Configuring Domino for LDAP Directory
1900 – Configuring Domino to Be an LDAP Directory and to Use an LDAP Directory. Rob Fox, Paul Godby & Moacyr Mallemont
1900 – Part I: Configuring Domino for LDAP. By Rob Fox & Paul Godby, January 20th, 2006, 10:15 am
Anatomy of LDAP Connector (slide diagram: a database full of names and addresses, with sample entries Joe Mama, Angie Daddy, Terd Ferguson, Art Major, Rob Fox, Travis Womack, …, published by "My LDAP Directory Server" to a happy user; the "magic" in between is the connector)
The knowledge in this document/session was applied in a real technical environment running on virtual machines under VMware Workstation. All the screens were captured so that you can fully understand what to do to have your Linux workstations authenticate against an IBM Lotus Domino LDAP service.
What is nss_ldap and pam_ldap?

nss_ldap is an LDAP module for the Name Service Switch (NSS), the mechanism (originally from Solaris) through which the C library resolves users, groups and other system databases. With nss_ldap installed, lookups that would otherwise be answered from flat files (the Linux default) or from the Network Information Service (NIS) can be answered from an LDAP directory; it is what lets the Linux desktop treat the Domino LDAP service as its native user database. pam_ldap plugs LDAP authentication into the PAM API, so users can authenticate and change their password against an LDAP service. On the distribution used here both modules are shipped in the nss_ldap package.

The nss_ldap and pam_ldap installation

To set up Linux authentication against the Lotus Domino LDAP server, download the two modules, nss_ldap and pam_ldap. Later in the process they are compiled and installed on the Linux workstation that will authenticate against the Domino LDAP service.

Compiling nss_ldap and pam_ldap

After copying the two archives to the Linux desktop, unpack, compile and install them. The original omits the archive file names from the tar command; the globs below stand in for the files you downloaded:

    gunzip *.tgz
    tar -xvf nss_ldap*.tar
    tar -xvf pam_ldap*.tar
    cd nss_ldap
    ./configure
    make
    make install
    cd ..
    cd pam_ldap
    ./configure
    make
    make install

Making an LDAP search

Now that the modules are installed, validate access from the Linux desktop to the Lotus Domino LDAP service with ldapsearch (an OpenLDAP client tool, not a PAM component):

    ldapsearch -v -x -D cn=ldapbind,o=ibm -W -H ldap://domino.br.ibm.com -b o=ibm uid=mcosta

The original passes the bind password inline with -w passw0rd; -W prompts for it instead, so that it does not end up in the shell history and in the process list visible to every local user. The results can span more than one screen, so pipe the output through more. It should list the attributes of the entry for the user "mcosta" in the Lotus Domino directory.

Setting up the ldap.conf file

Now edit /etc/ldap.conf so that the Linux desktop uses the Lotus Domino LDAP server for authentication and user information. Use the following lines and leave all other lines commented out (the original shows the bind password as "pawws0rd", a typo for the passw0rd used everywhere else):

    host domino.br.ibm.com
    base o=ibm
    uri ldap://domino.br.ibm.com
    binddn cn=ldapbind,o=ibm
    bindpw passw0rd
    rootbinddn cn=ldapbind,o=ibm
    pam_password clear
    ssl no

Two things to keep in mind about this lab configuration. "ssl no" together with "pam_password clear" means that every bind, including the user's password at login, and every password change cross the network in clear text; on anything but an isolated test network use "ssl start_tls" (or an ldaps:// uri) with the server's CA certificate configured so that the client verifies it. And because nss_ldap is loaded into every process that resolves a user name, /etc/ldap.conf must stay world-readable, so the bindpw in it is visible to every local user: give cn=ldapbind read access only to the attributes nss_ldap needs, or let ordinary lookups bind anonymously if the Domino server permits it.

Completing the PAM configuration (ldap.secret)

Create /etc/ldap.secret, which holds the password of the rootbinddn account specified in /etc/ldap.conf. That account is used whenever the Linux root user performs an LDAP lookup. Run:

    echo passw0rd > /etc/ldap.secret
    chmod 600 /etc/ldap.secret

The original uses "chmod ou-rw", which strips the read and write bits from the owner as well as from others and leaves the group bits untouched; mode 600 is what is intended. /etc/ldap.secret is then readable by the root user only. That separation only buys something if rootbinddn is a different, more privileged account than binddn; in this lab both are cn=ldapbind, so the password in ldap.secret is already readable from ldap.conf.
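The following script is an added example, not part of the original session material: it audits an nss_ldap/pam_ldap style ldap.conf for the weak settings the lab configuration above accepts, checks the permissions of ldap.secret, and writes the lab configuration next to a hardened counterpart for comparison. Host name, base and the cn=ldapbind account are the article's; the cn=nss-root account, the CA certificate path, and the assumption that the Domino server allows anonymous search for the attributes nss_ldap needs are mine.

```shell
#!/bin/sh
# Added example (not from the original article): audit /etc/ldap.conf for the
# weak settings used in the lab, and show the hardened counterpart.

# audit_ldap_conf FILE: print one FINDING line per weak setting;
# return 0 when clean, 1 when anything was found.
audit_ldap_conf() {
    conf="$1"
    findings=0
    # Work on live directives only (comments and blank lines removed).
    live=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf")

    # 1. No transport protection: simple binds send passwords in clear text.
    if ! printf '%s\n' "$live" | grep -Eq '^[[:space:]]*(ssl[[:space:]]+(start_tls|on|yes)|uri[[:space:]]+ldaps://)'; then
        echo "FINDING: no 'ssl start_tls', 'ssl on' or ldaps:// uri; binds cross the wire in clear text"
        findings=$((findings + 1))
        # 2. 'pam_password clear' is only acceptable once TLS is in place.
        if printf '%s\n' "$live" | grep -Eq '^[[:space:]]*pam_password[[:space:]]+clear'; then
            echo "FINDING: 'pam_password clear' without TLS sends new passwords in clear text"
            findings=$((findings + 1))
        fi
    fi

    # 3. ldap.conf must be world-readable for nss_ldap to work in every
    #    process, so a bindpw here is readable by every local user.
    if printf '%s\n' "$live" | grep -Eq '^[[:space:]]*bindpw[[:space:]]' &&
       [ -n "$(find "$conf" -perm -004)" ]; then
        echo "FINDING: bindpw stored in a world-readable file; any local user can read the bind credential"
        findings=$((findings + 1))
    fi

    # 4. The same account for ordinary and root lookups defeats the purpose
    #    of keeping the rootbinddn password in /etc/ldap.secret.
    bdn=$(printf '%s\n' "$live" | awk '$1 == "binddn" {print $2}')
    rdn=$(printf '%s\n' "$live" | awk '$1 == "rootbinddn" {print $2}')
    if [ -n "$bdn" ] && [ "$bdn" = "$rdn" ]; then
        echo "FINDING: binddn and rootbinddn are the same account; the password in ldap.secret is already public"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# check_secret_file FILE: /etc/ldap.secret must carry no group/other bits.
check_secret_file() {
    [ -f "$1" ] || return 1
    # columns 5-10 of 'ls -l' are the group and other permission bits
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# write_lab_conf FILE: the configuration the article uses (bindpw typo fixed).
write_lab_conf() {
    cat >"$1" <<'EOF'
host domino.br.ibm.com
base o=ibm
uri ldap://domino.br.ibm.com
binddn cn=ldapbind,o=ibm
bindpw passw0rd
rootbinddn cn=ldapbind,o=ibm
pam_password clear
ssl no
EOF
}

# write_hardened_conf FILE: same directory, but StartTLS with certificate
# checking, anonymous search for ordinary lookups (assumes Domino allows
# it), a separate privileged account used only by root, and a floor on the
# uid values the directory may hand out. Account name and CA path are
# assumptions of this example.
write_hardened_conf() {
    cat >"$1" <<'EOF'
base o=ibm
uri ldap://domino.br.ibm.com
ssl start_tls
tls_checkpeer yes
# CA certificate path is an assumption of this example
tls_cacertfile /etc/openldap/cacerts/domino-ca.pem
rootbinddn cn=nss-root,o=ibm
pam_password clear
pam_min_uid 1000
EOF
}
```

Run it against the live files with `audit_ldap_conf /etc/ldap.conf; check_secret_file /etc/ldap.secret`. The hardened file keeps "pam_password clear" because that is what the article uses with Domino; over StartTLS the new password is no longer exposed on the wire, which is what the audit checks for.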
Extending the Domino LDAP Schema

Creating the "LDAP posixAccount" subform

Now the Domino LDAP schema has to be extended so that the Linux desktop can authenticate against the Domino LDAP server: the standard Domino schema does not carry the attributes of the posixAccount object class that Linux (nss_ldap) expects. Open the Domino Directory (names.nsf) in IBM Lotus Domino Designer, create a new subform named "LDAP posixAccount" and add the following fields. The field names must match the LDAP attribute names, since Domino publishes each field under its own name (the original lists the shell field as "loginshel", which would not be mapped to loginShell):

    Field: UIDNumber
      Datatype: Text
      Field Type: Editable
      Default Value Formula: @Text(@Integer(1000 + (@Random * 1000)));

    Field: GIDNumber
      Datatype: Text
      Field Type: Computed
      Formula: UIDNumber

    Field: homeDirectory
      Datatype: Text
      Field Type: Computed
      Formula: "/home/" + @LowerCase(shortname);

    Field: loginShell
      Datatype: Text
      Field Type: Computed
      Formula: "/bin/bash"

    Field: $objectclass
      Datatype: Text
      Input Multi-Value Separator(s): Comma, Semicolon
      Display Multi-Value Separator: Semicolon
      Field Type: Computed
      Formula: "posixAccount" : "posixGroup";

It is very important to note that the random function used to assign uidNumber and gidNumber is for demonstration and proof of concept only. It draws from a range of only 1000 values, so two users will sooner or later receive the same number and, since the workstation identifies file owners by number, would be able to read each other's files; and because the field is editable, anyone who can edit a person document can set the number to any value, including 0. In a production environment a Domino agent should allocate these values according to the naming standards in use, and the workstation side should refuse numbers in its local system-account range.

Save the "LDAP posixAccount" subform, insert it into the existing "$PersonExtensibleSchema" subform, and then refresh (edit and save) the person documents of the users who will authenticate on the Linux desktop. For larger address books with many users you can set up an agent in the Domino Directory to refresh all the person documents.

Reloading the LDAP Schema

To publish your changes, reload the Domino LDAP schema. In the IBM Lotus Domino server console run:

    tell ldap reload schema

The new schema is now in use by the LDAP service.

Verifying the new fields in the Domino LDAP schema

Run ldapsearch again to validate that LDAP clients retrieve the new attributes and that the schema was extended correctly:

    ldapsearch -v -x -D cn=ldapbind,o=ibm -W -H ldap://domino.br.ibm.com -b o=ibm uid=mcosta

The output (more than one screen) should now include uidNumber, gidNumber, homeDirectory and loginShell for the entry, and posixAccount among its objectClass values.
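Rather than eyeballing several screens of ldapsearch output, the check can be scripted. The following is an added example, not from the original session: it unfolds the LDIF that ldapsearch prints, verifies that the entry carries everything nss_ldap needs to build a passwd line, and refuses values the workstation should not trust from the directory (a uidNumber or gidNumber in the system range, a home directory outside /home, a missing loginShell, which is exactly what the "loginshel" field name would produce). The sample entries are constructed to look like Domino output for the article's user mcosta; they are not captured from a real server, and the objectClass list is an assumption.

```shell
#!/bin/sh
# Added example (not from the original article): validate a posixAccount
# entry as returned by ldapsearch before trusting it on a workstation.

# ldif_unfold FILE: one attribute per line (continuation lines joined,
# comment lines dropped).
ldif_unfold() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { printf "\n" }
         { printf "%s", $0 }
         END { printf "\n" }' "$1" | grep -v '^#'
}

# ldif_attr ENTRY NAME: print the value(s) of attribute NAME (case-insensitive).
ldif_attr() {
    printf '%s\n' "$1" | awk -F': ' -v n="$2" 'tolower($1) == tolower(n) { print $2 }'
}

# is_uint VALUE: true when VALUE is a non-empty string of digits.
is_uint() {
    case "$1" in '' | *[!0-9]*) return 1 ;; esac
    return 0
}

# check_posix_entry LDIF_FILE: print PROBLEM lines; return 0 when the entry
# is complete and safe to map to a local account, 1 otherwise.
check_posix_entry() {
    entry=$(ldif_unfold "$1")
    problems=0
    fail() { echo "PROBLEM: $1"; problems=$((problems + 1)); }

    if ! ldif_attr "$entry" objectClass | grep -qi '^posixAccount$'; then
        fail "objectClass posixAccount missing: schema not extended or 'tell ldap reload schema' not run"
    fi
    [ -n "$(ldif_attr "$entry" uid)" ] || fail "uid missing: no login name to map"

    # uid/gid numbers come from the directory, so the workstation trusts the
    # directory for them: a uidNumber of 0 is root on every client.
    for a in uidNumber gidNumber; do
        v=$(ldif_attr "$entry" "$a")
        if ! is_uint "$v"; then
            fail "$a missing or not numeric (got '$v')"
        elif [ "$v" -lt 1000 ]; then
            fail "$a $v is in the local system-account range; refusing to map it"
        fi
    done

    home=$(ldif_attr "$entry" homeDirectory)
    case "$home" in
        /home/*) case "$home" in *..*) fail "homeDirectory '$home' contains '..'" ;; esac ;;
        *) fail "homeDirectory '$home' is not under /home" ;;
    esac

    shell=$(ldif_attr "$entry" loginShell)
    case "$shell" in
        /*) ;;
        *) fail "loginShell missing or not absolute (got '$shell'); check the field name in the Domino subform" ;;
    esac

    [ "$problems" -eq 0 ]
}

# posix_entry_to_passwd LDIF_FILE: the passwd line nss_ldap would build
# (first cn used as the gecos field).
posix_entry_to_passwd() {
    entry=$(ldif_unfold "$1")
    printf '%s:x:%s:%s:%s:%s:%s\n' \
        "$(ldif_attr "$entry" uid)" "$(ldif_attr "$entry" uidNumber)" \
        "$(ldif_attr "$entry" gidNumber)" "$(ldif_attr "$entry" cn | head -n 1)" \
        "$(ldif_attr "$entry" homeDirectory)" "$(ldif_attr "$entry" loginShell)"
}

# write_sample_ldif FILE: constructed entry shaped like Domino output after
# the schema extension worked.
write_sample_ldif() {
    cat >"$1" <<'EOF'
# constructed sample, not captured from a server
dn: CN=Marcelo Costa,O=ibm
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Marcelo Costa
sn: Costa
uid: mcosta
uidNumber: 1432
gidNumber: 1432
homeDirectory: /home/mcosta
loginShell: /bin/bash
EOF
}

# write_bad_ldif FILE: constructed entry with the mistakes the checks catch
# (uid/gid 0, home outside /home, the "loginshel" field name typo).
write_bad_ldif() {
    cat >"$1" <<'EOF'
dn: CN=Someone Else,O=ibm
objectClass: top
objectClass: person
objectClass: posixAccount
cn: Someone Else
uid: selse
uidNumber: 0
gidNumber: 0
homeDirectory: /root
loginshel: /bin/bash
EOF
}
```

In use: `ldapsearch -x -W -D cn=ldapbind,o=ibm -H ldap://domino.br.ibm.com -b o=ibm uid=mcosta > mcosta.ldif; check_posix_entry mcosta.ldif && posix_entry_to_passwd mcosta.ldif`.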
Enabling the Domino LDAP server as the default Linux directory

The authconfig command

With the authconfig command it is finally possible to make the Domino LDAP server the default source for authentication and user information. As the root user, run:

    authconfig

User Information Configuration

In the "User Information Configuration" screen you define where Linux looks up user information; point it to the Domino LDAP service (authconfig writes the corresponding ldap entries into /etc/nsswitch.conf).

Authentication Configuration

In the "Authentication Configuration" screen you choose where the Linux desktop authenticates users; again select the Domino LDAP service (authconfig adds pam_ldap to the PAM stack).

Authenticating a Domino user on Linux

Once the configuration is complete and authconfig has committed it, it should be possible to log in to the Linux workstation with the Domino LDAP users (shown as a screen capture in the original).

Creating home directories for the Domino users

Note that the user does not yet have a home directory: the path in the Domino directory's homeDirectory attribute exists only in the directory. As root, create the directory and hand it over to the user so that the Domino user behaves like a native Linux user (the commands are shown as a screen capture in the original).

Verifying user information (the id command)

When the user "mcosta" runs the id command, the user information is retrieved from the Domino Directory and displayed in the output (shown as a screen capture in the original).
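The home-directory step above is the point where the workstation first acts on values it got from the directory, so it is worth doing with a small check rather than a bare mkdir/chown. The following function is an added example, not from the original session: it takes the passwd line that `getent passwd mcosta` returns once nss_ldap is working, refuses entries whose uid or gid is in the system range or whose home lies outside /home, and creates the directory with mode 700 owned by the numeric uid/gid. ROOT_PREFIX is an assumption of this example so that the function can be exercised on a scratch tree; leave it unset on a real workstation. The chown is performed only when running as root.

```shell
#!/bin/sh
# Added example (not from the original article): create the home directory
# for a directory-backed account from its passwd line, refusing entries that
# would let the directory hand out a privileged uid or an arbitrary path.

# mkhome_from_passwd "name:x:uid:gid:gecos:home:shell"
# ROOT_PREFIX (assumed, default empty) is prepended to the home path so the
# function can be tested on a scratch tree.
mkhome_from_passwd() {
    line="$1"
    name=$(printf '%s' "$line" | cut -d: -f1)
    uid=$(printf '%s' "$line" | cut -d: -f3)
    gid=$(printf '%s' "$line" | cut -d: -f4)
    home=$(printf '%s' "$line" | cut -d: -f6)

    # The directory, not the workstation, chose uid/gid/home. Do not act on
    # values that would create a root-owned tree or a directory anywhere
    # else on the file system.
    case "$uid" in '' | *[!0-9]*) echo "refusing '$name': uid '$uid' not numeric" >&2; return 1 ;; esac
    case "$gid" in '' | *[!0-9]*) echo "refusing '$name': gid '$gid' not numeric" >&2; return 1 ;; esac
    if [ "$uid" -lt 1000 ] || [ "$gid" -lt 1000 ]; then
        echo "refusing '$name': uid/gid $uid/$gid is in the system-account range" >&2
        return 1
    fi
    case "$home" in
        /home/*) ;;
        *) echo "refusing '$name': home '$home' is not under /home" >&2; return 1 ;;
    esac
    case "$home" in *..*) echo "refusing '$name': home '$home' contains '..'" >&2; return 1 ;; esac

    target="${ROOT_PREFIX:-}$home"
    if [ -e "$target" ]; then
        echo "$target already exists; leaving it alone" >&2
        return 0
    fi

    # Create the directory closed to everyone else, seed it from /etc/skel
    # when present, and hand it to the user by numeric id (no name lookup
    # needed, so this works even before NSS is pointed at the directory).
    mkdir -p -m 700 "$target"
    if [ -d /etc/skel ]; then cp -R /etc/skel/. "$target"/; fi
    chmod 700 "$target"
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$uid:$gid" "$target"
    else
        echo "not root: skipped chown -R $uid:$gid $target" >&2
    fi
}
```

On the workstation: `mkhome_from_passwd "$(getent passwd mcosta)"`. The same rules (numeric ids above the system range, home under /home) are what the entry validation on the Domino side should enforce before a person document is published.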
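The home-directory step above is done by hand in the screenshots. The following POSIX shell script is an added example, not part of the original document: it reads the homeDirectory, uidNumber and gidNumber attributes from an ldapsearch result, creates the directory with the ownership and permissions a native Linux user would have, and then verifies that NSS resolves the account. The LDIF sample, the user’s numeric IDs and the optional BASE prefix (used so the function can be exercised under a temporary directory) are constructed for this example and are not values from the Domino server shown in the document.

```shell
#!/bin/sh
# Added example (not from the original document): create a home directory for a
# Domino LDAP user from the attributes the directory returns, then verify the
# account with getent/id.  Plain POSIX sh; run as root on the real desktop.

# Constructed sample of what "ldapsearch ... uid=mcosta" returns for the user.
# The dn, numeric IDs and paths are assumptions for this example, not real data.
SAMPLE_LDIF='dn: cn=Marcos Costa,o=ibm
uid: mcosta
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/mcosta
loginShell: /bin/bash'

# ldif_attr ATTR LDIF: print the first value of ATTR (attribute names are
# case-insensitive in LDAP, so compare them lower-cased).
ldif_attr() {
    printf '%s\n' "$2" | awk -v want="$1" '
        BEGIN { want = tolower(want) }
        index($0, ":") {
            name = tolower(substr($0, 1, index($0, ":") - 1))
            if (name == want) {
                val = substr($0, index($0, ":") + 1)
                sub(/^[ \t]+/, "", val)
                print val
                exit
            }
        }'
}

# make_home DIR UID GID: create DIR with mode 0700 owned by UID:GID.
# chown needs root; when not running as root the ownership step is skipped
# and reported, so the function can still be exercised by an unprivileged user.
make_home() {
    dir=$1; uid=$2; gid=$3
    [ -d "$dir" ] && { echo "exists: $dir"; return 0; }
    mkdir -p "$dir" || return 1
    chmod 0700 "$dir" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "$uid:$gid" "$dir" || return 1
    else
        echo "not root: skipping chown $uid:$gid $dir"
    fi
    return 0
}

# provision_home LDIF [BASE]: read the three attributes and create the home.
# BASE is prepended to homeDirectory so the example can run under a temp dir;
# on the real workstation call it without BASE.
provision_home() {
    ldif=$1; base=${2:-}
    home=$(ldif_attr homeDirectory "$ldif")
    uidn=$(ldif_attr uidNumber "$ldif")
    gidn=$(ldif_attr gidNumber "$ldif")
    [ -n "$home" ] && [ -n "$uidn" ] && [ -n "$gidn" ] || {
        echo "missing homeDirectory/uidNumber/gidNumber in directory entry" >&2
        return 1
    }
    make_home "$base$home" "$uidn" "$gidn"
}

# verify_user LOGIN: confirm NSS resolves the user (getent) and show id output.
# This only succeeds on a desktop where nss_ldap is already in nsswitch.conf.
verify_user() {
    getent passwd "$1" >/dev/null 2>&1 || { echo "NSS cannot resolve $1" >&2; return 1; }
    id "$1"
}

# Stand-alone demonstration under a temporary directory: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    base=$(mktemp -d)
    provision_home "$SAMPLE_LDIF" "$base" && ls -ld "$base/home/mcosta"
    rm -rf "$base"
fi
```

On the real workstation the LDIF argument would be the output of the ldapsearch command from the earlier step, BASE is left empty, and verify_user mcosta is the scripted equivalent of running id as the user. The function refuses to create anything when the directory entry lacks the POSIX attributes, which is the usual reason a Domino user logs in without a usable home.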
Setting up Lotus Domino to allow password change for LDAP users

Configuration Document and user rights in the ACL
To allow password change via the Domino LDAP server, some changes have to be made as follows:

Edit the server “Configuration Document” in the Basics section and check the field “Use these settings as the default settings for all servers” as follows:

Then, in the “LDAP” tab, verify that the field “Allow LDAP users write access:” is set to “Yes” to allow password change via LDAP access.

Finally, make sure that “ldapbind/ibm” has permission to edit users (it can be Manager) in the Name and Address Book ACL and that in the ACL advanced properties the “Maximum Internet name and password” access is at least “Editor”, as follows:

Note that this gives the ldapbind account write access to the directory over LDAP, so its credentials on the Linux desktop should be protected accordingly.

Changing a user password
After you have saved the Configuration Document and set up the Name and Address Book ACL rights, you should restart the IBM Lotus Domino server and then test the password change from your Linux prompt as a regular Linux user:
Troubleshooting

ldapsearch
The ldapsearch command is the best way to validate that the Linux desktop can reach and access the Domino LDAP service. If you can’t run the ldapsearch searches that this document asks you to do, don’t go ahead with the next step, because you can lose access to the Linux workstation.

Password change from the Linux desktop
If the password change does not work, verify the rights of the ldapbind user in the Name and Address Book access control list. You should also verify that in the advanced access control list settings the maximum access is at least Editor.

User root cannot log in anymore!
If you made a mistake and cannot log in to the Linux desktop as the root user anymore, don’t get desperate! You still have a way out! Press Ctrl+Alt+Del on the Linux desktop and restart the system in single-user mode by typing “Linux 1” at the LILO prompt (you should have an equivalent option in GRUB). Then, once you are at the root prompt, edit the file /etc/nsswitch.conf (make a backup copy of the file first) and remove all the ldap references from the file.

Now that you have seen the hard work needed to recover the system, there is a trick! When configuring the system, you can leave some root sessions open; they will let you recover the login configuration without having to restart the system in recovery mode.
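The recovery step above (back up /etc/nsswitch.conf, remove every ldap reference) is easy to get wrong by hand at a single-user prompt. The following POSIX shell script is an added example, not part of the original document: it takes the file path as a parameter so it can be tried on a copy first, keeps a timestamped backup, removes the ldap source from every database line so lookups fall back to local files, and reports whether any ldap reference remains. The sample nsswitch.conf content is constructed for the example and only approximates what authconfig writes; the defaulting of a line whose only source was ldap to “files” is this example’s choice.

```shell
#!/bin/sh
# Added example (not from the original document): back up an nsswitch.conf and
# strip every "ldap" source from it, which is the recovery step described in
# the troubleshooting section.  Run as root against /etc/nsswitch.conf from the
# single-user shell or from the root session you kept open.

# Constructed sample of an nsswitch.conf after authconfig enabled the LDAP
# directory (assumed content for this example).
SAMPLE_NSSWITCH='# /etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
netgroup:   ldap
automount:  files ldap
aliases:    files nisplus'

# has_ldap FILE: succeed if any non-comment line still names the ldap source.
has_ldap() {
    grep -v '^[[:space:]]*#' "$1" | grep -qw ldap
}

# strip_ldap FILE: copy FILE to FILE.bak-<timestamp>, then rewrite FILE with the
# word "ldap" removed from every source list.  A database whose only source was
# ldap is set to "files" (this example's choice) so the line stays well-formed.
# Prints the backup path on success.
strip_ldap() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    bak="$file.bak-$(date +%Y%m%d%H%M%S)"
    cp -p "$file" "$bak" || return 1
    awk '
        /^[ \t]*#/ || !index($0, ":") { print; next }   # comments and blank lines unchanged
        {
            name = substr($0, 1, index($0, ":"))          # e.g. "passwd:"
            rest = substr($0, index($0, ":") + 1)
            n = split(rest, src, /[ \t]+/)
            out = ""
            for (i = 1; i <= n; i++) {
                if (src[i] == "" || src[i] == "ldap") continue
                out = out " " src[i]
            }
            if (out == "") out = " files"
            print name out
        }' "$bak" > "$file" || return 1
    echo "$bak"
}

# Stand-alone demonstration on a copy of the sample: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_NSSWITCH" > "$tmp/nsswitch.conf"
    bak=$(strip_ldap "$tmp/nsswitch.conf") && echo "backup: $bak"
    cat "$tmp/nsswitch.conf"
    has_ldap "$tmp/nsswitch.conf" || echo "no ldap references remain"
    rm -rf "$tmp"
fi
```

Once local logins work again, the backup file shows exactly which databases had been pointed at the Domino directory, which makes it straightforward to re-enable them one at a time while a root session stays open.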
The IBM Lotus Domino server shows each day that it is the most flexible and easy-to-set-up messaging and collaboration solution on the market, because it is based on open standards and protocols. This document is just another example of how Domino can be used to reduce the total cost of ownership of your IT environment and solutions. Note that it is very important to remember that the solution described here is not the most complete solution from IBM for integrating Linux authentication with an LDAP service. IBM Tivoli software has solutions in this area that can do much more, such as user management, access control, system management and security control. You can find more information about those capabilities at http://www.tivoli.com or http://www-306.ibm.com/software/tivoli/solutions/security/.