Enable LDAP Authentication on SmartOS

At home I have a SmartOS hypervisor running a few services on a few VMs. I want to use an LDAP server as the source of user account information, so on each VM I issue the following (filling in the correct details in the angle brackets). You will probably want to replace with the OU containing the users you wish to grant login access to your servers:

ldapclient -v manual \
-a defaultServerList=<LDAP server address> \
-a authenticationMethod=simple \
-a credentialLevel=proxy \
-a proxydn=<DN of bind user> \
-a "proxypassword=<password of bind user>" \
-a domainname=<domain name> \
-a defaultSearchBase=<search base DN> \
-a defaultSearchScope=sub \
-a serviceSearchDescriptor=group:<OU containing groups> \
-a serviceSearchDescriptor=shadow:<OU containing users> \
-a serviceSearchDescriptor=passwd:<OU containing users>

e.g.:

ldapclient -v manual \
-a defaultServerList=192.168.0.389 \
-a bindTimeLimit=5 \
-a authenticationMethod=simple \
-a credentialLevel=proxy \
-a proxydn=uid=admin,ou=system \
-a "proxypassword=G0d1m@Du11@rd" \
-a domainname=example.com \
-a defaultSearchBase=dc=example,dc=com \
-a defaultSearchScope=sub \
-a serviceSearchDescriptor=group:ou=groups,dc=example,dc=com \
-a serviceSearchDescriptor=shadow:ou=users,dc=example,dc=com \
-a serviceSearchDescriptor=passwd:ou=users,dc=example,dc=com

You’ll probably want to edit /etc/nsswitch.conf after successfully configuring the system with ldapclient, as by default hosts are looked up first in /etc/hosts and then by LDAP query. I don’t store host information in LDAP, so I usually change the line:

hosts: files ldap

to

hosts: files dns

In /etc/pam.conf, change any instance of:

login auth required pam_unix_auth.so.1

to

login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1

and

other auth required pam_unix_auth.so.1

to

other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1

Finally, reboot your system, and that’s it!
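As an added example (not part of the original post), here is a small POSIX shell helper that applies the /etc/nsswitch.conf and /etc/pam.conf edits described above to whatever file path you hand it, so you can run it on copies and diff the result before installing, and a check that pam_ldap never ends up without its binding pam_unix_auth line. It assumes the stock SmartOS lines look exactly as quoted in the post; the /tmp paths in the comments are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Operates on the file path given
# as $1 so it can be tried on a copy; the stock lines are assumed to match the
# post. Constructed test input is used below rather than the real /etc files.

# Rewrite "hosts: files ldap" to "hosts: files dns" (host lookups stay local/DNS,
# no LDAP round trip for every hostname resolution).
set_hosts_dns() {
    f="$1"
    sed -e 's/^hosts:[[:space:]][[:space:]]*files[[:space:]][[:space:]]*ldap[[:space:]]*$/hosts: files dns/' \
        "$f" > "$f.new" && mv "$f.new" "$f"
}

# Replace "login|other auth required pam_unix_auth.so.1" with the binding/required
# pair from the post. Idempotent: already-converted lines are not matched again,
# so running it twice does not duplicate the pam_ldap entries.
enable_pam_ldap() {
    f="$1"
    awk '
        $2 == "auth" && $3 == "required" && $4 == "pam_unix_auth.so.1" \
            && ($1 == "login" || $1 == "other") {
            print $1 " auth binding pam_unix_auth.so.1 server_policy"
            print $1 " auth required pam_ldap.so.1"
            next
        }
        { print }
    ' "$f" > "$f.new" && mv "$f.new" "$f"
}

# Consistency check: every "<svc> auth ... pam_ldap.so.1" line must follow a
# "<svc> auth binding pam_unix_auth.so.1" line for the same service, otherwise
# local (non-LDAP) accounts for that service would no longer be able to log in.
# Returns 0 when consistent, 1 otherwise.
check_pam_ldap() {
    f="$1"
    awk '
        $2 == "auth" && $3 == "binding" && $4 == "pam_unix_auth.so.1" { seen[$1] = 1 }
        $2 == "auth" && $4 == "pam_ldap.so.1" && !seen[$1] { bad = 1 }
        END { exit (bad ? 1 : 0) }
    ' "$f"
}

# Usage on the SmartOS VM, as root, after ldapclient has succeeded (hypothetical paths):
#   cp /etc/pam.conf /tmp/pam.conf && enable_pam_ldap /tmp/pam.conf \
#       && check_pam_ldap /tmp/pam.conf && diff /etc/pam.conf /tmp/pam.conf
#   cp /etc/nsswitch.conf /tmp/nsswitch.conf && set_hosts_dns /tmp/nsswitch.conf \
#       && diff /etc/nsswitch.conf /tmp/nsswitch.conf
```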