Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000032399 - How to configure the Novell eDirectory service for RSA Security Analytics PAM authentication

Document created by RSA Customer Support

on Jun 30, 2016•Last modified by RSA Customer Support

on Apr 21, 2017

Version 2Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000032399
Applies To	RSA Product Set: Security Analytics RSA Product/Service Type: SA Security Analytics Server RSA Version/Condition: 10.4.x, 10.5.x Platform: CentOS O/S Version: EL6 Platform (Other): Novell eDirectory
Resolution	The configuration for PAM E-Directory is similar to PAM LDAP configuration. The only change is that it contains O=Edir_tree_name in base and binddn's. Below is the sample configuration. [root@localhost ~]# vi /etc/nslcd.conf uid nslcd gid ldap uri ldap://192.168.1.10:390 base CN=PAM-DC-NDS,O=sagar-edir binddn cn=pam-euser1,O=sagar-edir bindpw Dlp123@1 scope group sub scope hosts sub pagesize 1000 referrals off filter passwd (&(objectClass=)) #filter shadow (&(objectClass=)) #filter group (objectClass=) #map group uniqueMember member #tls_cacertdir /etc/openldap/cacerts #tls_reqcert never bind_timelimit 3 timelimit 3 scope sub [root@localhost ~]#vi /etc/pam_ldap.conf uri ldap://192.168.1.10:390 base CN=PAM-DC-NDS,O=sagar-edir binddn cn=pam-euser1,o=sagar-edir bindpw **** pam_password nds nss_map_attribute userPassword authPassword pam_filter objectclass=user scope sub pam_password nds nss_map_attribute userPassword authPassword ## additional options to try pam_login_attribute uid pam_member_attribute gid nss_map_attribute uniqueMember member nss_map_objectclass posixAccount User nss_map_objectclass shadowAccount User [root@localhost ~]#vi /etc/openldap/ldap.conf # See ldap.conf(5) for details # This file should be world readable but not world writable. #BASE dc=example,dc=com #URI ldap://ldap.example.com ldap://ldap-master.example.com:666 #SIZELIMIT 12 #TIMELIMIT 15 #DEREF never uri ldap://192.168.1.10:390 base O=sagar-edir TLS_CACERTDIR /etc/openldap/cacerts
Notes	uidNumber for user and gidNumber for Groups need to be defined in order for Security Analytics to work. By default, users and groups in eDirectory do not have uid and gid numbers. It is necessary to extend the AD schema to add these attributes. More information on PAM/LDAP/start_tls Authentication via Novell eDirectory for Linux can be found here.

Attachments

Outcomes

0 Comments

Recommended Content