Old 08-11-2011, 12:23 PM   #1
LQ Newbie
Registered: Dec 2008
Posts: 12

Rep: Reputation: 0
Authentication against Active Directory (very confused)

I am trying to configure a fresh minimal install of CentOS 6 (Red Hat 6) to authenticate against my company's Active Directory. I apologize if this is a basic question, but I have been reading many how-to articles and I am very confused as to how to do this. Each article seems to describe a different method for accomplishing the same thing. Some include Kerberos; others seem to simply say all I need is a pam_ldap module and nsswitch. I have followed a few but have not had luck, and some how-to articles seem out of date, as they mention non-existent config files or the config files don't relate to the packages they tell me to install. Because I am at the point of just spinning my wheels, I came here to ask for help. Any input would be greatly appreciated. What packages are needed to get this working? What are the options for setting this up?

One how-to I have tried to follow was this one, which seems very simple, but the ldap.conf does not exist until I installed the openldap-clients package with yum. That package, however, was not mentioned in the client. After installing, I did edit that file and also tried editing the pam_ldap.conf, as it seemed like the correct file to edit, but I still cannot su - <ad_user>.

I have Linux experience and some LDAP/AD experience, but I have never configured something like this before. Currently we have a set of Linux machines that do authenticate against our AD instance, but they were made by a consultant who set them up a very long time ago. So I do know it's possible to do with our AD server. There are tons of mis-configured things on those machines and they are very out of date. Hence I am creating a new base template, and then we will rebuild all those machines onto instances of that template.

Last edited by startoftext; 08-11-2011 at 12:29 PM. Reason: adding more info about what I have tried
Old 08-11-2011, 02:13 PM   #2
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1977
OK, so unless I'm mistaken, you've not understood your own requirements. You don't just want to authenticate, you want authentication AND user information. This might seem like a petty difference, but the two things are TOTALLY independent of each other, and simply all line up to give an end-to-end solution.

The authentication side is actually easy with either LDAP or Kerberos. I recommend LDAP as Kerberos as a protocol can just be very very confusing. But to authenticate you need to know WHO you want to authenticate as in the first place, and in LDAP land, that's done by binding to the LDAP server (AD) with the correct LDAP DN.

So your problem is to get that information in the first place - so you need to get the POSIX data from somewhere. Do you have POSIX extensions installed on AD? I don't actually know what provides it on newer systems, but it used to be the MSSFU AD Schema pack, for W2K. Where I work we run 2008 DCs and they do provide full POSIX data values, which only need a small amount of mangling on the Linux side to be useful.

The thing I always bleat on about is to divide and conquer...

1) happily get to be able to retrieve AD details using the ldapsearch tool
2) use authconfig-tui to enable ldap info and auth
3) configure /etc/nslcd.conf (and restart the nslcd service) (new in rhel6) and be able to run "getent passwd" and "getent group" to be able to return the ldap accounts happily
4) configure /etc/pam_ldap.conf in a largely similar vein to nslcd.conf (previously they both used the single /etc/ldap.conf file) to allow logins.
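The four steps above are a checklist, and steps 3 and 4 are where a misconfiguration silently weakens the whole setup: nslcd.conf and pam_ldap.conf carry the bind DN and password, and if `ssl` or `tls_reqcert` are wrong the domain password of every user who logs in crosses the wire in the clear or to an unverified server. The script below is an added example, not code from this thread or from the nslcd project: it lints a constructed nslcd.conf for those settings and checks that a `getent passwd` line carries the POSIX fields (uid, gid, home, shell) that acid_kewpie says AD needs to supply. The file path, directive values and sample passwd lines are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Lints an nslcd.conf-style file for the
# settings that matter before enabling LDAP in authconfig, and validates the
# POSIX fields returned by "getent passwd" once nslcd is running.

# lint_nslcd_conf FILE -> returns 0 if clean, 1 with one WARN line per finding
lint_nslcd_conf() {
    f=$1
    rc=0
    # The file holds bindpw, so only root may read it.
    mode=$(stat -c %a "$f")
    case "$mode" in
        600|400) ;;
        *) echo "WARN: $f mode $mode; expected 0600 (bindpw lives in this file)"; rc=1 ;;
    esac
    # ssl must be 'on' (ldaps://) or 'start_tls'; otherwise simple binds are cleartext.
    ssl=$(awk '$1=="ssl"{print $2}' "$f")
    case "$ssl" in
        on|start_tls) ;;
        *) echo "WARN: ssl is '${ssl:-unset}'; user passwords would be sent in cleartext"; rc=1 ;;
    esac
    # tls_reqcert never/allow turns off validation of the DC's certificate.
    reqcert=$(awk '$1=="tls_reqcert"{print $2}' "$f")
    case "$reqcert" in
        never|allow) echo "WARN: tls_reqcert $reqcert disables DC certificate validation"; rc=1 ;;
    esac
    # AD normally refuses anonymous lookups, so a binddn must be present.
    awk '$1=="binddn"{found=1} END{exit !found}' "$f" || { echo "WARN: no binddn configured"; rc=1; }
    return $rc
}

# posix_fields_ok LINE -> 0 if a passwd line is complete enough for a login
# (this is the "mangling" check: AD entries without homeDirectory/loginShell
# show up in getent but cannot actually log in)
posix_fields_ok() {
    printf '%s\n' "$1" | awk -F: '
        NF != 7              { exit 1 }   # passwd has exactly 7 fields
        $3 !~ /^[0-9]+$/     { exit 1 }   # uidNumber must be numeric
        $4 !~ /^[0-9]+$/     { exit 1 }   # gidNumber must be numeric
        $6 == "" || $7 == "" { exit 1 }   # empty home or shell: unusable account
        { exit 0 }'
}

# Demo on a constructed, deliberately weak config (values are placeholders).
sample=$(mktemp)
cat > "$sample" <<'EOF'
uri ldap://dc1.example.test/
base dc=example,dc=test
binddn cn=nslcd,ou=Service Accounts,dc=example,dc=test
bindpw REPLACE_ME
ssl off
tls_reqcert never
map passwd uid sAMAccountName
map passwd homeDirectory "/home/$sAMAccountName"
map passwd loginShell "/bin/bash"
EOF
chmod 644 "$sample"
lint_nslcd_conf "$sample" || echo "fix the findings above before enabling LDAP auth"
rm -f "$sample"
```

Run the lint against the real file after step 3 and again against pam_ldap.conf, which takes the same `ssl`/`tls_reqcert` directives. Once nslcd is up, pipe `getent passwd <ad_user>` through `posix_fields_ok`; a failure there means the POSIX attributes or the `map passwd` lines are incomplete, and no amount of PAM configuration in step 4 will make that user's login work.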
Old 08-11-2011, 03:17 PM   #3
LQ Newbie
Registered: Dec 2008
Posts: 12

Original Poster
Rep: Reputation: 0
Thanks for the reply acid_kewpie.

1) I can query AD using ldapsearch.
2) When you say authconfig-tui, I assume you mean GUI. If so, it's a minimal install of CentOS, so there is no X, and that came from above, so I can't install X. What does this GUI program do? I am sure there is a command-line method also.
3/4) So do I understand you correctly in saying that both of these need to be configured? Don't they do the same thing? Is there a reason/difference?

I maybe was not totally clear about my requirements. I just need authentication, really. Although I guess by user information you mean email address, phone number and other metadata about people in LDAP. That would be cool... I suppose not needed by me at the moment. So are you saying it's a totally different set of steps to get that working?

Thanks again for your help.
Old 08-11-2011, 03:25 PM   #4
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1977
I said authconfig-tui because I meant authconfig-tui. TUI = text user interface.

The difference is exactly what I've described. 3) Get user account details. I mean POSIX data, not email addresses: homedir, uid, gid, shell, gecos. 4) Prove you are a specific given user.
Old 10-25-2011, 10:35 AM   #5
LQ Newbie
Registered: Aug 2011
Posts: 20

Rep: Reputation: Disabled
Did you ever get this figured out? If not, I spent an obscene amount of time on this recently and now have it working pretty well. Let me know.
