
AIM - How to authenticate AIM users against OpenLDAP




As specified in the Operations Topic, it is possible to authenticate AIM users through an LDAP server. The following procedure describes a basic way to install and configure OpenLDAP allowing authentication of AIM users.


Procedure:

1. Install a recent version of Red Hat Linux with the Software Development package group. In this example, RHEL5U4 64-bit was used.

2. Select an IP address and a hostname for the LDAP service and register them in DNS if desired.

3. Download OpenLDAP and Berkeley DB from these links:


OpenLDAP does not support BDB 5.x, so the latest 4.x version is used. The dependency chart can be accessed here.

4. Install Berkeley DB

tar -xvf db-4.8.30.tar.tar

cd db-4.8.30/build_unix

../dist/configure

make

make install

5. Install OpenLDAP

tar -xzf openldap-2.4.23.tgz

cd openldap-2.4.23

CPPFLAGS="-I/usr/local/BerkeleyDB.4.8/include"


export CPPFLAGS


LDFLAGS="-L/usr/local/lib -L/usr/local/BerkeleyDB.4.8/lib -R/usr/local/BerkeleyDB.4.8/lib"


export LDFLAGS


LD_LIBRARY_PATH="/usr/local/BerkeleyDB.4.8/lib"


export LD_LIBRARY_PATH


./configure


make depend


make


make install


6. Configure OpenLDAP

6a. Add a schema file (/usr/local/etc/openldap/schema/local.schema) containing the Scalent role. Here is an example:

attributetype ( 1.3.6.1.4.1.17952.2202.1.1
NAME 'role'
DESC 'role'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

objectclass ( 1.3.6.1.4.1.17952.2202.2.1
NAME 'scalentRole'
SUP inetOrgPerson
STRUCTURAL
MAY ( role )
)

6b. Add the following lines to /usr/local/etc/openldap/slapd.conf in the include section:

include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/local.schema

6c. Edit the database definition in /usr/local/etc/openldap/slapd.conf with the information specific to your server. Here is an example:

database bdb
suffix "dc=dell,dc=com"
rootdn "cn=Manager,dc=dell,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication is encouraged.
rootpw Aim4Dell
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq

7. Add the ldap user and set the database ownership

useradd ldap

chown -R ldap:ldap /usr/local/var/openldap-data/

chown -R ldap:ldap /usr/local/etc/openldap/

chown ldap:ldap /usr/local/var/run


8. Configure OpenLDAP to start automatically

Copy the attached script (ldap) to /etc/init.d

chmod 755 /etc/init.d/ldap

chkconfig --add ldap

chkconfig ldap on

9. Start OpenLDAP

[root@ldapnc ~]# service ldap start
Starting slapd: [ OK ]

10. Add entries to the directory

10a. Add the organization

[root@ldapnc tmp]# cat organization.ldif
dn: dc=dell,dc=com
objectclass: dcObject
objectclass: organization
o: Dell
dc: dell

[root@ldapnc tmp]# ldapadd -x -D "cn=Manager,dc=dell,dc=com" -W -f organization.ldif

Enter LDAP Password:
adding new entry "dc=dell,dc=com"

10b. Add the organizationalRole

[root@ldapnc tmp]# cat organizationalRole.ldif
dn: cn=Manager,dc=dell,dc=com
objectclass: organizationalRole
cn: Manager

[root@ldapnc tmp]# ldapadd -x -D "cn=Manager,dc=dell,dc=com" -W -f organizationalRole.ldif

Enter LDAP Password:
adding new entry "cn=Manager,dc=dell,dc=com"

10c. Add the organizationalUnit

[root@ldapnc tmp]# cat organizationalUnit.ldif
dn: ou=users,dc=dell,dc=com
objectClass: organizationalUnit
ou: users

[root@ldapnc tmp]# ldapadd -x -D "cn=Manager,dc=dell,dc=com" -W -f organizationalUnit.ldif
Enter LDAP Password:
adding new entry "ou=users,dc=dell,dc=com"

10d. Add a user

[root@ldapnc tmp]# cat user1.ldif
dn: uid=john.smith,ou=users,dc=dell,dc=com
role: ConsoleAccess,Admin
userPassword: M0tdePasse
uid: john.smith
objectclass: inetOrgPerson
objectClass: scalentRole
objectClass: simpleSecurityObject
sn: John Smith
cn: John Smith

[root@ldapnc tmp]# ldapadd -x -D "cn=Manager,dc=dell,dc=com" -W -f user1.ldif

Enter LDAP Password:
adding new entry "uid=john.smith,ou=users,dc=dell,dc=com"
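As an added example (not part of the original article or the AIM product), the following Python script checks a user LDIF such as the one in step 10d against the rules that matter for this setup (the naming attribute must match the DN, the MUST attributes of the object classes used, the 'role' attribute from the step 6a local.schema, and hashed userPassword values) and expands the authDN template from step 11a so it can be compared with the entry's DN before ldapadd is run. The sample LDIF is constructed, the MUST table is a hand-written subset of the standard schema, and the parser does not handle LDIF line folding or base64 values.

```python
# Constructed sample after user1.ldif (step 10d); uid is deliberately "john,smith"
SAMPLE_LDIF = """dn: uid=john.smith,ou=users,dc=dell,dc=com
role: ConsoleAccess,Admin
userPassword: M0tdePasse
uid: john,smith
objectclass: inetOrgPerson
objectClass: scalentRole
objectClass: simpleSecurityObject
sn: John Smith
cn: John Smith
"""
# Hand-written schema subset: MUST attributes of the classes used in step 10d
MUST = {"inetorgperson": {"sn", "cn"}, "simplesecurityobject": {"userpassword"}}

def parse_ldif(text):
    """LDIF -> list of {attr: [values]} (attr names lowercased; no folding/base64)."""
    entries, entry = [], {}
    for line in text.splitlines():
        if not line.strip():
            if entry:
                entries.append(entry)
            entry = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries + ([entry] if entry else [])

def check_entry(entry):
    """Problems slapd (on ldapadd) or the AIM login module would hit with this entry."""
    problems = []
    rdn_attr, _, rdn_value = entry["dn"][0].split(",", 1)[0].partition("=")
    if rdn_value not in entry.get(rdn_attr.lower(), []):  # slapd: err 64, naming violation
        problems.append(f"naming attribute '{rdn_attr}' value '{rdn_value}' not present in entry")
    classes = {c.lower() for c in entry.get("objectclass", [])}
    for cls, musts in MUST.items():
        for attr in (sorted(musts - set(entry)) if cls in classes else []):
            problems.append(f"{cls} requires missing attribute '{attr}'")
    if "role" in entry and "scalentrole" not in classes:  # only local.schema allows 'role'
        problems.append("'role' is present but objectClass scalentRole is missing")
    if any(not v.startswith("{") for v in entry.get("userpassword", [])):
        problems.append("userPassword is cleartext; hash it with slappasswd")
    return problems

def bind_dn(template, username):
    """Expand the authDN template from step 11a; must equal the entry's dn exactly."""
    return template.replace("%USERNAME%", username)

def aim_roles(entry):
    """authzAttr 'role' carries a comma-separated list of AIM roles."""
    return [r.strip() for v in entry.get("role", []) for r in v.split(",")]
```

Run check_entry on every entry before ldapadd; an empty list means the entry is consistent with the DN the controller will bind as and with the schema from step 6.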

11. Configure the controller to authenticate with the OpenLDAP server

11a. Add the following to the /var/opt/scalent/smc/conf/jetty-jaas.conf file (for AIM versions earlier than 3.4) as specified in chapter 5 of the Operations Topic:

com.scalent.mi.ui.webauth.JAASLdapLoginModule sufficient
ldapProviderURL="ldap://ldapnc.dell.com"
authDN="uid=%USERNAME%,ou=users,dc=dell,dc=com"
authzAttr="role"
useSSL="false";

For 3.4 and later the file is /opt/dell/aim/smc/conf/jetty-jaas.conf:

com.dell.aim.mi.ui.webauth.JAASLdapLoginModule sufficient
ldapProviderURL="ldap://ldapnc.dell.com"
authDN="uid=%USERNAME%,ou=users,dc=dell,dc=com"
authzAttr="role"
useSSL="false";

This must be done on both controllers in a resilient configuration.

11b. If the LDAP service hostname was not added to DNS, add an entry to the hosts file on the controller:

172.16.0.45 ldapnc.dell.com

11c. Restart the controller(s).

12. Log in to the controller with the user that was just added to the directory.


References:

http://www.openldap.org/doc/admin24/install.html

Quick Tips content is self-published by the Dell Support Professionals who resolve issues daily. In order to achieve a speedy publication, Quick Tips may represent only partial solutions or work-arounds that are still in development or pending further proof of successfully resolving an issue. As such Quick Tips have not been reviewed, validated or approved by Dell and should be used with appropriate caution. Dell shall not be liable for any loss, including but not limited to loss of data, loss of profit or loss of revenue, which customers may incur by following any procedure or advice set out in the Quick Tips.

Article ID: SLN61096

Last modified: 12/17/2016 01:08 PM
