IntroductionWorking with multiple vservers we started thinking about using a single user database for all authentications. Since we are using a MS Server with Exchange and so on it was decided that the Active Directory (AD) of that Server is our User database.
Next we had to get everything under Linux configured to authenticate against our AD, which meant we had to configure PAM to use our AD. Now there are two ways to do that: Winbind and LDAP. Winbind was used before and we had some real bad problems when the Windows Server has been restarted so we thought of using LDAP. Beside that, we did not want to install Samba on all Vservers.
Now to get LDAP working there are some small thoughts you have to consider: First, you need openldap (or similar) to get information from LDAP, but to authenticate you have to use at least kerberos. There are other ways also, but i wanted to keep it as simple as possible and security measurements (clear text passwords,...) were not in consideration at this point.
Our System:
- Windows Server 2003
- Debian Linux testing (at this point)
WindowsYou will have to adjust also the Windows Server since it has to add some more Fields for Unix to the Active Directory. Depending on your system there are multiple ways and they are all explained in the links i added at the end. We used Microsofts Services for Unix 3.5 (SFU).
Then i added a new user ldapauth for the communication, and i adjusted my own user for testing, which means i activated the Unix Attributes and set everything.
ldapsearchFirst i had to get ldapsearch working. For that i installed ldap-client
apt-get install ldap-client libnss-ldap
and then i backuped the
/etc/ldap/ldap.conf file because i made a symbolic link to
/etc/libnss_ldap.conf:
HOST yourhost.com
base ou=Users,dc=your,dc=host,dc=com
uri ldap://yourhost.com/
ldap_version 3
binddn cn=ldapauth,ou=Users,dc=your,dc=host,dc=com
bindpw password
nss_base_passwd ou=Users,dc=your,dc=host,dc=com?one
ss_base_shadow ou=Users,dc=your,dc=host,dc=com?one
nss_base_group ou=Groups,dc=your,dc=host,dc=com?one
nss_map_attribute rfc2307attribute mapped_attribute
nss_map_objectclass rfc2307objectclass mapped_objectclass
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_objectclass posixGroup Group
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute shadowLastChange pwdLastSet
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
ssl off
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
Then i was able to use ldapsearch:
ldapsearch -x -Hldap://yourdomain.com/ "(cn=User Name),dc=your,dc=domain,dc=com" -W -DAdministrator
passwd
Now i had to change the
/etc/nsswitch.conf:
passwd: ldap files
group: ldap files
shadow: ldap files
normally getent passwd should first show the activated AD User and then the linux user. I had some troubles get it working correctly and used strace getent passwd to see that my users from AD have been parsed but somehow did not return in the list. Unfortunately i am not sure anymore what i have done to get this working, but i am pretty sure that it was some change in the
/etc/libnss_ldap.conf.
KerberosNow after we have got ldap talking with AD we need kerberos installed for PAM.
apt-get instal heimdal-clients libpam-heimdal
and then i had to configure the
/etc/krb5.conf:
[logging]
default = FILE:/var/log/krb5lib.log
[libdefaults]
ticket_lifetime = 24000
default_realm = YOURDOMAIN.COM
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
YOURDOMAIN.COM = {
kdc = yourdomain.com:88
admin_server = yourdomain.com
default_domain = yourdomain.com
}
[domain_realm]
yourdomain.com = YOURDOMAIN.COM
.yourdomain.com = YOURDOMAIN.COM
[login]
krb4_convert = true
krb4_get_tickets = false
You can test it with:
kinit testuser
PAMNow finally i had to configure the pam configuration files:
account sufficient pam_ldap.so
account required pam_unix.so
auth sufficient pam_krb5.so ccache=/tmp/krb5cc_%u
auth sufficient pam_ldap.so use_first_pass
auth required pam_unix.so nullok_secure
password required /lib/security/pam_ldap.so use_authtok md5
password required pam_unix.so nullok obscure min=4 max=8 md5
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
Enjoy!
Links:
