eDirectory/LoginMethod

From MicroFocusInternationalWiki

Introduction

This wiki page provides the steps for compiling and using a custom login method for eDirectory. The sample clear-text login method provided in the downloads section of the NMAS SDK is used as the example (with some necessary modifications).

Details

Points to remember

  • NMAS provides a feature with which custom login methods (and login sequences) can be added to authenticate users to eDirectory
  • Third-party login methods can be developed so that, using this feature, they are loaded into the eDirectory address space
  • NMAS requires third-party login methods to be signed by Novell certificate authorities before it loads them into the eDirectory address space
  • eDirectory's NMAS module (/opt/novell/eDirectory/lib/nds-modules/libnmas.so) does the job of loading the login methods at authentication time
  • The NMAS module can be configured to load login methods in debug mode. In debug mode the methods are loaded without verifying whether they are signed by Novell CAs, which is why it is used only to verify (and test) the functionality of a login method
  • Configuring debug mode requires replacing /opt/novell/eDirectory/lib/nds-modules/libnmas.so with its debug build and restarting the ndsd service (/etc/init.d/ndsd restart)
  • It is important to note that the login method should be compiled on the same machine on which eDirectory will be installed (preferably SLES)

Procedure

Download the SDK


wget ftp://sdk.provo.novell.com/ndk/nmas/builds/cross_platform/novell-nmas-devel-2009.11.11-cross_platform.tar.gz

The login methods are provided under the folder nmas_sample_code/login_method. A login method consists of an LSM (Login Server Method) and an LCM (Login Client Method). The LSM provides the server-side part of user authentication and the LCM provides the client-side part. They are under the folders nmas_login_method/lsm and nmas_login_method/lcm respectively.

Unzip the SDK


tar zxvf novell-nmas-devel-2009.11.11-cross_platform.tar.gz

Install Novell eDirectory

Earlier the Novell NDK was supplied as a separate package. Now the Novell eDirectory package contains the NDK along with it.

Download and install eDirectory as follows:


# wget http://164.99.91.1/Builds/eDirectory/88SP6/eDirectory_88SP6_Linux_i586.tar.gz
# tar zxvf eDirectory_88SP6_Linux_i586.tar.gz
# cd eDirectory/setup
# ./nds-install
   (follow the prompts and answer the questions)
# # Usage: ndsconfig new -t TREE-NAME -n admin-context -a admin-fqdn -w -n -i -e
# # Example:
# ndsconfig new -t EDIR-SECURITY -n novell -a admin.novell -w -n -i -e

What is where

  • NMAS server sdk includes are in nmas/nmas_server_sdk/sdkinc:

mafds.h  maf.h  methodcb.h  nmasapi.h  nmaserr.h  sasllayr.h  saslmech.h

  • The following header files are in nmas/nmas_server_sdk/sdkinc_internal:

mafauthn.h  nmasaddr.h  nmasflgs.h  nmaspxy.h   saslapi.h  spmagent.h  spmdclnt.h
mafhdrs.h   nmasext.h   nmasMsg.h   nmassasl.h  sasl.h     spmconst.h  spm.h

  • NMAS Client includes are in nmas_client_sdk/sdkinc:

legacy  nmasaid.h  nmasapi.h  nmasc32.h  nmasclnt.h  nmasconf.h  nmaserr.h  nmasmaf.h  nmasnov.h

  • Legacy NMAS Client includes are in nmas_client_sdk/sdkinc/legacy:

maf.h  NMASLoginInfo.h  nmasTransport.h  readme.txt  sasflegy.h

  • libnmasclnt.so library is there in nmas_client_sdk/linux/bin:

libnmasclnt.so

  • The following libraries are there in nmas_server_sdk/linux/bin

libnmasinst_sa.so  libnmasldap.so  libsasl.so     libspmdclnt.so
libnmasinst.so     libnmas.so      libspmclnt.so  nmasinst

  • The following headers are there in /mnt/dirtech/ccm_wa/idc_n4u/cldap~rosalind-SP7_beta1/cldap/external/ndk/include:

npackoff.h  npackon.h  ntypes.h  unicode.h

  • The following libraries are there in /opt/novell/eDirectory/lib:

jclient.jar         libicui18n.so.21     liblburp.so.0        libnmasclnt.so      libtrappoll.so.0
jssl.jar            libicui18n.so.21.0   liblburp.so.0.0.0    libpdksa.so.0       libtrappoll.so.0.0.0
libdclient.so.0     libicuuc.so          libldapsdk.so        libsal.so           libxi18n.so
libdsutil.so        libicuuc.so.21       libldapsdk.so.0      libsal.so.1         libXis11.so
libdsutil.so.1      libicuuc.so.21.0     libldapsdk.so.0.0.0  libsal.so.1.0.0     libXis11.so.1
libdsutil.so.1.0.0  libJClient_g.so      libldapssl.so        libsassdk.so        libXis11.so.1.0
libemboxmsg.so      libJClient.so        libldapssl.so.0      libsassdk.so.1      nds
libemboxmsg.so.1.0  libJClient.so.1      libldapssl.so.0.0.0  libsassdk.so.1.0.0  ndsimon
libflaim.so         libJClient.so.1.0.0  libldapx.so          libsch.so           nds-install
libflaim.so.1       libjsas.so           libldapx.so.0        libsch.so.1         nds-modules
libflaim.so.1.0.1   libjsas.so.1         libldapx.so.0.0.0    libsch.so.1.0.0     nds-schema
libicudata.so       libjsas.so.1.0.0     libn4u.so.0          libSOAPs11.so       nssl.jar
libicudata.so.21    liblangmani.so       libndssdk.so         libSOAPs11.so.1.0
libicudata.so.21.0  liblangman.so        libndssdk.so.1       libspmclnt.so
libicui18n.so       liblburp.so          libndssdk.so.1.0.0   libtrappoll.so

Compiling the LSM

The LSM comes under the following folder after unzipping novell-nmas-devel-2009.11.11-cross_platform.tar.gz:


/nmas_sample_code/login_method/lsm/unix/Linux/

Mount the SDK share

To compile the LSM, we need to mount the NFS share that provides the NMAS SDK, which can be done with the following commands:


mkdir /mnt/dirtech
mount -t nfs dirtech-cm1.labs.blr.novell.com:/home/n4u_cm /mnt/dirtech

Edit the makefile

The makefile for the LSM is:


nmas_sample_code/login_method/lsm/unix/Linux/Linux.mak

Edit it and put the following on the INCLUDE line (the backslash continues the line):


INCLUDE= -I../../../../../../nmas_server_sdk/sdkinc -I../../../../shared/ \
    -I/mnt/dirtech/ccm_wa/idc_n4u/cldap~rosalind-SP7_beta1/cldap/external/ndk/include/

Small Changes

The LSM example provided in the sample code retrieves the user's password from the secret store through an API. For that call to succeed, some application must first have put the password into the secret store using the NMAS secret store API. To avoid that complication for this particular demo, make the following changes in the LSM source under nmas_sample_code/login_method/lsm/common/src:


//      get stored digest type and digest
//      storedPwdLen = sizeof(storedPwd);
//      err = MAF_GetAttribute(mh, NMAS_AID_USER_SECRET_DATA, pwdTag, &storedPwdLen, storedPwd);
//      if (err)
//      {
//              TRACE1("CPWD MAF_GetAttribute (password) = %d", err);
//              goto REPORT_ERROR;
//      }

        // Demo only: use a hard-coded password instead of the secret store value
        strcpy(storedPwd, "secret_passwd");
        // The length must cover the whole hard-coded value (13 bytes); a shorter
        // length would make the comparison below look only at a prefix
        storedPwdLen = strlen(storedPwd);
        // Verify password length is in range before calling strncmp()
        if (storedPwdLen != pwdLen)
        {
                err = NMAS_E_LOGIN_FAILED;
                TRACE1("CPWD Password length out of range (%d)", err);
                goto REPORT_ERROR;
        }

The above changes make sure that the LSM does not look for the password in the secret store attribute. Instead, a hard-coded value is used for the purpose of the demo.
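To show why the stored length has to match the hard-coded value, here is a stand-alone comparison routine written for this page as an added example; it is not code from the NMAS SDK sample. It follows the shape of the edited block above (the lengths are checked before any byte comparison, and the comparison covers the whole stored value). The NMAS_E_LOGIN_FAILED value is an assumption defined locally rather than taken from nmaserr.h.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for the NMAS error code used by the sample LSM. The real value
   comes from nmaserr.h in the NMAS server SDK; this one is an assumption. */
#define NMAS_E_LOGIN_FAILED (-1642)
#define CPWD_OK 0

/* Compare a supplied password against the stored one: the lengths must be
   equal before any bytes are compared, and every byte of the stored value is
   compared. The loop always runs over the full length so that a mismatch in
   the first byte costs the same as a mismatch in the last one. */
int cpwd_verify(const char *stored, size_t stored_len,
                const char *supplied, size_t supplied_len)
{
    if (stored_len == 0 || stored_len != supplied_len)
        return NMAS_E_LOGIN_FAILED;

    unsigned char diff = 0;
    for (size_t i = 0; i < stored_len; i++)
        diff |= (unsigned char)(stored[i] ^ supplied[i]);

    return diff == 0 ? CPWD_OK : NMAS_E_LOGIN_FAILED;
}

/* Derive the stored length from the string itself, which is what the
   hard-coded demo value needs: storedPwdLen = 6 for "secret_passwd" would
   restrict the comparison to the first six bytes. */
int cpwd_verify_str(const char *stored, const char *supplied)
{
    return cpwd_verify(stored, strlen(stored), supplied, strlen(supplied));
}

int main(void)
{
    /* Constructed check values: the demo password against itself. */
    return cpwd_verify_str("secret_passwd", "secret_passwd") == CPWD_OK ? 0 : 1;
}
```

With storedPwdLen set to 6 for "secret_passwd", the routine compares only the first six bytes, so the six-character string "secret" is accepted while "secret_passwd" itself is rejected by the length check; taking the length from strlen() makes the full 13-byte value the only accepted password.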

Make

Execute make as follows:


# cd nmas_sample_code/login_method/lsm/unix/Linux/debug
# make -f ../Linux.mak
... 
gcc -shared -Wl,--version-script=../cpwdlin.map -Wl,-rpath /usr/lib -o lsmcpwdlin.so cpwdlsm.o unix_lsm.o
...
# ls
build.Linux.log  cpwdlsm.o  lsmcpwdlin.so  unix_lsm.o
#

Installing the LSM

The LSM can be installed into the default location where the NDS daemon looks for it, as follows:


# mkdir -p /var/opt/novell/eDirectory/data/nmas-methods/NMAS/LSM
# scp lsmcpwdlin.so root@<eDirectory server>:/var/opt/novell/eDirectory/data/nmas-methods/NMAS/LSM
# echo "1 lsmcpwdlin.so LSM00000001" > /var/opt/novell/eDirectory/data/nmas-methods/NMAS/LSM/IDLIST.TXT

Create a dummy login sequence and associate it with the LSM just created

A dummy login method with some name can be created and associated with the LSM that has just been built and installed. When NDSD loads, the .so file under the /var/opt/novell/eDirectory/data/nmas-methods/NMAS/ folder is picked up and associated with that login method name. To do this, run the following commands:


# mkdir /root/nmas_method
# cd /root/nmas_method
# cat > config.txt <<EOF
name=lsmcpwdlin
Vendor=Novell,Inc.
grade=Logged in
methodid =1
EOF
# nmasinst -addmethod admin.novell <Tree> ./config.txt

NOTE: To find the value for <Tree>, run the ndsstat command.

As described above, the name of the method is lsmcpwdlin and the method ID is 1 (the same method ID that was echoed into IDLIST.TXT in the previous step).

Replace the nmas shared object with the debug version

Under the folder structure obtained after unzipping the cross-platform SDK (step 2), we get the following libnmas.so shared object:


nmas_server_sdk/linux/bin/debug/libnmas.so

Copy that .so file to the following location:

cp nmas_server_sdk/linux/bin/debug/libnmas.so /opt/novell/eDirectory/lib/nds-modules

Restart NDSD

Restart the NDS daemon using the following command:


/etc/init.d/ndsd restart

Installing the LCM

LCM Folder

The LCM folder is:


nmas_sample_code/login_method/lcm/linux/src

Small Changes

The LCM .so file normally runs a UI program and picks up the password the user enters in that UI for authentication. Instead of using the UI program, the LCM can be made to use a hard-coded password for verification purposes (temporarily, just for the demo) as follows:


In the LCM source under nmas_sample_code/login_method/lcm/linux/src, replace the following lines:

//      stream = popen("/opt/novell/nmas/methods/clrpwd/cpwdgui", "r"); 
//      fgets(pwd, 128, stream);
//      pclose(stream); 


to

        strcpy(pwd, "<root password>");

For example:

        strcpy(pwd, "novell");

Compile the LCM

Replace the contents of build.sh under nmas_sample_code/login_method/lcm/linux/src with the following and execute ./build.sh to compile the LCM:


gcc -g -fPIC cpwdlcm.c -shared -o libcpwdlcm.so -DUNIX -DLINUX -DNOTRACE -DDS_FOR_UNIX -DN_PLAT_UNIX \
    -DIAPX386 -DDDS_DYNAMIC -I ../../../../../nmas_server_sdk/sdkinc/ \
    -I ../../../../../nmas_server_sdk/sdkinc_internal/ \
    -I /mnt/dirtech/ccm_wa/idc_n4u/cldap~rosalind-SP7_beta1/cldap/external/ndk/include/

Copy the LCM to the /usr/lib folder

cp libcpwdlcm.so /usr/lib

Install the NMAS client

Install the RPM

The NMAS client RPM is under the folder:


nmas_client_sdk/linux/bin

It can be installed using the following commands:


# cd nmas_client_sdk/linux/bin
# rpm -ivh novell-nmasclient.i386.rpm

Create an NMAS client configuration

Clients using the NMAS library use the configuration file /etc/nmasclnf.conf. This file can be created as follows:


/opt/novell/nmas/client/bin/ncc -c create
/opt/novell/nmas/client/bin/ncc -ma 1 module=libcpwdlcm.so network_func=LCM00000001

Verify the configuration

The NMAS client configuration can be verified using the following command:


/opt/novell/nmas/client/bin/ncc -mi

Compile the SASLBIND binary

The SASL bind application is at:


nmas_sample_code/nmas_client

Compile the application as follows:


# cd nmas_sample_code/nmas_client

NOTE: Make sure that the makefile contains the following include and library paths:

# START_CONFIG_SNIP

# include paths
NMAS_SDKINC_PATH        = -I../../nmas_client_sdk/sdkinc \
    -I/mnt/dirtech/ccm_wa/idc_nmas/nmas_methods_external\#auth\#1~idc_nmas\#2.8.2.3/nmas_methods_external/nwsdk/include/ \
    -I../../nmas_client_sdk/sdkinc/
LDAP_SDKINC_PATH        = -I/mnt/dirtech/ccm_wa/idc_n4u/cldap~rosalind-SP7_beta1/cldap/include/

INC_PATHS                       = $(NMAS_SDKINC_PATH) $(LDAP_SDKINC_PATH)

# link libraries

#
# Path to folder containing libnmasclnt.so
#
NMAS_LIB_PATH     = ../../nmas_client_sdk/linux/bin
#
# Path to folder containing modified libldapsdk.so
#
LDAP_LIB_PATH = /opt/novell/eDirectory/lib/

#END_CONFIG_SNIP

Run make:

# make
# ls
idplugin.c  makefile  nmasinfo.c  nmaslogin.c  saslbind  saslbind.c  saslbind.o

Authenticate

Authenticate using the following command:


./saslbind localhost 389 cn=test,o=novell lsmcpwdlin secret_passwd