Revision as of 21:36, 24 July 2013
Description
Use nss-pam-ldapd to gain access to trusted domain users
Setup
- Make sure your FreeIPA server is set up as in QA:Testcase_freeipa_trust_establish.
- Make sure nss-pam-ldapd is installed. This test uses RHEL-6.3 as an example, but the steps should be similar for other distributions or operating systems.
How to test
Add test users and groups on the IPA server
When testing the legacy client, we will begin by creating a user, and a group the user is a member of, on the server first to establish a baseline.
$ kinit admin
$ ipa user-add --first=test --last=user tuser
$ ipa group-add --desc="test group" tgroup
$ ipa group-add-member --users=tuser tgroup
Also set some password for the newly created user so that we can log in using his credentials.
$ ipa passwd tuser
Install required packages
The package installation step differs for every OS or distribution. For nss-pam-ldapd, simply install the packages using yum:
# yum install nss-pam-ldapd pam_ldap authconfig
The authconfig utility will help us configure the PAM stack.
Configure nss-pam-ldapd and pam_ldap
Next the nss-pam-ldapd needs to be configured. The configuration will point to a "compat tree" which is a parallel LDAP tree autogenerated from the main tree and tailored so that it matches the expectations legacy clients might have. The configuration includes two important items:
- LDAP URI - The URI is simply the host name of the IPA server prefixed with ldap://. For example, if the hostname was srv.ipa.example.org, then the URI would be ldap://srv.ipa.example.org
- LDAP search base - The LDAP search base we need consists of the base DN prefixed with "cn=compat", which is the container the compat tree lives in. To get the base DN, take the IPA domain name, prefix each dot-separated component with "dc=" and join the components with commas. For example, the IPA domain ipa.example.org would yield base DN dc=ipa,dc=example,dc=org. The full search base you want to use would then be cn=compat,dc=ipa,dc=example,dc=org
Using authconfig
Configuring the system to authenticate with IPA using authconfig is a matter of one shell command once you know the LDAP URI and the search base.
authconfig --updateall --enableldap --enableldapauth \
    --ldapserver=ldap://srv.ipa.example.org \
    --ldapbasedn=cn=compat,dc=ipa,dc=example,dc=org
Manually
On systems without a helper tool such as authconfig, one needs to configure the client system manually. The configuration involves several steps:
1. configure nsswitch.conf - append ldap to the lines beginning with passwd and group.
passwd: files ldap
group: files ldap
2. configure PAM - configuring the PAM stack differs on particular distributions. The resulting PAM stack should look like this one:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
3. configure nslcd.conf - The nslcd.conf config file can be pretty minimal. It just needs to include the LDAP URI and search base:
uri ldap://ipaserver.ipatest.example.com
base cn=compat,dc=ipatest,dc=example,dc=com
4. configure pam_ldap.conf - The pam_ldap.conf config file looks quite similar to nslcd.conf. Its minimal contents also only include the LDAP URI and the search base:
uri ldap://ipaserver.ipatest.example.com
base cn=compat,dc=ipatest,dc=example,dc=com
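As an added example (not part of the original test case), the following Python script derives the LDAP URI and compat search base from the IPA host and domain exactly as described above, then audits nsswitch.conf, nslcd.conf and pam_ldap.conf against them; the hostname, domain and file contents are constructed sample values, with nslcd.conf deliberately pointing at the plain base DN instead of the compat tree.

```python
import re

# Constructed sample inputs (not from a real host): nsswitch.conf and pam_ldap.conf
# are correct, nslcd.conf points at the plain base DN instead of the compat tree.
IPA_HOST = "srv.ipa.example.org"
IPA_DOMAIN = "ipa.example.org"
NSSWITCH = "passwd: files ldap\ngroup:  files ldap\nshadow: files\n"
NSLCD = "# nslcd.conf\nuri ldap://srv.ipa.example.org\nbase dc=ipa,dc=example,dc=org\n"
PAM_LDAP = "uri ldap://srv.ipa.example.org\nbase cn=compat,dc=ipa,dc=example,dc=org\n"

def ipa_compat_settings(ipa_host, ipa_domain):
    """Derive the LDAP URI and the cn=compat search base from host name and IPA domain."""
    base_dn = ",".join("dc=" + label for label in ipa_domain.lower().split("."))
    return {"uri": "ldap://" + ipa_host.lower(), "base": "cn=compat," + base_dn}

def parse_keyvals(text):
    """Parse 'key value' lines as used by nslcd.conf and pam_ldap.conf; '#' comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf[key] = value.strip()
    return conf

def nsswitch_uses_ldap(text, databases=("passwd", "group")):
    """True when each database lists 'files' followed by 'ldap', as step 1 requires."""
    sources = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*:\s*(.*)", line.split("#", 1)[0])
        if m:
            sources[m.group(1)] = m.group(2).split()
    return all("files" in sources.get(db, []) and "ldap" in sources.get(db, [])
               and sources[db].index("files") < sources[db].index("ldap")
               for db in databases)

def audit_client(ipa_host, ipa_domain, nsswitch, nslcd, pam_ldap):
    """Return a list of findings; an empty list means the client matches the expected setup."""
    expected = ipa_compat_settings(ipa_host, ipa_domain)
    findings = []
    if not nsswitch_uses_ldap(nsswitch):
        findings.append("nsswitch.conf: passwd and group must read 'files ldap'")
    for name, text in (("nslcd.conf", nslcd), ("pam_ldap.conf", pam_ldap)):
        conf = parse_keyvals(text)
        for key in ("uri", "base"):
            if conf.get(key) != expected[key]:
                findings.append("%s: %s is %r, expected %r" % (name, key, conf.get(key), expected[key]))
    return findings
```

Running audit_client on the sample values reports the single nslcd.conf base mismatch; on a real client, feed it the contents of the three files and fix each finding before moving on to the lookups below.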
Identity lookups of IPA users and groups
Try to request data about the user that was created at the start of this test:
$ getent passwd tuser
$ getent group tgroup
$ id tuser
The commands above should reflect that tuser is a member of tgroup.
Authentication as IPA user
ssh client.example.org -l tuser
Identity lookups of trusted users and groups
When requesting the user from a trusted domain, the username must be fully qualified in the form of username@ad-domain. Additionally, to conform with an nss-pam-ldapd limitation, the username and domain name must be lowercased so that they match the name in the compat tree with respect to case.
To request a user from the trusted domain:
$ getent passwd administrator@ad.example.org
Authentication as trusted user
Again, the username must be fully qualified and lowercased:
ssh client.example.org -l administrator@ad.example.org
Expected Results
Both users from the IPA domain and the trusted domain should be able to log in.