Differences

This shows you the differences between two versions of the page.

--- ldap_integration [2009/08/14 08:49] – created aorth
+++ ldap_integration [2009/08/18 09:37] – alan
@@ Line 1: / Line 1: @@
 ===== LDAP Integration =====
-ILRI uses an Active Directory server for user authentication, which is primarily used for Exchange e-mail services.  Currently users have an Active Directory username and password for their Windows-centric single sign on and e-mail, and then they have a separate account for use with the HPC.  There exists functionality in Linux to look at Active Directory for user authentication.
+ILRI uses an Active Directory server for user authentication, which is primarily used for Exchange e-mail services.  Active Directory is Microsoft's version of LDAP with a little special sauce.  Currently users have an Active Directory username and password for their Windows-centric single sign on and e-mail, and then they have a separate account for use with the HPC.  There exists functionality in Linux to look at Active Directory for user authentication.
+ILRI's Active Directory servers are configure to [[http://support.microsoft.com/kb/326690|disallow anonymous binds]] (you have to authenticate in order to query), so we need to use a semi-privileged account in order to run queries.  Robert Okal has given me an account to perform queries.
+This was working once, using a //slightly// customized PAM module.  In order to use the module several steps are needed.  Download the module source and compile it as shown below:
+  * Compile the code:  ''gcc -fPIC  -c pam_cgiar_ldap.c''
+  * Link the code:  ''ld -x --shared -o pam_cgiar_ldap.so –lldap pam_cgiar_ldap.o''
+The Active Directory server must not only be a domain controller, but must be running the [[http://technet.microsoft.com/en-us/library/cc978012.aspx|global catalog service]] (port 3268) in order for our LDAP queries to work properly.  ILRI Kenya's Active Directory servers are:
+  * 172.26.0.218 <- running a global catalog server (port 3268)
+  * 172.26.0.219
+  * 172.26.0.220 <- running a global catalog server (port 3268)
+**pam_cgiar_ldap.c**:
 <code c>
 #define DEFAULT_USER "nobody"
 #include <stdio.h>
 /*
  * here, we make definitions for the externally accessible functions
  * in this file (these definitions are required for static modules
  * but strongly encouraged generally) they are used to instruct the
  * modules include file to define their prototypes.
  */
 #define PAM_SM_AUTH
 #define PAM_SM_ACCOUNT
 #define PAM_SM_SESSION
 #define PAM_SM_PASSWORD
 #include <security/pam_modules.h>
 #include <security/_pam_macros.h>
 #include <lber.h> //for ldap
 #include <ldap.h> //for ldap
 #include <string.h> //added by lavila
 #include <syslog.h> //added by Alan to compile on newer Linux
 int testBind(char* loginDN, char* password)
 {
   struct timeval timeOut = {10,0};    /* 10 second connection timeout */
   int returnValue=0;
   char* pass2;
   pass2=password;
   char tempPass[100];
   //strcpy(tempPass,pass2);
   strcat(loginDN,"@cgiar.org");
   //syslog (LOG_ERR, "pam_cgiar_ldap: user %s, password %s",loginDN,password );
   LDAP *ld;
   int version = LDAP_VERSION3;
   ldap_set_option( NULL, LDAP_OPT_PROTOCOL_VERSION, &version);
   ldap_set_option( NULL, LDAP_OPT_NETWORK_TIMEOUT, &timeOut);
+  ld = ldap_init("172.26.0.218" , 389 );
-  ld = ldap_init("172.26.12.11" , 389 );
   if (ld==NULL) printf("\nproblems connecting\n");
   int rc;
   //if (ldap_simple_bind_s( ld, loginDN,password)!= LDAP_SUCCESS )
   if (ldap_simple_bind_s( ld, loginDN,password)!= LDAP_SUCCESS )
     {
       returnValue =0;
       syslog (LOG_ERR, "pam_cgiar_ldap: -->ldap authentication failed");
     }
   else
  {
    returnValue=1;
   syslog (LOG_ERR, "pam_cgiar_ldap: -->ldap authentication ok");
   }
 /*
   FILE* outFile;
   outFile=fopen ("/salida.txt","w");
   fprintf(outFile,"\nuser:%s\n",loginDN);
  // if (rc==PAM_SUCCESS)
   fprintf(outFile,"\nPassword: %s\n",password);
  fclose(outFile);
   */
 //  return(0);
   return (returnValue);
 }
 /* --- authentication management functions --- */
 PAM_EXTERN
+int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc,const char **argv)
-int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc
-			,const char **argv)
 {
     int retval,rc;
     const char *user=NULL;
     char *p;
 //syslog (LOG_ERR, "illegal option %s", argv[i]);
     /*
      * authentication requires we know who the user wants to be
      */
     retval = pam_get_user(pamh, &user, NULL);
     if (retval != PAM_SUCCESS) {
 	D(("get user returned error: %s", pam_strerror(pamh,retval)));
 	return retval;
     }
    // rc=pam_get_item (pamh, PAM_AUTHTOK, (const void **) &p);
     if (user == NULL || *user == '\0') {
 	D(("username not known"));
 	retval = pam_set_item(pamh, PAM_USER, (const void *) DEFAULT_USER);
 	if (retval != PAM_SUCCESS)
 	    return PAM_USER_UNKNOWN;
     }
    // user = NULL;                                            /* clean up */
    // return PAM_SUCCESS;
   //changes introduced by lavila
  // I still cannot put this module on top of the stack
  // I have to put it at least on second place
  // or my password information returns null when using get_itme
  //maybe I should use pam_start to load pamh
   rc=pam_get_item (pamh, PAM_AUTHTOK, (const void **) &p);
  // if (rc == PAM_SUCCESS)
    char luser[100];
    strcpy(luser,user);
  // if (p!=NULL)
  /* {
     FILE* outFile;
     outFile=fopen ("/salida.txt","w");
     fprintf(outFile,"\nuser:%s\n",user);
     fprintf(outFile,"\nPassword1: %s\n",p);
     fclose(outFile);
     rc = testBind(luser,p);
   }*/
     rc = testBind(luser,p);
 //  rc=0;
  if (rc==1)
   return PAM_SUCCESS;
  else return PAM_AUTH_ERR;
 	   // return PAM_USER_UNKNOWN;
    //lavila, en esta funcion debo hacer la validacion
 }
 PAM_EXTERN
 int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc
 		   ,const char **argv)
 {
      return PAM_SUCCESS;
 //	    return PAM_USER_UNKNOWN;
 }
 /* --- account management functions --- */
 PAM_EXTERN
 int pam_sm_acct_mgmt(pam_handle_t *pamh,int flags,int argc
 		     ,const char **argv)
 {
      return PAM_SUCCESS;
 }
 /* --- password management --- */
 PAM_EXTERN
 int pam_sm_chauthtok(pam_handle_t *pamh,int flags,int argc
 		     ,const char **argv)
 {
      return PAM_SUCCESS;
 }
 /* --- session management --- */
 PAM_EXTERN
 int pam_sm_open_session(pam_handle_t *pamh,int flags,int argc
 			,const char **argv)
 {
     return PAM_SUCCESS;
 }
 PAM_EXTERN
 int pam_sm_close_session(pam_handle_t *pamh,int flags,int argc
 			 ,const char **argv)
 {
      return PAM_SUCCESS;
 }
 /* end of module definition */
 #ifdef PAM_STATIC
 /* static module data */
 /*struct pam_module_pam_permit_modstruct = {
     "pam_permit",*/
 struct pam_module_pam_cgiar_ldap_modstruct = {
     "pam_cgiar_ldap",
     pam_sm_authenticate,
     pam_sm_setcred,
     pam_sm_acct_mgmt,
     pam_sm_open_session,
     pam_sm_close_session,
     pam_sm_chauthtok
 };
 #endif
 </code>