LinuxQuestions.org
Old 04-29-2011, 04:08 AM   #1
wilslm
LQ Newbie
 
Registered: Apr 2011
Posts: 17

RHEL Authenticate to Active Directory


All,

I managed to get RHEL to authenticate to Active Directory using LDAP and Kerberos. When a user authenticates to the Unix system, the Unix system will check (using Kerberos) against the AD.

However, I just found out that when RHEL (LDAP) does the authentication to the AD (to ensure that RHEL has the right permission to query the LDAP database), it uses a simple bind, which sends the username/password unencrypted over the network.

1) Can we use Kerberos as well for the initial authentication described above?

2) If not possible, is there a way to encrypt the username/password in storage (ldap.conf, because it's world-readable)? I know that for transmission I can use SSL.

Thanks,
 
Old 04-29-2011, 05:27 AM   #2
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

You can use TLS/SSL but it's easier to just remove the bind account from "Domain Users" and add it to "Domain Guests", the exposure is fairly minimal then and you don't have to maintain certs.
 
Old 04-29-2011, 08:23 AM   #3
wilslm
LQ Newbie
 
Registered: Apr 2011
Posts: 17

Original Poster
kbp: Yes, that is also the alternative, but from the performance perspective this is quite heavy, since the *nix boxes are required to do an SSL/TLS handshake every time they request something from the LDAP.

I am thinking of using Kerberos but was wondering whether this functionality is available on RHEL?
 
Old 04-30-2011, 06:17 AM   #4
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

You may have it around the wrong way: the authentication should be Kerberos and the naming services are via LDAP. You should find that the LDAP query is simply a lookup to determine the user's uid and primary gid. Can you confirm?
 
Old 05-02-2011, 06:54 AM   #5
wilslm
LQ Newbie
 
Registered: Apr 2011
Posts: 17

Original Poster
hey kbp,

Thanks for the reply. Currently I can confirm that the user authentication is done through Kerberos. However, when the LDAP client does the initial query to the LDAP server (in this case AD), it uses a simple bind wrapped in SSL/TLS, so it's encrypted.

My question is whether it is possible to use Kerberos for this authentication? Someone told me to use GSSAPI (?)
 
Old 05-02-2011, 11:59 PM   #6
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

I haven't tried it... a quick search seems to indicate that it can be done but may not be straightforward (custom compile, etc.). Hopefully someone else may have more information for you...

cheers
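
An added example, not part of any post in this thread: a small Python check of an nss_ldap/pam_ldap-style ldap.conf for the two exposures raised in post #1, a bind password stored in a world-readable file and a simple bind sent without SSL/TLS. The directive names `binddn`, `bindpw`, `uri`, `ssl` and `use_sasl` are assumed to be the ones the LDAP client reads; the sample file and the finding codes are constructed for illustration.

```python
import stat

# Constructed sample in the style of an nss_ldap/pam_ldap ldap.conf (not from the thread).
SAMPLE_CONF = """\
# constructed example
uri ldap://dc1.example.com/
base dc=example,dc=com
binddn cn=ldapbind,cn=Users,dc=example,dc=com
bindpw NotARealPassword
"""

def parse_directives(text):
    """Return {directive: value}; names are lower-cased, '#' lines are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def audit(text, mode):
    """Return finding codes for a config text and the file's st_mode."""
    conf = parse_directives(text)
    uris = conf.get("uri", "").lower().split()
    # Transport is encrypted if SSL/StartTLS is requested or every URI is ldaps://
    encrypted = conf.get("ssl", "off").lower() in ("on", "yes", "start_tls") or (
        bool(uris) and all(u.startswith("ldaps://") for u in uris))
    # Assumption: use_sasl switches the client from simple bind to SASL (e.g. GSSAPI)
    sasl = conf.get("use_sasl", "no").lower() in ("on", "yes", "true")
    findings = []
    if "bindpw" in conf:
        findings.append("BINDPW_IN_FILE")
        if mode & stat.S_IROTH:          # readable by "other"
            findings.append("BINDPW_WORLD_READABLE")
        if not sasl and not encrypted:   # password crosses the wire in clear
            findings.append("SIMPLE_BIND_CLEARTEXT")
    return findings

if __name__ == "__main__":
    import os, sys
    if len(sys.argv) > 1:                # audit a real file given on the command line
        with open(sys.argv[1]) as fh:
            print(audit(fh.read(), os.stat(sys.argv[1]).st_mode))
    else:                                # otherwise audit the constructed sample as mode 0644
        print(audit(SAMPLE_CONF, 0o100644))
```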
 
  

