Question about authenticating OpenVOS users using an external OpenLDAP server
I'm trying to figure out if it could be possible for an OpenVOS module (OpenVOS 17.0.2) to trap the user and password information entered at the login prompt from an SSH terminal emulator and validate that data on an external OpenLDAP server...
Could it be configured, maybe using the OpenVOS LDAP software as a client machine of the external LDAP server? Can I redirect registration_admin PAM in such a way as to validate on an external OpenLDAP server?
Thanks and best regards,
Hi Eduardo! Here is a method to accomplish your goal. Most LDAP servers have a provision for communicating via the RADIUS protocol. If you can configure a RADIUS service in the LDAP environment, then all releases of VOS since 14.4 know how to authenticate users against RADIUS. Basically, you register the users on VOS as you normally would, but then you set the "Password Type" to "external" on the second page of the update user function of registration_admin. If a VOS user has a different name in the LDAP/RADIUS database, you can fill in the External Name field and VOS will map the VOS user name to the External Name when it sends out a message via RADIUS. The login command, the ftp client, and the ssh daemon have all been modified to work with RADIUS. Everything you need to know is documented in the VOS System Administrator's Guide: Registration and Security, and your friendly CAC stands ready to answer questions. We have many customers using RADIUS and it works well.
If your copy of OpenLDAP doesn't have a RADIUS server, take a look at the FreeRADIUS software that we have on the VOS anonymous ftp site. It is in the /pub/vos/posix/ga/v-series directory. There should be a way to hook up OpenLDAP and FreeRADIUS -- I haven't tried it, but I'm sure that there is some way to do this.
If you have any additional questions, please let us know. Thanks, PG.
Thank you!