SUSE Conversations


Configuring Linux User Management on non-OES2, SLES 10 Servers

By: mfaris01

April 22, 2008 5:27 pm


Configuring OES 2 Linux servers for Linux User Management in a normal eDirectory tree is pretty much a no-brainer: configure your Unix Workstation object, LUM-enable your groups and users, and that’s about it. But what about a SLES 10 server that is not running OES2? How can you give all of your SLES 10 servers the same standard, using eDirectory authentication for local access?

In this article, we will configure LUM on a “non-OES2” SLES 10 server so that members of your LUM-enabled eDirectory group can authenticate to it with their eDirectory IDs and passwords, without having to create local accounts.

These are the steps we will use, each covered in its own section below: install the LUM packages, configure PAM, configure nsswitch, run namconfig, assign a LUM-enabled group to the Unix Workstation Object, and test.

Prerequisites

The resources you will need to accomplish this, which isn’t that difficult or drawn out, are:

Admin-equivalent rights, preferably the admin account itself, in the eDirectory tree you wish to base your authentication on.
Note: I say “admin” because this account is stored in the Novell Account Management (nam) configuration; if you use your own account and it gets disabled, Heaven forbid, it could break this process.

The Open Enterprise Server 2 CD.

Root access to the SLES 10 server.

Installing Linux User Management Packages

I know this is a non-OES2 server, but there are a couple of packages we will need from the CD.
On the SLES 10 server, Run YaST and scroll down to the Software section. Choose Add-On CD.
Select CD, and place the CD in the drive when prompted. Once the CD is read, select “I Agree” and choose next.
Do not select any packages. Click Details and choose Search. In the field, type “lum” and click Go.
Select the following packages and click next:
Novell-lum
Novell-lum-providers

Do not select YaST2-lum: it would pull in more eDirectory-related packages, and we will not be managing LUM from this server; that is done on an OES2 server.

When the packages are done installing, exit YaST, remove your CD and open a command prompt or Terminal console.

Pluggable Authentication Modules (PAM) Configuration

Now that we have our Linux User Management packages installed and ready for activation, let’s configure the PAM modules for LUM.

With your favorite editor (vi, for example), open the file /etc/pam.d/login.

Make the following changes. The lines that are commented out or added for LUM each carry a comment above them; everything else is the stock SLES 10 file:

#%PAM-1.0
auth      required    pam_securetty.so
auth      required    pam_env.so
# commented out: the stock include is replaced by the explicit pam_nam.so and pam_unix2.so lines below
# auth    include     common-auth
auth      required    pam_nologin.so
# added: a user who authenticates against eDirectory through LUM is accepted here (sufficient), so the rest of the auth stack is skipped
auth      sufficient  pam_nam.so
# added: when pam_nam.so does not succeed, local accounts (root included) still authenticate against /etc/shadow
auth      required    pam_unix2.so
account   include     common-account
# added
account   sufficient  pam_nam.so
password  include     common-password
# added
password  sufficient  pam_nam.so
session   include     common-session
session   required    pam_lastlog.so nowtmp
session   required    pam_resmgr.so
session   optional    pam_mail.so standard
# added
session   optional    pam_nam.so

Save the file and exit.

Make the same changes to the following files:

/etc/pam.d/gdm
/etc/pam.d/sshd
/etc/pam.d/su
/etc/pam.d/sudo

If other services are in use on the server, such as ftp, make the same changes to their files as well.

Name Service Switch (nsswitch) Configuration

Modify the file /etc/nsswitch.conf and make the following changes:

Scroll down to where you see the following lines.

passwd: compat
group: compat

Append nam to the end of each line so that they read as follows:

passwd: compat nam
group: compat nam

Save the file and exit back to the bash shell.

Configure Novell Account Management (namconfig)

Now we are ready to configure NAM. At the prompt, enter the following command, substituting your own parameters as described; a complete example follows.

namconfig add -a [youradmin fdn] -r [yourbasedn] -w [containerforUnixObject] -S [edirectoryldapserver]:389 -l 636

-a cn=admin,o=novell   Fully distinguished name of the admin account, in LDAP format

-r o=novell   Your base search container

-w o=novell   The container you want the Unix Workstation Object created in

-S 192.168.10.2:389   The IP address or hostname of your eDirectory LDAP server, with its LDAP port

-l 636   The LDAP SSL port (yes, that is a lowercase L)

Using this, here’s how it will appear:

namconfig add -a cn=admin,o=novell -r o=novell -w o=novell -S 192.168.10.2:389 -l 636

You will be prompted for the password of this account.

Check the output for errors. Common errors are insufficient rights, unable to modify schema, and unable to retrieve certificate. To avoid them, ensure that the eDirectory LDAP server you point at has the following:

Time is synchronized

At least a read/write replica of the root of the tree

Once it succeeds, review /etc/nam.conf and confirm it contains the parameters above; if anything is wrong, correct it and re-run namconfig.

Unix Workstation Object

We have to assign a LUM-enabled group to the newly created Unix Workstation Object for this SLES server.
Launch iManager and log in to the tree with an admin-equivalent account.

Scroll down, on the left side, to Linux User Management, click it to expand. Find Modify Unix Workstation Object.

Browse the tree and select the Unix Workstation Object that has the SLES 10 server Host Name appended to it.

Click Add and browse the tree and locate the LUM group for your tree. Select it and add it. Click Apply and then OK, once your changes have been applied.

Exit iManager and return to the command prompt or terminal console on the SLES 10 server.

Now let’s restart namcd and test it.
At the prompt, type the following to restart namcd:

rcnamcd restart

If you get an error regarding certificates, type this command to refresh them:

namconfig -k

Testing

From another PC, you should be able to ssh to this SLES 10 server with your Novell eDirectory credentials. If not, restart namcd and then watch /var/log/messages with tail to see if there are any errors. Check your /etc/pam.d/* files for stray characters or misspelled words.
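The manual check for stray characters and misspellings can be scripted. The following POSIX shell audit is an added example and not part of the original article: it verifies that a PAM service file contains an active pam_nam.so line for every type, that the stock common-auth include is commented out, that every control flag and module field is spelled correctly, and that the passwd and group lines of nsswitch.conf end with nam. The script name lum_audit.sh is assumed.

```shell
#!/bin/sh
# Added example (not from the article): audit the LUM edits to PAM service
# files and nsswitch.conf. Pass the PAM files to check as arguments.

# check_pam FILE: prints one line per problem found, returns 1 if any.
check_pam() {
    f="$1"; rc=0
    for t in auth account password session; do
        if ! grep -Eq "^[[:space:]]*$t[[:space:]]+(sufficient|optional|required)[[:space:]]+pam_nam\.so" "$f"; then
            echo "$f: no active '$t ... pam_nam.so' line"; rc=1
        fi
    done
    if grep -Eq '^[[:space:]]*auth[[:space:]]+include[[:space:]]+common-auth' "$f"; then
        echo "$f: 'auth include common-auth' is still active (the article comments it out)"; rc=1
    fi
    # non-comment lines: field 2 is the control flag, field 3 the module or include
    bad=$(grep -Ev '^[[:space:]]*(#|$)' "$f" | awk '{print $2}' \
          | grep -Ev '^(required|requisite|sufficient|optional|include)$' || true)
    [ -n "$bad" ] && { echo "$f: misspelled control flag(s): $bad"; rc=1; }
    bad=$(grep -Ev '^[[:space:]]*(#|$)' "$f" | awk '{print $3}' \
          | grep -Ev '^(pam_[a-z0-9_]+\.so|common-(auth|account|password|session))$' || true)
    [ -n "$bad" ] && { echo "$f: suspicious module field(s): $bad"; rc=1; }
    return $rc
}

# check_nss FILE: the passwd and group databases must list nam (after compat).
check_nss() {
    f="$1"; rc=0
    for db in passwd group; do
        grep -Eq "^$db:.*[[:space:]]nam([[:space:]]|$)" "$f" \
            || { echo "$f: '$db:' line does not include nam"; rc=1; }
    done
    return $rc
}

# Usage: sh lum_audit.sh /etc/pam.d/login /etc/pam.d/sshd ...
# (nsswitch.conf is checked whenever at least one PAM file is given)
if [ "$#" -gt 0 ]; then
    status=0
    for f in "$@"; do check_pam "$f" || status=1; done
    check_nss /etc/nsswitch.conf || status=1
    [ "$status" -eq 0 ] && echo "all checks passed"
fi
```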

Conclusion

Although most of our SLES 10 servers are OES2 and reside in our main eDirectory tree, there are servers, such as ZENworks Linux Management and Novell Identity Management servers, that are not, and I would still like a way to administer them without trying to remember that many accounts and passwords. This solution satisfies that need.
Enjoy.

Categories: SUSE Linux Enterprise Server, Technical Solutions

Disclaimer: As with everything else at SUSE Conversations, this content is definitely not supported by SUSE (so don't even think of calling Support if you try something and it blows up).  It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.

7 Comments

  1. By:ncisrael

    Thought about licensing? Now that you added an OES component, although small, it's now licensed as OES and not SLES.

  2. By:slb985

    We could only get this working by stopping the nscd service (rcnscd stop), which appeared to be on by default. Is this the correct thing to do?

  3. By:mfaris01

    I double checked my sles boxes and they have it running. Perhaps a restart of nscd is what is needed. If you stop it, can you still logon as root?

  4. By:stevehume

    Hi there,

    I was working with slb985 (I prefer to call him Dave!) on the above. By default this didn’t run even after restarting nscd. A little further digging and we discovered that we had to edit /etc/nscd.conf and make “enable-cache-passwd no” and “enable-cache-group no” then restart nscd (rcnscd restart) and all was good.

  5. By:mfaris01

    Thanks for the tip!

    Mike…

  6. By:mmillecam

    We have had some comments regarding Novell support for Cool Solutions, especially with this issue. Please note that Cool Solutions are ideas, suggestions and helps from actual users of the Novell product.

    Novell does not support these suggestions. If you have questions, problems or thoughts on the article you should address them in a comment to that article or to the author and not to Novell.

    Note: Novell Support has noted with the above article that “customers who do not own LUM can not install this on SLES – which is part of issues with the Cool Solution”.

    Thank you,
    Coolguys

  7. By:Elfstone2

    Hey Mike…

    Great article! I was wondering if you could update this for any changes you’ve encountered in the LUM modules since OES 2 SP1 has been released. I was about to attempt this until I realized that the lum and lum providers from OES2SP1 have many more dependencies (NLDAP, CIM, etc.) than you had originally found to be the case. Wasn’t sure if that would also mean more changes to the PAM section too.

    Stefan Evans
    Gulfstream Aerospace
