000032399 - How to configure the Novell eDirectory service for RSA Security Analytics PAM authentication

Document created by RSA Customer Support Employee on Jun 30, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000032399
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: SA Security Analytics Server
RSA Version/Condition: 10.4.x, 10.5.x
Platform: CentOS
O/S Version: EL6
Platform (Other):  Novell eDirectory
Resolution
The PAM configuration for eDirectory is similar to the PAM LDAP configuration. The only difference is that the base and binddn values contain the eDirectory tree name, O=Edir_tree_name.
Below is the sample configuration.
[root@localhost ~]# vi /etc/nslcd.conf
uid nslcd
gid ldap
uri ldap://192.168.1.10:390
base CN=PAM-DC-NDS,O=sagar-edir
binddn cn=pam-euser1,O=sagar-edir
bindpw Dlp123@1
scope  group  sub
scope  hosts  sub
pagesize 1000
referrals off
filter passwd (&(objectClass=*))
#filter shadow (&(objectClass=*))
#filter group  (objectClass=*)
#map    group  uniqueMember     member
#tls_cacertdir /etc/openldap/cacerts
#tls_reqcert never
bind_timelimit 3
timelimit 3
scope sub

[root@localhost ~]# vi /etc/pam_ldap.conf
uri ldap://192.168.1.10:390
base CN=PAM-DC-NDS,O=sagar-edir
binddn cn=pam-euser1,o=sagar-edir
bindpw *****
pam_password nds
nss_map_attribute userPassword authPassword
pam_filter objectclass=user
scope sub
## additional options to try
pam_login_attribute uid
pam_member_attribute gid
nss_map_attribute uniqueMember member
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User

[root@localhost ~]# vi /etc/openldap/ldap.conf
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
uri ldap://192.168.1.10:390
base O=sagar-edir
TLS_CACERTDIR /etc/openldap/cacerts
Notes
uidNumber for users and gidNumber for groups must be defined in order for Security Analytics to work.

By default, users and groups in eDirectory do not have uid and gid numbers. It is necessary to extend the eDirectory schema to add these attributes.
More information on PAM/LDAP/start_tls Authentication via Novell eDirectory for Linux can be found here.
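The two points this article makes (the base and binddn must end in the eDirectory tree's O= component, and every account PAM will see needs uidNumber and gidNumber) are easy to check offline before rolling the configuration onto a Security Analytics server. The script below is an added example, not RSA or Novell code: it parses an nslcd.conf-style file, verifies that base and binddn end in O=<tree name>, flags transport settings that expose the bind password (an ldap:// uri without `ssl start_tls`, or `tls_reqcert never`), and then scans an ldapsearch-style LDIF dump for entries missing the POSIX id attributes. The tree name, the nslcd.conf text and the LDIF entries are constructed sample values, and the LDIF parser is a minimal one (no base64 `::` values or line continuations).

```python
"""Offline checks for an eDirectory-backed PAM/LDAP (nslcd) configuration.

Added example; sample configuration and directory data below are constructed,
not taken from a real server.
"""

# Constructed nslcd.conf text mirroring the article's layout (placeholder values).
SAMPLE_NSLCD_CONF = """\
uid nslcd
gid ldap
uri ldap://192.0.2.10:390
base CN=PAM-DC-NDS,O=example-edir
binddn cn=pam-user,O=example-edir
bindpw not-a-real-password
scope sub
"""

# Constructed LDIF in the shape ldapsearch prints; 'bob' lacks the POSIX ids.
SAMPLE_LDIF = """\
dn: cn=alice,CN=PAM-DC-NDS,O=example-edir
objectClass: User
cn: alice
uidNumber: 10001
gidNumber: 10001

dn: cn=bob,CN=PAM-DC-NDS,O=example-edir
objectClass: User
cn: bob

dn: cn=pamgroup,CN=PAM-DC-NDS,O=example-edir
objectClass: groupOfNames
cn: pamgroup
gidNumber: 20001
"""


def parse_conf(text):
    """Return {option: [values]} for a 'key value' file such as nslcd.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf


def check_nslcd_conf(text, tree_name):
    """Return a list of findings for the eDirectory-specific and transport settings."""
    conf = parse_conf(text)
    findings = []
    suffix = f"o={tree_name.lower()}"
    # The article's one eDirectory-specific rule: base and binddn end in O=<tree>.
    for key in ("base", "binddn"):
        for value in conf.get(key, []):
            if not value.lower().replace(" ", "").endswith(suffix):
                findings.append(f"{key} does not end in O={tree_name}: {value}")
    # A plain ldap:// uri sends bindpw in the clear unless 'ssl start_tls' upgrades it.
    for uri in conf.get("uri", []):
        if uri.lower().startswith("ldap://") and "start_tls" not in conf.get("ssl", []):
            findings.append(f"plaintext LDAP uri without ssl start_tls: {uri}")
    if "never" in conf.get("tls_reqcert", []):
        findings.append("tls_reqcert never disables server certificate verification")
    if conf.get("bindpw"):
        findings.append("bindpw present: file must be readable only by root and the nslcd user")
    return findings


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attribute: [values]} dicts."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def missing_posix_ids(ldif_text):
    """Map each dn to the id attributes it lacks: uidNumber+gidNumber for users, gidNumber for groups."""
    problems = {}
    for entry in parse_ldif(ldif_text):
        dn = entry["dn"][0]
        classes = {c.lower() for c in entry.get("objectClass", [])}
        required = ["gidNumber"]
        if "user" in classes:
            required.append("uidNumber")
        missing = [attr for attr in required if attr not in entry]
        if missing:
            problems[dn] = missing
    return problems


if __name__ == "__main__":
    for finding in check_nslcd_conf(SAMPLE_NSLCD_CONF, "example-edir"):
        print("nslcd.conf:", finding)
    for dn, attrs in missing_posix_ids(SAMPLE_LDIF).items():
        print(f"{dn}: missing {', '.join(attrs)}")
```

Run it against a real `ldapsearch -LLL` dump of the PAM container and the server's actual nslcd.conf to get the list of accounts that will fail to log in for lack of uidNumber/gidNumber, and to confirm the bind credentials are not going over an unencrypted connection.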
