou=USER system,ou=LI,dc=xxx,dc=com" \
-a proxyPassword=wassimmer \
-a objectClassMap=passwd:posixaccount=user \
-a attributeMap=passwd:uid=sAMAccountName \
-a serviceSearchDescriptor=passwd:dc=xxx,dc=com?sub \
-a followReferrals=false \
-a preferredServerList="10.10.1.1"
This creates two files in /var/ldap:
/var/ldap/ldap_client_cred: Bind user with its encrypted password
/var/ldap/ldap_client_file: The configuration of the ldap service
Start ldap Service
Now we just have to enable the ldap service:
svcadm enable ldap/client
Check the ldap service now:
xxx@yyy> /usr/lib/ldap/ldap_cachemgr -g
cachemgr configuration:
server debug level 0
server log file "/var/ldap/cachemgr.log"
number of calls to ldapcachemgr 63
cachemgr cache data statistics:
Configuration refresh information:
Previous refresh time: 2018/07/06 19:46:58
Next refresh time: 2018/07/12 19:47:11
Server information:
Previous refresh time: 2018/07/12 07:47:11
Next refresh time: 2018/07/12 10:57:02
server: xx.yy.zz.66, xyz, status: UP
Cache data information:
Maximum cache entries: 256
Number of cache entries: 0