Custom setup for Novell Account Management (SLED.SLED10NAM) - History
January 30, 2009, at 10:49 AM
by -
Changed lines 26-30 from:
id username (i.e. id brandtb) to:
id username (i.e. [@id networkusername@]) January 30, 2009, at 10:48 AM
by -
Changed lines 15-18 from:
To start the process, type in the command setupnam to:
To start the process, type in the command as root ->[@username-sled10:~ # namsetup@] January 30, 2009, at 10:47 AM
by -
Changed lines 8-11 from:
There is a YaST module that is suppose to create the eDirectory Object and setup the PAM on the workstation, but it has some bugs. So to fix this, I created this script (SETUPNAM) which I install via RPM during the initial installation the workstation. nce these scripts are on the server (and tweaked to your specific installation) run: to:
There is a YaST module that is suppose to create the eDirectory Object and setup the PAM on the workstation, but it has some bugs. So to fix this, I created this script (/sbin/namsetup) which I install via RPM during the initial installation the workstation. Enabled eDirectory Users (LUM) LUM allows eDirectory users to log into the SLED workstation as if they were installed on the local workstation. A workstation object is created is created in eDirectory controling access to the workstation. There is a YaST module that is suppose to do this with a nice GUI, but for some reason it doesn't work. So I created a custom script that will perform all the heavy lifting for you. To start the process, type in the command setupnam Enter in the requested information and select the context of the user. After the script runs successfully, a new object will be created in the eDirectory tree in the context you specified above. Before eDirectory users can login, they need to be associated with this workstation. How this is done is beyond the purpose of this document, but once a user is associated with a workstation, they will be able to login using their eDirectory username and password. To test that it is working, use the command id username (i.e. id brandtb) Deleted lines 467-489:
Enabled eDirectory Users (LUM) LUM allows eDirectory users to log into the SLED workstation as if they were installed on the local workstation. A workstation object is created is created in eDirectory controling access to the workstation. There is a YaST module that is suppose to do this with a nice GUI, but for some reason it doesn't work. So I created a custom script that will perform all the heavy lifting for you. To start the process, type in the command setupnam Enter in the requested information and select the context of the user. After the script runs successfully, a new object will be created in the eDirectory tree in the context you specified above. Before eDirectory users can login, they need to be associated with this workstation. How this is done is beyond the purpose of this document, but once a user is associated with a workstation, they will be able to login using their eDirectory username and password. To test that it is working, use the command id username (i.e. id brandtb) January 30, 2009, at 10:45 AM
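Review bot: the 'to' text of the first hunk of this revision (lines 8-11) still says "type in the command setupnam" while the sentence just before it now names the script /sbin/namsetup; pick one name for the command. The same paragraph carries a duplicated phrase, "A workstation object is created is created", and three spelling slips that recur in the moved block below: "controling" (controlling), "suppose to" (supposed to) and "during the initial installation the workstation" (installation of the workstation).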
by -
Changed line 374 from:
select context in "Manually Enter Context" ${array[@]}; to:
select context in "Manually Enter Context" ${array[*]}; January 30, 2009, at 10:43 AM
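Review bot: changing `${array[@]}` to `${array[*]}` in the unquoted select list fixes nothing, because both forms are word-split by the shell in that position, so a DN containing a space (an organizationalUnit with a space in its name) is still broken into several menu entries. The array is populated in browseldap with `for context in $(ldapsearch ... | grep "^dn:" | sed 's|^dn: ||'g)`, which already splits on whitespace, so the fix belongs there: read the dn lines one per iteration (a `while read` loop) and then pass `"${array[@]}"` (quoted, with `@`) to select so each DN stays one word.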
by -
Changed lines 10-12 from:
->[@machine:~ # chkconfig novell-idm 35 @] ->[+/etc/init.d/novell-idm+] to:
->[+/sbin/namsetup+] Changed line 15 from:
#!/usr/bin/env bash to:
#!/bin/bash Added line 17:
############################################################################## Changed lines 19-21 from:
# /etc/init.d/novell-idm # # and its symbolic link # # /usr/sbin/rcnovell-idm # to:
# namsetup # Changed line 21 from:
# Author: Bob Brandt (projects@brandt.ie) # to:
# Author: Bob Brandt projects@brandt.ie # Changed lines 23-27 from:
# This init.d script is used to control the Novell IDM MySQL and JBoss # # Service and is based on the standard SuSE init.d scripts. # # This is the main script that is used to control the other init.d scripts # # during boot. It ensures that the services are started and stopped in the # # correct order. # to:
# This program was created to help administrators setup LUM on workstations. # # Although I have been unable to get LUM to work by using the YaST2 LUM # # compoment, I found a Novell TID (3994289) which describes how to setup # # LUM on SLED10 workstation. In this TID it explains how to modify text # # files directly, a task I definitely don't want my junior Administrators # # performing. # Added lines 30-32:
# Comments can be used but must be preceeded by a hash symbol (#) # # All Comments are to be preceded by a hash symbol (#) (Maximum of 78 chars) # # # Deleted lines 33-112:
# ### BEGIN INIT INFO # Provides: novell-idm # Required-Start: $network # Required-Stop: # Default-Start: 3 5 # Default-Stop: 0 1 6 # Description: Start Novell IDM MySQL and JBoss Service ### END INIT INFO # First reset status of this service . /etc/rc.status rc_reset # Return values acc. to LSB for all commands but status: # 0 - success # 1 - generic or unspecified error # 2 - invalid or excess argument(s) # 3 - unimplemented feature (e.g. "reload") # 4 - insufficient privilege # 5 - program is not installed # 6 - program is not configured # 7 - program is not running # Set default options NOVL_MYSQL_START_SCRIPT=${NOVL_MYSQL_START_SCRIPT:="/etc/init.d/novell-mysql"} NOVL_JBOSS_START_SCRIPT=${NOVL_JBOSS_START_SCRIPT:="/etc/init.d/novell-jboss"} export NOVL_MYSQL_START_SCRIPT export NOVL_JBOSS_START_SCRIPT startdelay="1s" # Check for installation errors if [ ! -x ${NOVL_MYSQL_START_SCRIPT} ]; then echo -n "Novell MySQL Start Script, ${NOVL_MYSQL_START_SCRIPT} does not exist." rc_status -s exit 6 fi if [ ! -x ${NOVL_JBOSS_START_SCRIPT} ]; then echo -n "Novell JBoss Start Script, ${NOVL_JBOSS_START_SCRIPT} does not exist." rc_status -s exit 6 fi # Check for installation errors if [ ! 
-h "/usr/sbin/rcnovell-idm" ]; then ln -s "/etc/init.d/novell-idm" "/usr/sbin/rcnovell-idm" fi case "$1" in start) echo "Starting Novell IDM Applications" $NOVL_MYSQL_START_SCRIPT start && sleep $startdelay && $NOVL_JBOSS_START_SCRIPT start $2 rc_status ;; stop) echo "Stopping Novell IDM Applications" $NOVL_JBOSS_START_SCRIPT stop $2 && $NOVL_MYSQL_START_SCRIPT stop rc_status ;; restart) $0 stop $2 sleep $startdelay $0 start $2 rc_status ;; status) echo "Checking for Novell IDM Applications" $NOVL_JBOSS_START_SCRIPT status $2 && $NOVL_MYSQL_START_SCRIPT status rc_status ;; * ) echo "Usage: $0 {start|stop|status|restart} [debug|nodebug]" && exit 1 ;; esac rc_exit @] (:divend:) ->[+/etc/init.d/novell-mysql+] (:div style="border-style:ridge; border-width:2px; background-color:#ffffcc; margin-left:50px; overflow:auto; width:650px; height:250px;":) [@ #!/usr/bin/env bash Changed lines 35-44 from:
# # # /etc/init.d/novell-mysql # # and its symbolic link # # /usr/sbin/rcnovell-mysql # # # # Author: Bob Brandt (projects@brandt.ie) # # # # This init.d script is used to control the Novell IDM MySQL Service and is # # based on the standard SuSE init.d scripts. # # # to:
# Set the defaults defaultLinuxConfigContext=${defaultLinuxConfigContext:-""} defaultSSLPort=${defaultSSLPort:-"636"} defaultLDAPServer=${defaultLDAPServer:-"ldap:389"} defaultBackupServer=${defaultBackupServer:-"ldap1:389,ldap2:389,ldap3:389"} defaultAdminUser=${defaultAdminUser:-"admin"} defaultWorkstationContext=${defaultWorkstationContext:-""} version="0.5.1" Changed lines 47-87 from:
# ### BEGIN INIT INFO # Provides: novell-mysql # Required-Start: $network # Required-Stop: # Default-Start: 3 5 # Default-Stop: 0 1 6 # Description: Start Novell IDM MySQL Service ### END INIT INFO # First reset status of this service . /etc/rc.status rc_reset # Return values acc. to LSB for all commands but status: # 0 - success # 1 - generic or unspecified error # 2 - invalid or excess argument(s) # 3 - unimplemented feature (e.g. "reload") # 4 - insufficient privilege # 5 - program is not installed # 6 - program is not configured # 7 - program is not running # Set default options NOVL_MYSQL_BASE_FOLDER=${NOVL_MYSQL_BASE_FOLDER:="/opt/novell/idm/mysql"} NOVL_MYSQL_BINARY=${NOVL_MYSQL_BINARY:="${NOVL_MYSQL_BASE_FOLDER}/bin/mysqld_safe"} NOVL_MYSQLADMIN_BINARY=${NOVL_MYSQLADMIN_BINARY:="${NOVL_MYSQL_BASE_FOLDER}/bin/mysqladmin"} NOVL_MYSQL_MY_CNF_FILE=${NOVL_MYSQL_MY_CNF_FILE:="${NOVL_MYSQL_BASE_FOLDER}/my.cnf"} NOVL_MYSQL_USERNAME=${NOVL_MYSQL_USERNAME:="mysql"} export NOVL_MYSQL_BASE_FOLDER export NOVL_MYSQL_BINARY export NOVL_MYSQLADMIN_BINARY export NOVL_MYSQL_MY_CNF_FILE export NOVL_MYSQL_USERNAME # Check for installation errors if [ ! -d ${NOVL_MYSQL_BASE_FOLDER} ]; then echo -n "Novell MySQL Directory, ${NOVL_MYSQL_BASE_FOLDER} does not exist." rc_status -s exit 6 to:
# Below is the code responsible for producing a Selection menu # ############################################################################## function browseldap { current=$1 parent=`echo $current | sed 's|^[^,]*,||'` if [ "$current" == "$parent" ]; then parent="" fi filter="(|(objectClass=organization)(objectClass=organizationalUnit)(objectClass=country)(objectClass=locality))" if [ -n "$current" ]; then currentcontext="\n(Current Context is $current)" else currentcontext="" fi echo -e "\nSelect the Workstation context in LDAP syntax.$currentcontext" declare -a array declare -i i=0 for context in $(ldapsearch -h "$LDAPServer" -b "$current" -x -s one -S dn "$filter" dn | grep "^dn:" | sed 's|^dn: ||'g); do array[i++]="$context" done PS3="Workstation context: " if [ -n "$current" ]; then if [ -n "$parent" ]; then select context in "Manually Enter Context" "Select Current Context" "$parent" ${array[*]} ; do test "$context" && break done else select context in "Manually Enter Context" "Select Current Context" ${array[*]} ; do test "$context" && break done fi else select context in "Manually Enter Context" ${array[*]} ; do test "$context" && break done fi case "$context" in "Manually Enter Context" ) WorkstationContext="" && return ;; "Select Current Context" ) WorkstationContext="$current" && return ;; * ) browseldap "$context" esac } ############################################################################## # Below is the code responsible for Redirecting Linux authentication to # # eDirectory using LUM # ############################################################################## function run_namconfig { echo -e "\n\nDo you wish to continue with this information?" 
echo -e "Primary LDAP Server \t\t= $LDAPServer" echo -e "Secondary Backup LDAP Servers \t= $BackupServer" echo -e "Admin User \t\t\t= $AdminUser" echo -e "Linux Config Context \t\t= $LinuxConfigContext" echo -e "Workstation Context \t\t= $WorkstationContext" echo -e "SSL Port \t\t\t= $SSLPort" echo -e -n "(Yes/No): " read answer if echo ${answer:0:1} | grep -i "y" > /dev/null ; then if [ -n "$AdminPassword" ]; then AdminPassword="-p $AdminPassword" fi if [ -n "$BackupServer" ]; then BackupServer="-R $BackupServer" fi if [ -n "$SSLPort" ]; then SSLPort="-l $SSLPort" fi namconfig add -a "$AdminUser" "$AdminPassword" -r "$LinuxConfigContext" -w "$WorkstationContext" "$SSLPort" -S "$LDAPServer" "$BackupServer" return $? else return 3 fi } ############################################################################## # Below is the code responsible for modifing the /etc/nsswitch.conf file # ############################################################################## function modify_nsswitch { if [ -e /etc/nsswitch.conf.nam ]; then mv -v /etc/nsswitch.conf /etc/nsswitch.conf.nam.bkp cp -v /etc/nsswitch.conf.nam /etc/nsswitch.conf fi } ############################################################################## # Below is the code responsible for modifing the /etc/pam.d files # ############################################################################## function modify_pamd { mv -v /etc/pam.d/common-account /etc/pam.d/common-account.nam grep -v "pam_nam.so" /etc/pam.d/common-account.nam > /etc/pam.d/common-account echo -e "account\trequired\tpam_nam.so\tuse_first_pass" >> /etc/pam.d/common-account echo "'/etc/pam.d/common-account' modified for nam" mv -v /etc/pam.d/common-password /etc/pam.d/common-password.nam grep -v "pam_nam.so" /etc/pam.d/common-password.nam > /etc/pam.d/common-password echo -e "password\trequired\tpam_nam.so\ttry_first_pass" >> /etc/pam.d/common-password echo "'/etc/pam.d/common-password' modified for nam" mv -v /etc/pam.d/common-session 
/etc/pam.d/common-session.nam grep -v "pam_nam.so" /etc/pam.d/common-session.nam > /etc/pam.d/common-session echo -e "session\toptional\tpam_nam.so" >> /etc/pam.d/common-session echo "'/etc/pam.d/common-session' modified for nam" } ############################################################################## # Below is the code responsible for modifing the pam_unix2.conf file # ############################################################################## function modify_pam_unix2 { mv -v /etc/security/pam_unix2.conf /etc/security/pam_unix2.conf.nambkp grep -v "call_modules=nam" /etc/security/pam_unix2.conf.nambkp > /etc/security/pam_unix2.conf echo "auth: call_modules=nam" >> /etc/security/pam_unix2.conf echo "'/etc/security/pam_unix2.conf' modified for nam" } ############################################################################## # Below is the code responsible for running the LUM cache deamon (namcd) # # instead of the name server cache deamon (nscd) # ############################################################################## function start_namcd { chkconfig ncsd off chkconfig namcd on rcnscd stop rcnamcd restart } ############################################################################## # Below is the code responsible for displaying the help screen. # ############################################################################## function display_help { echo -e "\n ${0##*/} [Options]\n" echo -e " Options:" echo -e " -r | --config-context = The LDAP context of the Linux/Unix config object" echo -e " that contains the list of workstation contexts." echo -e " -w | --context = The LDAP format, the context where the server or" echo -e " workstation object will be created." echo -e " -l | --ssl-port = LDAP SSL port to be used. (636 is default)" echo -e " -S | --ldap-server = The preferred LDAP eDirectory server to be used." echo -e " Can be specified by IP address or DNS name." 
echo -e " -R | --backup-server = A comma-separated list of other LDAP servers. Can" echo -e " be specified by IP address or DNS name." echo -e " -a | --admin-user = The fully qualified LDAP administrator's username." echo -e " -p | --admin-password = The administrators password." echo -e " -c | --cache = Refresh the NAM Cache." echo -e " -k | --ssl-key = Import the SSL certificate file into the workstation." echo -e " -h, --help = show this help" echo -e " -v, --version = output version\n" exit 0 } ############################################################################## # Below is the code responsible for displaying the version screen. # ############################################################################## function display_version { echo -e "\nGNU ${0##*/} $version\n" echo -e "This program is distributed in the hope that it will be useful," echo -e "but WITHOUT ANY WARRANTY; without even the implied warranty of" echo -e "MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the" echo -e "GNU General Public License for more details.\n" echo -e "Originally written by Bob Brandt <projects@brandt.ie>.\n" exit 0 } ############################################################################## # Below is the main code of the script # ############################################################################## # Process all the parameters. Since we do not know what order the parameters will # be given, we need to process all the parameters before we act upon them. while [ "$1" != "" ]; do case "$1" in "-r" |"--config-context" ) shift LinuxConfigContext="$1" ;; "-w" | "--context" ) shift WorkstationContext="$1" ;; "-l" | "--ssl-port" ) shift SSLPort="$1" ;; "-S" | "--ldap-server" ) shift LDAPServer="$1" ;; "-R" | "--backup-server" ) shift BackupServer="$1" ;; "-a" | "--admin-user" ) shift AdminUser="$1" ;; "-p" | "--admin-password" ) shift AdminPassword="$1" ;; "-k" | "--ssl-key" ) namconfig -k exit $? 
;; "-c" | "--cache" | "--refresh" | "cache_refresh" ) namconfig cache_refresh exit $? ;; "/?" | "/h" | "-?" | "-h" | "--help" ) display_help exit 0 ;; "/v" | "-v" | "--version" ) display_version exit 0 ;; * ) echo "Options Error: option $1 not recognized." display_help exit 1 ;; esac shift done # Make sure the user is root if ! [ "`id -u`" == "0" ]; then echo "You must be root to run this script!" && exit 1 Changed lines 308-311 from:
if [ ! -f ${NOVL_MYSQL_BINARY} ]; then echo -n "Novell MySQL binary file, ${NOVL_MYSQL_BINARY} does not exist." rc_status -s exit 6 to:
if ! [ -x "/usr/bin/namconfig" ]; then echo "Novell NAM (LUM) must be installed to use this script!" && exit 2 Changed lines 312-316 from:
if ! id $NOVL_MYSQL_USERNAME > /dev/null 2>&1 then echo -n "The ${NOVL_MYSQL_USERNAME} user does not exist." rc_status -s exit 6 to:
# Get defaults from /etc/nam.conf if [ -f "/etc/nam.conf" ]; then temp=`grep "^base-name=" /etc/nam.conf | sed 's|[^=]*=||'` defaultLinuxConfigContext=${temp:-$defaultLinuxConfigContext} temp=`grep "^ldap-ssl-port=" /etc/nam.conf | sed 's|[^=]*=||'` defaultSSLPort=${temp:-$defaultSSLPort} temp=`grep "^preferred-server=" /etc/nam.conf | sed 's|[^=]*=||'` defaultLDAPServer=${temp:-$defaultLDAPServer} temp=`grep "^alternative-ldap-server-list=" /etc/nam.conf | sed 's|[^=]*=||'` defaultBackupServer=${temp:-$defaultBackupServer} temp=`grep "^admin-fdn=" /etc/nam.conf | sed -e 's|[^=]*=||' -e 's|.*cn=||' -e 's|,.*||'` defaultAdminUser=${temp:-$defaultAdminUser} temp=`grep "^workstation-context=" /etc/nam.conf | sed 's|[^=]*=||'` defaultWorkstationContext=${temp:-$defaultWorkstationContext} Changed lines 329-331 from:
# If the Symbolic link is not present, create it. if [ ! -h "/usr/sbin/rcnovell-mysql" ]; then ln -s "/etc/init.d/novell-mysql" "/usr/sbin/rcnovell-mysql" to:
if [ -z "$LDAPServer" ]; then while true; do echo -e -n "Enter the preferred LDAP eDirectory server to be used.\n[$defaultLDAPServer]: " read LDAPServer LDAPServer=${LDAPServer:-$defaultLDAPServer} if ping -c 1 $LDAPServer > /dev/null; then echo "" && break fi echo "The server ($LDAPServer) does not appear to be live!" done if [ -z $BackupServer ]; then echo -e -n "Enter a comma-separated list of other LDAP servers.\n[$defaultBackupServer]: " read BackupServer BackupServer=${BackupServer:-$defaultBackupServer} fi Changed lines 349-373 from:
case "$1" in start) echo -n "Starting Novell MySQL Application" $0 status > /dev/null 2>&1 || $NOVL_MYSQL_BASE_FOLDER/start-mysql.sh start rc_status -v ;; stop) echo -n "Stopping Novell MySQL Application" $0 status > /dev/null 2>&1 && $NOVL_MYSQL_BASE_FOLDER/stop-mysql.sh stop rc_status -v ;; restart) $0 stop sleep 1s $0 start rc_status ;; status) echo -n "Checking for Novell MySQL Application" checkproc "$NOVL_MYSQL_BINARY" rc_status -v ;; *) echo "Usage: $0 {start|stop|status|restart}" && exit 1 ;; esac rc_exit to:
if [ -z "$LinuxConfigContext" ]; then echo -e "\nSelect the Linux/Unix config object context in LDAP syntax." declare -a array declare -i i=1 array[0]="$defaultLinuxConfigContext" for context in $(ldapsearch -h "$LDAPServer" -x -s sub "(objectClass=uamPosixConfig)" dn | grep "^dn:" | sed 's|.*cn=[^,]*,||'); do # Make sure that the value is not already present. test="false" for (( j=0 ; j <= i ; j++ )) do if echo "$context" | sed 's| ||g' | grep -i `echo "${array[j]}" | sed 's| ||g'` > /dev/null then test="true" break fi done if [ "$test" == "false" ]; then array[i++]="$context" fi done PS3="Linux/Unix config object context: " select context in "Manually Enter Context" ${array[@]}; do if ! [ "$context" ]; then context="" fi break done if [ "$context" == "Manually Enter Context" ] || [ -z "$context" ]; then echo -e -n "Manually enter the Linux/Unix config object context in LDAP syntax.\n[$defaultLinuxConfigContext]: " read LinuxConfigContext LinuxConfigContext=${LinuxConfigContext:-$defaultLinuxConfigContext} else LinuxConfigContext=$context fi fi if [ -z "$WorkstationContext" ]; then browseldap "" defaultWorkstationContext=${defaultWorkstationContext:-$LinuxConfigContext} if [ -z "$WorkstationContext" ]; then echo -e -n "Manually enter the Workstation context in LDAP syntax.\n[$defaultWorkstationContext]: " read WorkstationContext WorkstationContext=${WorkstationContext:-$defaultWorkstationContext} fi fi if [ -z "$AdminUser" ]; then defaultAdminUser=${defaultAdminUser:-"admin"} while true; do echo -e -n "\nEnter the administrator's username\n[$defaultAdminUser]: " read AdminUser AdminUser=${AdminUser:-$defaultAdminUser} temp=`ldapsearch -h $LDAPServer -x -s sub -LLL cn=$AdminUser dn` if [ -z "$temp" ]; then echo -e "Sorry but the username ($AdminUser) does not appear in the directory." 
elif [ "`echo $temp | sed -e 's|^dn: ||' -e 's|dn: |\n|g'| wc -l`" == "1" ]; then AdminUser="`echo $temp | sed -e 's|^dn: ||' -e 's|dn: |\n|g'| wc -l`" break else PS3="Administrator's LDAP FDN: " echo -e "\nThe username ($AdminUser) matches multiple users. Select one." select AdminUser in `echo $temp | sed -e 's|dn: ||g'` do if ! [ "$AdminUser" ]; then AdminUser="" fi break done if [ "$AdminUser" ]; then break fi fi done fi # Assign defaults incase any variables are missing SSLPort=${SSLPort:-$defaultSSLPort} run_namconfig && modify_nsswitch && modify_pamd && modify_pam_unix2 && start_namcd && sleep 2s && namconfig -k status=$? if [ "$status" == "0" ]; then echo -e "workstation-context=$WorkstationContext\n" >> /etc/nam.conf echo -e "You can now verify that eDirectory users resolve on the workstation using (id username).\n" id --help fi exit $status Added line 451:
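Review bot: the header hunk (lines 23-27 and the added lines 30-32) has "compoment" for "component" and "preceeded" for "preceded", and the two added comment lines "Comments can be used but must be preceeded by a hash symbol (#)" and "All Comments are to be preceded by a hash symbol (#) (Maximum of 78 chars)" say the same thing; keep one.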
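Review bot: in the hunk replacing lines 47-87, run_namconfig builds option/value pairs into single strings (`AdminPassword="-p $AdminPassword"`, `BackupServer="-R $BackupServer"`, `SSLPort="-l $SSLPort"`) and then expands them inside double quotes on the `namconfig add ...` line, so namconfig receives `-p secret` as one argument instead of the option `-p` followed by its value, and an empty-string argument whenever one of the variables is unset. Keep option and value as separate words (a bash array, or `set -- "$@" -p "$AdminPassword"`) and append them only when the value is non-empty. In the same hunk, start_namcd runs `chkconfig ncsd off`, a typo for `nscd`, so the name service cache daemon stays enabled at boot even though the following `rcnscd stop` stops it for the current session. Also, `-p | --admin-password` accepts the administrator password on the command line, where it is readable by every local user in the process list and is kept in the shell history; prompting for it with `read -s` when it is not supplied avoids both.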
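Review bot: in the hunk replacing lines 329-331, the liveness check `ping -c 1 $LDAPServer` is handed whatever the user accepted at the prompt, and the built-in default from the defaults block is `ldap:389`, a host:port string that ping cannot resolve as a host name, so accepting that default prints "does not appear to be live" and the `while true` prompt loops. Strip any `:port` before pinging, or better, test the LDAP service itself (for example an anonymous `ldapsearch -x -s base` against the server) since ICMP reachability says nothing about whether LDAP is answering. The next test, `if [ -z $BackupServer ]`, should quote the expansion.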
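Review bot: in the hunk replacing lines 349-373, the single-match branch of the administrator lookup assigns `AdminUser="`echo $temp | sed -e 's|^dn: ||' -e 's|dn: |\n|g'| wc -l`"`, i.e. the line count "1", rather than the DN; drop the trailing `| wc -l` so the resolved dn is stored (the multi-match branch below it handles the DN correctly through select). The search `ldapsearch -h $LDAPServer -x -s sub -LLL cn=$AdminUser dn` interpolates the typed name straight into the LDAP filter and leaves it unquoted, so a name containing a space, `*` or parentheses alters the query or splits into extra arguments; pass the filter as one quoted word, `"(cn=$AdminUser)"`, and reject input containing filter metacharacters. The same hunk's Linux/Unix config object menu passes `${array[@]}` unquoted to select, with the same word-splitting problem as in browseldap. At the end, after the success message that tells the reader to run `id username`, the script calls `id --help`, which only prints usage text; remove it.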
January 30, 2009, at 10:42 AM
by -
Changed lines 9-17 from:
setupnam.sh setupnam.rpm to:
nce these scripts are on the server (and tweaked to your specific installation) run: ->[@machine:~ # chkconfig novell-idm 35 @] ->[+/etc/init.d/novell-idm+] (:div style="border-style:ridge; border-width:2px; background-color:#ffffcc; margin-left:50px; overflow:auto; width:650px; height:250px;":) [@ #!/usr/bin/env bash ############################################################################## # # # /etc/init.d/novell-idm # # and its symbolic link # # /usr/sbin/rcnovell-idm # # # # Author: Bob Brandt (projects@brandt.ie) # # # # This init.d script is used to control the Novell IDM MySQL and JBoss # # Service and is based on the standard SuSE init.d scripts. # # This is the main script that is used to control the other init.d scripts # # during boot. It ensures that the services are started and stopped in the # # correct order. # # # ############################################################################## # ### BEGIN INIT INFO # Provides: novell-idm # Required-Start: $network # Required-Stop: # Default-Start: 3 5 # Default-Stop: 0 1 6 # Description: Start Novell IDM MySQL and JBoss Service ### END INIT INFO # First reset status of this service . /etc/rc.status rc_reset # Return values acc. to LSB for all commands but status: # 0 - success # 1 - generic or unspecified error # 2 - invalid or excess argument(s) # 3 - unimplemented feature (e.g. "reload") # 4 - insufficient privilege # 5 - program is not installed # 6 - program is not configured # 7 - program is not running # Set default options NOVL_MYSQL_START_SCRIPT=${NOVL_MYSQL_START_SCRIPT:="/etc/init.d/novell-mysql"} NOVL_JBOSS_START_SCRIPT=${NOVL_JBOSS_START_SCRIPT:="/etc/init.d/novell-jboss"} export NOVL_MYSQL_START_SCRIPT export NOVL_JBOSS_START_SCRIPT startdelay="1s" # Check for installation errors if [ ! -x ${NOVL_MYSQL_START_SCRIPT} ]; then echo -n "Novell MySQL Start Script, ${NOVL_MYSQL_START_SCRIPT} does not exist." rc_status -s exit 6 fi if [ ! 
-x ${NOVL_JBOSS_START_SCRIPT} ]; then echo -n "Novell JBoss Start Script, ${NOVL_JBOSS_START_SCRIPT} does not exist." rc_status -s exit 6 fi # Check for installation errors if [ ! -h "/usr/sbin/rcnovell-idm" ]; then ln -s "/etc/init.d/novell-idm" "/usr/sbin/rcnovell-idm" fi case "$1" in start) echo "Starting Novell IDM Applications" $NOVL_MYSQL_START_SCRIPT start && sleep $startdelay && $NOVL_JBOSS_START_SCRIPT start $2 rc_status ;; stop) echo "Stopping Novell IDM Applications" $NOVL_JBOSS_START_SCRIPT stop $2 && $NOVL_MYSQL_START_SCRIPT stop rc_status ;; restart) $0 stop $2 sleep $startdelay $0 start $2 rc_status ;; status) echo "Checking for Novell IDM Applications" $NOVL_JBOSS_START_SCRIPT status $2 && $NOVL_MYSQL_START_SCRIPT status rc_status ;; * ) echo "Usage: $0 {start|stop|status|restart} [debug|nodebug]" && exit 1 ;; esac rc_exit @] (:divend:) ->[+/etc/init.d/novell-mysql+] (:div style="border-style:ridge; border-width:2px; background-color:#ffffcc; margin-left:50px; overflow:auto; width:650px; height:250px;":) [@ #!/usr/bin/env bash ############################################################################## # # # /etc/init.d/novell-mysql # # and its symbolic link # # /usr/sbin/rcnovell-mysql # # # # Author: Bob Brandt (projects@brandt.ie) # # # # This init.d script is used to control the Novell IDM MySQL Service and is # # based on the standard SuSE init.d scripts. # # # ############################################################################## # ### BEGIN INIT INFO # Provides: novell-mysql # Required-Start: $network # Required-Stop: # Default-Start: 3 5 # Default-Stop: 0 1 6 # Description: Start Novell IDM MySQL Service ### END INIT INFO # First reset status of this service . /etc/rc.status rc_reset # Return values acc. to LSB for all commands but status: # 0 - success # 1 - generic or unspecified error # 2 - invalid or excess argument(s) # 3 - unimplemented feature (e.g. 
"reload") # 4 - insufficient privilege # 5 - program is not installed # 6 - program is not configured # 7 - program is not running # Set default options NOVL_MYSQL_BASE_FOLDER=${NOVL_MYSQL_BASE_FOLDER:="/opt/novell/idm/mysql"} NOVL_MYSQL_BINARY=${NOVL_MYSQL_BINARY:="${NOVL_MYSQL_BASE_FOLDER}/bin/mysqld_safe"} NOVL_MYSQLADMIN_BINARY=${NOVL_MYSQLADMIN_BINARY:="${NOVL_MYSQL_BASE_FOLDER}/bin/mysqladmin"} NOVL_MYSQL_MY_CNF_FILE=${NOVL_MYSQL_MY_CNF_FILE:="${NOVL_MYSQL_BASE_FOLDER}/my.cnf"} NOVL_MYSQL_USERNAME=${NOVL_MYSQL_USERNAME:="mysql"} export NOVL_MYSQL_BASE_FOLDER export NOVL_MYSQL_BINARY export NOVL_MYSQLADMIN_BINARY export NOVL_MYSQL_MY_CNF_FILE export NOVL_MYSQL_USERNAME # Check for installation errors if [ ! -d ${NOVL_MYSQL_BASE_FOLDER} ]; then echo -n "Novell MySQL Directory, ${NOVL_MYSQL_BASE_FOLDER} does not exist." rc_status -s exit 6 fi if [ ! -f ${NOVL_MYSQL_BINARY} ]; then echo -n "Novell MySQL binary file, ${NOVL_MYSQL_BINARY} does not exist." rc_status -s exit 6 fi if ! id $NOVL_MYSQL_USERNAME > /dev/null 2>&1 then echo -n "The ${NOVL_MYSQL_USERNAME} user does not exist." rc_status -s exit 6 fi # If the Symbolic link is not present, create it. if [ ! -h "/usr/sbin/rcnovell-mysql" ]; then ln -s "/etc/init.d/novell-mysql" "/usr/sbin/rcnovell-mysql" fi case "$1" in start) echo -n "Starting Novell MySQL Application" $0 status > /dev/null 2>&1 || $NOVL_MYSQL_BASE_FOLDER/start-mysql.sh start rc_status -v ;; stop) echo -n "Stopping Novell MySQL Application" $0 status > /dev/null 2>&1 && $NOVL_MYSQL_BASE_FOLDER/stop-mysql.sh stop rc_status -v ;; restart) $0 stop sleep 1s $0 start rc_status ;; status) echo -n "Checking for Novell MySQL Application" checkproc "$NOVL_MYSQL_BINARY" rc_status -v ;; *) echo "Usage: $0 {start|stop|status|restart}" && exit 1 ;; esac rc_exit @] (:divend:) November 09, 2007, at 03:09 PM
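Review bot: the replacement text opens with "nce these scripts are on the server", a truncated "Once", and what it introduces, the novell-idm and novell-mysql init scripts that start and stop IDM's MySQL and JBoss services, has no bearing on Linux User Management; it reads as a paste from another page, and the 10:43 AM revision above overwrites it with the namsetup script. Within the pasted scripts, the installation checks `[ ! -x ${NOVL_MYSQL_START_SCRIPT} ]`, `[ ! -x ${NOVL_JBOSS_START_SCRIPT} ]` and `[ ! -d ${NOVL_MYSQL_BASE_FOLDER} ]` should quote their expansions, and the symlink tests `[ ! -h "/usr/sbin/rcnovell-idm" ]` and `[ ! -h "/usr/sbin/rcnovell-mysql" ]` only look for a symlink, so if a regular file already sits at that path the `ln -s` fails on every run and nothing checks its result.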
by -
Added lines 16-37:
Enabled eDirectory Users (LUM) LUM allows eDirectory users to log into the SLED workstation as if they were installed on the local workstation. A workstation object is created is created in eDirectory controling access to the workstation. There is a YaST module that is suppose to do this with a nice GUI, but for some reason it doesn't work. So I created a custom script that will perform all the heavy lifting for you. To start the process, type in the command setupnam Enter in the requested information and select the context of the user. After the script runs successfully, a new object will be created in the eDirectory tree in the context you specified above. Before eDirectory users can login, they need to be associated with this workstation. How this is done is beyond the purpose of this document, but once a user is associated with a workstation, they will be able to login using their eDirectory username and password. To test that it is working, use the command id username (i.e. id brandtb) November 04, 2007, at 09:31 PM
by -
Added lines 1-15:
(:title Custom setup for Novell Account Management:) Novell Account Management (NAM) is very simply a method of using eDirectory as the authentication source for all your corporate sources. (i.e. NT, Active Directory, Unix, Linux AS/400 systems would all look to eDirectory for username/password queries.) This is ideal as each individual would have only one username and password to maintain. Specifically with Linux, Novell uses the terminology Linux User Management (LUM), however this encompasses more than just usernames and password. Because Linux systems use UIDs and GIDs to identify users and groups, eDirectory users and groups must be made Posix enabled (i.e. given a unique number and group assignment). Also, Novell uses a model similar to the Microsoft Domain method, where it creates an object for the workstation/server in eDirectory to control you has access to this device. Groups are associated with the workstation object and if a user is a member of one of those groups, he is allowed to access the workstation. On the workstation side of things, a PAM (Pluggable Authentication Module) is created that reads its workstation object details from eDirectory and determines whether a user is allowed access or not. There is a YaST module that is suppose to create the eDirectory Object and setup the PAM on the workstation, but it has some bugs. So to fix this, I created this script (SETUPNAM) which I install via RPM during the initial installation the workstation. setupnam.sh setupnam.rpm |
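Review bot: in the initial text, "to control you has access to this device" should read "to control who has access to this device", "during the initial installation the workstation" needs "of" ("installation of the workstation"), "is suppose to create" should be "is supposed to create", and the system list "NT, Active Directory, Unix, Linux AS/400" is missing the comma between Linux and AS/400. The description itself is consistent with the script that follows in later revisions: users and groups must be POSIX-enabled in eDirectory, a workstation object is created in the chosen context, and the PAM module on the workstation reads that object to decide access.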