By battletroll at 2010-05-07 10:54
LDAP/Active Directory integration Configuration:
Required Packages:
openldap
openssl
nss_ldap(pam_ldap)
cyrus-sasl
krb5-libs
krb5-auth-dialog
krb5-workstation
pam_krb5
system-config-authentication (Should be installed by default)
nscd
ntpd
First, a couple of naming conventions I tried to use:
FQDN or fqdn = Fully Qualified Domain Name
ipaddr = IP address
subdomain.domain.com = example of domain structure
servername = the hostname of the server
I believe that's all of the packages, but I am not 100% sure for each distro.
Installing the packages listed above with yum/apt/zypper SHOULD pull in all the
dependent packages that need to be installed too.
Remember /etc/ldap.conf and /etc/openldap/ldap.conf are two different files used by different applications:
/etc/ldap.conf: # Used by nss_ldap/pam_ldap to look up users and perform authentication.
/etc/openldap/ldap.conf: # Used by the OpenLDAP tools and libraries (ldapsearch etc.) to connect.
/etc/krb5.conf: # Used to bind to Kerberos (the AD realm).
/etc/nsswitch.conf: # Used to define where to collect user info (local files first, network second).
/etc/sysconfig/authconfig: # Used to tell the system which mechanisms to use for user information and authentication.
/etc/ntp/step-tickers # Servers to step the clock against at boot (clock sync; Kerberos refuses tickets if the clock is off by more than the KDC's skew limit, 5 minutes by default)
/etc/ntp/ntpserver # servers to use by ntpd
/etc/ntp.conf # configure the system to use or act as a stratum 1, 2 or 10 server (stratum 10 is the local fallback when no source is available: the system clock)
How To configure:
Start by getting the CA certificate from the Active Directory side: TLS_CACERT is used to validate
the domain controller's LDAP certificate, so you want the certificate of the CA that issued it, not
just the DC's own certificate. The exported Windows certificate will be <servername.domainname>.crt.
A .crt may be either PEM or binary DER; if it does not start with -----BEGIN CERTIFICATE----- it is DER
and has to be converted to PEM. To do this use the following command:
openssl x509 -in input.crt -inform DER -out output.pem -outform PEM
Check the subject, issuer and fingerprint of the result (openssl x509 -in output.pem -noout -subject -issuer -fingerprint)
against what the AD administrator reports before trusting it.
Place the newly converted certificate in /etc/pki/tls/certs or in a directory the openldap
application can read. I used /etc/openldap/cacerts.
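The conversion and the sanity check on the result, as an added shell example (not from the original post). cert_format and ad_cert_to_pem are hypothetical helper names and adcert.sh is an assumed filename; only standard openssl x509 options are used. It detects whether the exported .crt is PEM or DER instead of assuming DER, prints subject, issuer, expiry and SHA-256 fingerprint for the out-of-band comparison, and warns when the file is not a CA certificate, which is the wrong file for TLS_CACERT.

```shell
#!/bin/sh
# Added example (not from the original post). cert_format and ad_cert_to_pem
# are hypothetical helper names; only standard openssl x509 options are used.

# cert_format <file>: print PEM if the file is a PEM certificate, else DER.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo PEM
    else
        echo DER
    fi
}

# ad_cert_to_pem <input.crt> <output.pem>: convert the exported AD certificate
# to PEM (a .crt may be either format, so detect instead of assuming DER),
# then print the fields to verify out of band before trusting it.
ad_cert_to_pem() {
    in=$1
    out=$2
    fmt=$(cert_format "$in")
    openssl x509 -in "$in" -inform "$fmt" -out "$out" -outform PEM || return 1
    chmod 0644 "$out"          # world-readable: nss_ldap reads it as any user
    echo "converted $in ($fmt) -> $out"
    openssl x509 -in "$out" -noout -subject -issuer -enddate -fingerprint -sha256
    # TLS_CACERT must name the CA that issued the DC's LDAP certificate, so a
    # certificate without CA:TRUE is the wrong file for that setting.
    if ! openssl x509 -in "$out" -noout -text | grep -q 'CA:TRUE'; then
        echo "WARNING: $out is not a CA certificate; TLS_CACERT needs the issuing CA" >&2
    fi
}

# Usage: sh adcert.sh <servername.domainname>.crt /etc/openldap/cacerts/ca.pem
if [ "$#" -eq 2 ]; then
    ad_cert_to_pem "$1" "$2"
fi
```

Compare the printed fingerprint with the one the AD administrator reads from the CA's own console; a certificate you cannot match that way is one you should not put in TLS_CACERT.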
Ensure Kerberos is configured correctly.
You can verify this with kinit <AD username>. This will prompt you for a password.
If configured correctly you will receive a ticket-granting ticket from AD (check it with klist).
LDAP DOES NOT need to be configured for this to work.
(See below for configuring the /etc/krb5.conf file)
Next you want to configure /etc/openldap/ldap.conf. Again, this file IS NOT the same as
/etc/ldap.conf. Only the basic information is necessary here.
HOST = The LDAP server (use only one of HOST or URI)
URI = The ldap://<ipaddr> to use. For TLS/SSL on port 636 use ldaps://<ipaddr>
BASE = The root to start searching from in the AD tree (notice I start below the root domain)
TLS_REQCERT = Whether to request and verify the server's certificate (never skips verification, demand enforces it)
TLS_CACERT = The CA cert from AD that was converted earlier (this can be any dir openldap can access)
SSL start_tls = Use STARTTLS on port 389 to encrypt the connection to AD. Use either ldaps:// or ldap:// plus STARTTLS, not both: STARTTLS on the ldaps port fails.
If you are using SELinux ensure the context of the certificate directory is correct.
Use semanage (then restorecon) to set the context if it is wrong.
------------------------------------------------------------------------
# To configure /etc/ldap.conf do the following:
# (To avoid DNS lookups place the IP/FQDN in the /etc/hosts file:
# 192.168.0.1 myhost.example.com)
uri = ldap://<fqdn> or ldaps://<fqdn>
#host = same as above. This can be the IP or FQDN.
(Only use uri or host, not both)
base = Same as above
ldap_version = not necessary if doing version 3, it is the default
binddn = User account to connect to AD and query information with.
(MS admins should limit the access of this account as much as possible, e.g. guest-level, read-only rights: its password sits in a world-readable file, see bindpw)
bindpw = password used to connect to AD by the user specified above
(nss_ldap needs /etc/ldap.conf readable by every local user, so every local user can read this password; that is why the bind account must have minimal rights)
scope = sub specifies to search the tree from base and below
(Remember base is specified above)
timelimit = Time for an LDAP query to wait
#ssl = I use sasl so ssl is not used.
nss_map_objectclass = maps the LDAP objectclass posixAccount to User
nss_map_objectclass = maps the LDAP objectclass shadowAccount to User
nss_map_objectclass = maps the LDAP objectclass posixGroup to Group
nss_map_attribute = maps the UNIX attribute uid to sAMAccountName
nss_map_attribute = maps the LDAP attribute uidNumber to uidNumber
nss_map_attribute = maps the LDAP attribute gidNumber to gidNumber
nss_map_attribute = maps the LDAP attribute cn to sAMAccountName
nss_map_attribute = maps the LDAP attribute homeDirectory to unixHomeDirectory
(you must have the path mounted or tell the system to create dirs for this to work)
nss_map_attribute = maps the LDAP attribute gecos to name
pam_login_attribute = assigns the PAM user ID to sAMAccountName
pam_filter = filters PAM for user information
nss_base_passwd = specifies the nss_ldap base; the ?sub at the end tells it to search base and below
nss_base_shadow = same as above
nss_base_group = same as above but collects group info
tls_cacert = path to the converted PEM certificate from AD
tls_reqcert = whether to request and verify the server certificate. never disables verification (the bind then trusts whatever answers on that address, password included); demand verifies the server against tls_cacert and is what you want once the cert is in place.
bind_policy = soft stops the boot hanging at messagebus (Fedora/Red Hat) when the LDAP server is not reachable yet: hard retries forever, soft gives up.
(There is a chicken/egg problem here: nss_ldap gets called before the network is up.)
** If you need to add attributes just follow the syntax above for mapping
-------------------------------------------------------------------------
/etc/nsswitch.conf tells the system where to get its user/group/password info from.
I only use it for auth and group membership.
passwd: = Use local files first, then winbind, then LDAP
shadow: = Use local files first, then LDAP
group: = Use local files first, then winbind, then LDAP
(winbind only does anything if Samba's winbindd is running; leave it out otherwise.)
You can use more databases, but with LDAP you will need to map the attributes as above.
/etc/sysconfig/authconfig: (Fedora/Red Hat, not sure about the rest)
This is self-explanatory; each setting is either yes or no. I recommend using LDAP for user info and Kerberos
for auth. This howto is for that specific configuration.
This can be configured with system-config-authentication.
If you are configuring the files manually, do not run the tool afterwards: it rewrites the files it manages (PAM, nsswitch.conf, ldap.conf, krb5.conf).
Run:
system-config-authentication (in runlevel 5 a GUI will pop up, in runlevel 3 this will use ncurses)
Select LDAP on the User Information tab.
Select Kerberos on the Authentication tab.
On the last tab select "create home directory" if you want the system to create the home dir for you.
Click OK.
This will also configure PAM for you.
The final steps are simple:
ensure nscd and saslauthd (cyrus-sasl) start at boot.
chkconfig nscd on
chkconfig saslauthd on
That should be about it. Verify with kinit <AD username>, then getent passwd <AD username> and id <AD username>; if both lookups return the AD account, log in as that user.
------------------------------------------------------------------------
The files I use are listed below:
#########################################################################
FILES: #
#########################################################################
/etc/openldap/ldap.conf
HOST <FQDN> # This can be an IP (use only one of HOST or URI)
URI ldaps://<ipaddr> # Use ldaps if port 636 is used
BASE cn=users,dc=subdomain,dc=domain,dc=com # Base domain to start search from
TLS_REQCERT never # never = do NOT verify the server cert; switch to demand once TLS_CACERT is correct
TLS_CACERT /etc/openldap/cacerts/certificate.pem # ENSURE this is the right CA cert and not from a different domain
BINDDN ldapman@subdomain.domain.com # User to connect as
SSL start_tls # STARTTLS on port 389; not needed with the ldaps URI above
---------------------------------------------------------------------------
/etc/ldap.conf
uri ldaps://<fqdn hostname>/ # Same as above
#host <ip address> # IP address of server (use only one of uri or host)
base cn=users,dc=subdomain,dc=domain,dc=com # Search base
ldap_version 3 # Version
binddn cn=ldapman,ou=ServiceAccts,dc=subdomain,dc=domain,dc=com # User to bind as (read-only, least privilege)
bindpw <user passwd> # User's password (this file is world-readable, see above)
scope sub # search base and everything "sub"ordinate to it
timelimit 30
#ssl start_tls # STARTTLS not used with ldaps://, same as above
#
# Active Directory attributes that correspond with LDAP
#
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_objectclass posixGroup Group
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber uidNumber
nss_map_attribute gidNumber gidNumber
nss_map_attribute cn sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute loginShell loginShell
nss_map_attribute uniqueMember member
nss_map_attribute gecos name
pam_login_attribute sAMAccountName # Login name from Windows
pam_filter objectclass=User
nss_base_passwd dc=subdomain,dc=domain,dc=com?sub
nss_base_shadow dc=subdomain,dc=domain,dc=com?sub
nss_base_group dc=subdomain,dc=domain,dc=com?sub
tls_cacert /etc/openldap/cacerts/<servername.domainname.pem> # Path to the CA cert converted earlier (same file as TLS_CACERT above)
tls_reqcert never # never = do NOT verify the server certificate; use demand in production
bind_policy soft # hard retries until the server answers (can hang boot), soft fails over
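A check for the weak settings in the two files above, as an added shell example (not from the original post). audit_ldap_conf is a hypothetical helper, not part of nss_ldap or OpenLDAP; it reads a file in either style (the lower-case nss_ldap keywords of /etc/ldap.conf or the upper-case ones of /etc/openldap/ldap.conf) and flags tls_reqcert never/allow, a plain ldap:// URI with no STARTTLS, a tls_cacert that does not exist, and a bindpw sitting in a file other users can read. The rootbinddn with /etc/ldap.secret mentioned in the comments is nss_ldap's own mechanism for keeping a privileged bind password root-only.

```shell
#!/bin/sh
# Added example (not from the original post): audit_ldap_conf is a hypothetical
# helper that flags the settings in an nss_ldap /etc/ldap.conf (or the
# /etc/openldap/ldap.conf, whose keywords are upper-case) that weaken the AD
# bind. Prints one finding per line and returns the number of findings.
audit_ldap_conf() {
    f=$1
    n=0
    # Drop comment lines and lower-case the keyword so URI and uri both match.
    cfg=$(sed '/^[[:space:]]*#/d' "$f" | awk 'NF { $1 = tolower($1); print }')
    has() { printf '%s\n' "$cfg" | grep -Eq "$1"; }
    say() { echo "$f: $1"; n=$((n + 1)); }

    # 1. Certificate verification switched off: any host that answers on the
    #    address can impersonate the DC and collect the bind password.
    if has '^tls_reqcert[[:space:]]+(never|allow)([[:space:]]|$)'; then
        say "tls_reqcert never/allow disables server certificate checks; use 'tls_reqcert demand'"
    fi
    # 2. Plain ldap:// with no STARTTLS: bind DN, password and every lookup
    #    cross the wire in clear text.
    if has '^uri[[:space:]]+ldap://' && ! has '^ssl[[:space:]]+start_tls'; then
        say "ldap:// without 'ssl start_tls': use ldaps:// or add 'ssl start_tls'"
    fi
    # 3. tls_cacert must point at a readable CA file or verification cannot work.
    ca=$(printf '%s\n' "$cfg" | awk '$1 == "tls_cacert" { print $2; exit }')
    if [ -n "$ca" ] && [ ! -r "$ca" ]; then
        say "tls_cacert $ca does not exist or is not readable"
    fi
    # 4. Bind password in a file other users can read. nss_ldap needs
    #    /etc/ldap.conf readable by everyone, so the password is exposed to
    #    every local account: keep that bind account read-only and minimal, or
    #    use rootbinddn with the password in /etc/ldap.secret (mode 0600).
    if has '^bindpw[[:space:]]'; then
        mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
        case $mode in
            *[4567]) say "bindpw stored in $f, which is readable by other users (mode $mode)" ;;
        esac
    fi
    return $n
}

# Usage (assumed filename): . ./auditldap.sh
#   audit_ldap_conf /etc/ldap.conf; audit_ldap_conf /etc/openldap/ldap.conf
```

Run against the files as posted it reports tls_reqcert never for both and the world-readable bindpw for /etc/ldap.conf; the same function returns 0 once tls_reqcert is demand, tls_cacert points at the converted CA file, and the bind is either ldaps:// or ldap:// with ssl start_tls.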
---------------------------------------------------------------------------
/etc/nsswitch.conf
#
# Controls where linux looks for user/pass info and what order
#
passwd: files winbind ldap
shadow: files ldap
group: files winbind ldap
I had the great experience of working with battletroll on getting the Linux side configured correctly for AD authentication. The instructions/guide written are clear and easy to follow. At times I would get confused and shoot an email, only to get a response with more help.
Can you tell me which distro you are using?
Thx,
MAJOR KUDOS !!!!!!