Month: June 2012

During the migration of a production system from Solaris 10 to RedHat Enterprise Linux 5, I discovered that I had a problem with a couple of my LDAP scripts.  The commands being run were standard ldapsearch and ldapmodify commands in a format similar to the following:

ldapsearch -h hostname.domain.com -p 389 -b o=organisation -D cn=admin -w password cn=foobar

ldapmodify -h hostname.domain.com -p 389 -b o=organisation -D cn=admin -w password -f updates.ldif

Each time I ran the commands I got the following error:

SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6) additional info: SASL(-4): no mechanism available:

It turns out that the versions of the ldapsearch and ldapmodify commands that comes with RHEL5 are based on the standard OpenLDAP code.  The OpenLDAP code defaults to expecting an SASL authentication mechansim on the server-side.  Given that the LDAP server I am connecting to is a iPlanet 5.1 LDAP server, it is not configured to understand the SASL authentication types.

The solution is to add the -x option to the commands:

ldapsearch -x -h hostname.domain.com -p 389 -b o=organisation -D cn=admin -w password cn=foobar

ldapmodiy -x -h hostname.domain.com -p 389 -b o=organisation -D cn=admin -w password -f updates.ldif

This command option specifies that the command should be executed using simple authentication instead of SASL.

Image Credit: Ohio State University

Yesterday in my post on Solaris 10 Password Policy Enforcement, I outlined the steps necessary to implement the password requirements that have been decided upon in my system environment.  This post will outline the same process on the RHEL5 systems that I admin.  While the policy requirements are the same, the implementation is vastly different.

Desired Policy

To re-cap, here is the policy that is to be applied to normal users:

• at least 8 characters in length
• no more than 20 characters in length
• contain at least on letter
• contain at least one number
• forced to change at least every 180 days
• 15 minute lockout after 5 unsuccessful attempts

Implementation Differences with Solaris 10

While there were a couple of pieces of the desired password policy that I was unable to implement on Solaris 10, the ease of which the others were configured wins the game hands down.  The PAM module setup on Solaris makes it dead simple to update the policy.  All you have to do is to change the various tunable settings.  And they are all listed in fairly understandable verbiage, no complex or arcane settings.

On the RHEL5 systems I had to delve into the vagaries of PAM module attributes and ordering.  As always, it is important to make backups of any files to protect yourself and allow for disaster recovery. To implement the requirements, I had to edit two files on the system:

1. /etc/login.defs
2. /etc/pam.d/system-auth

Implementation Process

It is important during this process to recognize that if you set the PAM requirements incorrectly you can get burned to the point that the root user will be unable to login, forcing you to boot into single-user mode to recover or to boot the system from a live cd and revert the authentication files.

Setting the password expiration requirement and length setting

Before we get into this please note the warning notice from the login.defs file manpage on a RHEL5 system

Much of the functionality that used to be provided by the shadow password suite is now handled by PAM. Thus, /etc/login.defs is no longer used by programs such as: login(1), passwd(1), su(1). Pleaserefer to the corresponding PAM configuration files instead.

It is still important to configure the password length in the login.defs file so that we can account for legacy codebases.

1. Open /etc/login.defs in your favorite editor
2. Set the attribute of PASS_MAX_DAYS to be 180
3. Set the attribute of PAS_MIN_LEN to be 9

Setting the password complexity requirements

Now here is where the going gets real interesting.  Before we look at /etc/pam.d/system-auth a strong caution

Backup up the file before you alter it and open a backup terminal session as the root user before continuing.  If you put the wrong attributes in place or put the PAM directives in the wrong order you will lock yourself, root user and all, out of the system.  At that point you have two options: single user mode recovery from the console or use a live cd to boot the machine and revert to the backup after mounting the filesystem.  Oh, and it is wise to give yourself a delay with either GRUB or LILO because without the delay you won’t be able to change the boot option to allow the single user mode recovery option.

So, the file involved in this process is /etc/pam.d/system-auth and before I go into some of the nitty gritty, here’s the configuration I ended up using:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_tally2.so deny=6 unlock_time=900
auth sufficient pam_unix.so nullok try_first_pass nodelay
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
 
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
account required pam_tally2.so per_user
 
password required pam_passwdqc.so min=disabled,disabled,12,9,9 max=20 similar=deny enforce=users retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
 
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

The retries requirement is implemented using the following line

auth        required      pam_tally2.so deny=6 unlock_time=900

The complexity and length requirements are implements using the following line

password    required      pam_passwdqc.so min=disabled,disabled,12,9,9 max=20 similar=deny enforce=users retry=3

The following line is set to ensure that the retries count is maintained even if the counter for the pam_tally2 module is corrupted

account     required      pam_tally2.so per_user

References

Rather than go into the details of each individual attribute and how they interact, here are the resources used to develop this ruleset.  They contain an large amount of valuable information.

When trying to sort my cthub XML file recently I found out that my code from the post on sorting the role listing had stopped working.

Turns out that there was an error introduced into the format of this file when upgrading from Contribute 3.11.

As you are no doubt aware, when at least one admin upgrades to Contribute 4 or Contribute CS3 (aka 4.1) all the admins have to since there are upgrades made to the XML files that control the site. Well it appears that this upgrade makes the cthub file non-valid XML.

Take a look at this file and look for the tag font_use_css inside the group_list_item child node of the group_list node. In a copy of the cthub file that was upgraded you will find that this standalone tag is missing the appropriate closing slash. If you compare this against a copy of the cthub file from before the upgrade, assuming you made a backup, you will find that the tag is properly closed.

Since this file is the master file with all of the role information for the site, I wonder if this XML error is causing unknown instability in the system somewhere.

While this is an easy fix, I will be posting some code that you can run to fix this, since editing a file like this by hand can be a real pain.

One of the annoyances I have found with the Contribute Client is that in the Administration interface section, when adding a user, the menu of roles is not sorted for you. The list that appears when you reassign a user or when you create a new role, is sorted for you.

Each time that a new role is added, the client updates the hub file, adding the new role to the end of the list.

In investigating this I found that the hub file is just an XML file. This file is stored in the root _mm folder of the website that you are managing. Note that this file is connection specific, so if you are managing multiple websites, the location of this control file will vary. And if you are managing a large deployment by having multiple sites with a single directory structure, you will have a different _mm folder and hub file for each site, even though they are physically on the same server they are treated differently by the logic of the software.

In the process of troubleshooting the LDAP user problems I was experiencing I found that by default the logging of info and debug messages is turned off by default for the OEM jrun install that is part of Contribute Publishing Server 3.11.

In order to enable these logging levels you have to edit the sevrer configuration xml file. This file should be located in the configuration directory of your jrun4 server’s WEB-INF folder.

The name of the file is: ckm.xml

Open this file in your favorite editor and look for the following section:

/usr/Macromedia_CPS/logs/out.log /usr/Macromedia_CPS/logs/err.log true true true

By default the logger is only set to show error messages. This section also shows the location of the error logs and the output logs.

Note, that enabling this you will get larger log files, since this will log all connections to the LDAP server by the Contribute client(s) that you have installed. You may find it necessary to open the admin console and set a max log file size to control this.