This chapter discusses how to configure realms for Lightweight Directory Access Protocol (LDAP) and Oracle. These realms can be configured only after setting up the LDAP or Oracle server. For information on setting up the LDAP server, see Chapter 16 “LDAP™ Authentication”. For information on setting up the Oracle server, see Chapter 17 “Oracle Authentication”.

Configuring Realms for LDAP
To configure each realm using LDAP, you must specify the directory server, search base, and other parameters necessary to find profiles for the users in the realm. Complete the following steps to configure realms for LDAP:

1. From the navigation tree, click Local Realms.
2. On the Local Realms screen, click New Local Realm to open the Local Realm Attributes screen.
3. In the Name field, enter the name of the realm to map to the defined LDAP location. This name does not have to be a DNS host name. However, HP recommends that the realm name correspond with the domain name. This way, the user recognizes the user@realm syntax, which resembles their e-mail address.
4. From the Realm Type drop-down list, select Authentication.
5. In the User Profile Storage field, select LDAP. The user storage parameters for LDAP appear when you select LDAP from the User Profile Storage drop-down list. These parameters identify a section of the directory tree on one or more LDAP servers where the HP-UX AAA software will attempt to retrieve user profiles.
6. In the User Storage Parameters field, enter the Policy-Pointer, and select the Filter Type and the LDAP Directory Window.
   - Policy-Pointer - Enter the Distinguished Name (DN) for the HP-UX AAA software to locate the policy object in the configured directories. A policy may be assigned with a policy pointer so that it applies to every incoming request for users in this realm. This field is required only if you are implementing policy stored on an LDAP server. See “Authentication and Policy With LDAP” for more information on policy.
   - Filter-Type - Check the CIS or BIN check-box to have the HP-UX AAA software treat the user id either as BIN (binary, case-sensitive) or CIS (not case-sensitive). When CIS is used, the user id is normalized by converting all characters to upper case before the LDAP search operation is issued. An NAI (RFC 2486) conformance check is done to reject any user with non-RFC-2486 characters in the id.
   - LDAP Directory Window - Select New LDAP Directory or the name of an existing LDAP Directory.
7. In the LDAP screen that appears, configure the LDAP directory using the information described in Table 7-3 “Values for Configuring Realms for LDAP”.
8. In the LDAP screen, click Save.
9. In the Local Realms screen’s Security Method field, select the authentication methods to authenticate users for the realm. If you are using TTLS-PAP, TTLS-MSCHAP, or TTLS-CHAP, select Password Authentication. For all other methods, select EAP Authentication and choose at least one EAP method from the drop-down list.
10. Repeat steps 6 and 7 for each redundant directory you wish to use for failover.
11. Complete any remaining optional fields as necessary for your configuration.
12. Click Create.
13. From the navigation tree, click Save Configuration. If you have multiple remote servers, you will be prompted to select and confirm which servers you wish to add the entry to.

Table 7-3 Values for Configuring Realms for LDAP

| Value | Description |
|---|---|
| Directory Name | Start of a directory configuration. Give a name to the directory, which can be an arbitrary string. If the name contains spaces or tabs, the string must be enclosed in single or double quotes. |
| Host | Name of the host on which the LDAP directory server runs. The value must be a fully qualified DNS name, although an IP address also works. Both traditional IP (IPv4) and IPv6 address formats are supported. The HP-UX AAA Server can resolve DNS name format entries to IPv4 and IPv6 addresses. Enter an IPv4 address in dotted-quad notation and an IPv6 address in IPv6 literal format notation, for example 192.0.2.0 (IPv4) or fedc:ba98:7654:3210:fedc:ba98:7654:3210 (IPv6). |
| Port (Optional) | Port number on which the directory server is running. Default value is 389. |
| Administrator | Special user ID used when an authenticated search is allowed on the LDAP directory server. This administrator does not need to be a real administrator of the LDAP directory server, but must have read access to all the users (and their passwords). Intended to be authenticated by the AAA server. |
| Password | Password for the Administrator to bind (authenticate) itself to the LDAP directory server. |
| Search Base | Pointer into the directory where the search for users in a realm starts. Specifying a search base improves server performance by limiting the scope of search operations on user information for a particular realm. A search base contains a list of A-V pairs that trace a path from a location in the directory's schema to the top of the directory. For example, a search base of o=hp, c=US represents a search for one of the users on the tree shown below this table. The A-V pairs used depend on the schema of your particular directory server. |
| Filter | The Filter flag allows authentication to be based either on the LDAP uid attribute, which normally is CIS, or on the AAA Server User-Id attribute, which is normally BIN. User-Id is an AAA Server-specific RADIUS attribute. This optional flag defaults to uid. |
| Authentication Type | AUTO performs a search as the configured Administrator (searches anonymously if no administrator is configured), anticipating that the password is in the result, and binds as the user if the password is not available. This mode makes the AAA server flexible in accommodating LDAP directories; if directories are configured to return passwords with search, AUTO is equivalent to SEARCH. BIND binds as the user for authentication. SEARCH performs a search as the configured Administrator and expects the user's password in the search result. |

Directory tree for the Search Base example o=hp, c=US:

```
c=US
  |
o=hp
  |
  +----------+----------+-----------+
  |          |          |           |
uid=Joe   uid=Bob   uid=Dawn   uid=Maria
```

NOTE: It is more efficient to start your search lower in the directory structure rather than higher. HP recommends that you eliminate spaces between Search Base components (i.e., instead of ou=abc, o=cde, c=us, use ou=abc,o=cde,c=us).

IMPORTANT: With multiple LDAP directory servers, the Filter used for lookups must be consistent across all directories specified for a particular realm. Potential filters are uid, User-Id, or some other key that uniquely identifies a subject to be authenticated on the system. Currently, the LDAP module does not enforce the use of consistent filters, but using inconsistent filters may produce unpredictable authentication failures.
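As an added example (not code from the HP-UX AAA Server documentation or product), the following Python shows the user-id handling that the Filter-Type setting in step 6 describes: an RFC 2486 NAI conformance check, CIS upper-casing, and RFC 4515 escaping of the resulting LDAP search filter so that characters the NAI grammar still permits cannot change what the filter matches. The function names, and the assumption that the realm part selects the directory and is dropped from the search key, are the example's own.

```python
import re

# RFC 2486 username "char": any printable ASCII except the specials
# < > ( ) [ ] \ . , ; : @ " (plus SPACE and controls), or a backslash-escaped ASCII char.
_CHAR = r"(?:[!#$%&'*+\-/0-9=?A-Z^_`a-z{|}~]|\\[\x00-\x7f])"
_USERNAME_RE = re.compile(r"^" + _CHAR + r"+(?:\." + _CHAR + r"+)*$")  # dot-string
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"                  # let-dig / ldh-str
_REALM_RE = re.compile(r"^" + _LABEL + r"(?:\." + _LABEL + r")*$")


def split_nai(nai):
    """Split user@realm on the first unescaped '@'; a backslash escapes the next char."""
    esc = False
    for i, ch in enumerate(nai):
        if esc:
            esc = False
        elif ch == "\\":
            esc = True
        elif ch == "@":
            return nai[:i], nai[i + 1:]
    return nai, None


def normalize_user_id(nai, filter_type="CIS"):
    """Apply the realm's Filter-Type to an incoming NAI.
    Returns the user id to search for, or None if the NAI fails the RFC 2486 check.
    Assumption: the realm part selects the directory and is not part of the search key."""
    user, realm = split_nai(nai)
    if not _USERNAME_RE.match(user):
        return None
    if realm is not None and not _REALM_RE.match(realm):
        return None
    # CIS: fold to upper case before the LDAP search; BIN: search the id byte-for-byte.
    return user.upper() if filter_type == "CIS" else user


# RFC 4515 escapes for the assertion value of an LDAP search filter.
_FILTER_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_search_filter(user_id, attr="uid"):
    """Build the (attr=value) filter with the value escaped, so characters the NAI
    grammar still permits (such as '*' or an escaped '(') cannot widen the search."""
    value = "".join(_FILTER_ESC.get(c, c) for c in user_id)
    return "(%s=%s)" % (attr, value)
```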
Modifying a Directory Configuration

Complete the following steps to modify a directory configuration:

1. On the Local Realms screen, select the name of the directory definition you wish to modify.
2. Change the values as needed.
3. Click Modify.

Deleting a Directory Configuration

Complete the following steps to delete a directory configuration:

1. On the Local Realms screen, select the name of the directory definition you wish to delete.
2. Click Delete.
Tuning the AAA Server to LDAP Server Connection

The AAA server to LDAP server connection can be modified by adding the following entry to /etc/opt/aaa/aaa.config and then stopping and starting the server:

```
aatv.ProLDAP {
    Retry-Interval 60
    Retry-Wait 1
    Timeout 60
    TCP-Timeout 3
    Debug 0
}
```

- Retry-Interval sets the number of seconds for the AAA server to wait before trying to reconnect to an LDAP directory server when a realm has failover directory servers configured. Default value is 60 seconds.
- Retry-Wait sets the number of seconds that the AAA server will wait before attempting to connect to the same failover LDAP server. When all failover directory servers configured for a realm are down, the AAA server will try to reconnect to one every time an access request is received. In that situation, this parameter guarantees that the software does not spend too much time trying to reconnect to those directory servers. Default value is 1 second.
- Timeout sets the number of seconds that an LDAP connection will remain open when the AAA server has not been able to perform any successful LDAP operation. This parameter allows better handling of the situation where the LDAP directory times out client connections.
- TCP-Timeout sets the number of seconds that the AAA server will wait for an LDAP server when trying to establish the Transmission Control Protocol (TCP) connection.
- Debug determines whether OpenLDAP debug messages should be written to the AAA server radius.debug file. A value of 0 disables writing these messages; a value of -1 enables writing these messages.

The syntax of this property follows a block syntax that is different from the other aaa.config variables.
Configuring Realms for Oracle

To authenticate users stored in an Oracle database, you must configure the AAA server, run the db_srv daemon on each Oracle host machine, and configure one or more Oracle databases with user information according to your requirements. See “Configuring the Oracle Database” for information on how to configure your Oracle database.

Configuring the HP-UX AAA Server Using Server Manager

For each realm using Oracle authentication, you must specify the Oracle server. Complete the following steps to configure the HP-UX AAA Server Manager for Oracle authentication:

1. From the navigation tree, click Local Realms to open the Local Realms screen.
2. Click the New Realm link to open the Realm Attributes screen.
3. In the Name field, enter the name of the realm to map to the defined SecurID location. This name does not have to be a DNS host name. However, HP recommends that the realm name correspond with the domain name. This way, the user recognizes the user@realm syntax that resembles their e-mail address.
4. From the Realm Type drop-down list, select Authentication.
5. In the User Profile Storage field, select Oracle. When you select Oracle from the User Profile Storage drop-down list, a drop-down list appears in the User Storage Parameters section of the form. This drop-down list allows you to create and modify Oracle configurations for the realm.
6. In the User Storage Parameters drop-down list, select New Oracle Server, or the name of an existing Oracle server.
7. Complete the Oracle Server screen (shown in Figure 7-4 “New Oracle Server Screen”) that appears by specifying the host name or IP address of the Oracle server (db_srv daemon), followed by the port number that it uses. You can list an unlimited number of Oracle servers. However, in this context, you must use the appropriate number of servers based on the number of requests received and machine performance. Each listed server must have a unique DNS name and port.
8. Repeat steps 6 and 7 for each redundant directory you wish to use.
   NOTE: AAA authentication automatically performs load balancing and failover in a round-robin fashion across all servers listed for a realm. You cannot configure the functioning of these features.
9. On the Oracle Server screen, click Save.
10. Complete any of the remaining optional fields as necessary for your configuration.
11. Click Create.
12. Repeat these steps as necessary for your configuration.
13. From the navigation tree, click Save Configuration.

CAUTION: Clicking Save saves the entire server configuration (access devices, proxies, local realms, users, and server properties) to the servers you specify.
To Configure and Run the db_srv Daemon

The db_srv daemon is the client that interfaces with the Oracle database and the HP-UX AAA servers. You must run a daemon for each Oracle database you wish to access (but only one db_srv for all AAA connections, since db_srv forks a child process for each AAA server). The AAA server automatically performs load balancing and failover across multiple databases. Run the daemon by executing the /opt/aaa/bin/start_db_srv.sh script. Before running the script, you must edit the script's configuration file, /etc/opt/aaa/db_srv.opt, as follows:

```sh
#! /bin/sh
#########################################################
# WARNING:
# For security purposes, this file should be readable,
# writable and executable only by the aaa owner
# or group aaa (Permission 660)
#########################################################
#########################################################
# You will need to set the following Oracle environment
# variables according to your Oracle configuration.
#########################################################
ORACLE_HOME=<Oracle Home directory>
SHLIB_PATH=$SHLIB_PATH:$ORACLE_HOME/lib
DB_SRV_PORT=<db_srv port number>
DB_SRV_ORA_UID=<Oracle username>
DB_SRV_ORA_PWD=<Oracle password>
DB_SRV_ORA_SID=<Oracle SID>
export DB_SRV_PORT DB_SRV_ORA_UID DB_SRV_ORA_PWD DB_SRV_ORA_SID
export ORACLE_HOME SHLIB_PATH
```

- DB_SRV_PORT=port: Port number on which db_srv listens for incoming authentication requests from the remote AAA server. Any available port number can be used. However, port numbers greater than 4000 are typically used, since port numbers for standard services are usually less than 4000. If multiple db_srv daemons are running on the same machine, each daemon must listen on a different port.
- DB_SRV_ORA_UID=userid: Oracle user name used to access the database.
- DB_SRV_ORA_PWD=password: Oracle password used to access the database.
- DB_SRV_ORA_SID=dbid: Oracle ID for the database to connect to when more than one database exists on the machine. If the parameter is omitted, the daemon connects to the default database, which is defined during database installation.
- ORACLE_HOME=path: Directory where the Oracle database was installed.

To enable debug logging for troubleshooting purposes, in /opt/aaa/bin/start_db_srv.sh, modify the line /opt/aaa/bin/db_srv to /opt/aaa/bin/db_srv -x.

CAUTION: The configuration script /etc/opt/aaa/db_srv.opt contains information that can be used to gain access to the Oracle database. Read access rights must therefore be limited.
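As an added check (not part of the HP-UX AAA Server product), the following Python validates a db_srv.opt file against the requirements above: every variable the daemon needs is set, no <placeholder> from the template remains, the port is above the standard-service range, and the file is not accessible to others. The sample file body, the port 1812 in it and the function names are constructed for this example.

```python
import os
import re
import stat

# Variables the daemon needs from /etc/opt/aaa/db_srv.opt; DB_SRV_ORA_SID is optional
# (without it db_srv connects to the default database).
REQUIRED = ("ORACLE_HOME", "DB_SRV_PORT", "DB_SRV_ORA_UID", "DB_SRV_ORA_PWD")
_ASSIGN = re.compile(r"^\s*([A-Z_][A-Z0-9_]*)=(.*?)\s*$")


def parse_db_srv_opt(text):
    """Collect NAME=value lines; comment and 'export' lines do not match the pattern."""
    return {m.group(1): m.group(2) for m in map(_ASSIGN.match, text.splitlines()) if m}


def check_db_srv_opt(text, mode):
    """Return findings for a db_srv.opt body and its permission bits (e.g. 0o660)."""
    findings = []
    values = parse_db_srv_opt(text)
    for name, value in values.items():
        if value.startswith("<") and value.endswith(">"):
            findings.append("%s still holds the template placeholder %s" % (name, value))
    for name in REQUIRED:
        if name not in values:
            findings.append("%s is not set" % name)
    port = values.get("DB_SRV_PORT", "")
    if port.isdigit() and int(port) <= 4000:
        findings.append("DB_SRV_PORT %s is in the range usually taken by standard services" % port)
    if stat.S_IMODE(mode) & 0o007:  # any permission for 'others' exposes the Oracle password
        findings.append("file is accessible to others (mode %o); it holds the Oracle password"
                        % stat.S_IMODE(mode))
    return findings


def check_db_srv_opt_file(path):
    """Run the checks against a real file, e.g. /etc/opt/aaa/db_srv.opt."""
    with open(path) as f:
        return check_db_srv_opt(f.read(), os.stat(path).st_mode)


# Constructed sample: a half-edited db_srv.opt, not any real deployment's file.
SAMPLE_OPT = """#! /bin/sh
ORACLE_HOME=/opt/oracle/product
SHLIB_PATH=$SHLIB_PATH:$ORACLE_HOME/lib
DB_SRV_PORT=1812
DB_SRV_ORA_PWD=<Oracle password>
export DB_SRV_PORT DB_SRV_ORA_UID DB_SRV_ORA_PWD DB_SRV_ORA_SID
export ORACLE_HOME SHLIB_PATH
"""

if __name__ == "__main__":
    for finding in check_db_srv_opt(SAMPLE_OPT, 0o664):
        print(finding)
```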