Authenticating SSH against Windows Active Directory using LDAP over SSL
I'm running RHEL 5.2 on a few servers and I would like to authenticate the SSH users against the Windows 2003 SP2 AD. I would like to keep the ports that I need to open to a minimum, and would like to utilize LDAP over SSL to accomplish this. I have some initial questions to get me going...
Does anyone know if there is any documentation out on this configuration? I can't seem to find any and I've been searching the web for about a week now. For this specific configuration... i.e., not using Kerberos, winbind, or Samba.
If not, can anyone point me in the right direction as to where to start? My first thoughts were to create a CSR and get that signed by the Windows AD server. Then import that back to Linux, placing it in /etc/openldap/cacerts. Or, is it easier to just import the AD domain cert to the Linux server?
Once the certificates are verified, I know I will need to do some configuration in ldap.conf, nsswitch, and the hosts file. But, I'll get to that once I can even get a trust set up.
By the way, the Linux servers are on the Internal network and the Windows AD server is in the DMZ, so I'm thinking I will also need to update resolv.conf as well.
Any thoughts or direction would be very appreciated.
To do this over ldaps as correctly and nicely as possible, you should check out the MSSFU AD extensions, which will provide proper places for (and management of, afaik) gid and uid management etc. It's possible to use existing attributes in AD, e.g. their fax number, to store a uid if desired, but ultimately a schema extension is better, especially if you are expecting it to scale and remain manageable.
Thank you for the information, I will check with our Windows admins on that. My first goal is to get the trust set up and verified between the Linux and the Windows server. Any thoughts?