· Location of VRTSatlocal.conf

· / var/VRTSat/.VRTSat/profile  (in UNIX & Linux)

· C:\Prpgram Files\VERITAS\Security\Authentication\systemprofile (in Windows 64-bit)

· C:\Prpgram Files (x86)\VERITAS\Security\Authentication\systemprofile (in Windows 32-bit)

VRTSatLocal.conf file must contain the following section:
   [Security\Authentication\Authentication
   Broker\AtPlugins\ldap\DomainInfos\ldap\ DomainName]

where DomainName is the name of the LDAP domain you are using.

For example:
   [Security\Authentication\Authentication
   Broker\AtPlugins\ldap\DomainInfos\ldap\VSS]

Each DomainInfos section should include the following information:

Note:

All of the optional fields have default values set in the main [Security\Authentication\Authentication Broker\AtPlugins\ldap] section. If you want these defaults to be overridden for a particular domain, set the new value in the section for that domain. Setting a new value for one domain does not affect the values for another.

· "Server"="serverName"

(Required) Defines the LDAP server. serverName can be a host name, fully-qualified host name, or IP address of the LDAP server.

For example:

"Server"="my_ldap_server.example.com"

· "GroupBaseDN"="OU=groups,dc=name,dc=name"

(Required) Contains the LDAP distinguished name (DN) of the group container for the intended LDAP domain.

For example:

"GroupBaseDN"="OU=group,dc=example,dc=com"

· "UserBaseDN"="OU=people,dc=name,dc=name"

(Required) Contains the LDAP distinguished name (DN) for the user container for the intended LDAP domain.

For example:

"UserBaseDN"="OU=people,dc=example,dc=com"

· "GroupObjClass"="className"

(Optional) Name of the LDAP Object class which describes how groups within a domain are to be stored in LDAP. The default is "posixGroup". If you override the default here, the new value will affect only this specific domain.

· "UserObjClass"="className"

(Optional) Name of the LDAP Object class which describes how users/people in the domain are to be stored in LDAP. The default is "posixAccount". If you override the default here, the new value will affect only this specific domain.

· "GroupAttr"="cnAttributeName"

(Optional) Name of the attribute within the group object class which used to store the group name. The default is "cn". If you override the default here, the new value will affect only this specific domain.

· "UserAttr"="UIDAttributeName"

(Optional) Name of the attribute within the user object class which used to store the unique user identifier. The default is "uid". If you override the default here, the new value will affect only this specific domain.

· "GroupGIDAttr"="GIDAttributeName"

(Optional) Name of the attribute within the group object class which used to store the group ID. The default is "gidNumber". If you override the default here, the new value will affect only this specific domain.

· "UserGIDAttr"="GIDAttributeName"

(Optional) Name of the attribute within the user object class which used to store the group IDs of the groups the user belongs to. The default is "gidNumber". If you override the default here, the new value will affect only this specific domain.

VRTSatLocal.conf file must contain the following section:
[Security\Authentication\Authentication
Broker\AtPlugins\ldap\ServerInfos\ ServerName]

This section must include:

· "IsDefault"=dword-value

Indicates whether the local host is the default LDAP server.

o Local host is the default LDAP server- "IsDefault"=dword:00000001

o Local host is not the default LDAP server- "IsDefault"=dword:00000000

· "URL"="ldap://your_ldap_server.com"

Defines the LDAP directory server URL.

· "SSLEnabled"=dword-value

Defines whether SSL is enabled between the LDAP plugin and the LDAP server.

o SSL is turned on- "SSLEnabled"=dword:00000001

o SSL is turned off- "SSLEnabled"=dword:00000000

Note:

The LDAP plugin only supports SSL server authentication.

· "SSLType"=dword:00000000

Indicates that server-only SSL is being used. (In the future, mutually authenticated SSL will be supported.)

· "TrustedCACertsPresent"=dword-value

Indicates whether the CA-trusted certificate chain is present. Valid only when SSLEnabled is on ( dword:00000001).

o CA-trusted certificate chain is present- "TrustedCACertsPresent"=dword:00000001

o CA-trusted certificate chain is not present- "TrustedCACertsPresent"=dword:00000000

 

 

1. Please get the following information of an LDAP Server:

· FQDN of LDAP Server:           ______________________________________

· IP Address of LDAP Server:  ______________________________________

· Is it in DNS?

· Is there any Firewall between the LDAP Server & system running VRTSat?

· A proxy user,   AdminUser (a.k.a, bind-user), with access privilege to browse the LDAP's search tree.

 

2. From any system with LDAP client software, execute ' ldapsearch' command to find out whether useful LDAP information for any LDAP user can be retrieved from the LDAP Server, say qaldap.foo.com , by LDAP's AdminUser, say ccs-qa, used in VRTSatlocal.conf

# ldapsearch -L -h qaldap.foo.com -p 389 -D "cn=ccs-qa,ou=ApplicationUsers,o=foo" -w b7r8fjy -b "ou=internal,o=foo" "uid=e120662"

version: 1

dn: uid=E120662,ou=People,ou=NA,ou=internal,o=foo

mail: john.harris@foo.com

uid: E120662

givenName: John

sn: Harris

o: Foo International

objectClass: Top

objectClass: Person

objectClass: inetOrgPerson

objectClass: organizationalPerson

objectClass: hworgperson

objectClass: ndsLoginProperties

cn: Hiris,Dan

 

3. Determine the starting point of LDAP queries on the LDAP server.

 

# ldapsearch -v -h qaldap.foo.com -b '' -s base '(objectlass=*)' NamingContext

 

ldapsearch: started Wed Apr 29 14:09:49 2009

 

ldap_init( qaldap.foo.com, 389 )

filter pattern: (objectlass=*)

returning: NamingContext

filter is: (objectlass=*)

ldapsearch: ignoring LDAP response message type 0x61 (bind result)

 

 

 

4. Determine the top level organization units, using namingContext, (say dc=veritas,dc=com), derived in the above step 2, on the LDAP server.

 

# ldapsearch  -h qaldap.foo.com -b “dc=veritas,dc=com” -s subtree '(objectclass=organizationalunit)'

 

ou=Groups, dc=veritas,dc=com

objectClass=top

objectClass=organizationalUnit

 

ou=People, dc=veritas,dc=com

objectClass=top

objectClass=organizationalunit

ou=People

 

5. List all the users in the LDAP server,

 

# ldapsearch -x -h mtv2850-01.mvw.spt.Veritas.com -b dc=example,dc=com

# extended LDIF

#

# LDAPv3

# base <dc=example,dc=com> with scope subtree

# filter: (objectclass=*)

# requesting: ALL

#

 

# example.com

dn: dc=example,dc=com

objectClass: dcObject

objectClass: organization

objectClass: top

o: example.com

dc: example

 

# Manager, example.com

dn: cn=Manager,dc=example,dc=com

objectClass: organizationalRole

cn: Manager

 

# Marketing, example.com

dn: ou=Marketing,dc=example,dc=com

objectClass: organizationalUnit

ou: Marketing

...

# Jane Doe, Marketing, example.com

dn: cn=Jane Doe,ou=Marketing,dc=example,dc=com

objectClass: inetOrgPerson

cn: Jane Doe

givenName: Jane

sn: Doe

uid: jdoe

telephoneNumber: 3453321

roomNumber: T33

 

6. Troubleshooting the queries on the LDAP server:

· the LDAP server is unreachable

· the LDAP port is not reachable

· the proxy user,   AdminUser (a.k.a, bind-user), is not authorized to browse the LDAP's search tree.

 

7. Assume that VRTSat is already installed and will use LDAP-based authentication on a broker domain, say, FOOLDAP.

 

# cd /opt/VRTSat/bin

# ./vssat showversion

vssat version: 4.3.34.4

# ./vssat showallbrokerdomains     ( Does FOOLDAP exist?)

# ./vssat addbrokerdomain --domain  ldap:FOOLDAP --broker qaldap.foo.com

(Note: LDAPserverName: qaldap.foo.com in this example)

# ./vssat showallbrokerdomains     ( Does AOLLDAP exist now?)

 

 

8. Stop  vxatd before manually modifying VRTSatlocal.conf file.

 

# /etc/init.d/vxatd stop (UNIX/LINUX) (net stop vrtsat  (in Windows))

# cd /var/VRTSat/.VRTSat/profile

# rm  VRTSatlocal.conf.lock

 

9. Ensure that the client system is running VRTSat with Root Broker (RB) and Authentication Broker (AB).

# /opt/VRTSat/bin/vxatd -a -r

# cp VRTSatlocal.conf VRTSatlocal.conf-orig

 

 

10. You can configure VRTSat for LDAP-based authentication in two ways:

· Using 'addldapdomain' option of the vssat command

· Manually modifying VRTSatlocal.conf

 

11. Configure VRTSat using 'addldapdomain' option of the vssat command in VRTSat 4.4 or above:

 

# /etc/init.d/vxatd stop

# /opt/VRTSat/bin/vssat showversion

 

# /opt/VRTSat/bin/vssat addldapdomain --domainname FOOLDAP --server_url ldap:// qaldap.foo.com --user_base_dn cn= ccs-qa,o=Foo --group_base_dn “dc=groups,o=Foo --schema_type rfc2307

 

Another Example,

 

# /opt/VRTSat/bin/vssat addldapdomain --domainname FOOLDAP --server_url ldap:// qaldap.foo.com --user_base_dn ou=people,dc=foo,dc=com --group_base_dn “dc=group,dc=foo,dc=com -schema_type rfc2307

 

· Please edit VRTSatlocal.conf, and change

    "PluginSharedLibFileName"="/opt/VRTSat/lib/libauthldap.so"

 "IsEnabled"=dword:00000001

 

 "AuthType"="BOB"

 "AdminUserPassword"="<Enter_password>"

 "AdminUser"="cn=ccs-qa,ou=ApplicationUsers,o=foo"

 

· Please restart vxatd:  /etc/init.d/vxatd start

 

· To authenticate an LDAP user, say e120662, via LDAP , please do:

 

# /opt/VRTSat/bin/vssat authenticate --domain ldap: FOOLDAP --prplname e120662

 

 

12. Method II: Configure VRTSat manually  for LDAP-based authentication.

 

# /etc/init.d/vxatd stop  (In UNIX/LINUX)

  net stop vrtsat                (In Windows)

# /opt/VRTSat/bin/vssat showversion

 

[Security]
[Security\Authentication]
[Security\Authentication\Authentication Broker]
"Mode"=dword:00000003  
"DebugLogFileName"="/var/VRTSat/vxatd.log"
"UpdatedDebugLogFileName"="/var/VRTSat/vxatd.log"
"CredDetailsFileName"="/var/VRTSat/vrtsat_broker.txt"
"UserName"="root"
"DomainName"="root@sfHos1.foo.com"
"DomainType"="vx"
"BrokerName"="sfHos1.foo.com"
"IsPBXExchangeInstalled"=dword:00000001
"UpdatedSSLIOPServiceID"="VxAT_SSLIOPBroker"
"CurrentSSLIOPServiceID"="VxAT_SSLIOPBroker"
"UpdatedSSLServiceID"="VxAT_SSLBroker"
"CurrentSSLServiceID"="VxAT_SSLBroker"
"UpdatedServiceID"="VxAT_Broker"
"CurrentServiceID"="VxAT_Broker"
"UpdatedPBXPort"=dword:00000614
"CurrentPBXPort"=dword:00000614
"AcceptTimeOut"=dword:00000014
"UpdatedBrokerPort"=dword:00000b05
"CurrentBrokerPort"=dword:00000b05
"BrokerPort"=dword:00000000
"SnapShotDirectory"="/var/VRTSatSnapShot"
"Version"="ver4.0.010"
"RootBrokerTag"="sfHos1.foo.com"
"PBXExchangeRetryInterval"=dword:0000001e
"DebugLevel"= dword:00000004  
"ABSerial"=dword:000000f2
"RBSerial"=dword:00000002


[Security\Authentication\Authentication Broker\AtPlugins]
[Security\Authentication\Authentication Broker\AtPlugins\ldap]
"PluginSharedLibFileName"="/opt/VRTSat/lib/libauthldap.so"
"IsEnabled"=dword:00000001
[Security\Authentication\Authentication Broker\AtPlugins\ldap\AuthMechanisms]
[Security\Authentication\Authentication Broker\AtPlugins\ldap\AuthMechanisms\Simple]
"SearchScope"="SUB"
"AuthType"="BOB"
"AdminUserPassword"=" ****"
"UserBaseDN"=" ou=internal,o=foo"
"GroupBaseDN"=" ou=group,ou=internal,o=foo"
"UserObjClass"="inetOrgPerson"
"GroupObjClass"="posixGroup"
"AuxUserObjClass"=""
"AuxGroupObjClass"=""
"UserAttr"="uid"
"UserGIDAttr"="gidNumber"
"GroupAttr"="cn"
"GroupGIDAttr"="gidNumber"
"PasswordAttr"=""
"AdminUser"=" cn=ccs-qa,ou=ApplicationUsers,o=foo"
[Security\Authentication\Authentication Broker\AtPlugins\ldap\ServerInfos]
[Security\Authentication\Authentication Broker\AtPlugins\ldap\ServerInfos\ qaldap.foo.com]
"SSLType"=dword:00000000
"IsDefault"=dword:00000001
"SSLEnabled"=dword:00000000
"TrustedCACertsPresent"=dword:00000000
"URL"="ldap://qaldap.foo.com"  
[Security\Authentication\Authentication Broker\AtPlugins\ldap\DomainInfos]
[Security\Authentication\Authentication Broker\AtPlugins\ldap\DomainInfos\ldap]
[Security\Authentication\Authentication Broker\AtPlugins\ldap\DomainInfos\ldap\ FOOLDAP]
"Server"="qaldap.foo.com"  
 

· Please restart vxatd:  

o /etc/init.d/vxatd start  (in UNIX/LINUX)

o net start vrtsat     (in Windows)

 

· To authenticate an LDAP user, say e126626, via LDAP , please do:

 

# /opt/VRTSat/bin/vssat authenticate --domain ldap: FOOLDAP --prplname e120662

 

 

· Please collect the data and examine the log file:

o /var/VRTSat/vxatd.log          (UNIX/LINUX)

o C:\Program Files\VERITAS\Security\Authentication\bin\vxatd.log      (WINDOWS)

o VRTSatlocal.conf

o Outputs of

o vssat showversion

o vssat showcred

o vssat showallbrokerdomains

 

 

 

[root@mtv2850-01 LDAP_LAB]# /usr/bin/ldapsearch -vLx  -b "dc=example,dc=com" "(cn=Foo Smith)"

 

version: 1

 

#

# LDAPv3

# base <dc=example,dc=com> with scope subtree

# filter: (cn=Foo Smith)

# requesting: ALL

#

 

# Foo Smith, Marketing, example.com

dn: cn=Foo Smith,ou=Marketing,dc=example,dc=com

cn: Foo Smith

objectClass: person

objectClass: organizationalPerson

objectClass: inetOrgPerson

mail: FSmith@yahoo.com

givenName: Foo

sn: Smith

homePostalAddress: 14 San Carlos Street

l: San Jose

st: CA

postalCode: 95124

telephoneNumber: (408)555-1238

uid: fsmith

userPassword:: bXlzZWNyZXQ=

seeAlso: dc=www,dc=example,dc=com

 

# search result

 

# numResponses: 2

# numEntries: 1

 

[root@mtv2850-01 LDAP_LAB ]# /usr/bin/ldapsearch -vLx  -b "dc=example,dc=com" "(sn=Smith)"
 

version: 1

 

#

# LDAPv3

# base <dc=example,dc=com> with scope subtree

# filter: (sn=Smith)

# requesting: ALL

#

 

# Jay Smith, Engineering, example.com

dn: cn=Jay Smith,ou=Engineering,dc=example,dc=com

objectClass: inetOrgPerson

cn: Jay Smith

givenName: Jay

sn: Smith

telephoneNumber: 3452332

roomNumber: E23

 

# Foo Smith, Marketing, example.com

dn: cn=Foo Smith,ou=Marketing,dc=example,dc=com

cn: Foo Smith

objectClass: person

objectClass: organizationalPerson

objectClass: inetOrgPerson

mail: FSmith@yahoo.com

givenName: Foo

sn: Smith

homePostalAddress: 14 San Carlos Street

l: San Jose

st: CA

postalCode: 95124

telephoneNumber: (408)555-1238

uid: fsmith

userPassword:: bXlzZWNyZXQ=

seeAlso: dc=www,dc=example,dc=com

 

# search result

 

# numResponses: 3

# numEntries: 2