How to configure vCloud Usage Meter 4.4 LDAP Authentication #VMware
Date: 10/10/2021 | Categories: VMware

Purpose

The following information provides a sample configuration for setting up LDAP authentication with Usage Meter.

Resolution

Pre-requisites:

  1. A configured LDAP server.

Procedure

Below is the sample configuration of a user LDAP authentication with Usage Meter.

  1. Replace the contents of /etc/nslcd.conf with information from your environment. See the example below:
root@photon-machine [ /etc ]# cat /etc/nslcd.conf
uid nslcd
gid ldap

uri ldap://ntitta.lab
base dc=ntitta,dc=lab
binddn CN=service,CN=Users,DC=ntitta,DC=lab
bindpw P@ssw0rd

pagesize 1000
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    passwd uid              sAMAccountName
map    passwd homeDirectory    unixHomeDirectory
map    passwd gecos            displayName
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    shadow uid              sAMAccountName
map    shadow shadowLastChange pwdLastSet
filter group  (objectClass=group)
  2. Configure the nsswitch.conf in the following way:
cat /etc/nsswitch.conf
hosts: files resolve dns
networks: files

protocols: files
services: files
ethers: files
rpc: files
passwd: files ldap
group: files ldap
shadow: files ldap
  3. Configure the system-auth file in the following way:
cat /etc/pam.d/system-auth
# Begin /etc/pam.d/system-auth
auth    required    pam_env.so
auth    required    pam_tally2.so onerr=fail deny=3 unlock_time=900 root_unlock_time=900 file=/var/log/tallylog
auth    sufficient  pam_ldap.so
auth    required    pam_unix.so
auth    optional    pam_faildelay.so delay=4000000
  4. Configure the system-account file in the following way:
cat /etc/pam.d/system-account
# Begin /etc/pam.d/system-account
account    sufficient  pam_ldap.so
account    required    pam_tally2.so file=/var/log/tallylog
account    required    pam_unix.so
# End /etc/pam.d/system-account
  5. Configure the system-password file in the following way:
cat /etc/pam.d/system-password
# Begin /etc/pam.d/system-password
password    sufficient  pam_ldap.so try_first_pass
password    requisite   pam_cracklib.so     minlen=10 minclass=4 difok=4 maxsequence=0 retry=3 enforce_for_root
password    requisite   pam_pwhistory.so    retry=3 remember=5 enforce_for_root
password    required    pam_unix.so         sha512 shadow use_authtok
# End /etc/pam.d/system-password
  6. Configure the system-session file in the following way:
cat /etc/pam.d/system-session
# Begin /etc/pam.d/system-session
session   required    pam_unix.so
session   required    pam_limits.so
session   optional    pam_motd.so
session   optional    pam_lastlog.so showfailed
session   optional    pam_systemd.so
session   optional    pam_ldap.so
# End /etc/pam.d/system-session
  7. Configure the vmware-um-pam file in the following way:
cat /etc/pam.d/vmware-um-pam
auth       sufficient /lib64/security/pam_ldap.so
auth       required   /lib64/security/pam_unix_auth.so
account    sufficient /lib64/security/pam_ldap.so
account    required   /lib64/security/pam_unix_acct.so
  8. The attributes below must exist on the LDAP server for each user who will log in to Usage Meter 4.4:
uid           sAMAccountName
uidNumber     objectSid:<yourValue>
gidNumber     primaryGroupID
homeDirectory "/home/$sAMAccountName"
gecos         displayName
loginShell    "/bin/bash"

Note:

  • uid must be unique for the user and must not collide with any existing user in the Usage Meter appliance. Run getent passwd for the full list of uids already in use.
  • gid must exist in the Usage Meter appliance before configuring the LDAP authentication. Use it to control what privileges you want to give the user. In most cases, use the usagemeter gid 1002.

Note: Making changes to /etc/pam.d generally needs a reboot to take effect. Once the above config is in place, reboot the appliance and try logging in.

Note: If you move the original config files and create new files, ensure the ownership and permissions of the new files match the originals. In particular, /etc/nslcd.conf contains the bind password (bindpw), so it must be owned by root and not be readable by other users.

If the configuration is correct, then once the domain user has attempted to log in to the Usage Meter web application, you should see that same domain user mapped in the output of getent passwd.

root@photon-machine [ /etc ]# getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/dev/null:/bin/false
daemon:x:6:6:Daemon User:/dev/null:/bin/false
messagebus:x:18:18:D-Bus Message Daemon User:/var/run/dbus:/bin/false
systemd-bus-proxy:x:72:72:systemd Bus Proxy:/:/bin/false
systemd-journal-gateway:x:73:73:systemd Journal Gateway:/:/bin/false
systemd-journal-remote:x:74:74:systemd Journal Remote:/:/bin/false
systemd-journal-upload:x:75:75:systemd Journal Upload:/:/bin/false
systemd-network:x:76:76:systemd Network Management:/:/bin/false
systemd-resolve:x:77:77:systemd Resolver:/:/bin/false
systemd-timesync:x:78:78:systemd Time Synchronization:/:/bin/false
nobody:x:65534:65533:Unprivileged User:/dev/null:/bin/false
sshd:x:50:50:sshd PrivSep:/var/lib/sshd:/bin/false
named:x:999:999::/var/lib/bind:/bin/false
polkitd:x:27:1000:PolicyKit Daemon Owner:/etc/polkit-1:/bin/false
nslcd:x:998:998:nslcd ldap user:/:/usr/sbin/nologin
ntp:x:87:87:Network Time Protocol:/var/lib/ntp:/bin/false
usagemeter:x:1000:1002::/home/usagemeter:/bin/bash
umauditor:x:1001:1003::/home/umauditor:/bin/bash
test:*:5000:1002:test:/home/test:/bin/bash                         <---------this is the domain user
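As an added example (not part of the original article or of VMware's appliance tooling), the POSIX shell preflight below checks the two Notes above before the reboot: that the chosen uid is not already used locally, that the gid exists on the appliance, that nsswitch.conf consults ldap for passwd, group and shadow, and that /etc/nslcd.conf is not world-readable since it holds bindpw. The getent and nsswitch texts are constructed stand-ins; uid 5000 and gid 1002 are the values used on this page.

```shell
#!/bin/sh
# Constructed stand-ins for `getent passwd`, `getent group` and
# /etc/nsswitch.conf on the appliance; not captured from a real system.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
usagemeter:x:1000:1002::/home/usagemeter:/bin/bash
umauditor:x:1001:1003::/home/umauditor:/bin/bash'
SAMPLE_GROUP='root:x:0:
usagemeter:x:1002:
umauditor:x:1003:'
SAMPLE_NSSWITCH='hosts: files resolve dns
passwd: files ldap
group: files ldap
shadow: files ldap'

# uid_in_use UID PASSWD_TEXT -> 0 if an existing account already owns UID
uid_in_use() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$3 == u { f = 1 } END { exit !f }'
}

# gid_exists GID GROUP_TEXT -> 0 if GID is already defined on the appliance
gid_exists() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '$3 == g { f = 1 } END { exit !f }'
}

# nsswitch_has_ldap NSSWITCH_TEXT -> 0 only if passwd, group and shadow all list ldap
nsswitch_has_ldap() {
    for db in passwd group shadow; do
        printf '%s\n' "$1" |
            grep -Eq "^[[:space:]]*$db:.*[[:space:]]ldap([[:space:]]|\$)" || return 1
    done
    return 0
}

# nslcd_conf_private FILE -> 0 if FILE (which holds bindpw) is not readable by "other"
nslcd_conf_private() {
    [ -f "$1" ] && [ -z "$(find "$1" -perm -004)" ]
}

# preflight UID GID PASSWD_TEXT GROUP_TEXT NSSWITCH_TEXT -> 0 if the LDAP user can be mapped
preflight() {
    rc=0
    if uid_in_use "$1" "$3"; then echo "FAIL: uid $1 already used locally"; rc=1; fi
    if ! gid_exists "$2" "$4"; then echo "FAIL: gid $2 missing on appliance"; rc=1; fi
    if ! nsswitch_has_ldap "$5"; then echo "FAIL: nsswitch.conf lacks ldap"; rc=1; fi
    return $rc
}

# On a real appliance: preflight 5000 1002 "$(getent passwd)" "$(getent group)" "$(cat /etc/nsswitch.conf)"
preflight 5000 1002 "$SAMPLE_PASSWD" "$SAMPLE_GROUP" "$SAMPLE_NSSWITCH" && echo "preflight OK"
```

Run nslcd_conf_private /etc/nslcd.conf separately as root on the appliance; the sample data above cannot exercise file permissions.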