Authentication against Active Directory (very confused)
I am trying to configure a fresh minimal install of CentOS 6 (Red Hat 6) to authenticate against my company's Active Directory. I apologize if this is a basic question, but I have been reading many how-to articles and I am very confused as to how to do this. Each article seems to describe a different method for accomplishing the same thing. Some include Kerberos, others seem to simply say all I need is a pam_ldap module and nsswitch. I have followed a few but have not had luck, and some how-to articles seem out of date as they mention non-existent config files, or the config files don't relate to the packages they tell me to install. Because I am to the point of just spinning my wheels, I came here to ask for help. Any input would be greatly appreciated. What packages are needed to get this working? What are the options for setting this up?
One how-to I have tried to follow was this one: http://wiki.freaks-unidos.net/linux%...e-linux-client. It seems very simple, but the ldap.conf does not exist until I installed the openldap-clients package with yum. That package, however, was not mentioned in the client. After installing, I did edit that file and also tried editing the pam_ldap.conf, as it seemed like the correct file to edit, but I still cannot su - <ad_user>.
I have Linux experience and some LDAP/AD experience, but I have never configured something like this before. Currently we have a set of Linux machines that do authenticate against our AD instance, but they were made by a consultant who set them up a very long time ago. So I do know it's possible to do with our AD server. There are tons of misconfigured things on those machines and they are very out of date. Hence I am creating a new base template, and then we will rebuild all those machines onto instances of that template.
OK, so unless I'm mistaken, you've not understood your own requirements. You don't just want to authenticate, you want authentication AND user information. This might seem like a petty difference, but the two things are TOTALLY independent of each other, and simply all line up to give an end-to-end solution.
The authentication side is actually easy with either LDAP or Kerberos. I recommend LDAP as Kerberos as a protocol can just be very very confusing. But to authenticate you need to know WHO you want to authenticate as in the first place, and in LDAP land, that's done by binding to the LDAP server (AD) with the correct LDAP DN.
So your problem is to get that information in the first place, so you need to get the POSIX data from somewhere. Do you have POSIX extensions installed on AD? I don't actually know what provides it on newer systems, but it used to be the MSSFU AD Schema pack for W2K. Where I work we run 2008 DCs and they do provide full POSIX data values, which only need a small amount of mangling on the Linux side to be useful.
The thing I always bleat on about is to divide and conquer...
1) happily get to be able to retrieve AD details using the ldapsearch tool
2) use authconfig-tui to enable ldap info and auth
3) configure /etc/nslcd.conf (and restart the nslcd service) (new in rhel6) and be able to run "getent passwd" and "getent group" to be able to return the ldap accounts happily
4) configure /etc/pam_ldap.conf in a largely similar vein to nslcd.conf (previously they both used the single /etc/ldap.conf file) to allow logins.
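The four steps above, turned into small shell functions as an added example (this is not code from the thread or from any of the posters). The domain controller name, base DN, bind account and the sample config and getent lines are all assumed or constructed; the only network-touching function is the ldapsearch wrapper, which is defined but not invoked. The point it shows is the one step 3 and 4 make: on RHEL 6 identity lookup (nslcd.conf) and authentication (pam_ldap.conf) are separate files that must agree, and a getent line is only useful for login if all the POSIX fields are actually populated.

```shell
#!/bin/sh
# Added example, not from the original thread. All values below are assumptions.
AD_URI="ldap://dc1.example.corp"                      # assumed domain controller
AD_BASE="dc=example,dc=corp"                          # assumed base DN of the domain
AD_BINDDN="cn=ldapreader,cn=Users,dc=example,dc=corp" # assumed read-only bind account

# Step 1: confirm AD answers LDAP queries at all (needs network; not called here).
# -x simple bind, -W prompt for the bind password, -b search base.
ad_search() {
    ldapsearch -x -H "$AD_URI" -D "$AD_BINDDN" -W -b "$AD_BASE" \
        "(sAMAccountName=$1)" uidNumber gidNumber unixHomeDirectory loginShell gecos
}

# Step 2: non-interactive equivalent of authconfig-tui, so no X (or curses) needed.
# Prints the command rather than running it, so it can be reviewed first.
authconfig_cmd() {
    printf 'authconfig --enableldap --enableldapauth --ldapserver=%s --ldapbasedn=%s --enablemkhomedir --update\n' "$1" "$2"
}

# Steps 3/4: nslcd.conf (identity) and pam_ldap.conf (auth) are separate files
# on RHEL 6. Return 0 when their uri and base keys match, 1 otherwise.
configs_agree() {
    nslcd_uri=$(awk '$1=="uri"{print $2}' "$1")
    nslcd_base=$(awk '$1=="base"{print $2}' "$1")
    pam_uri=$(awk '$1=="uri"{print $2}' "$2")
    pam_base=$(awk '$1=="base"{print $2}' "$2")
    [ "$nslcd_uri" = "$pam_uri" ] && [ "$nslcd_base" = "$pam_base" ]
}

# Step 3 result check: a "getent passwd" line must have all seven fields, a
# numeric uid and gid, and absolute home directory and shell paths; otherwise
# nslcd answered but the POSIX data in AD is incomplete and login will fail.
posix_line_ok() {
    printf '%s\n' "$1" | awk -F: '
        NF == 7 && $3 ~ "^[0-9]+$" && $4 ~ "^[0-9]+$" && $6 ~ "^/" && $7 ~ "^/" { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Demonstration on constructed files and lines (no AD required).
demo() {
    d=$(mktemp -d) || return 1
    printf 'uri %s\nbase %s\n' "$AD_URI" "$AD_BASE" > "$d/nslcd.conf"
    printf 'uri %s\nbase %s\n' "$AD_URI" "$AD_BASE" > "$d/pam_ldap.conf"
    printf 'uri ldap://dc2.example.corp\nbase %s\n' "$AD_BASE" > "$d/pam_ldap.wrong"

    echo "Step 2 command: $(authconfig_cmd "$AD_URI" "$AD_BASE")"
    configs_agree "$d/nslcd.conf" "$d/pam_ldap.conf" && echo "nslcd.conf and pam_ldap.conf agree"
    configs_agree "$d/nslcd.conf" "$d/pam_ldap.wrong" || echo "mismatch detected: pam_ldap.conf points elsewhere"

    # Constructed getent output: one complete entry, one missing the home directory.
    posix_line_ok 'jdoe:*:10001:10001:John Doe:/home/jdoe:/bin/bash' && echo "jdoe: POSIX data complete"
    posix_line_ok 'asmith:*:10002:10001:Ann Smith::/bin/bash' || echo "asmith: POSIX data incomplete (no home dir)"
    rm -rf "$d"
}

demo
```

On a real box, replace the constructed getent lines with `getent passwd "$user"` after restarting nslcd; if `posix_line_ok` fails there, the fix belongs in AD's POSIX attributes or in nslcd.conf's attribute mappings, not in PAM.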
Thanks for the reply acid_kewpie.
1) I can query AD using ldapsearch.
2) When you say authconfig-tui, I assume you mean GUI. If so, it's a minimal install of CentOS, so there is no X, and that came from above, so I can't install X. What does this GUI program do? I am sure there is a command-line method also.
3/4) So do I understand you correctly in saying that both of these need to be configured? Don't they do the same thing? Is there a reason/difference?
I maybe was not totally clear about my requirements. I just need authentication, really. Although I guess by user information you mean email address, phone number and other metadata about people in LDAP. That would be cool... I suppose not needed by me at the moment. So are you saying it's a totally different set of steps to get that working?
Thanks again for your help.
i said authconfig-tui because i meant authconfig-tui. tui = text user interface.
the difference is exactly what i've described. 3) get user account details. I mean POSIX data, not email addresses: Homedir, uid, gid, shell, gecos. 4) prove you are a specific given user.
did you ever get this figured out? if not, i spent an obscene amount of time on this recently and now have it working pretty well. let me know.