Security Guide : 10. Configuring LDAP Authentication
 
Configuring LDAP Authentication
 
Configure LDAP Authentication Using PAM
When connecting from a remote node, the Name Server (GCN) performs the LDAP authentication using PAM.
To configure the LDAP authentication, perform the following steps:
1. Shut down the Vector instance:
ingstop
2. Disable DBMS authentication:
iisetres ii.$(iipmhost).dbms.*.dbms_authentication OFF
You can check the new setting:
iigetres ii.$(iipmhost).dbms.*.dbms_authentication
3. Install OpenLDAP Client:
yum -y install openldap-clients nss-pam-ldapd
4. As root, do the following:
a. Enable LDAP authentication:
authconfig --enableldap --enableldapauth --ldapserver=<LDAP Server Host>:<LDAP Server Port> --ldapbasedn="dc=actian,dc=com" --update
Note:  If the message "getsebool: SELinux is disabled" is displayed, enable SELinux by setting "SELINUX=enforcing" in /etc/selinux/config, reboot the machine, run authconfig, and then switch back to "SELINUX=disabled" and reboot again.
Check your setting:
authconfig --test | grep ldap
b. Configure the local LDAP name service daemon (nslcd) by editing the file /etc/nslcd.conf, as follows:
# The user and group nslcd should run as (default setting)
uid nslcd
gid ldap
# The uri pointing to the LDAP server to use for name lookups.
# Multiple entries may be specified. The address that is used
# here should be resolvable without using LDAP (obviously).
# or "uri ldaps://<LDAP Server Hostname>:<LDAP Server Port>/" if TLS is used
uri ldap://<LDAP Server Hostname>:<LDAP Server Port>/
# The distinguished name of the search base.
base dc=your,dc=search,dc=base
# Customize certain database lookups.
base passwd ou=<your user accounts group>,...,dc=your,dc=search,dc=base
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn uid=<admin user>, ..., dc=your,dc=search,dc=base
bindpw <admin password>
# the user account object class which contains the password field
filter passwd (objectClass=inetOrgPerson)
# This comment prevents repeated auto-migration of settings.
# "yes", if TLS is used
ssl no
tls_cacertdir /etc/openldap/cacerts
Note:  There is no need to configure /etc/openldap/ldap.conf.
c. Create the PAM service configuration file "ingres" in the /etc/pam.d directory as a symbolic link to "login":
ln -s /etc/pam.d/login /etc/pam.d/ingres
d. Add the following entries to /etc/pam.d/ingres.
Note:  To avoid risk, test first with a copy of /etc/pam.d/login: rename the copy to /etc/pam.d/ingres, and then add the entries.
auth sufficient pam_ldap.so
auth sufficient pam_nologin.so
account sufficient pam_ldap.so
e. Change the ownership and permissions on ingvalidpam:
chown root:root $II_SYSTEM/ingres/bin/ingvalidpam
chmod 4755 $II_SYSTEM/ingres/bin/ingvalidpam
5. As user actian, set II_SHADOW_PWD to point to the executable:
ingsetenv II_SHADOW_PWD $II_SYSTEM/ingres/bin/ingvalidpam
To check that the setting now exists:
ingprenv II_SHADOW_PWD
6. Start the Vector instance:
ingstart
To test the configuration, call ingvalidpam directly. You are not prompted. Enter the LDAP user name followed by a space and the LDAP password. If ingvalidpam returns 0 (check with echo $?), the configuration works. If it does not work, set II_INGVALIDPW_LOG to a filename (in the OS environment). The file then shows the value returned by the PAM system (which is not the return value from ingvalidpam). Those values are defined in /usr/include/security/pam_appl.h, or more precisely in /usr/include/security/_pam_types.h, which the first file includes.
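The /etc/nslcd.conf shown in step 4b uses ldap:// with "ssl no" and stores bindpw in the file. The following audit function is an added example, not part of the original guide or of Actian's tooling; it flags cleartext transport, unenforced certificate validation, and a bind password readable by group or others. The function name, the sample host name and the sample credentials are constructed placeholders.

```sh
#!/bin/sh
# Added example (not Actian code): flag nslcd.conf settings that expose LDAP credentials.
# Prints one finding per line; returns 1 if anything was flagged, 0 otherwise.
audit_nslcd() {
    conf=$1
    rc=0
    # Last value of a single-valued option; comment lines never match because $1 is "#".
    opt() { awk -v k="$1" '$1 == k { v = tolower($2) } END { print v }' "$conf"; }
    ssl=$(opt ssl)
    reqcert=$(opt tls_reqcert)

    # ldap:// is encrypted only when StartTLS is requested with "ssl start_tls".
    if awk '$1 == "uri" { for (i = 2; i <= NF; i++) if ($i ~ /^ldap:/) hit = 1 }
            END { exit !hit }' "$conf" && [ "$ssl" != "start_tls" ]; then
        echo "CLEARTEXT: uri is ldap:// and ssl is '${ssl:-unset}', so bind and user passwords are sent unencrypted"
        rc=1
    fi

    # tls_reqcert never/allow accepts a server certificate that fails validation.
    case "$reqcert" in
        never|allow) echo "NOVERIFY: tls_reqcert $reqcert does not enforce server certificate validation"
                     rc=1 ;;
    esac

    # bindpw is a stored secret: the file must not be readable by group or others.
    if [ -n "$(opt bindpw)" ]; then
        perms=$(ls -ld "$conf" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "PERMS: bindpw is set but group/other bits are '$perms'; use chmod 600"
            rc=1
        fi
    fi
    return $rc
}

# Constructed sample mirroring the settings above (placeholder host and credentials).
sample=$(mktemp)
cat > "$sample" <<'EOF'
uri ldap://ldap.example.test:389/
base dc=your,dc=search,dc=base
binddn uid=admin,dc=your,dc=search,dc=base
bindpw placeholder-password
ssl no
EOF
chmod 644 "$sample"
audit_nslcd "$sample" || echo "nslcd.conf needs attention"
rm -f "$sample"
```

To check a real host, call audit_nslcd /etc/nslcd.conf as root after completing step 4b.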