Old 01-29-2009, 01:16 PM   #1
Authenticating SSH against Windows Active Directory using LDAP over SSL

I'm running RHEL 5.2 on a few servers and I would like to authenticate the SSH users against the Windows 2003 SP2 AD. I would like to keep the ports that I need to open to a minimum, and would like to utilize LDAP over SSL to accomplish this. I have some initial questions to get me going...

Does anyone know if there is any documentation out on this configuration? I can't seem to find any and I've been searching the web for about a week now. For this specific configuration... i.e., not using kerberos, winbind, or samba.

If not, can anyone send me in the right direction as to where to start? My first thoughts were to create a CSR and get that signed by the Windows AD server. Then import that back to Linux, placing it in /etc/openldap/cacerts. Or, is it easier to just import the AD domain cert to the Linux server?

Once the certificates are verified, I know I will need to do some configuration in ldap.conf, nsswitch, and the hosts file. But I'll get to that once I can even get a trust set up.

By the way, the Linux servers are on the Internal network and the Windows AD server is in the DMZ, so I'm thinking I will also need to update resolv.conf as well.

Any thoughts or direction would be very appreciated.
Old 01-29-2009, 01:28 PM   #2
To do this over ldaps as correctly and nicely as possible, you should check out the MSSFU AD extensions, which will provide proper places for (and management of, afaik) gid and uid management etc. It's possible to use existing attributes in AD, e.g. their fax number, to store a uid if desired, but ultimately a schema extension is better, especially if you are expecting it to scale and remain manageable.
Old 01-29-2009, 01:49 PM   #3
Thank you for the information, I will check with our Windows admins on that. My first goal is to get the trust set up and verified between the Linux and the Windows server. Any thoughts?
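One way to set up and check the CA trust the poster is after, as an added example that is not from this thread. It assumes the openssl command-line tool is installed; the CA name, the DC host name and the base DN are constructed stand-ins, not values from a real AD. The point it demonstrates is that OpenLDAP's TLS_CACERTDIR (e.g. /etc/openldap/cacerts) finds CA certs by subject-hash file name, so just copying the AD CA cert into the directory is not enough.

```shell
#!/bin/sh
# Added example (not from the thread): set up and check the CA trust that
# OpenLDAP's TLS_CACERTDIR (e.g. /etc/openldap/cacerts) expects. OpenLDAP
# looks CA certs up by subject-hash file name, so simply copying ad-ca.pem
# into the directory is not enough. Assumes the openssl CLI is installed.
set -eu

# Generate a constructed CA and a server cert signed by it (stand-ins for the
# AD domain CA and the DC's LDAPS cert; nothing here comes from a real AD).
make_constructed_certs() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj '/CN=Constructed Test CA' >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/dc.key" -out "$dir/dc.csr" \
        -subj '/CN=dc1.example.test' >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/dc.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/dc.pem" >/dev/null 2>&1
}

# Install a CA cert into a cacerts directory under its hashed name
# (<subject_hash>.0), which is how OpenSSL/OpenLDAP find it in TLS_CACERTDIR.
# Prints the installed path.
install_ca_cert() {
    ca=$1; cacertdir=$2
    mkdir -p "$cacertdir"
    hash=$(openssl x509 -noout -subject_hash -in "$ca")
    cp "$ca" "$cacertdir/$hash.0"
    echo "$cacertdir/$hash.0"
}

# Check that a server certificate chains to a CA in the cacerts directory.
# Returns 0 when trusted, non-zero otherwise.
verify_server_cert() {
    cert=$1; cacertdir=$2
    openssl verify -CApath "$cacertdir" "$cert" >/dev/null 2>&1
}

# Stand-alone demo against the constructed certs. Against the real DC you
# would instead check the live LDAPS endpoint with the same cacerts dir, e.g.:
#   openssl s_client -connect dc1.example.test:636 -CApath /etc/openldap/cacerts
#   ldapsearch -H ldaps://dc1.example.test -x -b 'dc=example,dc=test' -s base
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_constructed_certs "$tmp"
    install_ca_cert "$tmp/ca.pem" "$tmp/cacerts"
    verify_server_cert "$tmp/dc.pem" "$tmp/cacerts" && echo "trust OK"
    rm -rf "$tmp"
fi
```

Run it as `sh trust-check.sh demo`; a hashed file name that does not match the CA's subject is the most common reason an otherwise correct cert in cacerts is still "not trusted".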

