The HELIOS authentication server (“authsrv”) now supports LDAP authentication against the following LDAP servers: Mac OS X Server, Univention Corporate Server, and OpenLDAP.
The “authsrv” is installed on the HELIOS server and acts as an LDAP client which accesses the LDAP directory read-only.
In the following, we describe the installation and configuration of the “authsrv” for the three LDAP server systems Mac OS X Server, Univention, and OpenLDAP. Please note that the configuration, especially for OpenLDAP, requires some know-how and should therefore be left to experienced system integrators.
Note: Customers who wish to use AD/PDC do not need LDAP. Instead, they can use the existing AD/PDC support.
Password verification
If passwords are stored in LDAP, different storage formats (hashes) may be used. HELIOS can verify only the NTLM or the HELIOS password:
Password storage format | Description |
UNIX crypt password | Used by UNIX applications (not recommended; not usable for HELIOS authentication) |
NTLMv1 password | Used by HELIOS and Samba (the NT hash: unsalted MD4 over the UTF-16LE password) |
HELIOS password | Used by HELIOS |
Note that the NT hash is unsalted and is a password equivalent: anyone who can read the attribute can authenticate as that user. Restrict read access to the password attributes in the directory to the account named in LDAP_BindDN.
Different UNIX platforms ship different LDAP implementations, some of which are outdated or incompatible. Therefore, HELIOS provides current and consistent LDAP libraries for all platforms:
HELIOS supplied LDAP libraries | Description |
libldap_s.so (1) | LDAP library |
libsasl2_s.so (1) | SASL library |
sasl2/ | Directory containing the SASL mechanism plug-ins |
(1) Mac OS X: “libldap_s.dylib” and “libsasl2_s.dylib”; RS/6000: “libldap_s.a” and “libsasl2_s.a”
The HELIOS authentication server includes support for LDAP when installed from HELIOS CD023 or newer.
Set the authentication server preference NameServices according to the LDAP system in use, i.e. for Univention and OpenLDAP add “LDAP” to the list, and for Mac OS X Server add “MACOSX” (but NEVER both values together!).
If the same users exist both locally and in LDAP, you may want to prefer the LDAP user database over the local one. In this case add “+LDAP” instead of “LDAP” to the NameServices list.
If the system itself authenticates users against LDAP, “+LDAP” is mandatory.
The HELIOS Admin checkbox Prefer LDAP corresponds to “+LDAP”.
Examples:
prefvalue -k 'Programs/authsrv/NameServices' -t str "local,NIS,LDAP" (for Univention and OpenLDAP systems)
prefvalue -k 'Programs/authsrv/NameServices' -t str "local,NIS,MACOSX" (for the Mac OS X Server system)
The following preferences and attributes should be set via the included Perl scripts:
Script name | Description |
ldapMacosxPrefs.pl | LDAP configuration script for Mac OS X Server |
ldapUniventionPrefs.pl | LDAP configuration script for Univention Corporate Server |
ldapOpenLDAPPrefs.pl | LDAP configuration script for OpenLDAP |
These scripts are only examples and have to be edited before use. The values that must be specified depend on the LDAP server system in use; the preferences and attributes they set are listed below.
The following preferences, except for LDAP_Port, must be specified with the command:
# prefvalue -k 'Programs/authsrv/<preference>' -t str <value>
For LDAP_Port use:
# prefvalue -k 'Programs/authsrv/LDAP_Port' -t int <value>
Preference | Example value | Description |
LDAP_Server | localhost | LDAP server name or IP address |
LDAP_Port | 389 | LDAP server port |
LDAP_UserBase | dc=HELIOS,dc=de | Search base for user entries |
LDAP_GroupBase | dc=HELIOS,dc=de | Search base for group entries |
LDAP_BindDN | uid=Administrator,cn=users,dc=univention,dc=local | LDAP bind DN |
LDAP_BindPassword | secret | LDAP bind password |
LDAP_LongUserFilter | longName=%s | Select LDAP user entry by long name |
LDAP_UserFilter | cn=%s | Select LDAP user entry by short name |
LDAP_UserIDFilter | longName=%d | Select LDAP user entry by user ID |
LDAP_GroupFilter | cn=%s | Select LDAP group entry by name |
LDAP_GroupIDFilter | gid=%d | Select LDAP group entry by group ID |
LDAP_GroupMemberFilter | user=%s | Select LDAP group entries by user membership |
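The %s and %d placeholders in the filter preferences above are replaced with the name or ID being looked up, and at login time that name is data supplied by the client. An LDAP filter value must be escaped according to RFC 4515 before substitution, otherwise a name such as “*” or “*)(uid=*” changes the meaning of the filter. This page does not state how “authsrv” performs the substitution; the following Python script is an added example, not HELIOS code, that shows the escaping rules and, with a small constructed directory and a minimal single-term filter evaluator, the difference an unescaped “*” makes. The entries, the names and the evaluator are all constructed for illustration.

```python
"""Substitute a login name into an LDAP filter template with RFC 4515 escaping.

Added example, not HELIOS code. It models the %s / %d placeholders of the
LDAP_*Filter preferences; whether authsrv escapes the substituted value is
not stated on the page, so this shows what correct escaping looks like and
why it matters.
"""
import re

# RFC 4515 section 3: these characters must be hex-escaped inside an
# assertion value. NUL is included as well.
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value."""
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, value, escape: bool = True) -> str:
    """Fill the single %s or %d placeholder of a filter template.

    %d accepts only an int (nothing to escape); %s is escaped unless
    escape=False, which exists here only to demonstrate the injection.
    """
    if '%d' in template:
        if not isinstance(value, int):
            raise TypeError('%d template needs an integer id')
        return template.replace('%d', str(value), 1)
    if '%s' not in template:
        raise ValueError('template has no placeholder')
    if not isinstance(value, str):
        raise TypeError('%s template needs a string')
    return template.replace('%s', escape_filter_value(value) if escape else value, 1)


def _unescape(v: str) -> str:
    """Turn \\XX hex escapes back into the literal characters."""
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), v)


def _match_value(pattern: str, value: str) -> bool:
    """Match one assertion value: an unescaped '*' is a wildcard, '\\XX' is literal."""
    parts = [_unescape(p) for p in pattern.split('*')]
    if len(parts) == 1:
        return parts[0] == value
    if not value.startswith(parts[0]) or not value.endswith(parts[-1]):
        return False
    pos = len(parts[0])
    for mid in parts[1:-1]:
        idx = value.find(mid, pos)
        if idx < 0:
            return False
        pos = idx + len(mid)
    return pos <= len(value) - len(parts[-1])


def search(entries, filt: str):
    """Tiny evaluator for a single 'attr=value' (optionally parenthesised)
    equality/substring filter; enough to show the effect of an unescaped '*'.
    Returns the uids of the matching entries."""
    m = re.fullmatch(r'\(?([A-Za-z][\w-]*)=([^()]*)\)?', filt)
    if not m:
        raise ValueError(f'unsupported or malformed filter: {filt!r}')
    attr, pattern = m.group(1), m.group(2)
    return [e['uid'] for e in entries if attr in e and _match_value(pattern, e[attr])]


# Constructed sample directory (not taken from the page).
SAMPLE_ENTRIES = [
    {'uid': 'ldapuser', 'cn': 'LDAP User', 'uidNumber': '1001'},
    {'uid': 'admin', 'cn': 'Administrator', 'uidNumber': '1000'},
]


def demo():
    """Return (escaped filter, unescaped filter, hits escaped, hits unescaped)
    for the hostile login name '*'."""
    hostile = '*'
    safe = build_filter('uid=%s', hostile)
    unsafe = build_filter('uid=%s', hostile, escape=False)
    return safe, unsafe, search(SAMPLE_ENTRIES, safe), search(SAMPLE_ENTRIES, unsafe)


if __name__ == '__main__':
    print(build_filter('uid=%s', 'ldapuser'))
    print(demo())
```

Run directly, the script prints the normal filter for “ldapuser” and then the two filters built from the name “*” with their hits: the escaped one matches nothing, the unescaped one matches every entry. The evaluator understands only one “attr=value” term, which is all that is needed to show the effect.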
Preference | Example name | Description |
LDAP_UATTR_HeliosPassword | heliosPassword | HELIOS password (generated via HELIOS “authutil” tool) |
LDAP_UATTR_ClearPassword | clearPassword | Cleartext password (not recommended) |
LDAP_UATTR_NTPassword | sambaNTPassword | NT hash |
LDAP_UATTR_Name | uid | User name (e.g. UNIX short name) |
LDAP_UATTR_LongName | cn | User long name (e.g. UNIX GECOS) |
LDAP_UATTR_UID | uidNumber | User ID |
LDAP_UATTR_PGID | gidNumber | Primary group ID |
LDAP_UATTR_HomeDirectory | homeDirectory | Path to user home directory |
LDAP_UATTR_AppleID | authAuthority | Apple ID used to identify user to Apple Password Server (only Mac OS X Server) |
LDAP_GATTR_GID | gidNumber | Group ID |
LDAP_GATTR_NAME | cn | Group name |
LDAP_GATTR_AppleID | authAuthority | Apple ID used to identify group to Apple Password Server (only Mac OS X Server) |
To verify that the LDAP server is reachable after the installation of the “authsrv”, run:
# socket -v <LDAP_Server> <LDAP_Port>
If the output ends with “Successfully connected to server. Going into interactive mode.”, the TCP connection works. If the connection could not be established in time you will receive a “Connection timed out” message; if no LDAP service is listening on this host and port, a “Connection refused” message. This step checks only TCP reachability, not that an LDAP server answers; that is what the “ldapsearch” step below is for.
Example:
# cd /usr/local/helios
# bin/socket -v ldaphost 389
socket 1.0.0 (c) 2005 by HELIOS Software Garbsen
Trying to connect to ldaphost port 389 ...
Resolving ip address ...
Address is 172.16.3.228.
Opening socket ...
Done.
Connecting to server ...
Done.
Local port is 44590, remote port is 389.
Successfully connected to server.
Going into interactive mode.
The parameters of “ldapsearch” depend on the platform where the command is issued. Please refer to the corresponding manpages. The output depends on the host queried, which is specified by the -h switch (in the following examples “ldaphost”). Note that current OpenLDAP clients no longer accept -h; use -H ldap://ldaphost instead.
# ldapsearch -h <Host Name>
Example call (OpenLDAP for Mac OS X, Linux, Univention):
# ldapsearch -h ldaphost -x -s base -b "" "(objectclass=*)" +
Example call (IBM AIX, Solaris):
# ldapsearch -h ldaphost -s base -b "" "(objectclass=*)" +
Example output:
structuralObjectClass=OpenLDAProotDSE
configContext=cn=config
namingContexts=dc=my-domain,dc=com
supportedControl=1.3.6.1.4.1.4203.1.9.1.1
supportedControl=2.16.840.1.113730.3.4.18
supportedControl=2.16.840.1.113730.3.4.2
supportedControl=1.3.6.1.4.1.4203.1.10.1
supportedControl=1.2.840.113556.1.4.319
supportedControl=1.2.826.0.1.334810.2.3
supportedControl=1.2.826.0.1.3344810.2.3
supportedControl=1.3.6.1.1.13.2
supportedControl=1.3.6.1.1.13.1
supportedControl=1.3.6.1.1.12
supportedExtension=1.3.6.1.4.1.4203.1.11.1
supportedExtension=1.3.6.1.4.1.4203.1.11.3
supportedFeatures=1.3.6.1.1.14
supportedFeatures=1.3.6.1.4.1.4203.1.5.1
supportedFeatures=1.3.6.1.4.1.4203.1.5.2
supportedFeatures=1.3.6.1.4.1.4203.1.5.3
supportedFeatures=1.3.6.1.4.1.4203.1.5.4
supportedFeatures=1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion=3
supportedSASLMechanisms=DIGEST-MD5
supportedSASLMechanisms=CRAM-MD5
entryDN=
subschemaSubentry=cn=Subschema
Continue with the next steps only if “ldapsearch” succeeds.
Note: HELIOS services must not be running while this step is performed!
With the following call, “authsrv” tries to retrieve all attributes for <User_Name> using the currently set preferences. The specified user must be a complete and valid LDAP user. The output also shows how the directory is accessed: “* using anonymous bind” indicates that no LDAP_BindDN is set, so the user attributes, including the password attributes, are readable without authentication; “* clear text password detected” indicates that a cleartext password attribute is present. Both are acceptable in a test setup but should not be used in production.
# authsrv ldapcheck <User_Name>
Example:
# cd /usr/local/helios
# sbin/authsrv ldapcheck ldapuser
ldap preliminary check starting...
preference ldap server - 'LDAP_Server':'ldaphost.helios.de' OK
preference using port - 'LDAP_Port':'389' OK
* connected
* got version 2
* set to version 3
* using anonymous bind
* bind OK, now requesting user info for 'ldapuser'
preference user filter - 'LDAP_UserFilter':'uid=%s' OK
preference user base - 'LDAP_UserBase':'cn=users,dc=ldaphost,dc=helios,dc=de' OK
* filter: 'uid=ldapuser'
* user found, now requesting basic attributes
preference user name - 'LDAP_UATTR_Name':'uid' OK
preference user long name - 'LDAP_UATTR_LongName':'cn' OK
preference home dir - 'LDAP_UATTR_HomeDirectory':'homeDirectory' OK
preference uid - 'LDAP_UATTR_UID':'uidNumber' OK
preference pgid - 'LDAP_UATTR_PGID':'gidNumber' OK
* (attribute 'objectClass' detected)
* attribute UID detected
* (attribute 'apple-generateduid' detected)
* (attribute 'apple-mcxflags' detected)
* (attribute 'loginShell' detected)
* attribute PGID detected
* (attribute 'authAuthority' detected)
* clear text password detected
* attribute name detected
* attribute long name detected
* (attribute 'sn' detected)
* attribute homedir detected
* 12 attributes detected
Note: The following example is simplified. Usually the directory structure and access rights should have a more sophisticated design.
Run “yast” and install the packages “openldap2”, “openldap2-client”, and optionally “yast2-ldap-server”, but do not start the OpenLDAP server yet.
Edit “/etc/openldap/slapd.conf” according to your needs; in particular include the file helios.schema right after “yast.schema”, and ensure that the entries for “rootdn” and “rootpw” match those specified for the HELIOS authentication server (“LDAP_BindDN” and “LDAP_BindPassword”). Store “rootpw” as a hash generated with “slappasswd” rather than in cleartext, and add an “access to attrs=...” directive so that the password attributes (e.g. heliosPassword, sambaNTPassword) are readable only by the bind DN and not anonymously. It may also be necessary to include “nis.schema” instead of “rfc2307bis.schema” to create groups.
Customize the file root_node.ldif according to your requirements and call the command:
# slapadd -v -l root_node.ldif
Start the OpenLDAP server and check for error messages:
# /etc/rc.d/ldap start
Create a HELIOS password via:
# authutil passwd -H -X -p <HELIOS_password>
Edit sample_user.ldif according to your needs, using the HELIOS password just created, and add it. The examples below pass the bind password with “-w” on the command line, where it is visible in the process list and the shell history; use “-W” to be prompted for it instead.
# ldapadd -v -f sample_user.ldif -x -D "cn=Manager,dc=my-domain,dc=com" -w secret
Edit sample_group.ldif according to your needs and add it.
# ldapadd -v -f sample_group.ldif -x -D "cn=Manager,dc=my-domain,dc=com" -w secret
As user root issue the command “slapcat” and verify that the sample user just added is listed.
Mac OS X Server:
User / group administration via “Workgroup Manager” program
Univention Corporate Server:
User / group administration via “Univention Admin” web interface
OpenLDAP:
Manual user / group administration via configuration files or third-party tools.
Configuration files can be:
To deactivate LDAP support it is sufficient to remove the LDAP value (“LDAP”, “+LDAP”, or “MACOSX”) from the NameServices preference:
# prefvalue -k 'Programs/authsrv/NameServices' -t str "local,NIS"
Please report errors or make suggestions to: support (at) helios.de.