Old 01-29-2009, 12:16 PM   #1
calipryss
LQ Newbie
 
Registered: Jun 2007
Posts: 9

Rep: Reputation: 0
Authenticating SSH against Windows Active Directory using LDAP over SSL


I'm running RHEL 5.2 on a few servers and I would like to authenticate the SSH users against the Windows 2003 SP2 AD. I would like to keep the ports that I need to open to a minimum, and would like to utilize LDAP over SSL to accomplish this. I have some initial questions to get me going...

Does anyone know if there is any documentation out on this configuration? I can't seem to find any and I've been searching the web for about a week now. For this specific configuration... i.e., not using kerberos, winbind, or samba.

If not, can anyone send me in a right direction as to where to start? My first thoughts were to create a CSR and get that signed by the windows AD server. Then import that back to Linux, placing in /etc/openldap/cacerts. Or, is it easier to just import the ad domain cert to the linux server?

Once the certificates are verified, I know I will need to do some configuration in ldap.conf, nsswitch, and hosts files. But, I'll get to that once I can even get a trust set up.

By the way, the Linux servers are on the Internal network and the Windows AD server is in the DMZ, so I'm thinking I will also need to update resolv.conf as well.

Any thoughts or direction would be very appreciated.
 
Old 01-29-2009, 12:28 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,344

Rep: Reputation: 1945
to do this over ldaps as correctly and nicely as possible, you should check out the MSSFU AD extensions which will provide proper places for (and management of, afaik) gid and uid management etc. It's possible to use existing attributes in AD, e.g. their fax number, to store a uid if desired, but ultimately a schema extension is better, especially if you are expecting it to scale and remain manageable.
 
Old 01-29-2009, 12:49 PM   #3
calipryss
LQ Newbie
 
Registered: Jun 2007
Posts: 9

Original Poster
Rep: Reputation: 0
Thank you for the information, I will check with our windows admins on that. My first goal is to get the trust set up and verified between the Linux and the Windows server. Any thoughts?
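The trust the original poster wants to verify lives in the client's ldap.conf: the connection must actually use LDAPS (or be forced to TLS), the AD server's certificate must be checked against a CA the Linux box trusts, and that CA must be installed somewhere libldap looks. The script below is an added example (not code from this thread or from LinuxQuestions) that parses an ldap.conf in the RHEL 5 /etc/openldap/ldap.conf style shared by libldap, nss_ldap and pam_ldap and reports the settings that would silently leave the DMZ-hosted domain controller unverified. The sample configs and hostnames are constructed; the keyword names URI, HOST, SSL, TLS_CACERT, TLS_CACERTDIR and TLS_REQCERT are real ldap.conf/nss_ldap keywords.

```python
"""Audit an OpenLDAP/nss_ldap ldap.conf for a verified LDAPS trust setup.

Added example, not code from the thread. Assumes the RHEL 5 style
/etc/openldap/ldap.conf and its keywords URI, HOST, SSL, TLS_CACERT,
TLS_CACERTDIR and TLS_REQCERT.
"""

# constructed sample: the shape the poster is working toward
GOOD_CONF = """\
# constructed example, not a real site
URI ldaps://dc1.example.internal/
BASE dc=example,dc=internal
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT demand
"""

# constructed sample with the classic mistakes: one plaintext ldap:// URI,
# no CA installed, and TLS_REQCERT never (accepts any certificate at all)
WEAK_CONF = """\
URI ldap://dc1.example.internal/ ldaps://dc2.example.internal/
BASE dc=example,dc=internal
tls_reqcert never
"""


def parse_ldap_conf(text):
    """Map each keyword (upper-cased; ldap.conf keywords are case-insensitive)
    to its value. Blank lines and '#' comments are skipped; a repeated
    keyword keeps its last value, as libldap does."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_ldaps_trust(conf):
    """Return a list of findings; an empty list means the config both
    encrypts the connection and verifies the AD server's certificate."""
    findings = []

    # 1. Transport: every URI must be ldaps://, or nss_ldap's 'ssl on' /
    #    'ssl start_tls' must force TLS; otherwise the bind password crosses
    #    the network in the clear.
    uris = conf.get("URI", "").split()
    forced_tls = conf.get("SSL", "").lower() in ("on", "start_tls")
    if not uris and "HOST" not in conf:
        findings.append("no URI or HOST configured")
    elif not forced_tls:
        plaintext = [u for u in uris if not u.lower().startswith("ldaps://")]
        if not uris:
            plaintext = ["HOST (plain ldap:// without 'ssl on')"]
        if plaintext:
            findings.append("not protected by TLS: " + ", ".join(plaintext))

    # 2. Certificate checking: anything but demand/hard means a host that
    #    merely answers on 636 is accepted as the domain controller.
    reqcert = conf.get("TLS_REQCERT", "").lower()
    if reqcert == "":
        findings.append("TLS_REQCERT not set explicitly; set 'TLS_REQCERT demand'")
    elif reqcert not in ("demand", "hard"):
        findings.append("TLS_REQCERT %s disables server certificate verification" % reqcert)

    # 3. Trust anchor: with no CA file or directory, 'demand' has nothing
    #    to verify the AD certificate chain against.
    if not conf.get("TLS_CACERT") and not conf.get("TLS_CACERTDIR"):
        findings.append("no TLS_CACERT or TLS_CACERTDIR: the AD CA certificate is not trusted")
    return findings


def audit_file(path):
    """Audit a real ldap.conf on disk, e.g. /etc/openldap/ldap.conf."""
    with open(path) as fh:
        return audit_ldaps_trust(parse_ldap_conf(fh.read()))


if __name__ == "__main__":
    for label, text in (("good", GOOD_CONF), ("weak", WEAK_CONF)):
        print(label, audit_ldaps_trust(parse_ldap_conf(text)) or ["ok"])
```

Two practical notes on the third check: with TLS_CACERTDIR, libldap (via OpenSSL) finds certificates by their subject-hash filename, so a CA certificate simply copied into /etc/openldap/cacerts as ad-ca.pem is not found until the directory is rehashed (the c_rehash script, or a symlink named after `openssl x509 -noout -hash -in ad-ca.pem`); TLS_CACERT pointing at a single PEM file avoids that step. And a clean audit only shows the configuration is right; the trust itself is confirmed when an `ldapsearch` against the ldaps:// URI completes with `TLS_REQCERT demand` in effect.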
 
Tags
authentication, directory, ldap, ssh, windows