By battletroll at 2010-05-07 10:54
LDAP/Active Directory integration Configuration:

Required Packages:
openldap
openssl
nss_ldap(pam_ldap)
cyrus-sasl
krb5-libs
krb5-auth-dialog
krb5-workstation
pam_krb5
system-config-authentication (Should be installed by default)
nscd
ntpd

First, the naming conventions I use:
FQDN or fqdn = Fully Qualified Domain Name
ipaddr = IP address
subdomain.domain.com = example of the domain structure
servername = the server's hostname (DUH!)


I believe that's all of the packages, but I am not 100% sure for each distro.
Installing the packages listed above with yum/apt/zypper SHOULD pull in all the
necessary dependent packages too.

Remember /etc/ldap.conf and /etc/openldap/ldap.conf are 2 different files and are for different applications.

/etc/ldap.conf: # Used by pam_ldap/nss_ldap to perform authentication and user lookups.
/etc/openldap/ldap.conf: # Used by the OpenLDAP tools and applications to connect.
/etc/krb5.conf: # Used to authenticate to Kerberos
/etc/nsswitch.conf: # Used to define where to collect user info (local 1st, network 2nd)
/etc/sysconfig/authconfig: # Used to tell the system what applications to use to authenticate.
/etc/ntp/steptickers # Used for clock sync at boot
/etc/ntp/ntpservers # Servers to use by ntpd
/etc/ntp.conf # Configures the system to use, or act as, a stratum 1, 2 ... 10 server (10 means no source available; use the BIOS clock)

####################################################################################################

How to configure:
Start by getting the certificate from the Active Directory server. The Windows certificate will be
<servername.domainname>.crt. This has to be converted to PEM format; the .crt is in DER format.
To do this use the following command:

openssl x509 -in input.crt -inform DER -out output.crt -outform PEM

Place the newly converted certificate in /etc/pki/tls/certs or in a directory the openldap
application can read. I used /etc/openldap/cacerts.
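The conversion above only changes the container, not the certificate: PEM is the DER bytes base64-encoded in 64-column lines between BEGIN/END markers. The following script, added here as an example and not part of the original howto, shows that by detecting which of the two formats a file is in (every X.509 certificate starts with the ASN.1 SEQUENCE tag 0x30) and wrapping DER into PEM the same way openssl does. The SAMPLE_DER blob is a constructed five-byte SEQUENCE, not a real certificate; a real .crt from AD can be passed to to_pem() unchanged.

```python
import base64
import re

# Constructed sample: a minimal DER SEQUENCE { INTEGER 1 }. Not a certificate,
# only enough to exercise the DER/PEM detection and the wrapping.
SAMPLE_DER = bytes.fromhex("3003020101")

# Matches one PEM block and captures its label and base64 body.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def detect_format(data: bytes) -> str:
    """'PEM' if a PEM armour is present, 'DER' if the blob starts with an ASN.1
    SEQUENCE tag (0x30), which every X.509 certificate does, else 'UNKNOWN'."""
    if PEM_RE.search(data):
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    return "UNKNOWN"


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """Base64-encode the DER bytes in 64-column lines between BEGIN/END markers,
    which is what `openssl x509 -inform DER -outform PEM` writes out."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n".encode("ascii")


def pem_to_der(pem: bytes) -> bytes:
    """Reverse of der_to_pem: strip the armour and decode the base64 body."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode(b"".join(m.group(2).split()))


def to_pem(data: bytes) -> bytes:
    """Accept either format and return PEM; refuse anything that is neither,
    so a stray PKCS#7/PKCS#12 export is not silently mis-labelled as a CA cert."""
    fmt = detect_format(data)
    if fmt == "PEM":
        return data
    if fmt == "DER":
        return der_to_pem(data)
    raise ValueError("input is neither DER nor PEM")


if __name__ == "__main__":
    pem = to_pem(SAMPLE_DER)
    print(pem.decode())
    print("round trip ok:", pem_to_der(pem) == SAMPLE_DER)
```

Whatever produced the PEM, verify the result before pointing TLS_CACERT at it: the file must be the CA certificate that issued the domain controller's certificate, not the controller's own certificate and not one from another domain.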

---------------------------------------------------------------------------

Ensure Kerberos is configured correctly.
You can verify this with kinit <AD username>. This will prompt you for a password.
If configured correctly you will receive a Kerberos ticket from AD.

LDAP DOES NOT need to be configured for this to work.
(See below for configuring the /etc/krb5.conf file)

----------------------------------------------------------------------------

Next you want to configure /etc/openldap/ldap.conf. Again, this file IS NOT the same as
/etc/ldap.conf. Only the basic information is necessary here.

HOST = The LDAP server
URI = The ldap://<ipaddr> to use. If using TLS/SSL use ldaps://<ipaddr>
BASE = The root to start searching from in the AD tree (notice I start below the root domain)
TLS_REQCERT = Whether to require and verify the server's certificate (never/allow/try/demand)
TLS_CACERT = The root cert from AD that was converted earlier (this can be in any dir openldap can access)
SSL start_tls = Use TLS to do basic encryption to AD

If you are using SELinux ensure the file context is correct.
Use semanage to set the context if it is wrong.

------------------------------------------------------------------------
# To configure /etc/ldap.conf do the following:
# (To avoid DNS lookups place the IP/FQDN in the /etc/hosts file:
# 192.168.0.1 myhost.example.com)

uri = ldap://<fqdn> or ldaps://<fqdn>
#host = same as above. This can be the IP or FQDN.
(Only use uri or host)
base = Same as above
ldap_version = not necessary if doing version 3, it is the default
binddn = User acct to connect to AD and query information with.
(MS admins should limit the access of this account as much as possible, e.g. guest)
bindpw = password used to connect to AD by the user specified above
scope = sub specifies to search the tree from base and below
(Remember base is specified above)
timelimit = Time for an ldap query to wait
#ssl = I use sasl so ssl is not used.
nss_map_objectclass = maps the LDAP objectclass posixAccount to User
nss_map_objectclass = maps the LDAP objectclass shadowAccount to User
nss_map_objectclass = maps the LDAP objectclass posixGroup to Group
nss_map_attribute = maps the UNIX attribute uid to sAMAccountName
nss_map_attribute = maps the LDAP attribute uidNumber to uidNumber
nss_map_attribute = maps the LDAP attribute gidNumber to gidNumber
nss_map_attribute = maps the LDAP attribute cn to sAMAccountName
nss_map_attribute = maps the LDAP attribute homeDirectory to unixHomeDirectory
(you must have the path mounted or tell the system to create dirs for this to work)
nss_map_attribute = maps the LDAP attribute gecos to name
pam_login_attribute = assigns the pam userid to sAMAccountName
pam_filter = filters pam for user information
nss_base_passwd = specifies the nss_ldap base; the ?sub at the end tells it to search base and below
nss_base_shadow = same as above
nss_base_group = same as above but collects group info
tls_cacert = path to the converted PEM certificate from AD
tls_reqcert = never: do not require or verify the server certificate (demand would verify it against tls_cacert)
bind_policy = Fixes a problem when booting to stop hangs at messagebus (Fedora/Redhat)
(There is a chicken/egg problem here.)


** If you need to add attributes just follow the syntax above for mapping
-------------------------------------------------------------------------

/etc/nsswitch.conf tells the system where to get its user/group/password info from.
I only use it for auth and group membership.

/etc/nsswitch.conf
passwd: = Use local files first, then winbind, then LDAP
shadow: = Use local files first, then LDAP
group: = Use local files first, then winbind, then LDAP

You can use more databases, but with LDAP you will need to map the attributes as above.

------------------------------------------------------------------------

/etc/sysconfig/authconfig: (Fedora/Redhat; not sure about the rest)

This is self explanatory. Each setting is either yes or no. I recommend using LDAP for user info and Kerberos
for auth. This howto is for that specific configuration.

This can be configured with system-config-authentication
Do not modify the setting if you are configuring the files manually.

Run:
system-config-authentication (In runlevel 5 a gui will pop up, in runlevel 3 this will use ncurses)
Select LDAP on the user-information tab.
Select kerberos on the Authentication tab.
On the last tab select create home directory if you want the system to create the home dir for you.
Click OK.


This will also configure PAM for you.

The final steps are simple:
ensure nscd and saslauthd start at boot.

chkconfig nscd on
chkconfig saslauthd on

That should be about it.

------------------------------------------------------------------------
The files I use are listed below:
#########################################################################
FILES: #
#########################################################################

/etc/openldap/ldap.conf

HOST <FQDN> # This can be an IP
URI ldaps://<ipaddr> # Use ldaps if port 636 is used
BASE cn=users,dc=subdomain,dc=domain,dc=com # Base DN to start the search from
TLS_REQCERT never # Do not verify the server cert (demand would check it against TLS_CACERT)
TLS_CACERT /etc/openldap/cacerts/certificate.pem # ENSURE this is the right cert and not from a different domain
BINDDN ldapman@subdomain.domain.com # User to connect as
SSL start_tls # Start TLS for simple encryption

------------------------------------------------------------------------
/etc/ldap.conf

uri ldaps://<fqdn hostname>/ # Same as above
#host <ip address> # IP address of server
base cn=users,dc=subdomain,dc=domain,dc=com # Search base
ldap_version 3 # Version
binddn cn=ldapman,ou=ServiceAccts,dc=subdomain,dc=domain,dc=com # User to bind as
bindpw <user passwd> # That user's password
scope sub # search base and everything below it ("sub"ordinate)
timelimit 30
#ssl start_tls # SSL not used, same as above
#
# Active Directory attributes that correspond to the LDAP/POSIX ones
#
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_objectclass posixGroup Group
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber uidNumber
nss_map_attribute gidNumber gidNumber
nss_map_attribute cn sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute loginShell loginShell
nss_map_attribute uniqueMember member
nss_map_attribute gecos name
pam_login_attribute sAMAccountName # Login name from Windows
pam_filter objectclass=User
nss_base_passwd dc=subdomain,dc=domain,dc=com?sub
nss_base_shadow dc=subdomain,dc=domain,dc=com?sub
nss_base_group dc=subdomain,dc=domain,dc=com?sub
tls_cacert /etc/openldap/cacerts/<servername.domainname.pem> # Path to the AD CA cert converted to PEM
tls_reqcert never # Do not verify the server certificate (demand verifies it against tls_cacert)
bind_policy soft # hard retries until the server answers, soft fails immediately
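The settings described above and listed in this file decide whether the bind password and every user lookup are protected on the wire, so it is worth checking them before the machine is joined. The script below is an added example, not part of the howto: it parses the nss_ldap/pam_ldap "key value" syntax and flags a plain ldap:// URI without ssl start_tls, tls_reqcert never/allow (the AD server certificate is never verified, so TLS does not stop a spoofed directory), a missing tls_cacert, a bindpw stored in the world-readable config, and the bind_policy hard default that causes the boot hang mentioned above. WEAK_LDAP_CONF and HARDENED_LDAP_CONF are constructed samples with placeholder values; the hostnames and paths in them are assumptions.

```python
# Constructed sample in the syntax of the /etc/ldap.conf above; every value is a placeholder.
WEAK_LDAP_CONF = """\
uri ldap://ldap.subdomain.domain.com/
base cn=users,dc=subdomain,dc=domain,dc=com
ldap_version 3
binddn cn=ldapman,ou=ServiceAccts,dc=subdomain,dc=domain,dc=com
bindpw placeholder-password
scope sub
timelimit 30
#ssl start_tls
tls_cacert /etc/openldap/cacerts/ad-ca.pem
tls_reqcert never
"""

# The same file with the transport and certificate checks tightened (constructed).
HARDENED_LDAP_CONF = """\
uri ldaps://ldap.subdomain.domain.com/
base cn=users,dc=subdomain,dc=domain,dc=com
ldap_version 3
binddn cn=ldapman,ou=ServiceAccts,dc=subdomain,dc=domain,dc=com
bindpw placeholder-password
scope sub
timelimit 30
tls_cacert /etc/openldap/cacerts/ad-ca.pem
tls_reqcert demand
bind_policy soft
"""


def parse_ldap_conf(text):
    """'key value' per line, '#' starts a comment; keys are case-insensitive in
    nss_ldap. A repeated key overwrites the earlier value in this parser."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_ldap_conf(text):
    """Return (severity, key, message) tuples for settings that weaken the setup."""
    conf = parse_ldap_conf(text)
    findings = []
    uri = conf.get("uri", "").lower()
    ssl = conf.get("ssl", "").lower()
    # Neither ldaps:// nor StartTLS: the simple bind sends the password in clear.
    if not (uri.startswith("ldaps://") or ssl in ("on", "start_tls")):
        findings.append(("high", "transport",
                         "ldap:// without 'ssl start_tls': bind password and lookups cross the wire in clear"))
    reqcert = conf.get("tls_reqcert", "").lower()
    if reqcert in ("never", "allow"):
        findings.append(("high", "tls_reqcert",
                         f"tls_reqcert {reqcert}: the AD server certificate is never verified, so TLS "
                         "does not stop a spoofed directory; use 'demand' with the converted CA cert"))
    if reqcert == "demand" and "tls_cacert" not in conf:
        findings.append(("high", "tls_cacert",
                         "tls_reqcert demand without tls_cacert: verification only succeeds if the "
                         "AD CA is already in the system trust store"))
    # nss_ldap reads this file from every process, so it must stay world-readable.
    if "bindpw" in conf:
        findings.append(("info", "bindpw",
                         "bindpw is in /etc/ldap.conf, which every local user can read: keep the "
                         "bind account read-only and low-privilege, as the howto says"))
    # nss_ldap defaults to bind_policy hard, which retries while AD is unreachable.
    if conf.get("bind_policy", "hard").lower() == "hard":
        findings.append(("low", "bind_policy",
                         "bind_policy hard: lookups block while AD is unreachable (the boot hang mentioned above)"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_LDAP_CONF), ("hardened", HARDENED_LDAP_CONF)):
        print(f"== {name} ==")
        for severity, key, message in audit_ldap_conf(text):
            print(f"[{severity}] {key}: {message}")
```

To run it against a live box, read /etc/ldap.conf into a string and pass it to audit_ldap_conf(); the only finding the hardened sample still produces is the informational note about bindpw, which this howto accepts by keeping the bind account unprivileged.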

---------------------------------------------------------------------------
/etc/nsswitch.conf
#
# Controls where Linux looks for user/password info and in what order
#
passwd: files winbind ldap
shadow: files ldap
group: files winbind ldap

#hosts: db files nisplus nis dns
hosts: files dns

# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files

netgroup: files

publickey: nisplus

automount: files
aliases: files nisplus

-------------------------------------------------------------------------

To set this you can use system-config-authentication or manually
toggle which methods you want to use.

/etc/sysconfig/authconfig

USEWINBINDAUTH=yes
USEKERBEROS=yes
USESYSNETAUTH=no
USEPAMACCESS=yes
USEMKHOMEDIR=yes
FORCESMARTCARD=no
USESMBAUTH=no
USESMARTCARD=no
USELDAPAUTH=no
USEDB=no
USEWINBIND=yes
USESHADOW=yes
PASSWDALGORITHM=md5
USEHESIOD=no
USELDAP=yes
USELOCAUTHORIZE=yes
USEPASSWDQC=no
USECRACKLIB=yes
USENIS=no

--------------------------------------------------------------------------

/etc/krb5.conf
#
# This must function correctly
#
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
DOMAIN.COM = {
kdc = <FQDN>:88
admin_server = <FQDN>:749
default_domain = domain.com
}

[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
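Since kinit against AD depends on this file alone (LDAP is not involved, as noted earlier), the most common failures are a realm name in the wrong case, a default_realm with no [realms] block, a domain_realm entry pointing at an undefined realm, or no kdc line while dns_lookup_kdc is false. The checker below is an added example, not part of the original howto: it parses the bracketed-section-with-braces layout of krb5.conf and reports those inconsistencies. SAMPLE_KRB5_CONF is a constructed copy of the file above with a placeholder domain controller name.

```python
# Constructed krb5.conf in the shape of the one above; dc1 is a placeholder host.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
DOMAIN.COM = {
kdc = dc1.subdomain.domain.com:88
admin_server = dc1.subdomain.domain.com:749
default_domain = domain.com
}

[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}}; 'NAME = { ... }' blocks become nested dicts.
    Lines starting with '#' are treated as comments."""
    sections = {}
    section = block = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = sections.setdefault(line[1:-1], {})
            block = None
        elif line == "}":
            block = None
        elif section is not None:
            key, _, value = (part.strip() for part in line.partition("="))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (block if block is not None else section)[key] = value
    return sections


def check_krb5_conf(text):
    """Return a list of problems that would make kinit against AD fail or misbehave."""
    conf = parse_krb5_conf(text)
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    problems = []
    default_realm = libdefaults.get("default_realm")
    if not default_realm:
        problems.append("libdefaults: default_realm is missing")
    else:
        # Realm names are case-sensitive and AD realms are the upper-cased DNS domain.
        if default_realm != default_realm.upper():
            problems.append(f"default_realm {default_realm} is not upper-case")
        if default_realm not in realms:
            problems.append(f"default_realm {default_realm} has no [realms] entry")
    # MIT Kerberos falls back to DNS SRV records for the KDC unless dns_lookup_kdc is false.
    dns_kdc = libdefaults.get("dns_lookup_kdc", "true").lower() in ("true", "yes", "1")
    for name, realm in realms.items():
        if isinstance(realm, dict) and "kdc" not in realm and not dns_kdc:
            problems.append(f"realm {name}: no kdc and dns_lookup_kdc is false, so no KDC can be located")
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            problems.append(f"domain_realm: {domain} maps to undefined realm {realm}")
    return problems


if __name__ == "__main__":
    print(check_krb5_conf(SAMPLE_KRB5_CONF) or "krb5.conf looks consistent")
```

Run it with the real file (read /etc/krb5.conf into a string) before trying kinit; an empty list means the realm, KDC and domain mapping agree with each other, which is the part of "this must function correctly" that can be checked offline.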


---------------------------------------------------------------------
/etc/ntp/steptickers

123.123.123.123 # ipaddr of time source


---------------------------------------------------------------------
/etc/ntp/ntpservers

123.123.123.123 # ipaddr of time source

---------------------------------------------------------------------
/etc/ntp.conf

Remove the lines that specify the default servers and replace them with your own:

server 123.123.123.123


---------------------------------------------------------------------

After all of this is complete you should be able to do:

kinit <Domain Admin Acct>
password:

net ads join -U <Domain Admin Acct>
password:

net ads testjoin -U <Domain Admin Acct>
password: # Test server communication

ldapsearch -D "binddn@domain.com" -x -W # -D is the user to bind as
# -x uses a simple bind instead of SASL; it is not encrypted by itself, so use it over ldaps/start_tls
# -W prompts for the password

wbinfo -u # List domain users
wbinfo -g # List domain groups
wbinfo -t # Check the domain trust

After setting nsswitch.conf run:

getent passwd # Should list users
getent group # Should list groups

MAKE SURE HOME DIRS ARE AVAILABLE FOR DOMAIN USERS/GROUPS!!!

Attempt to log in.

Should work.

by g33ky on Fri, 2010-06-18 08:16
Hi,

Can you tell me which distro you are using?

Thx,

by vintage2010 on Thu, 2011-03-31 09:59
I had the great experience to work with battletroll on getting the linux side configured correctly for AD Authentication. The instructions/guide written are clear and easy to follow. At times, I would get confused and shoot an email only to get a response with more help.

MAJOR KUDOS !!!!!!


  


