HELIOS authentication server LDAP

Introduction

Prerequisites

Background on LDAP

Installation

LDAP client configuration via "authsrv"

Verifying the LDAP connection

Manually setting up the OpenLDAP server

LDAP server configuration and user management

Uninstallation

Versions

Feedback

Introduction

The HELIOS authentication server ("authsrv") now supports LDAP authentication against the following LDAP servers:

  • Mac OS X Server ("Open Directory"/Password Server)
  • Univention Corporate Server (LDAP server)
  • OpenLDAP (LDAP server; tested on SUSE 10.2)

The "authsrv" is installed on the HELIOS server and acts as an LDAP client, which accesses the LDAP database read-only.

In the following, we describe the installation and configuration of the "authsrv" for the three LDAP server systems Mac OS X Server, Univention, and OpenLDAP. Please note that the configuration, especially for OpenLDAP, requires some know-how and should therefore be restricted to experienced system integrators.

Note: Customers who wish to use AD/PDC do not need LDAP. Instead, they can use the existing AD/PDC support.

Prerequisites

Background on LDAP

  • LDAP (Lightweight Directory Access Protocol) is a networking protocol, which runs over TCP/IP, for querying and modifying directory services
  • All users and groups are stored in the LDAP database
  • The HELIOS supported LDAP version is LDAPv3
  • SASL (Simple Authentication and Security Layer) is an encryption selection protocol, which can be used in combination with LDAP, and is needed to communicate with the Apple Password Server.
  • Password verification
    • On Mac OS X Server passwords are created with the Apple "Workgroup Manager" and verified against the Apple Password Server
    • On Univention Corporate Server passwords are verified against the NTLM password
    • On OpenLDAP the HELIOS password must be set manually
  • If passwords are stored in LDAP, different encryption methods may be used (HELIOS requires the NTLM or HELIOS password):

    Password encryption method   Description
    UNIX crypted password        Used by UNIX applications (not recommended)
    NTLM password                Used by HELIOS and Samba
    HELIOS password              Used by HELIOS

  • Different UNIX platforms supply different LDAP implementations, some of which are outdated or incompatible with each other. Therefore, HELIOS provides current and consistent LDAP libraries for all platforms:

    HELIOS supplied LDAP libraries   Description
    libldap_s.so (1)                 LDAP library
    libsasl2_s.so (1)                SASL library
    sasl2/                           Directory including the supported encryption methods used by SASL

    (1) Mac OS X: "libldap_s.dylib" and "libsasl2_s.dylib"; RS/6000: "libldap_s.a" and "libsasl2_s.a"

Installation

The HELIOS UB+ authentication server includes support for LDAP when installed from HELIOS CD023.

The following instructions are for HELIOS UB users only:
For HELIOS UB, download the "authsrv" preview software for the required server platform at: http://www.helios.de/ldappreview/ and follow the instructions below.

"authsrv" preview cannot be installed (or updated) via HELIOS Update Installer!

Stop HELIOS:
# cd /usr/local/helios
# bin/stop-helios now

Save the original authentication server, e.g.:

(Mac OS X)
# mv sbin/authsrv sbin/authsrv.save
# mv lib/libccllib_s.dylib lib/libccllib_s.dylib.save

(RS/6000)
# mv sbin/authsrv sbin/authsrv.save
# mv lib/libccllib_s.a lib/libccllib_s.a.save

(All other platforms)
# mv sbin/authsrv sbin/authsrv.save
# mv lib/libccllib_s.so lib/libccllib_s.so.save

Extract:
# bin/htar -xvzf <path_to_archive>.tgz

Call "05mkliblinks" to create the required symbolic links for the new libraries:
# etc/install/05mkliblinks

Set the authentication server preference NameServices according to the used LDAP systems, i.e. for Univention and OpenLDAP add "LDAP" to the list, and for Mac OS X Server add "MACOSX" (but NEVER both values together!).

Examples:

prefvalue -k 'Programs/authsrv/NameServices' -t str "local,NIS,LDAP" (for Univention and OpenLDAP systems)

prefvalue -k 'Programs/authsrv/NameServices' -t str "local,NIS,MACOSX" (for the Mac OS X Server system)

LDAP client configuration for "authsrv"

The following preferences and attributes should be set via the included Perl scripts:

Script name               Description
ldapMacosxPrefs.pl        LDAP configuration script for Mac OS X Server
ldapUniventionPrefs.pl    LDAP configuration script for Univention Corporate Server
ldapOpenLDAPPrefs.pl      LDAP configuration script for OpenLDAP

These scripts are only examples, which have to be edited before use. The values that must be specified depend on the used LDAP server system, e.g.:

  • Server name (Mac OS X)
  • Server name, bind name/password (Univention)
  • Server name, user/group base, bind name/password (OpenLDAP)

LDAP filter preferences

The following preferences, except for LDAP_Port, must be specified with the command:

prefvalue -k 'Programs/authsrv/<preference>' -t str <value>

For LDAP_Port use:

prefvalue -k 'Programs/authsrv/LDAP_Port' -t int <value>

Preference               Example value                                         Description
LDAP_Server              localhost                                             LDAP server name or IP address
LDAP_Port                389                                                   LDAP server port
LDAP_UserBase            dc=HELIOS,dc=de                                       Base pointer in database
LDAP_GroupBase           dc=HELIOS,dc=de                                       Base pointer in database
LDAP_BindDN              uid=Administrator,cn=users,dc=univention,dc=local     LDAP bind name
LDAP_BindPassword        secret                                                LDAP bind password
LDAP_LongUserFilter      longName=%s                                           Select LDAP user entry by long name
LDAP_UserFilter          cn=%s                                                 Select LDAP user entry by short name
LDAP_UserIDFilter        longName=%d                                           Select LDAP user entry by user ID
LDAP_GroupFilter         cn=%s                                                 Select LDAP group entry by name
LDAP_GroupIDFilter       gid=%d                                                Select LDAP group entry by group ID
LDAP_GroupMemberFilter   user=%s                                               Select LDAP user entry by group membership

LDAP attributes

Preference                   Example name      Description
LDAP_UATTR_HeliosPassword    heliosPassword    HELIOS password (generated via HELIOS "authutil" tool)
LDAP_UATTR_ClearPassword     clearPassword     Cleartext password (not recommended)
LDAP_UATTR_NTPassword        sambaNTPassword   NT hash
LDAP_UATTR_Name              uid               User name (e.g. UNIX short name)
LDAP_UATTR_LongName          cn                User long name (e.g. UNIX GECOS)
LDAP_UATTR_UID               uidNumber         User ID
LDAP_UATTR_PGID              gidNumber         Primary group ID
LDAP_UATTR_HomeDirectory     homeDirectory     Path to user home directory
LDAP_UATTR_AppleID           authAuthority     Apple ID used to identify user to Apple Password Server (only Mac OS X Server)
LDAP_GATTR_GID               gidNumber         Group ID
LDAP_GATTR_NAME              cn                Group name
LDAP_GATTR_AppleID           authAuthority     Apple ID used to identify group to Apple Password Server (only Mac OS X Server)
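The Perl scripts above have to be edited by hand. The following shell script is an added example (not HELIOS code and not one of the shipped scripts) that composes the complete set of prefvalue calls for an OpenLDAP server and refuses a NameServices list that names both LDAP and MACOSX. Assumptions: HELIOS is installed under /usr/local/helios with prefvalue on the PATH from there; the filter values assume an RFC 2307 (nis.schema) layout with uid, cn, uidNumber, gidNumber and memberUid attributes; the server name, base DN, bind DN and bind password are constructed placeholders. With the default DRY_RUN=1 the commands are only printed; set DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example, not part of the HELIOS software: compose/apply the "authsrv"
# LDAP preferences for an OpenLDAP server. All values are placeholders.

HELIOS_DIR=${HELIOS_DIR:-/usr/local/helios}   # assumed installation directory
DRY_RUN=${DRY_RUN:-1}                         # 1 = print commands only

# Return 1 if the comma-separated NameServices list contains both LDAP and
# MACOSX; the two LDAP back ends must never be enabled together.
check_nameservices() {
    list=",$1,"
    case $list in
        *,LDAP,*)
            case $list in
                *,MACOSX,*)
                    echo "NameServices must not contain both LDAP and MACOSX: $1" >&2
                    return 1 ;;
            esac ;;
    esac
    return 0
}

# Set one preference with prefvalue; LDAP_Port is the only int preference.
set_pref() {
    if [ "$1" = LDAP_Port ]; then type=int; else type=str; fi
    if [ "$DRY_RUN" = 1 ]; then
        printf "prefvalue -k 'Programs/authsrv/%s' -t %s '%s'\n" "$1" "$type" "$2"
    else
        (cd "$HELIOS_DIR" && prefvalue -k "Programs/authsrv/$1" -t "$type" "$2")
    fi
}

# Apply the full OpenLDAP client configuration:
#   apply_openldap_prefs <server> <base DN> <bind DN> <bind password>
# Attribute names follow the example names in the tables above; the filter
# values are an assumption for an RFC 2307 layout and must be adapted.
apply_openldap_prefs() {
    server=$1; base=$2; binddn=$3; bindpw=$4
    check_nameservices "local,NIS,LDAP" || return 1
    set_pref NameServices "local,NIS,LDAP"
    set_pref LDAP_Server "$server"
    set_pref LDAP_Port 389
    set_pref LDAP_UserBase "$base"
    set_pref LDAP_GroupBase "$base"
    set_pref LDAP_BindDN "$binddn"
    set_pref LDAP_BindPassword "$bindpw"
    set_pref LDAP_UserFilter 'uid=%s'
    set_pref LDAP_LongUserFilter 'cn=%s'
    set_pref LDAP_UserIDFilter 'uidNumber=%d'
    set_pref LDAP_GroupFilter 'cn=%s'
    set_pref LDAP_GroupIDFilter 'gidNumber=%d'
    set_pref LDAP_GroupMemberFilter 'memberUid=%s'
    set_pref LDAP_UATTR_HeliosPassword heliosPassword
    set_pref LDAP_UATTR_NTPassword sambaNTPassword
    set_pref LDAP_UATTR_Name uid
    set_pref LDAP_UATTR_LongName cn
    set_pref LDAP_UATTR_UID uidNumber
    set_pref LDAP_UATTR_PGID gidNumber
    set_pref LDAP_UATTR_HomeDirectory homeDirectory
    set_pref LDAP_GATTR_GID gidNumber
    set_pref LDAP_GATTR_NAME cn
}

# Demo with constructed values (dry run unless DRY_RUN=0 was set).
apply_openldap_prefs ldaphost.example.com "dc=example,dc=com" \
    "cn=Manager,dc=example,dc=com" secret
```

The bind password ends up in the preference store in clear text, exactly as the LDAP_BindPassword preference requires, so the bind DN used here should be a read-only account, which matches the read-only access the "authsrv" needs.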

Verifying the LDAP connection

To verify the LDAP connection after the installation of the "authsrv", do the following:

1. Establish a connection to the LDAP server

# socket -v <LDAP_Server> <LDAP_Port>

If the output ends with "Successfully connected to server." and "Going into interactive mode.", everything is fine. If the connection could not be established in time, you will receive a "Connection timed out" message; if no LDAP service is listening on this host and port, a "Connection refused" message.

Example:

# cd /usr/local/helios
# bin/socket -v ldaphost 389
socket 1.0.0 (c) 2005 by HELIOS Software Garbsen
Trying to connect to ldaphost port 389 ...
Resolving ip address ...
Address is 172.16.3.228.
Opening socket ...
Done.
Connecting to server ...
Done.
Local port is 44590, remote port is 389.
Successfully connected to server.
Going into interactive mode.

2. To check the LDAP server connectivity you may use the "ldapsearch" command line tool, which is usually available on UNIX systems

The parameters depend on the platform the command is issued from. Please refer to the corresponding manpages. The output depends on the host referred to, i.e. the one specified by the -h switch (in the following examples "ldaphost").

# ldapsearch -h <Host Name>

Example call (OpenLDAP for Mac OS X, Linux, Univention):

# ldapsearch -h ldaphost -x -s base -b "" "(objectclass=*)" +

Example call (IBM AIX, Solaris):

ldapsearch -h ldaphost -s base -b "" "(objectclass=*)" +

Example output:

structuralObjectClass=OpenLDAProotDSE
configContext=cn=config
namingContexts=dc=my-domain,dc=com
supportedControl=1.3.6.1.4.1.4203.1.9.1.1
supportedControl=2.16.840.1.113730.3.4.18
supportedControl=2.16.840.1.113730.3.4.2
supportedControl=1.3.6.1.4.1.4203.1.10.1
supportedControl=1.2.840.113556.1.4.319
supportedControl=1.2.826.0.1.334810.2.3
supportedControl=1.2.826.0.1.3344810.2.3
supportedControl=1.3.6.1.1.13.2
supportedControl=1.3.6.1.1.13.1
supportedControl=1.3.6.1.1.12
supportedExtension=1.3.6.1.4.1.4203.1.11.1
supportedExtension=1.3.6.1.4.1.4203.1.11.3
supportedFeatures=1.3.6.1.1.14
supportedFeatures=1.3.6.1.4.1.4203.1.5.1
supportedFeatures=1.3.6.1.4.1.4203.1.5.2
supportedFeatures=1.3.6.1.4.1.4203.1.5.3
supportedFeatures=1.3.6.1.4.1.4203.1.5.4
supportedFeatures=1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion=3
supportedSASLMechanisms=DIGEST-MD5
supportedSASLMechanisms=CRAM-MD5
entryDN=
subschemaSubentry=cn=Subschema

Only if "ldapsearch" is successful should you continue with the next steps.

3. Start the HELIOS authentication server with the "ldapcheck" command

Note: HELIOS services must not run to perform this step!

With this call, "authsrv" tries to retrieve all attributes for <User_Name> using the currently set preferences. The specified user must be a complete and valid LDAP user.

# authsrv ldapcheck <User_Name>

Example:

# cd /usr/local/helios
# sbin/authsrv ldapcheck ldapuser
ldap preliminary check starting...
preference ldap server - 'LDAP_Server':'ldaphost.helios.de' OK
preference using port - 'LDAP_Port':'389' OK
* connected
* got version 2
* set to version 3
* using anonymous bind
* bind OK, now requesting user info for 'ldapuser'
preference user filter - 'LDAP_UserFilter':'uid=%s' OK
preference user base - 'LDAP_UserBase':'cn=users,dc=ldaphost,dc=helios,dc=de' OK
* filter: 'uid=ldapuser'
* user found, now requesting basic attributes
preference user name - 'LDAP_UATTR_Name':'uid' OK
preference user long name - 'LDAP_UATTR_LongName':'cn' OK
preference home dir - 'LDAP_UATTR_HomeDirectory':'homeDirectory' OK
preference uid - 'LDAP_UATTR_UID':'uidNumber' OK
preference pgid - 'LDAP_UATTR_PGID':'gidNumber' OK
* (attribute 'objectClass' detected)
* attribute UID detected
* (attribute 'apple-generateduid' detected)
* (attribute 'apple-mcxflags' detected)
* (attribute 'loginShell' detected)
* attribute PGID detected
* (attribute 'authAuthority' detected)
* clear text password detected
* attribute name detected
* attribute long name detected
* (attribute 'sn' detected)
* attribute homedir detected
* 12 attributes detected
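The "ldapsearch" output in step 2 has to be read by eye for the two things the "authsrv" depends on: LDAPv3 (the only version HELIOS supports) and, when the Apple Password Server is involved, advertised SASL mechanisms. The following shell script is an added example (not HELIOS code) that queries the root DSE with the OpenLDAP client syntax from step 2 and checks the result automatically. The embedded root DSE is a constructed sample modelled on the output shown above, so the check part runs without a server; the host name ldaphost.example.com is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the HELIOS software: check an LDAP server's
# root DSE for what "authsrv" needs (LDAPv3 and, optionally, SASL).

# Query the root DSE (OpenLDAP client syntax; drop -x for AIX/Solaris).
query_rootdse() {
    ldapsearch -h "$1" -x -s base -b "" "(objectclass=*)" +
}

# Return 0 if LDAPv3 is advertised ("attr=value" and "attr: value" forms).
check_ldap_version() {
    printf '%s\n' "$1" | grep -q '^supportedLDAPVersion[:=] *3$'
}

# Print the advertised SASL mechanisms, one per line.
sasl_mechanisms() {
    printf '%s\n' "$1" | sed -n 's/^supportedSASLMechanisms[:=] *//p'
}

# Return 0 if the named mechanism (e.g. DIGEST-MD5) is advertised.
has_sasl_mechanism() {
    sasl_mechanisms "$1" | grep -qx "$2"
}

# Summarise a root DSE; returns 1 when a requirement is missing.
#   check_rootdse <root DSE text> [need_sasl: 1 for Apple Password Server]
check_rootdse() {
    out=$1; need_sasl=${2:-0}; rc=0
    if check_ldap_version "$out"; then
        echo "LDAPv3: OK"
    else
        echo "LDAPv3: MISSING (HELIOS requires LDAPv3)"; rc=1
    fi
    mechs=$(sasl_mechanisms "$out" | tr '\n' ' ')
    echo "SASL mechanisms: ${mechs:-none}"
    if [ "$need_sasl" = 1 ] && [ -z "$mechs" ]; then
        echo "SASL: required for the Apple Password Server but none advertised"; rc=1
    fi
    return $rc
}

# Live check against a real host: verify_server ldaphost.example.com [need_sasl]
verify_server() {
    check_rootdse "$(query_rootdse "$1")" "${2:-0}"
}

# Constructed sample root DSE, modelled on the example output in step 2.
SAMPLE_ROOTDSE='structuralObjectClass=OpenLDAProotDSE
namingContexts=dc=my-domain,dc=com
supportedLDAPVersion=3
supportedSASLMechanisms=DIGEST-MD5
supportedSASLMechanisms=CRAM-MD5
entryDN='

# Offline demo on the sample: prints "LDAPv3: OK" and the two mechanisms.
check_rootdse "$SAMPLE_ROOTDSE" 1
```

A server that only advertises "supportedLDAPVersion=2", or none of the SASL mechanisms when the Mac OS X Password Server is to be used, will fail here before "authsrv ldapcheck" is even attempted, which keeps step 3 for the user and attribute mapping problems it is meant to show.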


Manually setting up the OpenLDAP server (example for SUSE 10.2)

Note: The following example is simplified. Usually the structure and access rights should have a more sophisticated design.

Run "yast" and install the packages "openldap2", "openldap2-client", and optionally "yast2-ldap-server", but do not start the OpenLDAP server yet.

Edit "/etc/openldap/slapd.conf" according to your needs. In particular, include the file helios.schema right after "yast.schema", and ensure that the entries for "rootdn" and "rootpw" match those specified for the HELIOS authentication server ("LDAP_BindDN" and "LDAP_BindPassword"). To create groups it may also be necessary to include "nis.schema" instead of "rfc2307bis.schema".

Build the root node and nodes for users/groups:

Customize the file root_node.ldif according to your requirements and call the command

# slapadd -v -l root_node.ldif

Start the OpenLDAP server and check for error messages:

# /etc/rc.d/ldap start

Set up a sample user/group:

Create a HELIOS password:

# authutil passwd -H -X -p <HELIOS_password>

Edit sample_user.ldif according to your needs, using the HELIOS password just created

# ldapadd -v -f sample_user.ldif -x -D "cn=Manager,dc=my-domain,dc=com" -w secret

Edit sample_group.ldif according to your needs

# ldapadd -v -f sample_group.ldif -x -D "cn=Manager,dc=my-domain,dc=com" -w secret

As user root issue the command "slapcat" and verify that the just added sample user is listed.

LDAP server configuration and user management

Mac OS X Server:
User/group administration via "Workgroup Manager" program

Univention Corporate Server:
User/group administration via "Univention Admin" web interface

OpenLDAP:
Manual user/group administration via configuration files or third-party tools.

The relevant OpenLDAP client configuration files are:

  • ldap.conf (LDAP basic settings for clients)
  • ldapfilter.conf (LDAP filter configuration)
  • ldapsearchprefs.conf (LDAP search settings)
  • ldaptemplates.conf (LDAP output settings)

Uninstallation

To deactivate LDAP support it is sufficient to take this step:

  • Remove the value "LDAP" (Univention, OpenLDAP) or "MACOSX" (Mac OS X Server) from the preference NameServices:

    prefvalue -k 'Programs/authsrv/NameServices' -t str "local,NIS"

To completely uninstall LDAP support, take the following steps:

  • Stop HELIOS:

    # cd /usr/local/helios
    # bin/stop-helios now

  • Restore the original authentication server, e.g.:

    (Mac OS X)
    # mv sbin/authsrv.save sbin/authsrv
    # mv lib/libccllib_s.dylib.save lib/libccllib_s.dylib
    # rm lib/libldap_s.dylib lib/libsasl2_s.dylib
    # rm -r lib/sasl2

    (RS/6000)
    # mv sbin/authsrv.save sbin/authsrv
    # mv lib/libccllib_s.a.save lib/libccllib_s.a
    # rm lib/libldap_s.a lib/libsasl2_s.a
    # rm -r lib/sasl2

    (All other platforms)
    # mv sbin/authsrv.save sbin/authsrv
    # mv lib/libccllib_s.so.save lib/libccllib_s.so
    # rm lib/libldap_s.so lib/libsasl2_s.so
    # rm -r lib/sasl2

Versions

  • Preview 2 (July 13, 2007)
    • Fixes NTLM for Vista
    • Removes user entry from cache if password has been changed
    • Fixes for HP IA-64
    • Fixes logins against Mac OS X LDAP & Password server
  • Final HELIOS UB+ (December, 2007)

Feedback

Please report errors or make suggestions to: beta (at) helios.de.
