
calipryss 01-29-2009 01:16 PM

Authenticating SSH against Windows Active Directory using LDAP over SSL
I'm running RHEL 5.2 on a few servers and I would like to authenticate the SSH users against the Windows 2003 SP2 AD. I would like to keep the ports that I need to open to a minimum, and would like to utilize LDAP over SSL to accomplish this. I have some initial questions to get me going...

Does anyone know if there is any documentation out on this configuration? I can't seem to find any and I've been searching the web for about a week now. For this specific configuration... i.e., not using kerberos, winbind, or samba.

If not, can anyone send me in the right direction as to where to start? My first thoughts were to create a CSR and get that signed by the Windows AD server. Then import that back to Linux, placing it in /etc/openldap/cacerts. Or, is it easier to just import the AD domain cert to the Linux server?

Once the certificates are verified, I know I will need to do some configuration in ldap.conf, nsswitch, and the hosts file. But, I'll get to that once I can even get a trust set up.

By the way, the Linux servers are on the Internal network and the Windows AD server is in the DMZ, so I'm thinking I will also need to update resolv.conf as well.

Any thoughts or direction would be very appreciated.
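As an added example (not code from this thread or from any of the posters), here is a POSIX shell script for the "get the trust set up" step: it renders an OpenLDAP client ldap.conf that uses ldaps:// and demands a verified server certificate, installs a CA certificate into a TLS_CACERTDIR directory with the subject-hash symlink OpenSSL needs to find it, and lints a client config for the settings that quietly disable certificate checking (a plaintext ldap:// URI, TLS_REQCERT never/allow/try, nss_ldap's tls_checkpeer no, or no trust anchor at all). The domain controller name, base DN and file paths are constructed placeholders; install_cacert needs the openssl binary and is not run by the demo at the bottom.

```shell
#!/bin/sh
# Added example, not code from the thread. Renders an OpenLDAP client
# config for an LDAPS trust test and lints a config for settings that
# turn server certificate verification off. Hostnames, DNs and paths
# used below are constructed placeholders.

# Render /etc/openldap/ldap.conf content that requires a verified chain.
# $1 = domain controller FQDN, $2 = base DN, $3 = directory of CA certs
render_ldap_conf() {
    printf 'URI ldaps://%s:636/\nBASE %s\nTLS_CACERTDIR %s\nTLS_REQCERT demand\n' \
        "$1" "$2" "$3"
}

# Install a CA certificate where TLS_CACERTDIR expects it. OpenSSL looks
# issuers up by subject hash, so the PEM file needs a <hash>.0 symlink.
# $1 = PEM file (e.g. the exported AD root CA), $2 = cacert directory.
# Needs the openssl binary; not called by the demo below.
install_cacert() {
    hash=$(openssl x509 -in "$1" -noout -hash) || return 1
    cp "$1" "$2/$(basename "$1")" && ln -sf "$(basename "$1")" "$2/$hash.0"
}

# Lint a client config: print one WEAK line per problem, return 1 if any.
# Works for both /etc/openldap/ldap.conf and nss_ldap's /etc/ldap.conf,
# which is why it checks both TLS_REQCERT and tls_checkpeer spellings.
lint_ldap_conf() {
    bad=0
    # "ldap://" does not match "ldaps://", so only plaintext URIs are caught.
    if grep -Eiq '^[[:space:]]*uri[[:space:]]+.*ldap://' "$1"; then
        echo "WEAK: plaintext ldap:// URI in $1"; bad=1
    fi
    if grep -Eiq '^[[:space:]]*tls_reqcert[[:space:]]+(never|allow|try)' "$1"; then
        echo "WEAK: TLS_REQCERT does not demand a valid server certificate in $1"; bad=1
    fi
    if grep -Eiq '^[[:space:]]*tls_checkpeer[[:space:]]+no' "$1"; then
        echo "WEAK: tls_checkpeer no disables certificate verification in $1"; bad=1
    fi
    if ! grep -Eiq '^[[:space:]]*tls_cacert(dir|file)[[:space:]]+' "$1"; then
        echo "WEAK: no TLS_CACERTDIR/TLS_CACERTFILE, so there is no trust anchor in $1"; bad=1
    fi
    return $bad
}

# Demo: render a config into a temp directory and lint it.
demo_dir=$(mktemp -d)
render_ldap_conf dc01.ad.example.internal 'dc=ad,dc=example,dc=internal' \
    /etc/openldap/cacerts > "$demo_dir/ldap.conf"
lint_ldap_conf "$demo_dir/ldap.conf" && echo "ldap.conf: certificate verification enforced"
```

Once the rendered file is in place and the CA certificate is installed, `ldapsearch -x -ZZ` is not needed (the URI is already ldaps://); a plain `ldapsearch -x -D <bind DN> -W -b <base DN> '(sAMAccountName=<user>)'` that succeeds without a TLS error is the trust check, and `openssl s_client -connect dc01.ad.example.internal:636 -CAfile <ca.pem>` shows the chain if it does not.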

acid_kewpie 01-29-2009 01:28 PM

to do this over ldaps as correctly and nicely as possible, you should check out the MSSFU AD extensions which will provide proper places for (and management of, afaik) gid and uid management etc. It's possible to use existing attributes in AD, e.g. their fax number, to store a uid if desired, but ultimately a schema extension is better, especially if you are expecting it to scale and remain manageable.

calipryss 01-29-2009 01:49 PM

Thank you for the information, I will check with our Windows admins on that. My first goal is to get the trust set up and verified between the Linux and the Windows server. Any thoughts?
