Differences

This shows you the differences between two versions of the page.

--- ldap_integration [2009/08/14 09:10] – Added code for pam_cgiar_ldap.c aorth
+++ ldap_integration [2009/08/18 11:35] – alan
@@ Line 1: / Line 1: @@
 ===== LDAP Integration =====
-ILRI uses an Active Directory server for user authentication, which is primarily used for Exchange e-mail services.  Currently users have an Active Directory username and password for their Windows-centric single sign on and e-mail, and then they have a separate account for use with the HPC.  There exists functionality in Linux to look at Active Directory for user authentication.
+ILRI uses an Active Directory server for user authentication, which is primarily used for Exchange e-mail services.  Active Directory is Microsoft's version of LDAP with a little special sauce.  Currently users have an Active Directory username and password for their Windows-centric single sign on and e-mail, and then they have a separate account for use with the HPC.  There exists functionality in Linux to look at Active Directory for user authentication.
-~~NOLINEBREAK~~
-<code c>
-#define DEFAULT_USER "nobody"
+<note warning>ILRI's Active Directory servers are configured to [[http://support.microsoft.com/kb/326690|disallow anonymous binds]] so we need to use a special account account which is allowed to perform queries.  Robert Okal has given me an account to perform queries, the name is ''bioinfohpc''</note>
+The Active Directory server must not only be a domain controller, but must be running the [[http://technet.microsoft.com/en-us/library/cc978012.aspx|global catalog service]] (port 3268) in order for our LDAP queries to work properly.  ILRI Kenya's Active Directory servers are:
+  * 172.26.0.218 <- running a global catalog server (port 3268)
+  * 172.26.0.219
+  * 172.26.0.220 <- running a global catalog server (port 3268)
-#include <stdio.h>
+This was working once, using a //slightly// customized PAM module.  In order to use the module several steps are needed.  Download the module source and edit the code to point to the correct server, then compile it as shown below:
+  * Compile the code:  ''gcc -fPIC  -c pam_cgiar_ldap.c''
+  * Link the code:  ''ld -x --shared -o pam_cgiar_ldap.so –lldap pam_cgiar_ldap.o''
+**pam_cgiar_ldap.c**:
+<code c>
+#define DEFAULT_USER "nobody"
+#include <stdio.h>
 /*
  * here, we make definitions for the externally accessible functions
  * in this file (these definitions are required for static modules
  * but strongly encouraged generally) they are used to instruct the
  * modules include file to define their prototypes.
  */
 #define PAM_SM_AUTH
 #define PAM_SM_ACCOUNT
 #define PAM_SM_SESSION
 #define PAM_SM_PASSWORD
 #include <security/pam_modules.h>
 #include <security/_pam_macros.h>
 #include <lber.h> //for ldap
 #include <ldap.h> //for ldap
 #include <string.h> //added by lavila
 #include <syslog.h> //added by Alan to compile on newer Linux
 int testBind(char* loginDN, char* password)
 {
   struct timeval timeOut = {10,0};    /* 10 second connection timeout */
   int returnValue=0;
   char* pass2;
   pass2=password;
   char tempPass[100];
   //strcpy(tempPass,pass2);
   strcat(loginDN,"@cgiar.org");
   //syslog (LOG_ERR, "pam_cgiar_ldap: user %s, password %s",loginDN,password );
   LDAP *ld;
   int version = LDAP_VERSION3;
   ldap_set_option( NULL, LDAP_OPT_PROTOCOL_VERSION, &version);
   ldap_set_option( NULL, LDAP_OPT_NETWORK_TIMEOUT, &timeOut);
+  ld = ldap_init("172.26.0.218" , 389 );
-  ld = ldap_init("172.26.12.11" , 389 );
   if (ld==NULL) printf("\nproblems connecting\n");
   int rc;
   //if (ldap_simple_bind_s( ld, loginDN,password)!= LDAP_SUCCESS )
   if (ldap_simple_bind_s( ld, loginDN,password)!= LDAP_SUCCESS )
     {
       returnValue =0;
       syslog (LOG_ERR, "pam_cgiar_ldap: -->ldap authentication failed");
     }
   else
  {
    returnValue=1;
   syslog (LOG_ERR, "pam_cgiar_ldap: -->ldap authentication ok");
   }
 /*
   FILE* outFile;
   outFile=fopen ("/salida.txt","w");
   fprintf(outFile,"\nuser:%s\n",loginDN);
  // if (rc==PAM_SUCCESS)
   fprintf(outFile,"\nPassword: %s\n",password);
  fclose(outFile);
   */
 //  return(0);
   return (returnValue);
 }
 /* --- authentication management functions --- */
 PAM_EXTERN
+int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc,const char **argv)
-int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc
-			,const char **argv)
 {
     int retval,rc;
     const char *user=NULL;
     char *p;
 //syslog (LOG_ERR, "illegal option %s", argv[i]);
     /*
      * authentication requires we know who the user wants to be
      */
     retval = pam_get_user(pamh, &user, NULL);
     if (retval != PAM_SUCCESS) {
 	D(("get user returned error: %s", pam_strerror(pamh,retval)));
 	return retval;
     }
    // rc=pam_get_item (pamh, PAM_AUTHTOK, (const void **) &p);
     if (user == NULL || *user == '\0') {
 	D(("username not known"));
 	retval = pam_set_item(pamh, PAM_USER, (const void *) DEFAULT_USER);
 	if (retval != PAM_SUCCESS)
 	    return PAM_USER_UNKNOWN;
     }
    // user = NULL;                                            /* clean up */
    // return PAM_SUCCESS;
   //changes introduced by lavila
  // I still cannot put this module on top of the stack
  // I have to put it at least on second place
  // or my password information returns null when using get_itme
  //maybe I should use pam_start to load pamh
   rc=pam_get_item (pamh, PAM_AUTHTOK, (const void **) &p);
  // if (rc == PAM_SUCCESS)
    char luser[100];
    strcpy(luser,user);
  // if (p!=NULL)
  /* {
     FILE* outFile;
     outFile=fopen ("/salida.txt","w");
     fprintf(outFile,"\nuser:%s\n",user);
     fprintf(outFile,"\nPassword1: %s\n",p);
     fclose(outFile);
     rc = testBind(luser,p);
   }*/
     rc = testBind(luser,p);
 //  rc=0;
  if (rc==1)
   return PAM_SUCCESS;
  else return PAM_AUTH_ERR;
 	   // return PAM_USER_UNKNOWN;
    //lavila, en esta funcion debo hacer la validacion
 }
 PAM_EXTERN
 int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc
 		   ,const char **argv)
 {
      return PAM_SUCCESS;
 //	    return PAM_USER_UNKNOWN;
 }
 /* --- account management functions --- */
 PAM_EXTERN
 int pam_sm_acct_mgmt(pam_handle_t *pamh,int flags,int argc
 		     ,const char **argv)
 {
      return PAM_SUCCESS;
 }
 /* --- password management --- */
 PAM_EXTERN
 int pam_sm_chauthtok(pam_handle_t *pamh,int flags,int argc
 		     ,const char **argv)
 {
      return PAM_SUCCESS;
 }
 /* --- session management --- */
 PAM_EXTERN
 int pam_sm_open_session(pam_handle_t *pamh,int flags,int argc
 			,const char **argv)
 {
     return PAM_SUCCESS;
 }
 PAM_EXTERN
 int pam_sm_close_session(pam_handle_t *pamh,int flags,int argc
 			 ,const char **argv)
 {
      return PAM_SUCCESS;
 }
 /* end of module definition */
 #ifdef PAM_STATIC
 /* static module data */
 /*struct pam_module_pam_permit_modstruct = {
     "pam_permit",*/
 struct pam_module_pam_cgiar_ldap_modstruct = {
     "pam_cgiar_ldap",
     pam_sm_authenticate,
     pam_sm_setcred,
     pam_sm_acct_mgmt,
     pam_sm_open_session,
     pam_sm_close_session,
     pam_sm_chauthtok
 };
 #endif
 </code>