SHIFT

--- Sjoerd Hooft's InFormation Technology ---

User Tools

Site Tools


Sidebar

Sponsor:

Would you like to sponsor this site?
Or buy me a beer?:


Recently Changed Pages:

View All Pages
View All Q Pages


View All Tags


Sign up for Q to post comments.





WIKI Disclaimer: As with most other things on the Internet, the content on this wiki is not supported. It was contributed by me and is published “as is”. It has worked for me, and might work for you.
Also note that any view or statement expressed anywhere on this site are strictly mine and not the opinions or views of my employer.


Terms And Conditions for Q users


Pages with comments

PageDateDiscussionTags
2019/05/01 14:08 2 Comments
2019/03/15 16:02 1 Comment
2019/03/15 16:02 1 Comment
2019/03/15 16:02 3 Comments
2017/04/20 15:28 1 Comment
2017/04/20 15:23 1 Comment
2017/04/19 14:44 1 Comment
2017/04/17 20:10 1 Comment
2017/04/17 20:07 1 Comment
2017/04/17 19:58 1 Comment
2017/04/17 19:52 1 Comment

View All Comments

redhatadauth

AD LDAP Authentication for Red Hat

This manual continues where AD Identity Management for Unix stopped. Of course you'll also need Active Directory 2008 R2 Basic Installation and a default installed Red Hat server, I'm using a 5.5 Red Hat Enterprise Linux edition.

Now the default package you need for LDAP authentication (openldap and nss_ldap) are installed by default, but ldapsearch, which makes testing the setup very handy is not. You'll need the openldap-client package for that. You can install the package using yum by issuing the command yum install openldap-clients.

If you want to install from a DVD/CDROM you can use this this tutorial to add the media as a software repository.

Also note that you need a user with UNIX attributes set, as explained here.

Another remark is on the ldap configuration files, there are two and each is used for different purposes:

/etc/ldap.conf: 		# Used by pam to perform authentication.
/etc/openldap/ldap.conf: 	# Used by the openldap tools and application to connect.

Test LDAP

The most simple way to test is LDAP is to do a ldapsearch. If this succeeds and output is returned you know you have a successful LDAP installation on Active Directory and that the bind user is also working properly:

[root@shftstc01 yum.repos.d]# ldapsearch -b DC=nibshf,DC=local -h shftstc03 -x -D srv-unixauthentication@nibshf.local -w Beheer666 uid=nibtest
# extended LDIF
#
# LDAPv3
# base <DC=nibshf,DC=local> with scope subtree
# filter: uid=nibtest
# requesting: ALL
#
 
# Nib Test, Users, 00 - Den Haag, nibshf.local
dn: CN=Nib Test,OU=Users,OU=00 - Den Haag,DC=nibshf,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Nib Test
sn: Test
givenName: Nib
distinguishedName: CN=Nib Test,OU=Users,OU=00 - Den Haag,DC=nibshf,DC=local
instanceType: 4
whenCreated: 20121213095140.0Z
whenChanged: 20121213124812.0Z
displayName: Nib Test
uSNCreated: 16691
uSNChanged: 16731
name: Nib Test
objectGUID:: 0leQmTXcD02mCnB4ZWb59w==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 129998754606125793
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAATSYfnx4kzRyWLpMMVAQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: nibtest
sAMAccountType: 805306368
userPrincipalName: nibtest@nibshf.local
lockoutTime: 0
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=nibshf,DC=local
dSCorePropagationData: 20121213095140.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 129998764921175910
uid: nibtest
msSFU30Name: nibtest
msSFU30NisDomain: nibshf
uidNumber: 10000
gidNumber: 10000
unixHomeDirectory: /home/nibtest
loginShell: /bin/bash
 
# search reference
ref: ldap://ForestDnsZones.nibshf.local/DC=ForestDnsZones,DC=nibshf,DC=local
 
# search reference
ref: ldap://DomainDnsZones.nibshf.local/DC=DomainDnsZones,DC=nibshf,DC=local
 
# search reference
ref: ldap://nibshf.local/CN=Configuration,DC=nibshf,DC=local
 
# search result
search: 2
result: 0 Success
 
# numResponses: 5
# numEntries: 1
# numReferences: 3

Another error could come from the bind user you're using. The above format works for the ldapsearch command, but it will not work for the command to configure the LDAP client you'll need later on. That command requires the bind user to be in LDAP format:

ldapsearch -b DC=nibshf,DC=local -h shftstc03 -x -D "CN=Service Account UNIX Authentication,OU=Users (Service Accounts),OU=0 - Global,DC=nibshf,DC=local" -w Beheer666 uid=nibtest

AuthConfig

Another test you can do is start authconfig with the probe option. The –probe action instructs authconfig to use DNS and other means to guess at configuration information for the current host, print its guesses if it finds them to standard output, and exit:

[root@shftstc01 yum.repos.d]# authconfig --probe
ldap shftstc03.nibshf.local/DC=,DC=nibshf,DC=local

You can use authconfig to automatically configure all services, leaving a minimum of manual configuration:

authconfig --enableldap --enableldapauth \
       --ldapserver=ldap://shftstc03.nibshf.local \
       --ldapbasedn="DC=nibshf,DC=local" \
       --disablemkhomedir  \
       --update

This command configures the following files, where sometimes adjustments need te be made:

OpenLDAP ldap.conf

The /etc/openldap/ldap.conf is configured like this and does not need any additional configuration:

[root@shftstc01 yum.repos.d]# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example, dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
URI ldap://shftstc03.nibshf.local
BASE DC=nibshf,DC=local
TLS_CACERTDIR /etc/openldap/cacerts

Ldap.conf

The /etc/ldap.conf is configured like this and needs some additional configuration:

[root@shftstc01 etc]# cat ldap.conf | grep -v '^[#]' | grep -v '^$'
base DC=nibshf,DC=local
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
uri ldap://shftstc03.nibshf.local
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

This is the final version that you'll need for authentication to work. Additional configuration consists of defining the binddn en bindpw, and uncommenting the “# RFC 2307 (AD) mappings”:

[root@shftstc01 etc]# cat ldap.conf | grep -v '^[#]' | grep -v '^$'
base DC=nibshf,DC=local
binddn CN=Service Account UNIX Authentication,OU=Users (Service Accounts),OU=0 - Global,DC=nibshf,DC=local
bindpw Beheer666
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
uri ldap://shftstc03.nibshf.local
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

System-Auth-Ac

The /etc/pam.d/system-auth-ac file is configured like this, and no additional configuration is required:

[root@shftstc01 pam.d]# cat system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

Nsswitch.conf

The /etc/nsswitch.conf file is configured like this and no additional configuration is required:

[root@shftstc01 etc]# cat nsswitch.conf | grep -v '^#' | grep -v '^$'
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files ldap
publickey:  nisplus
automount:  files ldap
aliases:    files nisplus

Additional Configuration

Home Directory

Manually create a home directory for the user you created in Active Directory:

[root@shftstc01 etc]# cd /home
[root@shftstc01 home]# mkdir nibtest
[root@shftstc01 home]# ll
total 4
drwxr-xr-x 2 root root 4096 Dec 14 10:16 nibtest
[root@shftstc01 home]# chown nibtest nibtest/
[root@shftstc01 home]# ls -l
total 4
drwxr-xr-x 2 nibtest root 4096 Dec 14 10:16 nibtest

Testing

You can now test if the Red Hat box recognizes the LDAP as a user source:

[root@shftstc01 etc]# getent passwd nibtest
nibtest:*:10000:10000:Nib Test:/home/nibtest:/bin/bash

Logging In

Now you should be able to log on using your AD account:

$ ssh -l nibtest shftstc01
nibtest@shftstc01's password:
Last login: Fri Dec 14 10:16:16 2012 from shftstc04.nibshf.local
/usr/bin/xauth:  creating new authority file /home/nibtest/.Xauthority
-bash-3.2$

Resources

http://www.wmduszyk.com/?p=8944
http://linux.die.net/man/8/authconfig

Extra authconfig options:

[root@shftstc01 yum.repos.d]# authconfig --help
usage: authconfig [options] <--update|--test|--probe>

options:
  -h, --help            show this help message and exit
  --enableshadow, --useshadow
                        enable shadowed passwords by default
  --disableshadow       disable shadowed passwords by default
  --enablemd5, --usemd5
                        enable MD5 passwords by default
  --disablemd5          disable MD5 passwords by default
  --passalgo=<descrypt|bigcrypt|md5|sha256|sha512>
                        hash/crypt algorithm for new passwords
  --enablenis           enable NIS for user information by default
  --disablenis          disable NIS for user information by default
  --nisdomain=<domain>  default NIS domain
  --nisserver=<server>  default NIS server
  --enableldap          enable LDAP for user information by default
  --disableldap         disable LDAP for user information by default
  --enableldapauth      enable LDAP for authentication by default
  --disableldapauth     disable LDAP for authentication by default
  --ldapserver=<server>
                        default LDAP server
  --ldapbasedn=<dn>     default LDAP base DN
  --enableldaptls, --enableldapssl
                        enable use of TLS with LDAP
  --disableldaptls, --disableldapssl
                        disable use of TLS with LDAP
  --ldaploadcacert=<URL>
                        load CA certificate from the URL
  --enablesmartcard     enable authentication with smart card by default
  --disablesmartcard    disable authentication with smart card by default
  --enablerequiresmartcard
                        require smart card for authentication by default
  --disablerequiresmartcard
                        do not require smart card for authentication by
                        default
  --smartcardmodule=<module>
                        default smart card module to use
  --smartcardaction=<0=Lock|1=Ignore>
                        action to be taken on smart card removal
  --enablekrb5          enable kerberos authentication by default
  --disablekrb5         disable kerberos authentication by default
  --krb5kdc=<server>    default kerberos KDC
  --krb5adminserver=<server>
                        default kerberos admin server
  --krb5realm=<realm>   default kerberos realm
  --enablekrb5kdcdns    enable use of DNS to find kerberos KDCs
  --disablekrb5kdcdns   disable use of DNS to find kerberos KDCs
  --enablekrb5realmdns  enable use of DNS to find kerberos realms
  --disablekrb5realmdns
                        disable use of DNS to find kerberos realms
  --enablesmbauth       enable SMB authentication by default
  --disablesmbauth      disable SMB authentication by default
  --smbservers=<servers>
                        names of servers to authenticate against
  --smbworkgroup=<workgroup>
                        workgroup authentication servers are in
  --enablewinbind       enable winbind for user information by default
  --disablewinbind      disable winbind for user information by default
  --enablewinbindauth   enable winbind for authentication by default
  --disablewinbindauth  disable winbind for authentication by default
  --smbsecurity=<user|server|domain|ads>
                        security mode to use for samba and winbind
  --smbrealm=<realm>    default realm for samba and winbind when security=ads
  --smbidmapuid=<lowest-highest>
                        uid range winbind will assign to domain or ads users
  --smbidmapgid=<lowest-highest>
                        gid range winbind will assign to domain or ads users
  --winbindseparator=<\>
                        the character which will be used to separate the
                        domain and user part of winbind-created user names if
                        winbindusedefaultdomain is not enabled
  --winbindtemplatehomedir=</home/%D/%U>
                        the directory which winbind-created users will have as
                        home directories
  --winbindtemplateprimarygroup=<nobody>
                        the group which winbind-created users will have as
                        their primary group
  --winbindtemplateshell=</bin/false>
                        the shell which winbind-created users will have as
                        their login shell
  --enablewinbindusedefaultdomain
                        configures winbind to assume that users with no domain
                        in their user names are domain users
  --disablewinbindusedefaultdomain
                        configures winbind to assume that users with no domain
                        in their user names are not domain users
  --enablewinbindoffline
                        configures winbind to allow offline login
  --disablewinbindoffline
                        configures winbind to prevent offline login
  --winbindjoin=<Administrator>
                        join the winbind domain or ads realm now as this
                        administrator
  --enablewins          enable wins for hostname resolution
  --disablewins         disable wins for hostname resolution
  --enablepreferdns     prefer dns over wins or nis for hostname resolution
  --disablepreferdns    do not prefer dns over wins or nis for hostname
                        resolution
  --enablehesiod        enable hesiod for user information by default
  --disablehesiod       disable hesiod for user information by default
  --hesiodlhs=<lhs>     default hesiod LHS
  --hesiodrhs=<rhs>     default hesiod RHS
  --enablecache         enable caching of user information by default
  --disablecache        disable caching of user information by default
  --enablelocauthorize  local authorization is sufficient for local users
  --disablelocauthorize
                        authorize local users also through remote service
  --enablepamaccess     check access.conf during account authorization
  --disablepamaccess    do not check access.conf during account authorization
  --enablesysnetauth    authenticate system accounts by network services
  --disablesysnetauth   authenticate system accounts by local files only
  --enablemkhomedir     create home directories for users on their first login
  --disablemkhomedir    do not create home directories for users on their
                        first login
  --nostart             do not start/stop portmap, ypbind, and nscd
  --test                do not update the configuration files, only print new
                        settings
  --update, --kickstart
                        opposite of --test, update configuration files with
                        changed settings
  --updateall           update all configuration files
  --probe               probe network for defaults and print them
You could leave a comment if you were logged in.
redhatadauth.txt · Last modified: 2014/05/22 14:27 by sjoerd