Understanding and Configuring Veritas Authentication Service for LDAP based authentication

Article: TECH87928 | Created: 2009-01-18 | Updated: 2011-03-22 | Article URL: http://www.symantec.com/docs/TECH87928
Solution



Understanding LDAP Required Entries in VRTSatlocal.conf

 
· Location of VRTSatlocal.conf:
o /var/VRTSat/.VRTSat/profile (UNIX and Linux)
o C:\Program Files\VERITAS\Security\Authentication\systemprofile (Windows 32-bit)
o C:\Program Files (x86)\VERITAS\Security\Authentication\systemprofile (Windows 64-bit)
VRTSatlocal.conf must contain the following section:
   [Security\Authentication\Authentication Broker\AtPlugins\ldap\DomainInfos\ldap\DomainName]
where DomainName is the name of the LDAP domain you are using. For example:
   [Security\Authentication\Authentication Broker\AtPlugins\ldap\DomainInfos\ldap\VSS]
Each DomainInfos section should include the following information:
Note:
All of the optional fields have default values set in the main [Security\Authentication\Authentication Broker\AtPlugins\ldap] section. If you want these defaults to be overridden for a particular domain, set the new value in the section for that domain. Setting a new value for one domain does not affect the values for another.
· "Server"="serverName"
(Required) Defines the LDAP server. serverName can be a host name, a fully qualified host name, or the IP address of the LDAP server.
For example:
"Server"="my_ldap_server.example.com"
· "GroupBaseDN"="OU=groups,dc=name,dc=name"
(Required) Contains the LDAP distinguished name (DN) of the group container for the intended LDAP domain.
For example:
"GroupBaseDN"="OU=group,dc=example,dc=com"
· "UserBaseDN"="OU=people,dc=name,dc=name"
(Required) Contains the LDAP distinguished name (DN) for the user container for the intended LDAP domain.
For example:
"UserBaseDN"="OU=people,dc=example,dc=com"
· "GroupObjClass"="className"
(Optional) Name of the LDAP Object class which describes how groups within a domain are to be stored in LDAP. The default is "posixGroup". If you override the default here, the new value will affect only this specific domain.
· "UserObjClass"="className"
(Optional) Name of the LDAP Object class which describes how users/people in the domain are to be stored in LDAP. The default is "posixAccount". If you override the default here, the new value will affect only this specific domain.
· "GroupAttr"="cnAttributeName"
(Optional) Name of the attribute within the group object class that is used to store the group name. The default is "cn". If you override the default here, the new value affects only this specific domain.
· "UserAttr"="UIDAttributeName"
(Optional) Name of the attribute within the user object class that is used to store the unique user identifier. The default is "uid". If you override the default here, the new value affects only this specific domain.
· "GroupGIDAttr"="GIDAttributeName"
(Optional) Name of the attribute within the group object class that is used to store the group ID. The default is "gidNumber". If you override the default here, the new value affects only this specific domain.
· "UserGIDAttr"="GIDAttributeName"
(Optional) Name of the attribute within the user object class that is used to store the group IDs of the groups the user belongs to. The default is "gidNumber". If you override the default here, the new value affects only this specific domain.
VRTSatlocal.conf must also contain the following section:
   [Security\Authentication\Authentication Broker\AtPlugins\ldap\ServerInfos\ServerName]
This section must include:
· "IsDefault"=dword-value
Indicates whether the local host is the default LDAP server.
o Local host is the default LDAP server: "IsDefault"=dword:00000001
o Local host is not the default LDAP server: "IsDefault"=dword:00000000
· "URL"="ldap://your_ldap_server.com"
Defines the LDAP directory server URL.
· "SSLEnabled"=dword-value
Defines whether SSL is enabled between the LDAP plugin and the LDAP server.
o SSL is turned on: "SSLEnabled"=dword:00000001
o SSL is turned off: "SSLEnabled"=dword:00000000
Note:
The LDAP plugin only supports SSL server authentication.
· "SSLType"=dword:00000000
Indicates that server-only SSL is being used. (In the future, mutually authenticated SSL will be supported.)
· "TrustedCACertsPresent"=dword-value
Indicates whether the CA-trusted certificate chain is present. Valid only when SSLEnabled is on (dword:00000001).
o CA-trusted certificate chain is present: "TrustedCACertsPresent"=dword:00000001
o CA-trusted certificate chain is not present: "TrustedCACertsPresent"=dword:00000000
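As an added example (not from this article or from VRTSat), the Python checker below parses the registry-style sections described above and reports domains that lack a required key, ServerInfos entries with SSLEnabled off or with SSL on but no trusted CA chain, and an AdminUserPassword left at its placeholder. The configuration embedded in it is constructed after this article's excerpt; section and key names are the ones the article lists.

```python
"""Audit the LDAP plugin settings in a VRTSatlocal.conf excerpt. Added example, not
from the Symantec article or VRTSat; SAMPLE_CONF is constructed after its excerpt."""
import re

LDAP = "Security\\Authentication\\Authentication Broker\\AtPlugins\\ldap"
REQUIRED = ("Server", "UserBaseDN", "GroupBaseDN")   # marked (Required) in the article

def parse_conf(text):
    """Return {section: {key: value}}; dword:XXXXXXXX values become ints."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1], {})
        elif section is not None:
            m = re.match(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
            if m:                       # m[2] is the hex dword, m[3] the quoted string
                section[m[1]] = int(m[2], 16) if m[2] else m[3]
    return conf

def audit_ldap(conf):
    """Flag incomplete domains and settings that weaken the bind path."""
    servers = {s.rsplit("\\", 1)[1]: v for s, v in conf.items() if s.startswith(LDAP + "\\ServerInfos\\")}
    domains = {s.rsplit("\\", 1)[1]: v for s, v in conf.items() if s.startswith(LDAP + "\\DomainInfos\\ldap\\")}
    simple = conf.get(LDAP + "\\AuthMechanisms\\Simple", {})
    findings = []
    for name, s in servers.items():
        if s.get("SSLEnabled", 0) == 0:
            findings.append(f"{name}: SSLEnabled=0, the AdminUser bind and user passwords cross the network in clear text")
        elif s.get("TrustedCACertsPresent", 0) == 0:
            findings.append(f"{name}: SSLEnabled=1 but TrustedCACertsPresent=0, the server certificate cannot be verified")
    for name, d in domains.items():
        for key in REQUIRED:            # the article's excerpt keeps the DNs under AuthMechanisms\Simple
            if not d.get(key) and not simple.get(key):
                findings.append(f"DomainInfos {name}: required key {key} missing")
    if simple.get("AdminUserPassword", "") in ("", "<Enter_password>"):
        findings.append("AuthMechanisms\\Simple: AdminUserPassword is empty or still the placeholder")
    return findings

SAMPLE_CONF = r"""
[Security\Authentication\Authentication Broker\AtPlugins\ldap]
[Security\Authentication\Authentication Broker\AtPlugins\ldap\AuthMechanisms\Simple]
"AdminUserPassword"="<Enter_password>"
"UserBaseDN"="ou=internal,o=foo"
[Security\Authentication\Authentication Broker\AtPlugins\ldap\ServerInfos\qaldap.foo.com]
"SSLEnabled"=dword:00000000
"TrustedCACertsPresent"=dword:00000000
[Security\Authentication\Authentication Broker\AtPlugins\ldap\DomainInfos\ldap\FOOLDAP]
"Server"="qaldap.foo.com"
"""
```

Run `audit_ldap(parse_conf(open("VRTSatlocal.conf").read()))` against a real file (with vxatd stopped, as the procedure below requires) to get the same list of findings for your own configuration.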

Configuring VRTSat for LDAP-based Authentication

 
1. Gather the following information about the LDAP server:
· FQDN of the LDAP server:           ______________________________________
· IP address of the LDAP server:  ______________________________________
· Is the server registered in DNS?
· Is there a firewall between the LDAP server and the system running VRTSat?
· A proxy user, AdminUser (a.k.a. bind user), with the privileges needed to browse the LDAP search tree.
 
2. From any system with LDAP client software, run the 'ldapsearch' command to confirm that the LDAP information for an LDAP user can be retrieved from the LDAP server (qaldap.foo.com in this example) using the AdminUser that will be configured in VRTSatlocal.conf (ccs-qa here):

# ldapsearch -L -h qaldap.foo.com -p 389 -D "cn=ccs-qa,ou=ApplicationUsers,o=foo" -w b7r8fjy -b "ou=internal,o=foo" "uid=e120662"
version: 1
dn: uid=E120662,ou=People,ou=NA,ou=internal,o=foo
mail: john.harris@foo.com
uid: E120662
givenName: John
sn: Harris
o: Foo International
objectClass: Top
objectClass: Person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: hworgperson
objectClass: ndsLoginProperties
cn: Hiris,Dan

 
3. Determine the starting point of LDAP queries on the LDAP server.
 
# ldapsearch -v -h qaldap.foo.com -b '' -s base '(objectclass=*)' namingContexts
 
ldapsearch: started Wed Apr 29 14:09:49 2009
 
ldap_init( qaldap.foo.com, 389 )
filter pattern: (objectclass=*)
returning: namingContexts
filter is: (objectclass=*)
ldapsearch: ignoring LDAP response message type 0x61 (bind result)
 
 
 
4. Determine the top-level organizational units on the LDAP server, using the naming context (say dc=veritas,dc=com) obtained in step 3 above.
 
# ldapsearch -h qaldap.foo.com -b "dc=veritas,dc=com" -s subtree '(objectclass=organizationalunit)'
 
ou=Groups, dc=veritas,dc=com
objectClass=top
objectClass=organizationalUnit
 
ou=People, dc=veritas,dc=com
objectClass=top
objectClass=organizationalunit
ou=People
 
5. List all the users on the LDAP server:
 
# ldapsearch -x -h mtv2850-01.mvw.spt.symantec.com -b dc=example,dc=com
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
 
# example.com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
objectClass: top
o: example.com
dc: example
 
# Manager, example.com
dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
 
# Marketing, example.com
dn: ou=Marketing,dc=example,dc=com
objectClass: organizationalUnit
ou: Marketing
...
# Jane Doe, Marketing, example.com
dn: cn=Jane Doe,ou=Marketing,dc=example,dc=com
objectClass: inetOrgPerson
cn: Jane Doe
givenName: Jane
sn: Doe
uid: jdoe
telephoneNumber: 3453321
roomNumber: T33
 
6. If the queries against the LDAP server fail, check whether:
· the LDAP server is unreachable
· the LDAP port is not reachable
· the proxy user, AdminUser (a.k.a. bind user), is not authorized to browse the LDAP search tree.
 
7. Assume that VRTSat is already installed and will use LDAP-based authentication on a broker domain, say, FOOLDAP.
 
# cd /opt/VRTSat/bin
# ./vssat showversion
vssat version: 4.3.34.4
# ./vssat showallbrokerdomains     (Does FOOLDAP exist?)
# ./vssat addbrokerdomain --domain ldap:FOOLDAP --broker qaldap.foo.com
(NOTE: the LDAP server name is qaldap.foo.com in this example)
# ./vssat showallbrokerdomains     (Does FOOLDAP exist now?)
 
 
8. Stop vxatd before manually modifying the VRTSatlocal.conf file.
 
# /etc/init.d/vxatd stop        (UNIX/Linux)
  net stop vrtsat               (Windows)
# cd /var/VRTSat/.VRTSat/profile
# rm  VRTSatlocal.conf.lock
 
9. Ensure that the client system is running VRTSat with Root Broker (RB) and Authentication Broker (AB).
# /opt/VRTSat/bin/vxatd -a -r
# cp VRTSatlocal.conf VRTSatlocal.conf-orig
 
 
10. You can configure VRTSat for LDAP-based authentication in two ways:
· Using 'addldapdomain' option of the vssat command
· Manually modifying VRTSatlocal.conf
 
11. Method I: Configure VRTSat using the 'addldapdomain' option of the vssat command (VRTSat 4.4 or later):
 
# /etc/init.d/vxatd stop
# /opt/VRTSat/bin/vssat showversion
 
# /opt/VRTSat/bin/vssat addldapdomain --domainname FOOLDAP --server_url ldap://qaldap.foo.com --user_base_dn cn=ccs-qa,o=Foo --group_base_dn dc=groups,o=Foo --schema_type rfc2307
 
Another example:
 
# /opt/VRTSat/bin/vssat addldapdomain --domainname FOOLDAP --server_url ldap://qaldap.foo.com --user_base_dn ou=people,dc=foo,dc=com --group_base_dn dc=group,dc=foo,dc=com --schema_type rfc2307
 
· Then edit VRTSatlocal.conf and set:
    "PluginSharedLibFileName"="/opt/VRTSat/lib/libauthldap.so"
    "IsEnabled"=dword:00000001
 
    "AuthType"="BOB"
    "AdminUserPassword"="<Enter_password>"
    "AdminUser"="cn=ccs-qa,ou=ApplicationUsers,o=foo"
 
· Restart vxatd: /etc/init.d/vxatd start
 
· To authenticate an LDAP user, say e120662, via LDAP:
 
# /opt/VRTSat/bin/vssat authenticate --domain ldap:FOOLDAP --prplname e120662
 
 
12. Method II: Configure VRTSat manually for LDAP-based authentication.
 
# /etc/init.d/vxatd stop        (UNIX/Linux)
  net stop vrtsat               (Windows)
# /opt/VRTSat/bin/vssat showversion
 

An Excerpt of VRTSatlocal.conf for LDAP-based Authentication



[Security]
[Security\Authentication]
[Security\Authentication\Authentication Broker]
"Mode"=dword:00000003  
"DebugLogFileName"="/var/VRTSat/vxatd.log"
"UpdatedDebugLogFileName"="/var/VRTSat/vxatd.log"
"CredDetailsFileName"="/var/VRTSat/vrtsat_broker.txt"
"UserName"="root"
"DomainName"="root@sfHos1.foo.com"
"DomainType"="vx"
"BrokerName"="sfHos1.foo.com"
"IsPBXExchangeInstalled"=dword:00000001
"UpdatedSSLIOPServiceID"="VxAT_SSLIOPBroker"
"CurrentSSLIOPServiceID"="VxAT_SSLIOPBroker"
"UpdatedSSLServiceID"="VxAT_SSLBroker"
"CurrentSSLServiceID"="VxAT_SSLBroker"
"UpdatedServiceID"="VxAT_Broker"
"CurrentServiceID"="VxAT_Broker"
"UpdatedPBXPort"=dword:00000614
"CurrentPBXPort"=dword:00000614
"AcceptTimeOut"=dword:00000014
"UpdatedBrokerPort"=dword:00000b05
"CurrentBrokerPort"=dword:00000b05
"BrokerPort"=dword:00000000
"SnapShotDirectory"="/var/VRTSatSnapShot"
"Version"="ver4.0.010"
"RootBrokerTag"="sfHos1.foo.com"
"PBXExchangeRetryInterval"=dword:0000001e
"DebugLevel"=dword:00000004  
"ABSerial"=dword:000000f2
"RBSerial"=dword:00000002


[Security\Authentication\Authentication Broker\AtPlugins]
[Security\Authentication\Authentication Broker\AtPlugins\ldap]
"PluginSharedLibFileName"="/opt/VRTSat/lib/libauthldap.so"
"IsEnabled"=dword:00000001
[Security\Authentication\Authentication Broker\AtPlugins\ldap\AuthMechanisms]
[Security\Authentication\Authentication Broker\AtPlugins\ldap\AuthMechanisms\Simple]
"SearchScope"="SUB"
"AuthType"="BOB"
"AdminUserPassword"="****"
"UserBaseDN"="ou=internal,o=foo"
"GroupBaseDN"="ou=group,ou=internal,o=foo"
"UserObjClass"="inetOrgPerson"
"GroupObjClass"="posixGroup"
"AuxUserObjClass"=""
"AuxGroupObjClass"=""
"UserAttr"="uid"
"UserGIDAttr"="gidNumber"
"GroupAttr"="cn"
"GroupGIDAttr"="gidNumber"
"PasswordAttr"=""
"AdminUser"="cn=ccs-qa,ou=ApplicationUsers,o=foo"
[Security\Authentication\Authentication Broker\AtPlugins\ldap\ServerInfos]
[Security\Authentication\Authentication Broker\AtPlugins\ldap\ServerInfos\qaldap.foo.com]
"SSLType"=dword:00000000
"IsDefault"=dword:00000001
"SSLEnabled"=dword:00000000
"TrustedCACertsPresent"=dword:00000000
"URL"="ldap://qaldap.foo.com"  
[Security\Authentication\Authentication Broker\AtPlugins\ldap\DomainInfos]
[Security\Authentication\Authentication Broker\AtPlugins\ldap\DomainInfos\ldap]
[Security\Authentication\Authentication Broker\AtPlugins\ldap\DomainInfos\ldap\FOOLDAP]
"Server"="qaldap.foo.com"  
 
· Please restart vxatd:  
o /etc/init.d/vxatd start  (in UNIX/LINUX)
o net start vrtsat     (in Windows)
 
· To authenticate an LDAP user, say e120662, via LDAP:
 
# /opt/VRTSat/bin/vssat authenticate --domain ldap:FOOLDAP --prplname e120662
 

Troubleshooting Failure of Authentication for an LDAP-based user using VRTSat

 
· Collect the following data and examine the log file:
o /var/VRTSat/vxatd.log (UNIX/Linux)
o C:\Program Files\VERITAS\Security\Authentication\bin\vxatd.log (Windows)
o VRTSatlocal.conf
o Output of vssat showversion, vssat showcred and vssat showallbrokerdomains
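Before reading vxatd.log it helps to know whether the directory side already disagrees with the broker's configuration. As an added example that is not part of this article or of VRTSat, the Python snippet below parses the LDIF that ldapsearch prints (as in step 2 above) and checks the returned entry against the UserBaseDN, UserObjClass, UserAttr and UserGIDAttr settings from VRTSatlocal.conf; the LDIF and the settings embedded in it are constructed after this article's samples.

```python
"""Check ldapsearch LDIF output against the LDAP plugin's user settings.
Added example, not from the Symantec article or VRTSat; LDIF and SETTINGS
below are constructed after the article's step-2 sample and its excerpt."""
import base64
import re

def parse_ldif(text):
    """Entries as {attr: [values]}; unfolds continued lines, decodes 'attr::' base64."""
    unfolded = re.sub(r"\n ", "", text)     # a line starting with one space continues the previous
    entries, entry = [], {}
    for line in unfolded.splitlines() + [""]:   # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                entries.append(entry)
            entry = {}
        elif not line.startswith(("#", "version:")):
            attr, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode()
            entry.setdefault(attr.lower(), []).append(value.strip())
    return entries

def check_user(entry, cfg, user):
    """List what would stop the plugin from matching `user` to this entry."""
    problems = []
    dn = entry.get("dn", [""])[0].lower()
    if not dn.endswith(cfg["UserBaseDN"].lower()):
        problems.append(f"{dn} is not under UserBaseDN {cfg['UserBaseDN']}")
    if cfg["UserObjClass"].lower() not in {c.lower() for c in entry.get("objectclass", [])}:
        problems.append(f"objectClass lacks UserObjClass {cfg['UserObjClass']}")
    if user.lower() not in [v.lower() for v in entry.get(cfg["UserAttr"].lower(), [])]:
        problems.append(f"{cfg['UserAttr']} does not carry {user}")  # uid matching ignores case
    if cfg["UserGIDAttr"].lower() not in entry:
        problems.append(f"no {cfg['UserGIDAttr']} attribute: the plugin cannot read group IDs from it")
    return problems

SAMPLE_LDIF = """\
version: 1
dn: uid=E120662,ou=People,ou=NA,ou=internal,o=foo
mail: john.harris@foo.co
 m
uid: E120662
objectClass: inetOrgPerson
cn:: SGFycmlzLEpvaG4=
"""
SETTINGS = {"UserBaseDN": "ou=internal,o=foo", "UserObjClass": "inetOrgPerson",
            "UserAttr": "uid", "UserGIDAttr": "gidNumber"}
```

For the sample entry the only finding is the missing gidNumber, which matches what the step-2 output shows for an inetOrgPerson entry without posixAccount attributes.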
 
 

An Example Output of ldapsearch Command for an LDAP User by Common Name (cn)

 
[root@mtv2850-01 LDAP_LAB]# /usr/bin/ldapsearch -vLx  -b "dc=example,dc=com" "(cn=Foo Smith)"
 
version: 1
 
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (cn=Foo Smith)
# requesting: ALL
#
 
# Foo Smith, Marketing, example.com
dn: cn=Foo Smith,ou=Marketing,dc=example,dc=com
cn: Foo Smith
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
mail: FSmith@yahoo.com
givenName: Foo
sn: Smith
homePostalAddress: 14 San Carlos Street
l: San Jose
st: CA
postalCode: 95124
telephoneNumber: (408)555-1238
uid: fsmith
userPassword:: bXlzZWNyZXQ=
seeAlso: dc=www,dc=example,dc=com
 
# search result
 
# numResponses: 2
# numEntries: 1
 

An Example Output of ldapsearch Command for an LDAP User by Surname (sn)


[root@mtv2850-01 LDAP_LAB]# /usr/bin/ldapsearch -vLx  -b "dc=example,dc=com" "(sn=Smith)"
 
version: 1
 
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (sn=Smith)
# requesting: ALL
#
 
# Jay Smith, Engineering, example.com
dn: cn=Jay Smith,ou=Engineering,dc=example,dc=com
objectClass: inetOrgPerson
cn: Jay Smith
givenName: Jay
sn: Smith
telephoneNumber: 3452332
roomNumber: E23
 
# Foo Smith, Marketing, example.com
dn: cn=Foo Smith,ou=Marketing,dc=example,dc=com
cn: Foo Smith
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
mail: FSmith@yahoo.com
givenName: Foo
sn: Smith
homePostalAddress: 14 San Carlos Street
l: San Jose
st: CA
postalCode: 95124
telephoneNumber: (408)555-1238
uid: fsmith
userPassword:: bXlzZWNyZXQ=
seeAlso: dc=www,dc=example,dc=com
 
# search result
 
# numResponses: 3
# numEntries: 2
 
 


Legacy ID: 332223

