Chapter 4 User Authentication

The Internet Express Administration utility lets you set up and manage user authentication with the LDAP Module for System Authentication, which provides a central repository of user information for identifying and authenticating individual users.

This chapter describes the following:

Managing the LDAP Module for System Authentication

The LDAP Module for System Authentication is a loadable authentication mechanism based on the Tru64 UNIX Security Integration Architecture. It intercepts security-related system calls and extracts the information from an LDAP Directory server. This allows you to use LDAP authentication without making any changes to application source code or recompiling.

The Lightweight Directory Access Protocol (LDAP) is an Internet standard directory service protocol that runs over TCP/IP. An LDAP server manages entries in a directory, and makes the information available to users and applications across the network. An LDAP server can be used as a central repository of user information to identify and authenticate individuals. When used in this way, an LDAP server is similar to Network Information Services (NIS), also known as yellow pages. When compared to NIS, an LDAP server offers the following advantages:

  • An LDAP directory is highly scalable

  • LDAP directories are dynamically updated, saving administrators time because it is not necessary to rebuild maps and push them onto the network. Also, changes are available virtually immediately.

  • An LDAP directory database can be used to centralize management of user related information

  • The ability to modify an attribute can be controlled at the attribute level. Users can be allowed to modify noncritical information (such as their preferred login shell or mail forwarding address) on their own. Modifications to more sensitive information (such as UID, GID, or a user's home directory) can be restricted to authorized directory managers only.

  • You can set up multiple LDAP servers to make the data in the directory highly available. Through a process called replication, you can ensure that all LDAP servers have identical copies of the directory. The LDAP servers bind to one another and through standard LDAP commands, propagate changes to the directory.

When you install and enable the LDAP Module for System Authentication subset, user and group authentication takes place through an LDAP server. For example, an LDAP server transparently provides authentication information for login (rlogin, ftp, telnet) and mail (POP and IMAP). For users not found in the LDAP directory, authentication will automatically fall back to using the local authentication mechanism (/etc/passwd) and/or NIS, if it is configured.

When the LDAP Module for System Authentication is installed on your system, the Administration utility for Internet Express provides the following capabilities:

  • You can configure the LDAP Module for System Authentication and test changes to the configuration (see Section : Configuring the LDAP Module for System Authentication)

  • When you create any user account (captive or noncaptive, named or generic), you can elect to have the account information stored in an LDAP database (if you are using an LDAP directory server in your environment)

  • You can enable and disable the LDAP Module for System Authentication to authenticate users through LDAP or through traditional UNIX methods, respectively

Chapter 11 describes how to administer Internet Express-provided Directory servers.

Default Configuration for the LDAP Module for System Authentication

Internet Express configures the security matrix in the /etc/sia/matrix.conf file to use the LDAP Module for System Authentication. The security matrix consists of a list of security-related system calls and the library to be used for each call. As shown in Example 4-1, the siad_ses_authent and siad_ses_estab calls are configured to use the libsialdap.so library first. If that library is not available, or if the requested information is not found in the LDAP server's directory, then the libc.so library is used.

See the siacfg(8) and matrix.conf(4) reference pages for more information about configuring security methods.

Example 4-1 Security Matrix Enabled for LDAP

.
.
.
siad_getgrgid=(BSD,libc.so) (LDAP,/usr/shlib/libsialdap.so)
siad_setpwent=(BSD,libc.so) (LDAP,/usr/shlib/libsialdap.so)
.
.
.

When you install the LDAP Module for System Authentication, the installation procedure checks the validity of the configuration information you supplied, and tries to connect to the LDAP server you specified during the installation, then enables the LDAP Module for System Authentication. If the connection fails, or if the required schema attributes are not found, the LDAP Module for System Authentication is not enabled and you must use the LDAP Module for System Authentication Administration menu to enable it (after correcting the problems) or use the /usr/internet/ldap_tools/ldap_enable utility. Check the attribute values in the Distinguished Name, Password, System Name, Port Number, and the Search Base fields (see Section ).

The LDAP Module for System Authentication gets its information from the LDAP server by way of the ldapcd caching daemon (see Figure 4-1). This daemon runs at all times and is started by the following entry in the /etc/inittab file:

ldapcd:34:respawn:/usr/sbin/ldapcd -D > /dev/console 2>&1

Figure 4-1 LDAP Caching Daemon

The LDAP caching daemon and the provided tools read their configuration from the file /etc/ldapcd.conf. This file specifies how to connect to the LDAP directory server, the attribute mappings for the password and group entries, and the caching parameters. Because the file must contain a clear-text password that allows the utilities to bind to the directory server, it should always be readable by root only. The configuration file is shown in Example 4-2. HP recommends that you use the Administration utility to modify the /etc/ldapcd.conf file. To validate the configuration file, use the /usr/internet/ldap_tools/ldap_check utility.

Example 4-2 LDAP Caching Daemon Configuration File

#
# directory server and port, active ldap connections cached
# by the daemon, max worker threads started
#
# [1]
directory:      host.xyz.com
# [2]
searchbase:     "o=XYZCompany"
# [3]
port:           389
# [4]
connections:    6
# [5]
max_threads:    64

#
# max entries in cache, and number of seconds before entries
# expire in the cache
#
# [6]
pw_cachesize:   2000
pw_expirecache: 120
gr_cachesize:   100
gr_expirecache: 600

#
# distinguished name and password the daemon binds with
#
# [7]
machine_dn:     "cn=Directory Manager"
machine_pass:   "password"

# the objectClass name of a password entry
# [8]
pw_oclass:      posixAccount

# name mappings for password attribute fields
# [9]
pw_username:    uid
# [10]
pw_password:    userPassword
pw_uid:         uidNumber
pw_gid:         gidNumber
pw_quota:
pw_comment:     description
pw_gecos:       gecos
pw_homedir:     homedirectory
pw_shell:       loginshell

# the objectClass name of a group entry
# [11]
gr_oclass:      posixGroup

# name mappings for group attribute fields
# [12]
gr_name:        cn
gr_password:    userPassword
gr_gid:         gidNumber
gr_members:     MemberUID

[1] Host name of the LDAP directory server to be used for user authentication.

[2] The root of the branch in the directory server's database where user information is stored.

[3] The default directory server port; this must match the port you are using for the directory server.

[4] Maximum number of open connections to the directory server maintained by the ldapcd caching daemon.

[5] Maximum number of threads maintained by the ldapcd caching daemon. Each thread handles one connection to a local program. Allowing a higher number of threads may enable better response from the LDAP caching daemon, but requires more memory. If you are running a service that requires a large number of connections (for example, a mail service), set the maximum number of threads to 64 or greater (if your system has sufficient memory).

[6] The value of pw_cachesize determines how many individual passwd entries may be cached. The value of pw_expirecache determines the maximum time, in seconds, for which the ldapcd caching daemon serves an individual passwd entry from the cache. When pw_expirecache is exceeded, the ldapcd daemon returns to the server to look up the requested passwd entry.

The values for gr_cachesize and gr_expirecache work similarly to pw_cachesize and pw_expirecache, but they apply to group entries.

[7] The value of machine_dn is the distinguished name by which the ldapcd caching daemon binds to the directory to search for and retrieve information from the directory. By requiring each system to use a particular DN, you can determine which machines are accessing the directory and for what purpose. Further, you can also control read and search access to the directory on a machine-account basis.

[8] The name of the object class that defines the attributes for a UNIX account in the extended schema on your server (see Section : Extended LDAP Schema for UNIX Account Information).

[9] LDAP attribute names (on the right) are mapped to fields (on the left) in the passwd structure returned by a call to getpwent.

[10] Only the encrypted password is stored in the userPassword attribute.

[11] The name of the object class that defines the attributes for a UNIX group in the extended schema defined on your server (see Section : Extended LDAP Schema for UNIX Account Information).

[12] LDAP attribute names (on the right) are mapped to fields (on the left) in the group structure returned by a call to getgrent(3).

Note:

HP recommends you use the Administration utility to modify the ldapcd.conf file.
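The following is an added example, not part of the Internet Express kit and not a substitute for the ldap_check utility: it parses a constructed /etc/ldapcd.conf in the format of Example 4-2, reports missing or duplicate keys and non-numeric cache or port values, flags a machine_pass that is still the placeholder value, and checks the file's ownership and mode, since the file carries a clear-text bind password. The list of required keys and the "placeholder password" heuristic are assumptions made for this example.

```python
"""Added example: validate an ldapcd.conf file (not HP's ldap_check)."""
import os
import stat
import tempfile

# Assumption for this example: these keys must be present and non-empty
# (pw_quota is allowed to be empty, as in Example 4-2).
REQUIRED_KEYS = (
    "directory", "searchbase", "port", "connections", "max_threads",
    "pw_cachesize", "pw_expirecache", "gr_cachesize", "gr_expirecache",
    "machine_dn", "machine_pass", "pw_oclass", "pw_username", "pw_password",
    "pw_uid", "pw_gid", "pw_homedir", "pw_shell",
    "gr_oclass", "gr_name", "gr_gid", "gr_members",
)
NUMERIC_KEYS = ("port", "connections", "max_threads", "pw_cachesize",
                "pw_expirecache", "gr_cachesize", "gr_expirecache")

# Constructed sample files (host names and passwords are made up).
GOOD_CONF = """\
directory:      host.xyz.com
searchbase:     "o=XYZCompany"
port:           389
connections:    6
max_threads:    64
pw_cachesize:   2000
pw_expirecache: 120
gr_cachesize:   100
gr_expirecache: 600
machine_dn:     "cn=Directory Manager"
machine_pass:   "s3cret-example"
pw_oclass:      posixAccount
pw_username:    uid
pw_password:    userPassword
pw_uid:         uidNumber
pw_gid:         gidNumber
pw_quota:
pw_comment:     description
pw_gecos:       gecos
pw_homedir:     homedirectory
pw_shell:       loginshell
gr_oclass:      posixGroup
gr_name:        cn
gr_password:    userPassword
gr_gid:         gidNumber
gr_members:     MemberUID
"""

# Missing port, non-numeric max_threads, placeholder password, duplicate gr_oclass.
BAD_CONF = """\
directory:      host.xyz.com
searchbase:     "o=XYZCompany"
max_threads:    sixty
machine_dn:     "cn=Directory Manager"
machine_pass:   "password"
gr_oclass:      posixGroup
gr_oclass:      unixGroup
"""


def parse_ldapcd_conf(text):
    """Parse 'key: value' lines; return (settings, problems). Quotes are stripped."""
    settings, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            problems.append(f"line {lineno}: not a 'key: value' line")
            continue
        key, value = line.split(":", 1)
        key, value = key.strip(), value.strip().strip('"')
        if key in settings:
            # Two values for one key leave the daemon's behaviour ambiguous.
            problems.append(f"line {lineno}: duplicate key {key}")
            continue
        settings[key] = value
    return settings, problems


def validate_settings(settings):
    """Check the parsed settings against the required-key and numeric rules."""
    problems = [f"{k}: missing or empty" for k in REQUIRED_KEYS if not settings.get(k)]
    for key in NUMERIC_KEYS:
        value = settings.get(key, "")
        if value and not value.isdigit():
            problems.append(f"{key}: expected a number, got {value!r}")
    port = settings.get("port", "")
    if port.isdigit() and not 0 < int(port) < 65536:
        problems.append(f"port: {port} is out of range")
    if settings.get("machine_pass") == "password":
        problems.append("machine_pass: placeholder password still in use")
    return problems


def check_permissions(path):
    """The file holds a clear-text bind password: require root ownership and mode 0600."""
    st = os.stat(path)
    problems = []
    if st.st_uid != 0:
        problems.append(f"{path}: owner uid {st.st_uid}, expected root (0)")
    if stat.S_IMODE(st.st_mode) & 0o077:
        problems.append(f"{path}: mode {oct(stat.S_IMODE(st.st_mode))} readable by group/other")
    return problems


def check_conf_file(path):
    """Full check of one file, like running the content and permission checks together."""
    with open(path) as fh:
        settings, problems = parse_ldapcd_conf(fh.read())
    return problems + validate_settings(settings) + check_permissions(path)


def write_demo_conf(text, mode=0o644):
    """Write constructed text to a temporary file with the given mode (for demonstration)."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for problem in check_conf_file(write_demo_conf(BAD_CONF)):
        print(problem)
```

Run against /etc/ldapcd.conf on a real system, the permission check is the one that matters most: a world-readable file exposes the machine_dn password to every local user, which is why the chapter says the file should be readable by root only.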

Creating Branches

By creating branches, you can organize an LDAP directory tree into meaningful categories of information, each with its own search base. The use of branches can improve the performance of an LDAP server by allowing queries to be confined to the branch that contains the information of interest. For example, you might create a separate branch to contain user information. To create a user information branch on the directory server, follow these steps:

  1. Find the following information in the /etc/ldapcd.conf file:

    • Value of searchbase

    • Value of machine_dn

    • Value of machine_pass

  2. Decide on a name for a new branch; for example, accounts.

  3. Create a file containing the following, substituting the value you found in step 1 for searchbase:

    dn: ou=accounts,searchbase
    objectclass: top
    objectclass: organizationalUnit
    ou: accounts
    description: description
  4. Run the following command, substituting the values you found in step 1 for machine_dn and machine_pass, and specify the name of the file you created in step 3 with the -f option:

    /usr/local/bin/ldapmodify -a \
    	-D "machine_dn" -w "machine_pass" \
    	-f file
  5. Verify that the accounts branch works by entering the following command, substituting the values you found in step 1 for searchbase, machine_dn, and machine_pass:

    /usr/local/bin/ldapsearch  \
    	-D "machine_dn" -w "machine_pass" \
    	-b "searchbase" \
    	ou=accounts
  6. Use the Administration utility (or manually edit the /etc/ldapcd.conf file) to add the following entry, substituting the value you found in step 1 for searchbase:

    userbranch: ou=accounts,searchbase
Note:

After you add a default user or group branch to the /etc/ldapcd.conf file, the Administration utility and the LDAP utilities in /usr/internet/ldap_tools use this branch by default. As a result, other entries that were created before you added the group or user branch might be masked.

Extended LDAP Schema for UNIX Account Information

Internet Express depends on the existence of certain object classes and attributes being present in the directory server. These items are defined by RFC 2307 and are present when you use a directory server installed by Internet Express.

If you are planning on using a directory server not installed by Internet Express, you will need to verify that required schema elements are present. The required schema elements are documented in RFC 2307. This RFC can be found at:

http://www.faqs.org

If you want to use schema objects other than those defined in RFC 2307, and are planning on using the Internet Express LDAP authentication module, you will have to change the default configuration to recognize your custom objects and attributes. The needed changes can be made using the Internet Express system administration user interface (see Section : Default Configuration for the LDAP Module for System Authentication).

The Internet Express kit includes LDAP utilities that work with the RFC 2307 schema objects supplied by Internet Express. See Section : Utilities for Maintaining User Information in the LDAP Directory Server for information on these utilities. Note that these LDAP tools are sensitive to the directory server's schema and so cannot support a schema that differs greatly from the RFC 2307 definition. A provided tool, /usr/internet/ldap_tools/ldap_check, can be used to verify the schema once the configuration changes have been made.

The LDAP utilities require a userPassword attribute that stores the supplied value and returns it unchanged. The supplied value has the form:

{crypt}crypted-string

where {crypt} is a keyword indicating that the password is encrypted as in the passwd file, and crypted-string is the encrypted password.

Directory servers provided by Internet Express handle this correctly. Other directory servers, such as Oracle's Internet Directory, interpret the supplied string as a clear-text password to be encrypted and return a value that is not compatible with the standard BSD crypt mechanism. When using such a directory server, it is necessary to create a schema object similar to the RFC 2307 unixAccount object, but with another attribute substituted for the standard userPassword attribute. This substitute attribute should be of type case-exact string (ces). Be sure to use the substituted attribute name in the LDAP Caching Daemon Configuration File.

Example 4-3 shows sample user and group object class definitions.

Example 4-3 Sample RFC 2307 User and Group Object Class Definitions

#
#       Partial RFC 2307 schema.
#
#       The OIDs are derived from iso(1) org(3) dod(6)
#       internet(1) directory(1) nisSchema(1).
#
# Attribute types from RFC 2307
#

attribute       uidNumber       1.3.6.1.1.1.1.0         int single
attribute       gidNumber       1.3.6.1.1.1.1.1         int single
attribute       gecos           1.3.6.1.1.1.1.2         cis single
attribute       homeDirectory   1.3.6.1.1.1.1.3         ces single
attribute       loginShell      1.3.6.1.1.1.1.4         ces single
attribute       memberUid       1.3.6.1.1.1.1.12        ces

#
# objectclass from rfc2307
#

# posixAccount is an auxiliary class. You may use account as a structural
# class.
objectclass posixAccount
        oid
                1.3.6.1.1.1.2.0
        requires
                objectClass,
                cn,
                uid,
                uidNumber,
                gidNumber,
                homeDirectory
        allows
                userPassword,
                loginShell,
                gecos,
                description

objectclass posixGroup
        oid
                1.3.6.1.1.1.2.2
        superior
                top
        requires
                objectClass,
                cn,
                gidNumber
        allows
                userPassword,
                memberUid,
                description

Indexing Attributes for the Directory Servers

Directory servers use indexes to aid in searching the directory. Directory server indexes greatly improve the performance of searches in the directory databases, but they do so at the cost of potentially slower database modification and entry creation operations. Indexes will also cost more in terms of system resources, especially in disk-space use.

The directory server maintains five distinct types of indexes, as described in Table 4-1.

Table 4-1 LDAP Database Index Types

Index Type      Description
pres            Presence index. Allows for searches that return every entry that contains the indexed attribute.
eq              Equality index. Allows for searches that return the entries containing an attribute that is set to a specific value.
approx          Approximate index. Used only for string values such as commonName or givenName. Allows for phonetic searching.
sub             Substring index. Allows for searches that return entries containing a specified substring.
matching rule   International index. Allows for searches that return entries that are sorted according to a specified collation order.

Adding Indices for OpenLDAP

To index attributes for your directory server using OpenLDAP, follow these steps:

  1. Shut down slapd using the following command:

    # /sbin/init.d/openldap stop 

  2. Edit the /usr/internet/etc/slapd.conf file and add new indices.

  3. Restart slapd using the following command:

    # /sbin/init.d/openldap start 

For more information about adding indexing with OpenLDAP, see:

http://www.openldap.org

Configuring the LDAP Module for System Authentication

When you install the LDAP Module for System Authentication subset, you can use the Administration utility to perform the following tasks:

Notes:

After you configure the LDAP Module for System Authentication, you must import users (unless you are using an existing LDAP server). For instructions on importing or exporting users and groups to and from the LDAP directory server, see Section : Importing and Exporting Users from /etc/passwd.

Statically linked clients and executables (which do not use shared libraries) cannot take advantage of the LDAP Module for System Authentication loadable architecture. For example, the /sbin/ls command (which is typically the default for root) is statically linked. On a system using the LDAP Module for System Authentication to authenticate user names, the output from the /sbin/ls -l command resembles the following:

-rw-r--r--   1 1008     IASS_Usr      60 Nov 13 15:05 bar
-rw-r--r--   1 1008     IASS_Usr    1765 Nov 13 15:05 bs.txt
-rw-r--r--   1 1008     IASS_Usr      97 Nov 13 15:05 file.txt
-rw-r--r--   1 1008     IASS_Usr     855 Nov 13 15:05 file2.txt
-rw-r--r--   1 1008     IASS_Usr       2 Nov 13 15:05 foo

Note that the owner is shown as a number instead of a name. (If groups were defined in the LDAP database rather than the /etc/group file, the output would have shown a number in place of group name, as well.)

In general, use the system tools in /usr/bin when the LDAP Module for System Authentication is enabled.

Modifying the LDAP Module Configuration

You can use the Administration utility to configure the following attributes of the LDAP Module for System Authentication:

The default configuration parameters for the Group attributes are correct for most LDAP servers. Do not modify these fields unless you are very familiar with LDAP schemas and the schemas used by your server. The Internet Express installation and configuration utilities correctly configure the Internet Express-supplied LDAP servers to work with ldapcd. HP strongly recommends that you do not change these values.

Defining LDAP System Parameters

To define system parameters for the LDAP Module for System Authentication, follow these steps:

  1. From the Administration utility Main menu, choose Manage Components.

  2. From the Manage Components menu, under Users, choose LDAP Module for System Authentication.

  3. From the LDAP Module for System Authentication Administration menu, choose Modify Configuration.

  4. From the Modify Configuration menu, choose Define System Parameters.

    When the Define System Parameters form is displayed, the default values shown are those stored in the /etc/ldapcd.conf file.

  5. Specify a Distinguished Name and Password. The Distinguished Name and Password are what you will use to bind to the directory server. These values are set when you initially configure the directory server during installation. Typically, you use the root distinguished name and password as specified in the directory server's configuration file (slapd.conf). For the OpenLDAP Directory Server, the installation procedure initially sets the Root Distinguished Name to cn=root,o=<hostname>. The OpenLDAP Directory Server uses the password specified to access the iass login account and the administration servers as the initial Root DN Password.

  6. The System Name is the name of the system on which the LDAP directory server is running or a comma-separated list of names of systems on which replicated directory servers are running.

  7. Search Base is the top level of the branch in the LDAP database containing user information (see Section : Creating Branches).

  8. The Port Number value must match the port you are using for the directory server. The default port for the directory server is 389.

  9. The Active Connections value specifies the maximum number of open connections maintained by ldapcd caching daemon (see Figure 4-1).

  10. The Thread Maximum value specifies the maximum number of threads maintained by ldapcd caching daemon (see Figure 4-1). Each thread handles one connection to a local program. Allowing a higher number of threads enables better response from the LDAP caching daemon, but requires more memory. If you are running a service that requires a large number of connections (for example, a mail service), set the maximum number of threads to 64 or greater (if your system has sufficient memory).

  11. The value of Password Entries in Cache determines how many individual passwd entries are allowed to be cached. The value of Password Expire Cache determines the maximum length of time that the ldapcd caching daemon will check the cache for an individual passwd entry. When the value of Password Expire Cache is exceeded, the ldapcd daemon returns to the server to look for the requested passwd entry.

  12. The values for Group Entries in Cache and Group Expire Cache work similarly to Password Entries in Cache and Password Expire Cache, respectively, but apply to group entries.

  13. Click on Submit.

    If the ldapcd.conf file was successfully updated, the Define System Parameters form is redisplayed with the Success icon at the top.

Configuring LDAP Password Attributes

To configure LDAP password attributes, follow these steps:

  1. From the Administration utility Main menu, choose Manage System.

  2. From the Manage System menu, choose Configure LDAP Module for System Authentication.

  3. From the LDAP Module for System Authentication Administration menu, choose Modify Configuration.

  4. From the Modify Configuration menu, choose Configure Password Attributes.

    When the Configure Password Attributes form is displayed, the default values shown are those stored in the /etc/ldapcd.conf file.

  5. Using the Configure Password Attributes form, you can modify the mapping between LDAP attributes and the fields in the passwd structure returned by a call to getpwent. By default, the getpwent fields are mapped to the attribute names defined by the Internet Express extended schema (see Section : Extended LDAP Schema for UNIX Account Information).

    The Object Class Name field represents the object class for the password structure in the LDAP schema. Only change this field if you are using an object class other than the default (posixAccount, as shown in Example 4-2). The object class chosen must contain attributes for all of the components of a passwd entry. See the passwd(4) reference page for more information about passwd entries.

    The Password Branch Name field is used as the starting point in the LDAP directory for password entries. Branches are used to partition a directory into smaller, easier to manage sections and are not required.

    The remaining fields allow you to change the name of the LDAP attribute within the Object Class selected for the Password structure. The name of each attribute must be a member of the object class specified in the Object Class Name field.

    • The Login Name field represents the name of the LDAP attribute to be used within the Password Object Class to store the name of a UNIX login (user) name. The default value is uid.

    • Comment Field represents the name of the attribute used to store an optional comment for each user. The default value is description.

    • The User Password Name field represents the name of the attribute used to store the user's password. The default value is userpassword.

    • The Gecos field represents the name of the attribute used to store user gecos information (full name, phone number, and so on). The default value is gecos.

    • The User ID field represents the name of the attribute used to store the UID number. The default value is uidNumber.

    • The Home Directory Name field represents the attribute used to store the user's home directory. The default value is homedirectory.

    • The Group ID field represents the name of the attribute used to store the GID number of a user's default group. The default value is gidNumber (pw_gid in Example 4-2).

    • The Login Shell field represents the name of the attribute used to store the user's default login shell. The default value is loginshell.

  6. Click on Submit.

    If the ldapcd.conf file was successfully updated, the Configure Password Attributes form is redisplayed with the Success icon at the top.

Configuring LDAP Group Attributes

To configure LDAP group attributes, follow these steps:

  1. From the Administration utility Main menu, choose Manage Components.

  2. From the Manage Components menu, under Users, choose LDAP Module for System Authentication.

  3. From the LDAP Module for System Authentication Administration menu, choose Modify Configuration.

  4. From the Modify Configuration menu, choose Configure Group Attributes.

    When the Configure Group Attributes form is displayed, the default values shown are those stored in the /etc/ldapcd.conf file.

  5. Using the Configure Group Attributes form, you can modify the mapping between LDAP attributes and the fields in the group structure returned by a call to getgrent(3). By default, the getgrent fields are mapped to the attribute names defined by the Internet Express extended schema (see Section : Extended LDAP Schema for UNIX Account Information).

    The Object Class Name field represents the object class for the group structure in the LDAP schema. Only change this field if you are using an object class other than the default (posixGroup). The object class chosen must contain attributes for all of the components of a group(4) entry. Refer to the group(4) reference page for more information about group components.

    The Group Branch Name field is used as the starting point in the LDAP directory for Group entries. Branches are used to partition a directory into smaller, easier to manage sections and are not required.

    The remaining fields allow you to change the name of the LDAP attribute within the Object Class selected for the Group structure. The name of each attribute must be a member of the object class specified in the Object Class Name field.

    • The Group Name field represents the name of the LDAP attribute to be used within the Group Object Class to store the name of a UNIX user group. The default value is cn.

    • The Group ID Name field represents the name of the LDAP attribute to be used within the Group Object Class to store the Group ID (gid) number. The default value is gidNumber.

    • The Password Name field is the name of the attribute to be used for storing Group Password entries. The default value is userPassword.

    • The Group Members Name field represents the name of the attribute to be used to store the member IDs belonging to groups. The default value is MemberUID.

  6. Click on Submit.

If the ldapcd.conf file was successfully updated, the Configure Group Attributes form is redisplayed with the Success icon at the top.

Testing the LDAP Module Configuration

When you choose Test Configuration from the LDAP Module for System Authentication Module Administration menu, the Administration utility performs the following tasks:

  • Reads the ldapcd.conf file and verifies its contents

  • Connects to the directory server specified in ldapcd.conf

  • Verifies that you can use the distinguished name and password in the ldapcd.conf file to bind to the directory server

  • Checks that the attributes that are mapped to the passwd and group structures are in the schema

Enabling and Disabling the LDAP Module

You can enable or disable the LDAP Module for System Authentication as follows:

  1. From the Administration utility Main menu, choose Manage Components.

  2. From the Manage Components menu, under Users, choose LDAP Module for System Authentication.

  3. From the LDAP Module for System Authentication Administration menu, choose Enable/Disable Module.

  4. The current status of the LDAP Module for System Authentication is displayed at the top of the form.

    If the module is currently enabled, you can disable or restart the module.

    If the module is currently disabled, you can enable it by clicking on Start.

Note:

Whenever you enable or disable the LDAP Module for System Authentication, you must reboot the system. Otherwise, some applications (such as cron and Advanced Server for UNIX) will not detect the change in authentication method.

Importing and Exporting Users from /etc/passwd

The following sections describe how to import users into, and export users from, the directory server.

Importing Users into the Directory Server

To import users from the /etc/passwd file and store them in the LDAP database, follow these steps:

  1. Configure the LDAP server to use extended LDAP schema for UNIX account information (see Section : Extended LDAP Schema for UNIX Account Information).

  2. Verify through either of the following methods that the server is running and that you can connect to it:

  3. Identify the users that you want to put into the LDAP directory and extract user information from the /etc/passwd file. Use the passwd_extract utility (see Section ) with the -f option to extract users from /etc/passwd and store the records (formatted as passwd entries) in a file. For example:

    # /usr/internet/ldap_tools/passwd_extract -f /tmp/ldapusers user1 user2 ...

    Note:

    Processing a large number of users may take a while.

  4. Use the passwd_extract utility again, this time, replace -f with -r.

  5. Use the ldap_add_user utility (see Section ) to populate the LDAP directory with the extracted user records in the file created in step 3.

  6. Move the remainder file created in step 4 to /etc/passwd and run the mkpasswd utility, or, manually remove the users with the vipw utility (see vipw(8)).
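The following added example (not the passwd_extract or ldap_add_user utilities, and not part of the Internet Express kit) shows what the import pipeline above produces on the wire: it builds the LDIF for the ou=accounts branch from Creating Branches, then converts constructed /etc/passwd lines into posixAccount entries using the RFC 2307 attributes of Example 4-3, storing each password hash as {crypt}crypted-string so the directory returns it unchanged, and returns the remainder file that step 4 would keep. DN values are escaped per RFC 4514 and LDIF values that need it are base64-encoded; the search base o=XYZCompany and branch name accounts are taken from the chapter, the passwd lines and hashes are constructed.

```python
"""Added example: /etc/passwd records to RFC 2307 LDIF (not HP's tools)."""
import base64

SEARCHBASE = "o=XYZCompany"   # search base from Example 4-2
USER_BRANCH = "accounts"      # branch name from Creating Branches

# Constructed passwd lines; the 13-character hashes are made up, not real crypt output.
PASSWD_TEXT = """\
root:XXXXXXXXXXXXX:0:1:system PRIVILEGED account:/:/bin/sh
user1:ab.GhT9x2LmQc:1008:15:User One,Bldg 1:/usr/users/user1:/bin/ksh
user2:cd/Kq1Zr8PoVa:1009:15:User Two:/usr/users/user2:/bin/csh
"""


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 rules)."""
    out = []
    for i, ch in enumerate(value):
        if ch in '\\,+"<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, len(value) - 1):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def ldif_line(attr, value):
    """One LDIF attribute line; base64 ('::') when the value is not LDIF-safe text."""
    safe = (all(32 <= ord(c) < 127 for c in value)
            and not value.startswith((" ", ":", "<"))
            and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode()}"


def branch_ldif(branch=USER_BRANCH, searchbase=SEARCHBASE,
                description="UNIX account information"):
    """LDIF for the organizationalUnit created in Creating Branches, step 3."""
    return "\n".join([
        f"dn: ou={escape_dn_value(branch)},{searchbase}",
        "objectclass: top",
        "objectclass: organizationalUnit",
        ldif_line("ou", branch),
        ldif_line("description", description),
        "",
    ])


def parse_passwd(text):
    """Map login name to the seven passwd(4) fields; malformed lines are rejected."""
    entries = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {raw!r}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries[name] = {"name": name, "password": pw, "uid": int(uid),
                         "gid": int(gid), "gecos": gecos, "home": home, "shell": shell}
    return entries


def user_ldif(e, branch=USER_BRANCH, searchbase=SEARCHBASE):
    """posixAccount entry (account as the structural class, as Example 4-3 allows)."""
    lines = [
        f"dn: uid={escape_dn_value(e['name'])},ou={escape_dn_value(branch)},{searchbase}",
        "objectClass: top",
        "objectClass: account",
        "objectClass: posixAccount",
        ldif_line("cn", e["name"]),
        ldif_line("uid", e["name"]),
        ldif_line("uidNumber", str(e["uid"])),
        ldif_line("gidNumber", str(e["gid"])),
        ldif_line("homeDirectory", e["home"]),
        ldif_line("loginShell", e["shell"]),
    ]
    if e["password"]:
        # Only the already-encrypted hash is stored, with the {crypt} keyword in front.
        lines.append(ldif_line("userPassword", "{crypt}" + e["password"]))
    if e["gecos"]:
        lines.append(ldif_line("gecos", e["gecos"]))
    return "\n".join(lines) + "\n"


def split_users(text, names):
    """Like passwd_extract -f then -r: (LDIF for the named users, remainder passwd text)."""
    entries = parse_passwd(text)
    missing = set(names) - entries.keys()
    if missing:
        raise KeyError(f"not in passwd: {sorted(missing)}")
    ldif = "\n".join(user_ldif(entries[n]) for n in names)
    remainder = "".join(line + "\n" for line in text.splitlines()
                        if line and line.split(":", 1)[0] not in names)
    return ldif, remainder


if __name__ == "__main__":
    print(branch_ldif())
    print(split_users(PASSWD_TEXT, ["user1"])[0])
```

The escaping and base64 handling are where imports usually go wrong: a gecos field with a comma is harmless as an attribute value but would break a DN, and a value with a leading space or colon is silently truncated by an LDIF reader unless it is base64-encoded.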

Importing Users from NIS

To import users from NIS, follow these steps:

  1. Use ypcat to fetch the user information from the NIS server, and then use the passwd_extract utility. For example:

    # ypcat passwd | /usr/internet/ldap_tools/passwd_extract -f \
    	/tmp/ldapusers [user1 user2 ...]

  2. Use the ldap_add_user utility (see Section : Adding a User Entry) to populate the LDAP directory with the extracted user records in the file created in step 1.

Exporting Users from the Directory Server

To export users from the directory server, follow these steps:

  1. Use the ldap_get_users -f output-file command to extract user records from the LDAP database.

  2. Merge the file created in step 1 with the /etc/passwd file. See the vipw(8) reference page.

Adding an LDAP User in a C2 Environment

There is an additional step required when you have C2 security enabled. For each system on which you want the user to be able to log in, you must add an edauth entry. The entry should be of the form:

echo "<username>:u_name=<username>:u_id#<uid>:u_oldcrypt#3:u_lock@:chkent:" \
 | /usr/tcb/bin/edauth -s

Access Control

By default, users defined in the LDAP database are able to log into every system which uses that database in conjunction with the LDAP Module for System Authentication. If you want to limit user access to specific systems, use the access control files /etc/ldapusers.deny and /etc/ldapusers.allow.

A default /etc/ldapusers.deny file is provided at installation time. Included are all of the standard system users: root, bin, daemon, and so on. If you want to deny access to a user, add that user's name to the /etc/ldapusers.deny file.

If you want to disallow access to all but a few users, use the /etc/ldapusers.allow file. If the /etc/ldapusers.allow file exists on a system, only users listed in that file are allowed to log in using LDAP authentication. Note that this is true even if /etc/ldapusers.allow is empty — its very existence invokes the stricter access control rules.

Utilities for Maintaining User Information in the LDAP Directory Server

The Internet Express software kit includes several utilities that you can use to maintain the extended LDAP directory server shipped with Internet Express. The following utilities, summarized in Table 4-2, are installed in the /usr/internet/ldap_tools directory:

Table 4-2 LDAP Database Utilities

Program Name: ldap_check
Options: None.
Description: Checks either ./ldapcd.conf or /etc/ldapcd.conf against the listing of directory servers in the conf file. Validates all entries related to the directory server. Diagnostics are printed to stdout; when the exit code is greater than 0, a problem was encountered.

Program Name: ldap_add_user
Options:
  -b branch – Branch to add users to; should be a full distinguished name, including the search base.
  -f input-file – Specifies the name of the file containing user records to add to the directory server.
  -m – Modify existing record.
  -n – Do not submit.
  -v – Verbose output.
Description: Adds a user to the LDAP directory server. Users can be specified on the command line, in a file, or from stdin (with -f -).

Program Name: ldap_del_user
Options:
  -b branch – Branch to delete users from.
  -f input-file – Specifies an input file containing login names.
  -n – Do not submit.
  -v – Verbose output.
Description: Deletes a user from the LDAP directory server. You can specify users on the command line, in a file, or from stdin (with -f -).

Program Name: ldap_get_user
Options:
  -b branch – Branch to get users from.
  -s searchfilter – Specifies an optional LDAP search filter to select the password entries to output.
  -S searchfilter – Specifies an optional LDAP search filter to select the password entries to output. Differs from the -s option in that the provided filter is wrapped within a filter that adds an object class restriction on the query.
  -R start[-end] – Specifies a range of user IDs to be retrieved, including the endpoints. If you do not specify the -end portion of the range, then all users greater than or equal to the start value are retrieved.
  -f output-file – Specifies the name of the output file in which to store search results (the default is stdout).
Description: Retrieves entries selected from the LDAP directory server for specified users. By default, this program selects all users on the default user branch or search base.

Program Name: ldap_sync_user
Options:
  -b branch – Branch to add users to; should be a full distinguished name, including the search base.
  -n – Do not submit.
  -v – Verbose output.
  -C – Do not create/modify the CN attribute.
Description: Synchronizes the users in the directory server with the provided input, which is in passwd format.

Program Name: ldap_add_group
Options:
  -b branch – Branch to which to add the group.
  -n – Do not submit.
  -m – Modify existing entry.
  -v – Verbose output.
Description: Adds a group to the LDAP directory server. Can be used on the command line, from a file, or from stdin.

Program Name: ldap_mod_group
Options:
  -b branch – Branch in which the groups to be modified reside.
  -r – Remove login names from the specified group.
  -R – Remove login names from all groups.
Description: Assigns the listed login names to the specified group. Use the -r option to remove the specified login names from the group or the -R option to remove login names from all groups.

Program Name: ldap_del_group
Options:
  -b branch – Branch from which to delete groups.
  -n – Do not submit.
  -v – Verbose output.
Description: Deletes a group from the LDAP directory server. Can be used on the command line, from a file, or from stdin.

Program Name: ldap_get_group
Options:
  -b branch – Branch to get groups from.
  -f output-file – Specifies the name of the output file in which to store search results (the default is stdout).
  -s searchfilter – Specifies an optional LDAP search filter to select the group entries to output.
  -S searchfilter – Specifies an optional LDAP search filter to select the group entries to output. Differs from the -s option in that the provided filter is wrapped within a filter that adds an object class restriction on the query.
  -R start[-end] – Specifies a range of group IDs to be retrieved, including the endpoints. If you do not specify the -end portion of the range, then all groups greater than or equal to the start value are retrieved.
Description: Gets group entries from the LDAP directory server. By default, selects all groups on the default group branch or search base. Use the -s option to select a subset of groups.

Program Name: ldap_enable
Options: None.
Description: Starts the ldapcd daemon and configures SIA to use the LDAP authentication mechanism.

Program Name: ldap_disable
Options: None.
Description: Stops the ldapcd daemon and configures SIA to not use the LDAP authentication mechanism.

Program Name: passwd_extract [username ...]
Options:
  -f output-file – Specifies the output file in which to store passwd entries that match the selection criteria (the default is stdout).
  -g range – Extracts passwd entries that match the specified range of GIDs. Use commas and/or hyphens to separate the range values (for example, 23,40-49).
  -i input-file – Specifies the file from which to extract users (the default is /etc/passwd).
  -r output-file – Specifies the output file in which to store passwd entries that do not match the selection criteria (that is, the remaining passwd entries after extracting matching entries).
  -u range – Extracts passwd entries that match the specified range of UIDs. Use commas and/or hyphens to separate the range values (for example, 350,400-1000).
  -v – Verbose output.
Description: Extracts users from the specified input file (/etc/passwd is the default). Specify users to be extracted by name (as parameters to the passwd_extract command) or by using one or more options in any combination.

Checking the LDAP Server Configuration

The ldap_check utility validates the contents of the ./ldapcd.conf or /etc/ldapcd.conf file as follows:

  • Verifies that the specified directory servers are running and that connections to the servers can be made

    Note:

    If any of the LDAP servers specified in the ldapcd.conf file fail the verification, the remaining servers are not checked and the entire verification fails.

  • Verifies that the search base (the top-level directory for searches) exists

  • If specified, verifies that user and group branches exist (see Section : Creating Branches)

  • Verifies that user and group object classes exist

  • Validates all object classes and attributes

If a problem is encountered during any of these checks, the ldap_check utility returns an exit code greater than 0.

Extracting Users from the /etc/passwd File

Use the passwd_extract utility to extract users from the specified input file (/etc/passwd is the default) and store the extracted records in the specified output file (with the -f option). Optionally, you can use the -r option (with the -f option) to extract entries that do not match the selection criteria to a remainder file. The records in the output file and remainder file (if any) are formatted as passwd(4) entries.

You can extract users based on:

  • User name, specified by a space-separated parameter list:

    passwd_extract hill susan mike cliff austin powers

    Note that if no output file is specified, the default is stdout.

  • Any combination of individual UIDs or range of UIDs:

    passwd_extract -u 500,624,700-800 -f output-file

  • Any combination of individual GIDs or range of GIDs:

    passwd_extract -g 23,29-35,50 -f output-file

  • Any combination of names, UIDs and GIDs:

    passwd_extract -e james bond -u 500,624,700-800 -g 23,29-35,50 -f output-file

To extract records from a file other than /etc/passwd, specify the input file name with the -i option. For example:

# passwd_extract larry curly moe -i myusers -f stooges 

The records in the input file must be formatted as passwd entries.
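The following added example (not the Internet Express passwd_extract source) implements the selection rules described above in Python, so that a planned split of /etc/passwd into an extracted file and a remainder file can be checked before the extracted records are loaded into the directory. It assumes that the name, -u and -g criteria combine as a union (any matching criterion selects the entry); the passwd lines it works on are constructed for the example.

```python
"""Selection logic of passwd_extract as described on this page: select
passwd(4) entries by login name, by UID range (-u) and by GID range (-g),
writing matching entries to one file (-f) and the rest to a remainder
file (-r).

Added example, not the Internet Express passwd_extract source.
Assumptions: the selection criteria combine as a union (an entry is
extracted if any criterion matches), and the sample passwd lines below
are constructed.
"""
from dataclasses import dataclass
from typing import List, Sequence, Set, Tuple


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

    def line(self) -> str:
        """Re-emit the entry as a passwd(4) record."""
        return ":".join([self.name, self.passwd, str(self.uid), str(self.gid),
                         self.gecos, self.home, self.shell])


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd(4) records; a malformed record is an error, not silently skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def parse_ranges(spec: str) -> Set[int]:
    """Expand a -u/-g argument such as '500,624,700-800' (endpoints inclusive)."""
    ids: Set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad range {part!r}: start exceeds end")
            ids.update(range(lo, hi + 1))
        else:
            ids.add(int(part))
    return ids


def passwd_extract(text: str, names: Sequence[str] = (), uid_ranges: str = "",
                   gid_ranges: str = "") -> Tuple[List[str], List[str]]:
    """Return (matched, remainder) passwd lines: the -f and -r outputs respectively."""
    wanted = set(names)
    uids = parse_ranges(uid_ranges) if uid_ranges else set()
    gids = parse_ranges(gid_ranges) if gid_ranges else set()
    matched: List[str] = []
    remainder: List[str] = []
    for e in parse_passwd(text):
        # Union of criteria (assumption): any one match extracts the entry.
        if e.name in wanted or e.uid in uids or e.gid in gids:
            matched.append(e.line())
        else:
            remainder.append(e.line())
    return matched, remainder


# Constructed sample input standing in for /etc/passwd.
SAMPLE_PASSWD = """\
root:x:0:0:root:/:/bin/sh
bin:x:3:4:bin:/bin:
susan:x:500:23:Susan:/usr/users/susan:/bin/ksh
mike:x:624:29:Mike:/usr/users/mike:/bin/csh
cliff:x:750:50:Cliff:/usr/users/cliff:/bin/sh
hill:x:900:31:Hill:/usr/users/hill:/bin/sh
austin:x:1001:35:Austin Powers:/usr/users/austin:/bin/sh
"""


def names_of(lines: List[str]) -> List[str]:
    """Login names of a list of passwd lines (handy for checking a split)."""
    return [ln.split(":", 1)[0] for ln in lines]


if __name__ == "__main__":
    matched, remainder = passwd_extract(SAMPLE_PASSWD, names=["hill"],
                                        uid_ranges="500,624,700-800")
    print("extracted (-f):", names_of(matched))
    print("remainder (-r):", names_of(remainder))
```

Running the script lists which sample entries would land in the extracted file and which in the remainder file; the same split is what you would compare against the real -f and -r outputs before replacing /etc/passwd in step 6 of the import procedure.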

Adding a User Entry

The ldap_add_user utility adds one or more user entries to the LDAP database. To use this utility on the command line, provide the following arguments:

ldap_add_user logname passwd uid gid gecos homedir shell

The ldap_add_user utility adds users to the first directory server specified in the ldapcd.conf file. If multiple servers are listed, only the first is used, even if it is not operational. The distinguished name (DN) is constructed as follows:

logname_attribute=logname,branch

The logname_attribute is replaced by the attribute name specified by the pw_username entry in the ldapcd.conf file. The logname is the user's login name. The branch is one of three possible values, taken in this order:

  1. Value specified on the command line using the -b option

  2. Value of the userbranch attribute in the ldapcd.conf file

  3. Value of the searchbase attribute in the ldapcd.conf file

If a problem is encountered when adding a user to the LDAP database, the ldap_add_user utility returns an exit code greater than 0.

For a description of the options you can use with this utility, see Table 4-2.
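How the DN is assembled, as an added Python example that is not the ldap_add_user source. It assumes ldapcd.conf consists of key: value lines (the form this chapter shows for debug: 1) and uses a constructed configuration fragment; the RDN value is escaped according to RFC 4514 so that a login name containing a comma or plus sign cannot change the shape of the resulting DN.

```python
"""How ldap_add_user builds a user's distinguished name, per this page:
logname_attribute=logname,branch, where logname_attribute is the value of
the pw_username entry in ldapcd.conf and branch is, in order of
precedence, the -b option, the userbranch entry, or the searchbase entry.

Added example, not the ldap_add_user source.  Assumptions: ldapcd.conf is
parsed as 'key: value' lines (the form the page shows for 'debug: 1'), and
the sample configuration below is constructed.  The RDN value is escaped
per RFC 4514 so a login name containing ',' or '+' cannot alter the DN
structure.
"""
from typing import Dict, Optional

_RDN_SPECIAL = set(',+"\\<>;')


def parse_ldapcd_conf(text: str) -> Dict[str, str]:
    """Parse 'key: value' lines; a later key overrides an earlier one."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed ldapcd.conf line: {raw!r}")
        conf[key.strip()] = value.strip()
    return conf


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use in an RDN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _RDN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def select_branch(conf: Dict[str, str], cli_branch: Optional[str] = None) -> str:
    """Apply the page's precedence: -b option, then userbranch, then searchbase."""
    for candidate in (cli_branch, conf.get("userbranch"), conf.get("searchbase")):
        if candidate:
            return candidate
    raise ValueError("no branch: pass -b or set userbranch/searchbase in ldapcd.conf")


def build_user_dn(conf: Dict[str, str], logname: str,
                  cli_branch: Optional[str] = None) -> str:
    """Construct logname_attribute=logname,branch for a new user entry."""
    if not logname:
        raise ValueError("empty login name")
    attr = conf.get("pw_username")
    if not attr:
        raise ValueError("pw_username is not set in ldapcd.conf")
    return f"{attr}={escape_rdn_value(logname)},{select_branch(conf, cli_branch)}"


# Constructed sample configuration; the key names are the ones the page cites.
SAMPLE_CONF = """\
# constructed ldapcd.conf fragment
searchbase: o=HP Engineering,c=US
userbranch: ou=People,o=HP Engineering,c=US
pw_username: uid
"""

if __name__ == "__main__":
    conf = parse_ldapcd_conf(SAMPLE_CONF)
    print(build_user_dn(conf, "bjensen"))
    print(build_user_dn(conf, "bjensen", cli_branch="ou=Staff,o=HP Engineering,c=US"))
```

With the sample configuration the first call yields uid=bjensen,ou=People,o=HP Engineering,c=US; dropping the userbranch line makes the same call fall through to the searchbase, which is the third rule above.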

To add one or more users from a file:

ldap_add_user -f input-file

To add one or more users from stdin:

cat filename | ldap_add_user -f -
Note:

The input must be in passwd(4) format.

Deleting a User Entry

The ldap_del_user utility works in a similar fashion to ldap_add_user, except that users are removed from, rather than added to, the directory server.

If a problem is encountered when deleting a user from the LDAP directory server, the ldap_del_user utility returns an exit code greater than 0.

For a description of the options you can use with this utility, see Table 4-2.

For example, to delete a user from the command line:

ldap_del_user logname [ logname ... ]

To delete one or more users listed in a file:

ldap_del_user -f input-file

To delete one or more users from stdin:

cat filename | ldap_del_user -f -
Note:

The input must be in passwd(4) format, but only the login name portion of each record is used. Anything beyond the first colon (:) in each input record is ignored.

A list of names (one per line) is also acceptable as input.

Retrieving a User Entry

Use the ldap_get_user utility to retrieve passwd entries for specified users in the LDAP directory server. Unless otherwise specified, the ldap_get_user utility selects all users on the default user branch or search base. Use the -s option to select a subset of users (see Table 4-2).

If a problem is encountered when retrieving a user from the LDAP directory server, the ldap_get_user utility returns an exit code greater than 0.

For a description of the options you can use with this utility, see Table 4-2.

To retrieve all users:

ldap_get_user [ -b branch ] [ -f filename ]
Note:

In the following examples, the -b branch and -f output-file options (not shown) can also be used.

To use a search filter to find users:

ldap_get_user -s filter

To use a search filter with object class restrictions added to the search:

ldap_get_user -S filter

For example, a search filter might look like the following:

uid=bjensen
(&(uidNumber>=10)(uidNumber<=20))
Note:

You must quote the filter string according to your shell.

To retrieve a range of users (where start is the starting UID in the range and end is the optional ending UID in the range):

ldap_get_user -R start[-end]

If you do not specify end, the search retrieves all users from the starting UID through the highest UID in the LDAP directory server.

To retrieve specific users:

ldap_get_user user [ user ...]
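The filters behind these selection modes, as an added Python example that is not the ldap_get_user source. The object class that -S adds is not stated on this page, so posixAccount (RFC 2307) is assumed; uid and uidNumber are the attribute names used in the filter examples above. Values taken from the command line (login names, range bounds) are escaped or type-checked before they are placed in the filter, which is the check you would want in any wrapper script that builds filters from login names; a -s or -S filter is the administrator's own input and is passed through as written.

```python
"""Search filters for the selection modes of ldap_get_user on this page:
-s (filter passed through as given), -S (the same filter wrapped with an
object class restriction), -R start[-end] (inclusive UID range) and an
explicit list of login names.

Added example, not the ldap_get_user source.  Assumptions: the object
class that -S adds is not named on the page, so posixAccount (RFC 2307)
is used here; uid and uidNumber are the attribute names the page's own
filter examples use.  Values that originate from the command line are
escaped (RFC 4515) or parsed as integers before they reach the filter,
so a name such as 'a)(uid=root' cannot widen the query.
"""
from typing import Optional, Sequence, Tuple

_FILTER_ESCAPES = {"*": "\\2a", "(": "\\28", ")": "\\29", "\\": "\\5c", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value inside a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def filter_s(raw: str) -> str:
    """-s: use the filter as given, adding the outer parentheses if omitted."""
    raw = raw.strip()
    if not raw:
        raise ValueError("empty filter")
    return raw if raw.startswith("(") else f"({raw})"


def filter_S(raw: str, objectclass: str = "posixAccount") -> str:
    """-S: AND the given filter with an object class restriction (class name assumed)."""
    return f"(&(objectClass={objectclass}){filter_s(raw)})"


def parse_range_option(spec: str) -> Tuple[int, Optional[int]]:
    """Parse the -R argument start[-end] into integers, rejecting non-numeric input."""
    start, sep, end = spec.partition("-")
    lo = int(start)
    hi = int(end) if sep else None
    if lo < 0 or (hi is not None and hi < lo):
        raise ValueError(f"bad range {spec!r}")
    return lo, hi


def filter_range(start: int, end: Optional[int] = None) -> str:
    """-R: inclusive uidNumber range; open-ended when end is omitted."""
    if end is None:
        return f"(uidNumber>={start})"
    return f"(&(uidNumber>={start})(uidNumber<={end}))"


def filter_names(names: Sequence[str], attr: str = "uid") -> str:
    """'ldap_get_user user [user ...]': OR together one equality match per login name."""
    if not names:
        raise ValueError("at least one login name is required")
    terms = "".join(f"({attr}={escape_filter_value(n)})" for n in names)
    return terms if len(names) == 1 else f"(|{terms})"


if __name__ == "__main__":
    print(filter_S("uid=bjensen"))
    print(filter_range(*parse_range_option("10-20")))
    print(filter_names(["bjensen", "a)(uid=root"]))
```

The -R 10-20 case reproduces the (&(uidNumber>=10)(uidNumber<=20)) filter shown above, and the escaped login name shows what a hostile value looks like once it can no longer close the equality term early.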

Synchronizing with a Password File

Use the ldap_sync_user utility to synchronize the LDAP directory entries for users with the contents of a passwd file. This utility adds, updates, or deletes users as needed so that the contents of the directory match the supplied entries. It is intended to provide easy synchronization of the directory server with an alternate source of login information (such as NIS), where the alternate source is considered the master source of the information.

If a problem is encountered, the ldap_sync_user utility returns an exit code greater than 0.

For a description of the options you can use with this utility, see Table 4-2.

To synchronize users:

ldap_sync_user [ -b branch ] [ filename ]

Adding a Group Entry

Use the ldap_add_group utility to add group(4) entries to the LDAP directory server. (Use the ldap_mod_group utility to add users to groups. See Section  for more information.) The ldap_add_group utility adds groups to the first directory server specified in the ldapcd.conf file. If multiple servers are listed, only the first is used, even if it is not operational.

The ldap_add_group utility constructs the distinguished name (DN) as follows:

groupname_attribute=groupname,branch

The groupname_attribute is replaced by the attribute name specified by the gr_name entry in the ldapcd.conf file. The groupname is the group name. The branch is one of three possible values, taken in this order:

  1. Value specified on the command line using the -b option

  2. Value of the userbranch attribute in the ldapcd.conf file

  3. Value of the searchbase attribute in the ldapcd.conf file

If a problem is encountered when creating a group in the LDAP directory server, the ldap_add_group utility returns an exit code greater than 0.

For a description of the options you can use with this utility, see Table 4-2.

To add one or more groups from a file:

ldap_add_group -f input-file

To add one or more groups from stdin:

cat filename | ldap_add_group -f -
Note:

The input must be in group(4) format.

Maintaining Group Membership

Use the ldap_mod_group utility to add or remove users from groups in the LDAP database. The ldap_mod_group utility adds the specified login names to the specified group as group members. Use the -r option to remove the specified login names from the group member list.

If a problem is encountered when modifying group membership in the LDAP database, the ldap_mod_group utility returns an exit code greater than 0.

For a description of the options you can use with this utility, see Table 4-2.

For example, to add one or more users to a group:

ldap_mod_group group logname [ logname ...]

To remove one or more users from a group:

ldap_mod_group -r group logname [ logname ...]

To remove a user from all groups:

ldap_mod_group -R logname

Deleting a Group Entry

Use the ldap_del_group utility to delete one or more groups from the LDAP directory server. The ldap_del_group utility works in a similar fashion to ldap_add_group, except that groups are removed from, rather than added to, the directory server.

If a problem is encountered when deleting a group from the LDAP directory server, the ldap_del_group utility returns an exit code greater than 0.

For a description of the options you can use with this utility, see Table 4-2.

For example, to delete groups from the command line:

ldap_del_group groupname [ groupname ... ]

To remove groups specified in a file:

ldap_del_group -f filename

To remove groups specified by stdin:

cat filename | ldap_del_group -f -
Notes:

The input must be in group(4) format, but only the group name will be used.

A list of group names (one per line) is also acceptable as input.

Retrieving a Group Entry

Use the ldap_get_group utility to retrieve group(4) entries for selected groups in the LDAP directory server. Unless otherwise specified, the ldap_get_group utility selects all groups on the default group branch or search base. Use the -s option to select a subset of groups (see Table 4-2).

If a problem is encountered when retrieving a group from the LDAP directory server, the ldap_get_group utility returns an exit code greater than 0.

For a description of the options you can use with this utility, see Table 4-2.

For example, to retrieve all groups:

ldap_get_group [ -b branch ] [ -f output-file ]
Note:

In the following examples, the -b branch and -f output-file options (which are not shown) can also be used.

To use a search filter to find groups:

ldap_get_group -s filter

To use a search filter with object class restrictions added to the search:

ldap_get_group -S filter

A search filter might look like the following:

gid=staff
(&(gidNumber>=10)(gidNumber<=20))
Note:

You must quote the filter string in accordance with your shell.

To retrieve a range of groups (where start is the starting GID in the range and end is the optional ending GID in the range):

ldap_get_group -R start[-end]

If you do not specify end, the search retrieves all groups from the starting GID through the highest GID in the LDAP directory server.

To retrieve specific groups:

ldap_get_group group [ group ...]

Setting a User's Password in the LDAP Directory Server

As root, you can set a user's password in the LDAP directory server by using the ldap_passwd utility:

ldap_passwd loginname new_passwd

The ldap_passwd utility attempts to clear the local ldapcd daemon's cache.

Starting the ldapcd Daemon

Use the ldap_enable utility to configure the system to use the LDAP caching daemon (ldapcd) with the existing ldapcd.conf configuration file.

You can also start the ldapcd daemon using the Administration utility; see Section : Enabling and Disabling the LDAP Module.

Note:

Whenever you enable or disable the LDAP Module for System Authentication, you must reboot the system. Otherwise, some applications (such as cron and Advanced Server for UNIX) will not detect the change in authentication method.

Stopping the ldapcd Daemon

Use the ldap_disable utility to stop the LDAP caching daemon (ldapcd) and configure the system so that the LDAP Authentication will not be used.

You can also stop the ldapcd daemon using the Administration utility; see Section : Enabling and Disabling the LDAP Module.

Note:

Whenever you enable or disable the LDAP Module for System Authentication, you must reboot the system. Otherwise, some applications (such as cron and Advanced Server for UNIX) will not detect the change in authentication method.

Maintaining the LDAP Directory Server Using LDAP Commands

You can use LDAP commands (instead of the LDAP utilities supplied with Internet Express) to formulate different queries than those provided by the Internet Express LDAP utilities. The following sections describe how to use these commands to add and modify LDAP entries.

Adding Entries to an LDAP Database


Modifying Entries in an LDAP Database

To modify an entry in an existing LDAP database, you can use the ldapmodify command. In the following example, the ldapmodify command is reading from standard input:

# /usr/internet/ldap_sdk/tools/ldapmodify -w admin \
-D "cn=root, o=HP Engineering, c=US" 
dn: cn=Joseph Shmoe, o=HP Engineering, c=US
changetype: modify
replace: title
title: Process Engineer
-
^D
modifying entry cn=Joseph Shmoe, o=HP Engineering, c=US

You can use the ldapsearch command to retrieve the modified entry:

# /usr/local/bin/ldapsearch -b 'o=HP Engineering, c=US' 'cn=Joe Shmoe'
cn=Joseph Shmoe, o=HP Engineering, c=US
objectclass=person              
cn=Joseph Shmoe
cn=Joe Shmoe
sn=Shmoe
givenname=Joseph
mail=shmoe@fac.digieng.com
uid=jshmoe
title=Process Engineer

For more information, see ldapmodify(1).

Overview of the LDAP Client

This section provides a summary of the LDAP client functionality and related files.

Actions Performed by the LDAP Client

The LDAP client daemon does the following when started.

  • Updates the /etc/sia/matrix.conf file to include the LDAP Security Integration Architecture (SIA) mechanism.

  • Adds the following entry to the /etc/inittab file to automatically start the LDAP client daemon when the system starts:

    ldapcd:34:respawn:/usr/sbin/ldapcd -D /dev/console 2>&1

Authentication Actions Performed

When you install and enable the LDAP Module for System Authentication subset, user and group authentication takes place through an LDAP server.

For example, an LDAP server transparently provides authentication information for login (rlogin, ftp, telnet, su) and mail (POP and IMAP).

For users not found in the LDAP directory, authentication automatically falls back to using the local authentication mechanism (/etc/passwd) and/or NIS, if it is configured.

Files Modified by the LDAP Module for System Authentication

The LDAP module for system authentication configures the security matrix in the /etc/sia/matrix.conf file for system authentication.

The security matrix consists of a list of security-related system calls and the library to be used for each call.

Files Not Modified by the LDAP Module for System Authentication

The LDAP module does not add or modify either /etc/nsswitch.conf or /etc/svc.conf.

If /etc/nsswitch.conf or /etc/svc.conf has been modified manually to include LDAP entries, revert the file to its original state.

Other Important Files

Other relevant files include /etc/ldapusers.deny and /etc/ldapusers.allow .

/etc/ldapusers.deny

The /etc/ldapusers.deny file is a text file in which you enter the names of the Tru64 UNIX users who are not to be authenticated through LDAP.

A default /etc/ldapusers.deny file is provided when you install the LDAP client software.

/etc/ldapusers.allow

If you want to disallow access to all but a few users, you must create the /etc/ldapusers.allow file. The /etc/ldapusers.allow file is a text file in which you enter the names of the Tru64 UNIX users who are permitted to authenticate through LDAP.

If the /etc/ldapusers.allow file exists on a system, only users listed in that file are allowed to log in using LDAP authentication. Note that this is true even if /etc/ldapusers.allow is empty. The existence of this file invokes the stricter access control rules.

Additional considerations related to the /etc/ldapusers.deny and /etc/ldapusers.allow files include the following:

  • If the /etc/ldapusers.allow file is not present, all users except those listed in the /etc/ldapusers.deny file are allowed to log in.

  • If the /etc/ldapusers.allow file is present, only the users listed in that file are allowed to log in.

  • If a user is listed in both /etc/ldapusers.allow and /etc/ldapusers.deny, the user is allowed to log in; /etc/ldapusers.allow takes precedence over /etc/ldapusers.deny.

  • If the user is listed in neither /etc/ldapusers.allow nor /etc/ldapusers.deny, the user is not allowed to log in.

Behavior of the ldapcd Daemon

The ldapcd daemon runs at all times and is started by the following entry in the /etc/inittab file:

ldapcd:34:respawn:/usr/sbin/ldapcd -D /dev/console 2>&1

Thus, whenever ldapcd exits for some reason, the daemon is restarted using /etc/inittab.

Debugging ldapcd

To enable logging for ldapcd, add debug: 1 at the end of the /etc/ldapcd.conf file.

ldapcd writes its log to /usr/tmp/ldapcd.log.XXXX, where XXXX is a randomly selected value.

Enable debugging and inspect that log file for any errors.

Operation of login/su

The login/su command inspects the /etc/sia/matrix.conf file and attempts to authenticate users based on the mechanisms specified there. Consider the following situation in which the same users are present in multiple databases, such as LDAP and NIS:

  • There are three users, user1, user2, and user3 in LDAP.

  • There are three users, user1, user4, and user5 in NIS. (Note that user1 exists in both LDAP and NIS.)

  • An entry for user1 exists in /etc/ldapusers.deny.

To see how these entries are resolved, log in to the machine as root and run the following command:

# su user2

The su operation examines /etc/passwd first, then NIS, and finally LDAP (based on the entries in /etc/sia/matrix.conf). Because user2 exists only in LDAP, su authenticates the user against the LDAP database, and the command succeeds.

Next, run the following command as root:

# su user1

The su operation finds user1 in NIS and returns success. Because the NIS lookup succeeded, su completes the operation and the entry in /etc/ldapusers.deny is ignored.
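The access control rules (the Access Control section and the /etc/ldapusers.allow and /etc/ldapusers.deny bullets above) together with the login/su lookup order just described, as an added Python model that is not Internet Express code. The user databases, file contents and matrix order are constructed from the scenario on this page; treating lines beginning with # as comments in the list files is an assumption. The point it makes explicit is that the deny file only takes effect for users resolved from LDAP, so a user that also exists in NIS is not blocked by it.

```python
"""Access decisions of the LDAP Module for System Authentication as this
page describes them: /etc/ldapusers.deny lists users refused LDAP
authentication; if /etc/ldapusers.allow exists, even empty, only the
users listed in it may authenticate through LDAP, and the allow file
takes precedence over the deny file.  The second part models the
login/su walk through the /etc/sia/matrix.conf order (/etc/passwd, then
NIS, then LDAP): the allow/deny files apply only when the user is
resolved from LDAP, which is why user1 in the page's scenario succeeds
via NIS despite being listed in /etc/ldapusers.deny.

Added example, not Internet Express code.  The file contents and the
three user databases are constructed in-line; comment handling in the
list files is an assumption.
"""
from typing import List, Optional, Set, Tuple


def parse_user_list(text: str) -> Set[str]:
    """One login name per line; blank lines and '#' comments are ignored (assumed)."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")}


def ldap_login_allowed(user: str, deny: Set[str], allow: Optional[Set[str]]) -> bool:
    """Decide LDAP access; allow is None when /etc/ldapusers.allow does not exist.

    Existence of the allow file switches to allow-list mode: only listed
    users pass, and a listed user passes even if also in the deny file.
    """
    if allow is not None:
        return user in allow
    return user not in deny


Source = Tuple[str, Set[str]]


def resolve_login(user: str, sources: List[Source], deny: Set[str],
                  allow: Optional[Set[str]]) -> Tuple[Optional[str], bool]:
    """Walk the sources in matrix.conf order and return (source, allowed).

    The first source that knows the user decides; the LDAP access files
    are consulted only when that source is LDAP.
    """
    for name, users in sources:
        if user in users:
            if name == "LDAP":
                return name, ldap_login_allowed(user, deny, allow)
            return name, True
    return None, False


# Constructed scenario taken from the page: user1 is in both LDAP and NIS
# and is listed in /etc/ldapusers.deny.
LDAP_USERS = {"user1", "user2", "user3"}
NIS_USERS = {"user1", "user4", "user5"}
LOCAL_USERS = {"root"}
SOURCES: List[Source] = [("/etc/passwd", LOCAL_USERS), ("NIS", NIS_USERS), ("LDAP", LDAP_USERS)]
DENY = parse_user_list("# constructed /etc/ldapusers.deny\nroot\nbin\ndaemon\nuser1\n")

if __name__ == "__main__":
    for u in ("user2", "user1", "user3"):
        print(u, "->", resolve_login(u, SOURCES, DENY, allow=None))
    # An empty /etc/ldapusers.allow still locks every LDAP user out.
    print("user3 with empty allow file ->", resolve_login("user3", SOURCES, DENY, allow=set()))
```

Passing allow=None models a system without /etc/ldapusers.allow; passing an empty set models the file existing but being empty, which the page notes is enough to switch on the stricter rules.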