Installing LDAP PAM
You can find the pam_ldap library file, often named pam_ldap.so.1 or pam_ldap.so, in the /usr/lib/security directory on most UNIX systems, but this version is often older than the pam_ldap file available from PADL. Earlier versions often won't work with AD because they weren't built to support or understand AD. Unless your UNIX vendor's pam_ldap works with AD, I suggest that you either download the current version of pam_ldap from PADL (http://www.padl.com/OSS/pam_ldap.html) and compile it yourself or obtain the binary package from Symas (http://rebec.symas.net/download/connexitor), a consulting company.
During the implementation of pam_ldap on a Sun Solaris 2.8 system (a popular UNIX version), I found that Solaris 2.8's pam_ldap didn't work with AD, but PADL's pam_ldap 164 (the most recent version) works well with AD. If you plan to build pam_ldap on Solaris 2.8, you can perform the steps below (users on a non-Solaris system might need to modify these instructions). The software I use to compile and support pam_ldap is all open-source freeware.
- Make sure you have the GNU Compiler Collection (Gcc), make, automake, and autoconf tools to generate executables. You use the tools to build pam_ldap and its dependencies. You can download the most recent stable version of Gcc 3.3 from http://www.gnu.org/directory/gnu/gcc.html, make 3.80 from http://www.gnu.org/directory/gnu/make.html, automake 1.76 from http://www.gnu.org/directory/gnu/automake.html, and autoconf 2.57 from http://www.gnu.org/directory/gnu/autoconf.html. Gcc, make, automake, and autoconf's binary packages are also available at http://www.sunfreeware.com.
- Download and install a random number generator that SSL can use to generate encryption keys. A good example is Pseudo Random Number Generator Daemon (PRNGD) 0.9.27. You can get the tool's source code from http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html or get the binary package of version 0.95 from http://www.sunfreeware.com.
- Download and install the most recent version of OpenSSL 0.9.7b to support SSL. The source code is available from http://www.openssl.org. A binary package is also available at http://www.sunfreeware.com.
- Download the OpenLDAP 2.1.22 source code from http://www.openldap.org/software/download. Before you compile OpenLDAP, set up the environment settings by using the following commands:
export LDFLAGS CPPFLAGS
unset LD_LIBRARY_PATH
LDFLAGS="-L/usr/local/ssl/lib -L/usr/local/lib"
LDFLAGS="$LDFLAGS -R/usr/local/ssl/lib:/usr/local/lib"
CPPFLAGS="-I/usr/local/ssl/include -I/usr/local/include"
Next, use the following commands from the OpenLDAP source-code directory to compile and install the OpenLDAP client component and the LDAPS support that pam_ldap uses (the slapd server itself is not needed, so it is disabled):
./configure --disable-slapd --with-tls
make depend
make
make install
- Use the following commands to compile and install pam_ldap 164 from the pam_ldap directory:
./configure --with-ldap-lib=openldap --with-ldap-dir=/usr/local --with-ldap-conf-file=/etc/ldap.conf
make
make install
The flags in the configure command tell pam_ldap to use OpenLDAP's LDAP functions and LDAP configuration from the /etc/ldap.conf file. The installation places the pam_ldap.so.1 file in the /usr/lib/security directory.
Configuring LDAP PAM
Before you can use pam_ldap, you need to configure the ldap.conf and pam.conf files on the UNIX system. You also need to configure AD on Win2K. PADL provides a sample ldap.conf and pam.conf file with the pam_ldap source code, but you need to customize the files for your environment. Let's look at the ldap.conf file configuration first, then look at the AD and pam.conf configuration.
Web Listing 1 (http://www.secadministrator.com, InstantDoc ID 39989) shows the sample ldap.conf file that I used to configure pam_ldap access to AD. The code at callout A in Web Listing 1 specifies the search base of the LDAP distinguished name (DN, i.e., your complete AD organization name string) and tells LDAP to search objects and attributes from the search base down through all child organizations until it finds the object or exhausts the user-defined search time limit (in this case, 30 seconds).
The code at callout B shows the AD LDAP server Uniform Resource Identifiers (URIs) for the DCs that pam_ldap will use. (When you specify multiple DCs, as the example shows, authentication can fail over to the next available DC if the current one isn't available.) LDAPS encrypts the LDAP communication to secure the user credentials passing over the wire from the UNIX system to AD. The code at callout B also tells LDAPS to use TCP port 636 and specifies the LDAP server version; AD supports LDAP 3.0, the most recent version.
Next, the code gives the LDAP bind DN and password used to log on to AD within the bind time limit (e.g., 30 seconds) and performs LDAP user object and attribute lookup for UNIX user authentication. The LDAP bind logon account can be a guest user account in the Domain Guests group that has no other access privileges. You can't use AD's anonymous account because the account can't look up the sAMAccountName attribute of the user object that pam_ldap authentication requires. AD lets you define a group and include only those users authorized to log on to the UNIX system. The code at callout C specifies that pam_ldap lets only those users who are members of the group Unix-System1 log on to the system. This group-membership control prevents an unauthorized user in AD from logging on to the system in the event that you forgot to delete the user's old UNIX account or you accidentally created the user's account on the system. The last line of code in Web Listing 1 denotes that the user password is an AD password.
You can create your own ldap.conf file by replacing the sample names in the code with the appropriate names from your system. Then, save the file in the /etc directory on your UNIX system and protect the file by letting only the root account read or write it, because it contains the bind password.
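The settings described above (search base and time limit, LDAPS URIs for two DCs, a low-privilege bind account, the group restriction, and pam_password ad), written out as an ldap.conf and then audited before use. This is an added example, not Web Listing 1 or PADL's sample file: the domain, host names, group DN and bind account are placeholders, and check_ldap_conf is a hypothetical helper that flags the mistakes the text warns about (a readable password file, a cleartext ldap:// URI, a missing group restriction).

```shell
#!/bin/sh
# Added example (not from the article or PADL). All names below are
# placeholders for your own AD: dc1/dc2.example.com, dc=example,dc=com,
# the Unix-System1 group DN and the pamlookup bind account.

write_sample_ldap_conf() {   # $1 = destination path
    cat > "$1" <<'EOF'
# Search base: root of the AD domain, searched down through all child OUs
base dc=example,dc=com
timelimit 30
# Two DCs over LDAPS (port 636) for failover; AD speaks LDAP version 3
uri ldaps://dc1.example.com:636/ ldaps://dc2.example.com:636/
ldap_version 3
ssl on
# Low-privilege lookup account (Domain Guests); anonymous bind cannot read sAMAccountName
binddn cn=pamlookup,cn=Users,dc=example,dc=com
bindpw PLACEHOLDER-CHANGE-ME
bind_timelimit 30
# AD user objects: users log on by sAMAccountName
pam_login_attribute sAMAccountName
pam_filter objectclass=User
# Only members of this group may log on to this UNIX host
pam_groupdn cn=Unix-System1,ou=Groups,dc=example,dc=com
pam_member_attribute member
# Passwords are AD passwords
pam_password ad
EOF
    chmod 600 "$1"
}

# Returns 0 when the file is mode 0600, owned by $2 (default root) and carries
# the settings the article relies on; prints one line per finding otherwise.
check_ldap_conf() {
    f=$1; owner=${2:-root}; rc=0
    set -- $(ls -ld "$f")          # mode and owner from ls (portable to Solaris)
    [ "$1" = "-rw-------" ] || { echo "mode is $1, want -rw------- (bindpw is in this file)"; rc=1; }
    [ "$3" = "$owner" ] || { echo "owner is $3, want $owner"; rc=1; }
    # every uri must be ldaps://, or the bind password crosses the wire in clear
    for u in $(awk '$1=="uri"{for(i=2;i<=NF;i++)print $i}' "$f"); do
        case $u in ldaps://*) ;; *) echo "insecure uri: $u"; rc=1;; esac
    done
    grep -q '^ssl[[:space:]]*on' "$f" || { echo "ssl on missing"; rc=1; }
    grep -q '^pam_groupdn[[:space:]]' "$f" || { echo "pam_groupdn missing: any AD user could log on"; rc=1; }
    grep -q '^pam_password[[:space:]]*ad' "$f" || { echo "pam_password ad missing"; rc=1; }
    return $rc
}

# Usage: write_sample_ldap_conf /etc/ldap.conf && check_ldap_conf /etc/ldap.conf
```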