- Create the DSCC registry (the Directory Service Manager used for LDAP server administration)
root@ldapserv1:/opt/ODSEE_ZIP_Distribution/dsee7/bin# ./dsccsetup ads-create
Choose password for Directory Service Manager:
Confirm password for Directory Service Manager:
Creating DSCC registry...
DSCC Registry has been created successfully
- Create the DSCC WAR file and the Directory Server instance
root@ldapserv1:/opt/ODSEE_ZIP_Distribution/dsee7/bin# ./dsccsetup war-file-create
Created /opt/ODSEE_ZIP_Distribution/dsee7/var/dscc7.war
1636 /opt/dsInst
Choose the Directory Manager password: <Password Directory Manager>
Confirm the Directory Manager password: <Password Directory Manager>
- Starting the instance created with dsadm
Use command 'dsadm start '/opt/dsInst'' to start the instance
root@ldapserv1:/opt/ODSEE_ZIP_Distribution/dsee7/bin# ./dsadm start '/opt/dsInst'
Directory Server instance '/opt/dsInst' started: pid=19325
- Create the suffix on the port that will be used (by default the instance listens on 1389)
root@ldapserv1:#./dsconf create-suffix -p 1389 dc=pan,dc=com
Enter "cn=Directory Manager" password: <Password Directory Manager>
- Validate the path and port where the DSCC registry was created
root@ldapserv1:/opt/ODSEE_ZIP_Distribution/dsee7/bin# ./dsccsetup status
***
DSCC Registry has been created
Path of DSCC registry is /opt/ODSEE_ZIP_Distribution/dsee7/var/dcc/ads
Port of DSCC registry is 3998
- Create agent instance for port 3997
root@ldapserv1:/opt/ODSEE_ZIP_Distribution/dsee7/bin# ./dsccagent create
DSCC agent will use the following port: 3997
Enter DSCC agent password:
Confirm the password:
Agent instance /opt/ODSEE_ZIP_Distribution/dsee7/var/dcc/agent has been created successfully
Run the following command to register the agent in the registry : /opt/ODSEE_ZIP_Distribution/dsee7/bin/dsccreg add-agent /opt/ODSEE_ZIP_Distribution/dsee7/var/dcc/agent
root@ldapserv1:/opt/ODSEE_ZIP_Distribution/dsee7/bin# ./dsccreg add-agent /opt/ODSEE_ZIP_Distribution/dsee7/var/dcc/agent
Agent path: /opt/ODSEE_ZIP_Distribution/dsee7/var/dcc/agent
Enter DSCC agent "/opt/ODSEE_ZIP_Distribution/dsee7/var/dcc/agent" password:
Enter DSCC administrator's password: <Password Directory Manager>
Agent instance has been registered in DSCC on ldapserv1
You can now run dsccagent start to start the agent
- Start the agent created in the previous step
root@ldapserv1:/opt/ODSEE_ZIP_Distribution/dsee7/bin# ./dsccagent start
The agent /opt/ODSEE_ZIP_Distribution/dsee7/var/dcc/agent has been started
- Now you can check the agent process id, its JMX port, the DSCC server it reports to and its owner with dsccagent info
root@ldapserv1:/opt/ODSEE_ZIP_Distribution/dsee7/bin# ./dsccagent info
Instance Path : /opt/ODSEE_ZIP_Distribution/dsee7/var/dcc/agent
Owner : root
JMX port : 3997
SNMP port : Disabled
State : Running
PID : 19891
DSCC hostname : ldapserv1
DSCC non-secure port : 3998
DSCC secure port : 3999
Instance version : A-A00
- At this point we have the Directory Server instance, its ports, the suffix for “PAN.COM” (dc=pan,dc=com) and the agent; however, the server instance still has to be registered in DSCC
#./dsccreg list-servers -h
Enter DSCC administrator's password:
Hostname Port sPort Type Owner Flags iPath Agent Port Agent Path
-------- ---- ----- ---- ----- ----- ----- ---------- ----------
0 server instance(s) found in DSCC on ldapserv1.
- The previous step shows that no instance is registered yet; register it with the command below
root@ldapserv1:/opt/ODSEE_ZIP_Distribution/dsee7/bin# ./dsccreg add-server /opt/dsInst
Enter DSCC administrator's password:
/opt/dsInst is an instance of DS
Agent No Hostname Port Owner iPath
-------- --------- ---- ----- -----------------------------------------------
0 ldapserv1 3997 root /opt/ODSEE_ZIP_Distribution/dsee7/var/dcc/agent
The registration will use DSCC agent on port: 3997
Enter password of "cn=Directory Manager" for /opt/dsInst:
This operation will restart /opt/dsInst.
Do you want to continue ? (y/n) y
Connecting to /opt/dsInst (using ldap://127.0.0.1:1389)
Enabling DSCC access to /opt/dsInst
Restarting /opt/dsInst
Registering /opt/dsInst in DSCC on localhost.
- Finally you can import the example file “solaris.ldif” to populate the PAN.COM domain. You can edit it to keep only the entries you need, or import the whole example in order to test.
Alternatively, if you already have an LDIF with your own user, group and host information, you can import that instead.
root@ldapserv1:/opt/ODSEE_ZIP_Distribution/dsee7/bin# ./dsconf import -h ldapserv1 -p 1389 /opt/ODSEE_ZIP_Distribution/dsee7/dsrk/bin/example_files/solaris.ldif dc=pan,dc=com
Certificate "CN=ldapserv1, CN=1636, CN=Directory Server, O=Sun Microsystems" presented by the server is not trusted.
Type "Y" to accept, "y" to accept just once, "n" to refuse, "d" for more details: Y
Enter "cn=Directory Manager" password:
New data will override existing data of the suffix "dc=pan,dc=com".
Initialization will have to be performed on replicated suffixes.
Do you want to continue [y/n] ? y
## Index buffering enabled with bucket size 40
## Beginning import job...
## Starting to process and index entries
## Processing file "/opt/ODSEE_ZIP_Distribution/dsee7/dsrk/bin/example_files/solaris.ldif"
## Finished scanning file "/opt/ODSEE_ZIP_Distribution/dsee7/dsrk/bin/example_files/solaris.ldif" (274 entries)
## Indexing database entries, 1 remaining.
## Workers finished; cleaning up...
## Workers cleaned up.
## Cleaning up producer thread...
## Indexing complete.
## Starting numsubordinates attribute generation.
## This may take a while, please wait for further activity reports.
## Numsubordinates attribute generation complete. Flushing caches...
## Closing files...
## Import complete. Processed 274 entries in 449 seconds. (0.61 entries/sec)
Task completed (slapd exit code: 0).
- Run idsconfig to set up the server for Solaris clients and confirm all the information: hostname, ports, IP addresses, authentication credentials, etc.
/usr/lib/ldap/idsconfig
It is strongly recommended that you BACKUP the directory server
before running idsconfig.
Hit Ctrl-C at any time before the final confirmation to exit.
Do you wish to continue with server setup (y/n/h)? [n] y
Enter the Directory Server's hostname to setup: ldapserv1
Enter the port number for DSEE (h=help): [389] 1389
Enter the directory manager DN: [cn=Directory Manager]
Enter passwd for cn=Directory Manager :
Enter the domainname to be served (h=help): [pan.com]
Enter LDAP Base DN (h=help): [dc=pan,dc=com]
Checking LDAP Base DN ...
Validating LDAP Base DN and Suffix ...
sasl/GSSAPI is not supported by this LDAP server
Enter the profile name (h=help): [default]
Just enable shadow update (y/n/h)? [n] n
Are you sure you want to overwrite profile cn=default? y
Default server list (h=help): [10.1.102.175:1389]
Preferred server list (h=help): 10.1.102.175
Choose desired search scope (one, sub, h=help): [one] one
The following are the supported credential levels:
1 anonymous
2 proxy
3 proxy anonymous
4 self
Choose Credential level [h=help]: [1] 2
The following are the supported Authentication Methods:
1 none
2 simple
3 sasl/DIGEST-MD5
4 tls:simple
5 tls:sasl/DIGEST-MD5
6 sasl/GSSAPI
Choose Authentication Method (h=help): [1] 2
Current authenticationMethod: simple
Do you want to add another Authentication Method? n
Do you want the clients to follow referrals (y/n/h)? [n]
Do you want to modify the server timelimit value (y/n/h)? [n]y (-1)
Do you want to modify the server sizelimit value (y/n/h)? [n]y (-1)
Do you want to store passwords in "crypt" format (y/n/h)? [n] y
Do you want to setup a Service Authentication Methods (y/n/h)? [n] y
Do you want to setup a Service Auth. Method for "pam_ldap" (y/n/h)? [n] y
The following are the supported Authentication Methods:
1 simple
2 sasl/DIGEST-MD5
3 tls:simple
4 tls:sasl/DIGEST-MD5
5 sasl/GSSAPI
Choose Service Authentication Method: [1] 1
Current authenticationMethod: pam_ldap:simple
Do you want to add another Authentication Method? n
Do you want to setup a Service Auth. Method for "keyserv" (y/n/h)? [n] n
Do you want to setup a Service Auth. Method for "passwd-cmd" (y/n/h)? [n] y
The following are the supported Authentication Methods:
1 simple
2 sasl/DIGEST-MD5
3 tls:simple
4 tls:sasl/DIGEST-MD5
5 sasl/GSSAPI
Choose Service Authentication Method: [1] 1
Current authenticationMethod: passwd-cmd:simple
Do you want to add another Authentication Method? n
Client search time limit in seconds (h=help): [30]
Profile Time To Live in seconds (h=help): [43200]
Bind time limit in seconds (h=help): [10]
Do you want to enable shadow update (y/n/h)? [n] n
Do you wish to setup Service Search Descriptors (y/n/h)? [n] y
A Add a Service Search Descriptor
D Delete a SSD
M Modify a SSD
P Display all SSD's
H Help
X Clear all SSD's
Q Exit menu
Enter menu choice: [Quit] a
Enter the service id: passwd
Enter the base: ou=People,dc=pan,dc=com
Enter the scope: sub
A Add a Service Search Descriptor
D Delete a SSD
M Modify a SSD
P Display all SSD's
H Help
X Clear all SSD's
Q Exit menu
Enter menu choice: [Quit] p
Current Service Search Descriptors:
==================================
passwd:ou=People,dc=pan,dc=com?sub
Hit return to continue.
A Add a Service Search Descriptor
D Delete a SSD
M Modify a SSD
P Display all SSD's
H Help
X Clear all SSD's
Q Exit menu
Enter menu choice: [Quit] q
Summary of Configuration
1 Domain to serve : pan.com
2 Base DN to setup : dc=pan,dc=com
3 Profile name to create : default
4 Default Server List : 10.1.102.175:1389
5 Preferred Server List : 10.1.102.175
6 Default Search Scope : sub
7 Credential Level : proxy
8 Authentication Method : simple
9 Enable Follow Referrals : FALSE
10 DSEE Time Limit :
11 DSEE Size Limit :
12 Enable crypt password storage : TRUE
13 Service Auth Method pam_ldap : pam_ldap:simple
14 Service Auth Method keyserv :
15 Service Auth Method passwd-cmd: passwd-cmd:simple
16 Search Time Limit : 30
17 Profile Time to Live : 43200
18 Bind Limit : 10
19 Enable shadow update : FALSE
20 Service Search Descriptors Menu
Enter config value to change: (1-20 0=commit changes) [0] 0
Enter DN for proxy agent: [cn=proxyagent,ou=profile,dc=pan,dc=com]
Enter passwd for proxyagent:
Re-enter passwd:
- Populate the Directory Server from the local passwd file with ldapaddent
ldapaddent -D "cn=directory manager" -a "simple" -a passwd-cmd -f /etc/passwd passwd
- PAM configuration Solaris 11
root@ldapserv1:/etc/pam.d# cat login
#
# Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
#
# PAM configuration
#
# login service (explicit because of pam_dial_auth)
#
auth definitive pam_user_policy.so.1
auth requisite pam_authtok_get.so.1
auth required pam_dhkeys.so.1
#auth required pam_unix_auth.so.1
auth required pam_unix_cred.so.1
auth required pam_dial_auth.so.1
#
auth requisite pam_authtok_get.so.1
auth required pam_dhkeys.so.1
auth required pam_unix_cred.so.1
auth binding pam_unix_auth.so.1 server_policy
auth required pam_ldap.so.1
auth required pam_dial_auth.so.1
root@ldapserv1:/etc/pam.d# cat other
#
# Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
#
# PAM configuration
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
auth definitive pam_user_policy.so.1
auth requisite pam_authtok_get.so.1
auth required pam_dhkeys.so.1
#auth required pam_unix_auth.so.1
auth required pam_unix_cred.so.1
#
account requisite pam_roles.so.1
account definitive pam_user_policy.so.1
account required pam_unix_account.so.1
account required pam_tsol_account.so.1
#
session definitive pam_user_policy.so.1
session required pam_unix_session.so.1
#
password definitive pam_user_policy.so.1
# Password construction requirements apply to all users.
# Edit /usr/lib/security/pam_authtok_common and remove force_check
# to have the traditional authorized administrator bypass of construction
# requirements.
password include pam_authtok_common
password required pam_authtok_store.so.1
#
auth requisite pam_authtok_get.so.1
auth required pam_dhkeys.so.1
auth required pam_unix_cred.so.1
auth binding pam_unix_auth.so.1 server_policy
auth required pam_ldap.so.1
root@ldapserv1:/etc/pam.d# cat passwd
#
# Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
#
# PAM configuration
#
# passwd command (explicit because of a different authentication module)
#
auth required pam_passwd_auth.so.1
#
# passwd service - account management for Trusted Extensions (TX)
# These entries are required for TX environments since these services
# run in the Trusted Path and pam_tsol_account(5) isn't applicable to
# PAM sessions which run in the Trusted Path.
# If Trusted Extensions aren't enabled then these entries are equivalent
# to the /etc/pam.d/other PAM stack for account management.
#
account requisite pam_roles.so.1
account definitive pam_user_policy.so.1
account required pam_unix_account.so.1
root@ldapserv1:/etc/pam.d# cat cron
#
# Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
#
# PAM configuration
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
account definitive pam_user_policy.so.1
account required pam_unix_account.so.1
root@ldapserv1:/etc/pam.d# cat cups
#
# Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
#
# PAM configuration
#
# cups service (explicit because of non-usage of pam_roles.so.1)
#
account definitive pam_user_policy.so.1
account required pam_unix_account.so.1
- PAM configuration Solaris 10
root@opscenter:/# cat /etc/pam.conf
#
#ident "@(#)pam.conf 1.31 07/12/07 SMI"
#
# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
rsh auth binding pam_unix_auth.so.1 server_policy
rsh auth required pam_ldap.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_dial_auth.so.1
ppp auth binding pam_unix_auth.so.1 server_policy
ppp auth required pam_ldap.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
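The Solaris 11 /etc/pam.d files and the Solaris 10 /etc/pam.conf above both wire LDAP authentication the same way: pam_unix_auth.so.1 as "binding" with server_policy, followed by pam_ldap.so.1 as "required". The following is an added example, not code from the original post, that parses either format and checks a service's auth stack for that pattern; it also reports modules listed more than once, which is worth reviewing in the login file above where both the original and the LDAP-enabled stack appear. The sample pam.conf text is constructed here to mirror the post's login stack.

```python
# Added example (not from the original post): parse a Solaris PAM stack and
# check LDAP authentication is wired as the post configures it. Handles both
# formats shown: Solaris 11 /etc/pam.d/<service> ("type control module
# [options]") and Solaris 10 /etc/pam.conf ("service type control module").
from collections import Counter

# Constructed sample in Solaris 10 pam.conf layout, mirroring the post's
# login stack; read /etc/pam.conf instead on a real host.
SAMPLE_PAM_CONF = """\
# login service (explicit because of pam_dial_auth)
login auth requisite pam_authtok_get.so.1
login auth required  pam_dhkeys.so.1
login auth required  pam_unix_cred.so.1
login auth required  pam_dial_auth.so.1
login auth binding   pam_unix_auth.so.1 server_policy
login auth required  pam_ldap.so.1
other auth requisite pam_authtok_get.so.1
"""

def parse_stack(text, service, mtype="auth", per_service_file=False):
    """Return [(control, module, options)] for one service and module type."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if per_service_file:                    # Solaris 11: /etc/pam.d/<service>
            fields = [service] + fields         # file name implies the service
        if len(fields) < 4 or fields[0] != service or fields[1] != mtype:
            continue
        entries.append((fields[2], fields[3], fields[4:]))
    return entries

def check_ldap_auth(stack):
    """Findings against the post's pattern: pam_unix_auth 'binding' with
    server_policy, then pam_ldap 'required'. Empty list means it matches."""
    findings = []
    modules = [m for _, m, _ in stack]
    if "pam_ldap.so.1" not in modules:
        findings.append("pam_ldap.so.1 missing: LDAP users cannot authenticate")
    unix = [(c, o) for c, m, o in stack if m == "pam_unix_auth.so.1"]
    if not unix:
        findings.append("pam_unix_auth.so.1 missing: local accounts cannot log in")
    for control, opts in unix:
        if control != "binding" or "server_policy" not in opts:
            findings.append("pam_unix_auth.so.1 should be 'binding ... server_policy'")
    if "pam_unix_auth.so.1" in modules and "pam_ldap.so.1" in modules:
        if modules.index("pam_ldap.so.1") < modules.index("pam_unix_auth.so.1"):
            findings.append("pam_ldap.so.1 listed before pam_unix_auth.so.1")
    # A module listed twice usually means a stack was appended, not edited
    for module, n in Counter(modules).items():
        if n > 1:
            findings.append(f"{module} appears {n} times in the stack")
    return findings
```

For a Solaris 11 host, pass the contents of /etc/pam.d/login with per_service_file=True and service="login".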
- Configure the LDAP client on Solaris 10 / 11
# ldapclient manual \
    -a serviceAuthenticationMethod=pam_ldap:simple \
    -a serviceAuthenticationMethod=passwd-cmd:simple \
    -a adminDN=cn=admin,ou=profile,dc=pan,dc=com \
    -a adminPassword=test \
    -a enableShadowUpdate=TRUE \
    -a credentialLevel=proxy \
    -a defaultSearchBase=dc=pan,dc=com \
    -a domainName=pan.com \
    -a proxyDN=cn=proxyagent,ou=profile,dc=pan,dc=com \
    -a proxyPassword=test \
    10.1.102.175:1389
- Linux Red Hat client with “authconfig-tui”
In the next screen you need to complete the following:
dc=pan,dc=com
Ready to go! Create users and groups with a password for each user and check that authentication is working.