Authentication against Active Directory (very confused)
I am trying to configure a fresh minimal install of CentOS 6 (Red Hat 6) to authenticate against my company's Active Directory. I apologize if this is a basic question, but I have been reading many how-to articles and I am very confused as to how to do this. Each article seems to describe a different method for accomplishing the same thing. Some include Kerberos; others seem to simply say all I need is a pam_ldap module and nsswitch. I have followed a few but have not had luck, and some how-to articles seem out of date, as they mention non-existent config files or the config files don't relate to the packages they tell me to install. Because I am at the point of just spinning my wheels, I came here to ask for help. Any input would be greatly appreciated. What packages are needed to get this working? What are the options for setting this up?
One how-to I have tried to follow was this one: http://wiki.freaks-unidos.net/linux%...e-linux-client It seems very simple, but the ldap.conf did not exist until I installed the openldap-clients package with yum. That package, however, was not mentioned in the client. After installing, I did edit that file and also tried editing the pam_ldap.conf, as it seemed like the correct file to edit, but I still cannot su - <ad_user>.
I have Linux experience and some LDAP/AD experience, but I have never configured something like this before. Currently we have a set of Linux machines that do authenticate against our AD instance, but they were made by a consultant who set them up a very long time ago. So I do know it's possible to do with our AD server. There are tons of misconfigured things on those machines and they are very out of date. Hence I am creating a new base template, and then we will rebuild all those machines onto instances of that template.
Last edited by startoftext; 08-11-2011 at 12:29 PM.
Reason: adding more info about what I have tried
OK, so unless I'm mistaken, you've not understood your own requirements. You don't just want to authenticate, you want authentication AND user information. This might seem like a petty difference, but the two things are TOTALLY independent of each other, and simply all line up to give an end-to-end solution.
The authentication side is actually easy with either LDAP or Kerberos. I recommend LDAP, as Kerberos as a protocol can just be very, very confusing. But to authenticate you need to know WHO you want to authenticate as in the first place, and in LDAP land that's done by binding to the LDAP server (AD) with the correct LDAP DN.
So your problem is to get that information in the first place, so you need to get the POSIX data from somewhere. Do you have POSIX extensions installed on AD? I don't actually know what provides it on newer systems, but it used to be with the MSSFU AD schema pack for W2K. Where I work we run 2008 DCs, and they do provide full POSIX data values, which only need a small amount of mangling on the Linux side to be useful.
The thing I always bleat on about is to divide and conquer...
1) happily get to be able to retrieve AD details using the ldapsearch tool
2) use authconfig-tui to enable ldap info and auth
3) configure /etc/nslcd.conf (and restart the nslcd service) (new in RHEL 6) and be able to run "getent passwd" and "getent group" to be able to return the LDAP accounts happily
4) configure /etc/pam_ldap.conf in a largely similar vein to nslcd.conf (previously they both used the single /etc/ldap.conf file) to allow logins.
1) I can query AD using ldapsearch.
2) When you say authconfig-tui I assume you mean GUI. If so, it's a minimal install of CentOS, so there is no X, and that came from above, so I can't install X. What does this GUI program do? I am sure there is a command-line method also.
3/4) So do I understand you correctly in saying that both of these need to be configured? Don't they do the same thing? Is there a reason/difference?
I maybe was not totally clear about my requirements. I just need authentication, really. Although I guess by user information you mean email address, phone number and other metadata about people in LDAP. That would be cool... I suppose it's not needed by me at the moment. So are you saying it's a totally different set of steps to get that working?
I said authconfig-tui because I meant authconfig-tui. TUI = text user interface.
The difference is exactly what I've described. 3) get user account details. I mean POSIX data, not email addresses: home dir, uid, gid, shell, gecos. 4) prove you are a specific given user.
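The four "divide and conquer" steps from the reply above, written out as a check script for the poster's CentOS 6 case, including the non-interactive authconfig call that replaces authconfig-tui on a box without X. This is an added example, not code from anyone in this thread; it assumes an AD domain controller at ldap://dc1.example.com, base DN DC=example,DC=com, a read-only bind account, and the SFU/RFC2307 POSIX attributes (uidNumber, gidNumber, unixHomeDirectory, loginShell) on a RHEL 6 PAM layout.

```shell
#!/bin/sh
# Added example (not from any poster in this thread). Assumed values: AD reachable at
# ldap://dc1.example.com, base DN DC=example,DC=com, a read-only bind account, and the
# RFC2307/SFU attributes uidNumber, gidNumber, unixHomeDirectory, loginShell on RHEL 6.
LDAP_URI="${LDAP_URI:-ldap://dc1.example.com}"
BASE_DN="${BASE_DN:-DC=example,DC=com}"
BIND_DN="${BIND_DN:-CN=linux-bind,OU=Service Accounts,DC=example,DC=com}"

# Step 1: bind with the service account and pull the POSIX attributes for one user.
step1_ldapsearch() {
  ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -W -b "$BASE_DN" \
    "(&(objectClass=user)(sAMAccountName=$1))" \
    sAMAccountName uidNumber gidNumber unixHomeDirectory loginShell
}

# Step 2: command-line equivalent of authconfig-tui; writes nsswitch.conf, /etc/nslcd.conf,
# /etc/pam_ldap.conf and the PAM stack (/etc/pam.d/system-auth). Run once, by hand.
step2_authconfig() {
  authconfig --enableldap --enableldapauth --ldapserver="$LDAP_URI" \
    --ldapbasedn="$BASE_DN" --update
}

# Sanity-check one passwd(5) line (name:x:uid:gid:gecos:home:shell). Pure function,
# so it runs on a constructed line with no AD server; step 3 feeds it real output.
check_passwd_line() {
  IFS=: read -r name _pw uid gid _gecos home shell <<EOF
$1
EOF
  case $uid in ''|*[!0-9]*) echo "$name: uidNumber missing or not numeric" >&2; return 1;; esac
  case $gid in ''|*[!0-9]*) echo "$name: gidNumber missing or not numeric" >&2; return 1;; esac
  case $home in /*) ;; *) echo "$name: unixHomeDirectory missing or relative" >&2; return 1;; esac
  case $shell in /*) ;; *) echo "$name: loginShell missing or relative" >&2; return 1;; esac
}

# Step 3: NSS (nslcd.conf) must resolve the account with usable POSIX fields.
step3_getent() {
  line=$(getent passwd "$1") || { echo "nslcd does not resolve $1" >&2; return 1; }
  check_passwd_line "$line"
}

# Step 4: PAM (pam_ldap.conf) must be in the stack before "su - $1" can prove identity.
step4_pam() {
  grep -q pam_ldap.so /etc/pam.d/system-auth ||
    { echo "pam_ldap.so not referenced in /etc/pam.d/system-auth" >&2; return 1; }
}

# Usage: after step2_authconfig, "sh ad-check.sh <ad_user>" runs checks 1, 3, 4 in order
# and stops at the first one that fails, which tells you which layer to look at.
if [ -n "${1:-}" ]; then
  step1_ldapsearch "$1" && step3_getent "$1" && step4_pam
fi
```

If step 3 fails while step 1 succeeds, the account exists in AD but nslcd is not mapping the POSIX attributes, which is the "mangling" the reply mentions; if step 3 passes and su still fails, the problem is on the pam_ldap side.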