
Authenticate Linux against AD

火星人 @ 2014-03-05, replies: 0

This is from a Wiki page I created on our company intranet. It's not finished, but I've tried to mark those sections as (not finished). We are going to be testing RHEL4 soon, so I can't comment how well this will work on that OS. I apologize if it's too simple, or not detailed enough. It's a work in progress and designed for Unix and Windows admins where I work who may or may not have any experience with LDAP. It also may have mistakes as I haven't given it a good once-over.

There is one problem that I have with this. After you make this work, if you do a getent passwd, then you can see Microsoft Services For Unix's hash of the user's passwords. I'm still investigating ways to prevent this, but in the interim, I've aliased the getent command to a script that removes the hashes before displaying the results. My workaround is not a good solution, and doesn't provide any security.

If you find errors, have questions, etc., please post here. I'm subscribed, and removed linuxquestions.org from my spam filter. With the right versions of nss_ldap and pam_ldap, and a bit of PAM tweaking, these instructions should work on any server that uses PAM for authentication.
------
Make a backup of ANY file you plan to edit, and ALWAYS have at least one root terminal open (just in case).

Active Directory (not finished)
Allow Anonymous Reads to the AD or create a bind user (prefer bind user)

Install MS Services for Unix (not finished)
www.microsoft.com/sfu/
Install NIS services to update the schema, then disable the NIS server

Install MS Certificate Server (not finished)
This will let AD use SSL

Packages for Linux
Fedora - nss_ldap (Works with version 234-4, does NOT work with version 220)
Gentoo - pam_ldap, nss_ldap (Tested with Gentoo 2005.1)

Older versions of nss_ldap and pam_ldap had bugs that prevented them from working with AD. It's recommended you get the latest stable version.

ldap.conf
On most systems, the LDAP configuration is located in /etc/openldap/ldap.conf and the NSS_LDAP/PAM_LDAP stuff is in /etc/ldap.conf. Our example domain is, surprise, example.com.

Here are some of the important things to be configured in /etc/ldap.conf

Base
Because an LDAP server is hierarchical, and can contain many domains, the base variable tells LDAP which base container you will be searching. Because user account information is contained in the Users container in our Active Directory domain, you will set your base to

Code:
base    cn=Users,dc=example,dc=com
If your server authenticates for a sub-domain, for example, adserver.subdomain.example.com, then your base variable should be set to

Code:
base    cn=Users,dc=subdomain,dc=example,dc=com
Host
The host variable is exactly that, the fully qualified domain name (FQDN) or IP address of the Active Directory you wish to authenticate against. If you enable SSL (highly recommended), you will have to use the FQDN, because it must match the name in the server's certificate.

Code:
host    adserver.example.com
For redundancy, OpenLDAP allows you to have multiple hosts separated by a space. Failover timeout depends on whether your LDAP libraries allow you to set a timeout using the bind_timelimit variable.

Code:
host    ad1.example.com ad2.example.com
Scope

Code:
scope   sub
SSL
The use of SSL is STRONGLY encouraged. If SSL is not enabled, you will not be able to use the passwd command to change your Active Directory password from Linux. It's worth the extra effort.

To enable SSL, simply change the value of the ssl variable to yes.

Code:
ssl yes
The TLS_CACERT variable is required if you have a self-signed cert or a cert issued by your own CA. This should point to the issuing CA's certificate. You will need to convert the certificate to PEM format. WARNING!!!! This file must be world readable... i.e. don't stick it in /root/ or you will get the infamous "I have no name!" problem.

Code:
TLS_CACERT /etc/ssl/certs/adcert.pem
Bind User
If you don't wish to enable anonymous browsing of your Active Directory, you will need to create a user to bind with in order to use PAM_LDAP. Although this may seem more secure, the ldap.conf file must be world readable, which exposes the bind user's password to every local user. This is still the recommended method. The bind user will need to have the rights to view the Active Directory, and nothing more.

Code:
binddn cn=binduser,cn=Users,dc=example,dc=com
# the nss_ldap/pam_ldap directive is bindpw (not bindpwd)
bindpw secret
Root Bind DN
This is the user that root will bind as. The password is stored in the same directory as ldap.conf in a file called ldap.secret. I'd recommend commenting/leaving it out unless you absolutely need it. I don't like the idea of keeping an administrator password in a clear-text file... even if it's only readable by root.

Code:
rootbinddn cn=administrator,cn=Users,dc=example,dc=com
Active Directory Mappings
In order to make PAM_LDAP talk to Active Directory, you must map the normal (read: the universal non-Microsoft) LDAP name for Unix attributes to their equivalent Active Directory names. The details of these mappings are beyond the scope of this document, however they are required for PAM_LDAP/Active Directory integration.

Code:
#
# Active Directory Mappings
#
pam_login_attribute     sAMAccountName
pam_filter              objectclass=User
pam_password            ad
nss_base_passwd         cn=Users,dc=example,dc=com
nss_base_shadow         cn=Users,dc=example,dc=com
nss_base_group          cn=Users,dc=example,dc=com
nss_map_objectclass     posixAccount    User
nss_map_objectclass     shadowAccount   User
nss_map_attribute       uid             sAMAccountName
nss_map_attribute       uidNumber       msSFU30UidNumber
nss_map_attribute       gidNumber       msSFU30GidNumber
nss_map_attribute       cn              sAMAccountName
nss_map_attribute       uniqueMember    member
nss_map_attribute       userPassword    msSFU30Password
nss_map_attribute       homeDirectory   msSFU30HomeDirectory
nss_map_attribute       loginShell      msSFU30LoginShell
nss_map_attribute       gecos           name
nss_map_objectclass     posixGroup      Group

The nss_base_passwd, nss_base_shadow, and nss_base_group values will all need to be changed to suit your environment. In general, you can just use the value of the base variable. The example assumes a server in the domain example.com. If your Active Directory authenticates for a sub-domain, you will need to adjust accordingly. For example, if your server is called mydc.subdomain.example.com, then these mappings will be

Code:
nss_base_passwd         cn=Users,dc=subdomain,dc=example,dc=com
nss_base_shadow         cn=Users,dc=subdomain,dc=example,dc=com
nss_base_group          cn=Users,dc=subdomain,dc=example,dc=com
Example OpenLDAP Configuration File

Code:
# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
# This file should be world readable but not world writable.
base    cn=Users,dc=example,dc=com
host    adserver.example.com
scope   sub
ssl yes
TLS_CACERT /etc/ssl/certs/adcert.pem
binddn cn=binduser,cn=Users,dc=example,dc=com
bindpw mypassword
#rootbinddn cn=administrator,cn=Users,dc=example,dc=com

#
# Active Directory Mappings
#
pam_login_attribute     sAMAccountName
pam_filter              objectclass=User
pam_password            ad
nss_base_passwd         cn=Users,dc=example,dc=com
nss_base_shadow         cn=Users,dc=example,dc=com
nss_base_group          cn=Users,dc=example,dc=com
nss_map_objectclass     posixAccount    User
nss_map_objectclass     shadowAccount   User
nss_map_attribute       uid             sAMAccountName
nss_map_attribute       uidNumber       msSFU30UidNumber
nss_map_attribute       gidNumber       msSFU30GidNumber
nss_map_attribute       cn              sAMAccountName
nss_map_attribute       uniqueMember    member
nss_map_attribute       userPassword    msSFU30Password
nss_map_attribute       homeDirectory   msSFU30HomeDirectory
nss_map_attribute       loginShell      msSFU30LoginShell
nss_map_attribute       gecos           name
nss_map_objectclass     posixGroup      Group
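
An added check, not code from the original post: a small Python audit of the ldap.conf directives discussed above, covering the world-readable bind password from the Bind User section and the getent hash leak mentioned at the top. The sample file is constructed from the page's example with the pitfalls left in, and file modes are passed as parameters so it runs offline.

```python
# Added audit for an nss_ldap/pam_ldap style /etc/ldap.conf (not code from the post).
import stat

# Constructed sample: the page's example file with the pitfalls the write-up
# describes deliberately present (cleartext LDAP, CA file under /root, ...).
SAMPLE_LDAP_CONF = """\
base    cn=Users,dc=example,dc=com
host    adserver.example.com
ssl no
TLS_CACERT /root/adcert.pem
binddn cn=binduser,cn=Users,dc=example,dc=com
bindpw mypassword
#rootbinddn cn=administrator,cn=Users,dc=example,dc=com
nss_map_attribute       userPassword    msSFU30Password
"""

def parse_ldap_conf(text):
    """Map each directive to its list of values (nss_map_* directives repeat)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return conf

def audit_ldap_conf(text, conf_mode=0o644, cacert_mode=0o644):
    """Return findings; pass os.stat(path).st_mode for the two files in production."""
    conf = parse_ldap_conf(text)
    findings = []
    if conf.get("ssl", ["no"])[0].lower() not in ("yes", "start_tls"):
        findings.append("ssl is off: binds cross the wire in clear text and passwd cannot change the AD password")
    elif "TLS_CACERT" not in conf:
        findings.append("ssl on without TLS_CACERT: only fine if the AD cert chains to a CA already in the system store")
    if "TLS_CACERT" in conf and not cacert_mode & stat.S_IROTH:
        findings.append("TLS_CACERT is not world readable: expect the 'I have no name!' failure")
    if "bindpw" in conf and conf_mode & stat.S_IROTH:
        findings.append("bindpw in a world-readable ldap.conf: every local user can read the bind account's password")
    if "rootbinddn" in conf:
        findings.append("rootbinddn is active: an administrator password lives in clear text in ldap.secret")
    for mapping in conf.get("nss_map_attribute", []):
        local, remote = mapping.split()[:2]
        if local == "userPassword":
            findings.append(f"userPassword mapped to {remote}: getent passwd shows hashes; pam_ldap authenticates by binding, so the mapping can be dropped")
    return findings
```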
SSL PEM file Howto
Converting the Active Directory CA Certificate to the pem format

If your Active Directory server doesn't have a certificate from Verisign, Thawte, etc., then you will need to import the CA Certificate from your CA server. If you are running Microsoft Certificate Server on your Active Directory server, you can download the CA cert from http://youractivedirectoryserver.you....com/certsrv/. You will need to convert the certificate from DER format to PEM format using the following command

Code:
# certsrv's PKCS#7 download: unpack the certificate(s) into PEM so TLS_CACERT can load them
openssl pkcs7 -in activedirectory.cer -inform DER -print_certs -out adcert.pem
# if you downloaded a bare DER X.509 certificate instead, convert it with:
# openssl x509 -in activedirectory.cer -inform DER -out adcert.pem -outform PEM
Save this file in the same place as specified in the TLS_CACERT variable.

NSS_LDAP
The following is an example of an /etc/nsswitch.conf that uses nss_ldap for the passwd, shadow and group databases

Code:
# /etc/nsswitch.conf:
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/nsswitch.conf,v 1.4 2002/11/18 19:39:22 azarah Exp $
passwd:      files ldap compat
shadow:      files ldap compat
group:       files ldap compat
hosts:       files dns
networks:    files dns
services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files
automount:   files
aliases:     files
System-Auth
NOTE: We use pam_stack so that everything in pam.d refers to system-auth for simplicity. If you don't use pam_stack, then you'll need to adjust accordingly. Note the use of pam_mkhomedir to automagically create user directories, it makes things simpler.

In /etc/pam.d/system-auth we have

Fedora:

Code:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
# control field: the standard authconfig setting for pam_ldap in the account stack
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     required      /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel/ umask=0
session     optional      /lib/security/$ISA/pam_ldap.so
Gentoo: (debug is on for testing)

Code:
auth required /lib/security/pam_env.so debug
#auth sufficient /lib/security/pam_ldap.so use_first_pass
auth sufficient /lib/security/pam_unix.so likeauth nullok nodelay debug
auth sufficient /lib/security/pam_ldap.so use_first_pass debug
auth required /lib/security/pam_deny.so debug

account sufficient /lib/security/pam_unix.so debug
account sufficient /lib/security/pam_ldap.so debug

password required /lib/security/pam_cracklib.so retry=3 debug
password sufficient /lib/security/pam_ldap.so use_authtok use_first_pass debug
password sufficient /lib/security/pam_unix.so nullok md5 shadow use_authtok debug
#password sufficient /lib/security/pam_ldap.so use_authtok use_first_pass
password required /lib/security/pam_deny.so debug

session required /lib/security/pam_limits.so debug
session optional /lib/security/pam_unix.so debug
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0
session optional /lib/security/pam_ldap.so debug
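
An added lint for the Fedora and Gentoo system-auth stacks above, not code from the original post: it parses pam.d lines (including the bracketed control form) and flags the points a reviewer of a pam_unix + pam_ldap stack would raise, such as pam_ldap without use_first_pass, a stack that does not end in pam_deny, nullok, and pam_mkhomedir's umask=0. The sample stack is constructed from the page's Fedora file.

```python
# Added lint for /etc/pam.d/system-auth stacks (not the post's code).
import os
import re

# One entry per line: type, control (a word or a [bracketed] action list), module, args.
PAM_LINE = re.compile(r"^(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# Constructed sample condensed from the page's Fedora stack, weaknesses included.
SAMPLE_SYSTEM_AUTH = """\
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
session     required      /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel/ umask=0
"""

def parse_pam(text):
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PAM_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable pam line: {line}")
        kind, control, module, args = m.groups()
        entries.append((kind, control, os.path.basename(module), args.split()))
    return entries

def lint_system_auth(text):
    """Return findings for the pitfalls relevant to a pam_unix + pam_ldap stack."""
    entries = parse_pam(text)
    findings = []
    auth = [e for e in entries if e[0] == "auth"]
    seen_unix = False
    for _, _, module, args in auth:
        seen_unix = seen_unix or module == "pam_unix.so"
        if module == "pam_ldap.so" and seen_unix and "use_first_pass" not in args:
            findings.append("auth pam_ldap.so after pam_unix.so without use_first_pass: users are prompted for the password twice")
    if not auth or auth[-1][2] != "pam_deny.so":
        findings.append("auth stack does not end with pam_deny.so: if every sufficient module fails, the required modules that passed decide the result")
    for kind, _, module, args in entries:
        if kind == "auth" and module == "pam_unix.so" and "nullok" in args:
            findings.append("auth pam_unix.so nullok: local accounts with an empty password can log in")
        if module == "pam_mkhomedir.so":
            umask = next((a[6:] for a in args if a.startswith("umask=")), "022")
            if int(umask, 8) & 0o022 != 0o022:
                findings.append(f"pam_mkhomedir umask={umask}: new home directories are group/world writable; use umask=0077")
    return findings
```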
《Solution》

Bump

《Solution》

Thanks!


http://coctec.com/docs/service/show-post-42763.html