LDAP Integration
ILRI uses an Active Directory server for user authentication, which is primarily used for Exchange e-mail services. Currently users have an Active Directory username and password for their Windows-centric single sign-on and e-mail, and then they have a separate account for use with the HPC. Linux can be configured to look up Active Directory for user authentication.
This was working once, using a slightly customized PAM module. In order to use the module several steps are needed. Download the module source and compile it as shown below:
- Compile the code:
gcc -fPIC -c pam_cgiar_ldap.c
- Link the code:
ld -x -shared -o pam_cgiar_ldap.so pam_cgiar_ldap.o -lldap
The Active Directory server must not only be a domain controller, but must be running the global catalog service (port 3268) in order for our LDAP queries to work properly.
pam_cgiar_ldap.c:
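#include <stdio.h>
#include <string.h>   /* added by lavila */
#include <ctype.h>
#include <syslog.h>   /* added by Alan to compile on newer Linux */
#include <sys/time.h> /* struct timeval for the network timeout */

/*
 * here, we make definitions for the externally accessible functions
 * in this file (these definitions are required for static modules
 * but strongly encouraged generally) they are used to instruct the
 * modules include file to define their prototypes.
 */
#define PAM_SM_AUTH
#define PAM_SM_ACCOUNT
#define PAM_SM_SESSION
#define PAM_SM_PASSWORD

#include <security/pam_modules.h>
#include <security/_pam_macros.h>

/* ldap_init(), ldap_simple_bind_s() and ldap_unbind_s() are only declared by
 * newer OpenLDAP headers when LDAP_DEPRECATED is set. */
#define LDAP_DEPRECATED 1
#include <lber.h> /* for ldap */
#include <ldap.h> /* for ldap */

/*
 * Directory server and UPN suffix used for the bind.
 *
 * NOTE(review): the surrounding page says the global catalog (port 3268)
 * is required, while this code has always bound to port 389 — confirm which
 * port is intended.  The bind is a plain (cleartext) simple bind; whether
 * STARTTLS/LDAPS is available on this server is not shown here.
 */
#define CGIAR_LDAP_HOST "172.26.12.11"
#define CGIAR_LDAP_PORT 389
#define CGIAR_UPN_SUFFIX "@cgiar.org"

enum { CGIAR_UPN_MAX = 256 }; /* room for "user" + CGIAR_UPN_SUFFIX + NUL */

/*
 * Build "user@cgiar.org" into out[outsz].
 *
 * Returns 1 on success, 0 if the name is rejected or does not fit.  Names
 * that already contain '@', whitespace or control characters are rejected:
 * appending the suffix to them would yield an ambiguous or malformed UPN.
 */
static int build_upn(const char *user, char *out, size_t outsz)
{
    for (const unsigned char *c = (const unsigned char *)user; *c != '\0'; c++) {
        if (*c == '@' || isspace(*c) || iscntrl(*c)) {
            return 0;
        }
    }
    int n = snprintf(out, outsz, "%s%s", user, CGIAR_UPN_SUFFIX);
    return n > 0 && (size_t)n < outsz;
}

/*
 * Attempt an LDAP simple bind as loginDN@cgiar.org with the given password.
 *
 * @param loginDN   bare account name (the domain suffix is appended here);
 *                  unlike the original, the caller's buffer is not modified
 * @param password  cleartext password
 * @return 1 when the bind succeeds, 0 on any failure
 *
 * A NULL or empty password is refused before any network traffic: an LDAP
 * simple bind with a name and an empty password is an *unauthenticated*
 * bind, which a directory server may answer with success, so forwarding it
 * would accept a blank password for any account.
 */
int testBind(const char *loginDN, const char *password)
{
    struct timeval timeOut = {10, 0}; /* 10 second connection timeout */
    int version = LDAP_VERSION3;
    char upn[CGIAR_UPN_MAX];
    LDAP *ld = NULL;
    int returnValue = 0;

    if (loginDN == NULL || password == NULL || *password == '\0') {
        syslog(LOG_ERR, "pam_cgiar_ldap: -->empty user or password, refusing bind");
        return 0;
    }
    /* the original strcat()'d the suffix into a fixed 100-byte caller buffer
     * with no length check; build the UPN into a bounded local instead */
    if (!build_upn(loginDN, upn, sizeof upn)) {
        syslog(LOG_ERR, "pam_cgiar_ldap: -->user name rejected");
        return 0;
    }

    ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, &version);
    ldap_set_option(NULL, LDAP_OPT_NETWORK_TIMEOUT, &timeOut);

    ld = ldap_init(CGIAR_LDAP_HOST, CGIAR_LDAP_PORT);
    if (ld == NULL) {
        /* the original printed to stdout and then dereferenced the NULL handle */
        syslog(LOG_ERR, "pam_cgiar_ldap: -->ldap_init failed");
        return 0;
    }

    if (ldap_simple_bind_s(ld, upn, password) != LDAP_SUCCESS) {
        returnValue = 0;
        syslog(LOG_ERR, "pam_cgiar_ldap: -->ldap authentication failed");
    } else {
        returnValue = 1;
        syslog(LOG_INFO, "pam_cgiar_ldap: -->ldap authentication ok");
    }

    /* never log the password; the handle was previously leaked on every call */
    ldap_unbind_s(ld);
    return returnValue;
}

/* --- authentication management functions --- */

/*
 * Authenticate PAM_USER by binding to the directory as user@cgiar.org with
 * the password found in PAM_AUTHTOK.
 *
 * Per the original author's note, PAM_AUTHTOK is only populated when an
 * earlier module in the auth stack has already prompted for the password, so
 * this module must not be first in the stack.  When no token is available
 * the module fails closed with PAM_AUTH_ERR instead of attempting a bind.
 *
 * @return PAM_SUCCESS on a successful bind, PAM_USER_UNKNOWN when no user
 *         name is available, PAM_AUTH_ERR otherwise (or the pam_get_user
 *         error code if that call fails)
 */
PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    const char *user = NULL;
    const char *p = NULL;
    int retval;

    (void)flags;
    (void)argc;
    (void)argv;

    /* authentication requires we know who the user wants to be */
    retval = pam_get_user(pamh, &user, NULL);
    if (retval != PAM_SUCCESS) {
        D(("get user returned error: %s", pam_strerror(pamh, retval)));
        return retval;
    }
    if (user == NULL || *user == '\0') {
        /* the original substituted "nobody" here and then fell through to
         * strcpy(NULL); an auth module cannot authenticate an unnamed user */
        D(("username not known"));
        return PAM_USER_UNKNOWN;
    }

    /* the password is taken from the stack, not prompted for here */
    retval = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&p);
    if (retval != PAM_SUCCESS || p == NULL || *p == '\0') {
        syslog(LOG_ERR, "pam_cgiar_ldap: -->no password in PAM_AUTHTOK (module stacked first?)");
        return PAM_AUTH_ERR;
    }

    return testBind(user, p) == 1 ? PAM_SUCCESS : PAM_AUTH_ERR;
}

/* Credentials are established by the bind itself; nothing to set. */
PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    (void)pamh;
    (void)flags;
    (void)argc;
    (void)argv;
    return PAM_SUCCESS;
}

/* --- account management functions --- */

/* No account restrictions are enforced by this module. */
PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    (void)pamh;
    (void)flags;
    (void)argc;
    (void)argv;
    return PAM_SUCCESS;
}

/* --- password management --- */

/* Password changes are not supported; reports success without doing anything. */
PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    (void)pamh;
    (void)flags;
    (void)argc;
    (void)argv;
    return PAM_SUCCESS;
}

/* --- session management --- */

PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    (void)pamh;
    (void)flags;
    (void)argc;
    (void)argv;
    return PAM_SUCCESS;
}

PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    (void)pamh;
    (void)flags;
    (void)argc;
    (void)argv;
    return PAM_SUCCESS;
}

/* end of module definition */

#ifdef PAM_STATIC

/* static module data */
struct pam_module_pam_cgiar_ldap_modstruct = {
    "pam_cgiar_ldap",
    pam_sm_authenticate,
    pam_sm_setcred,
    pam_sm_acct_mgmt,
    pam_sm_open_session,
    pam_sm_close_session,
    pam_sm_chauthtok
};

#endif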