Learn about Linux
Download Linux
Get Linux helpSpecial Offers
Feature
Unite your Linux and Active Directory authentication
By Eric Anderson
on
December 16, 2004 (8:00:00 AM)
Share
Print
Comments
Authentication is easily one of the most critical services provided by your network infrastructure. It is the gatekeeper for every resource on your network. Workstations, applications, printers, and files would all be open to the world without a system of ensuring that only those people who need any given resource can gain access to it. Once you have accepted the fact that you need authentication, you must decide whether to stay with one network operating system in the interest of a completely homogenous network, or accept a "best of breed" system that will better fulfill your needs, even though it will complicate your environment. If you choose the second option, often times you are left with a management nightmare, where you have two, three, or even more authentication engines to maintain across your network operating systems.
One way of simplifying your authentication environment is to use a single authentication source for all of your nodes -- Windows, Linux, or Unix. You can authenticate them all against a directory service such as Active Directory or eDirectory. In this article, we'll describe how to unify your Linux and Active Directory environments. With minor changes, this same procedure can be used to authenticate your Linux hosts against eDirectory or any other LDAP compliant directory service.
For the purposes of this article, we have used Fedora Core 1 as a Linux operating system, Windows Server 2003 (in native mode) as the Active Directory Controller, and Microsoft's Services for Unix 3.5 to simplify the extension of the schema. Your Windows 2003 server should be installed as an Active Directory Controller, and your Fedora device can be just a basic installation with the OpenLDAP client tools and libraries. You'll also need updated NSS_LDAP software; the NSS_LDAP software included in the release has a bug that disables schema mapping.
Preliminary Windows proceduresIn this section, we are going to perform the procedures on the Windows device that are a prerequisite to the use of AD to authenticate Linux against Active Directory. These tasks include the installation of Services for Unix, which will perform a schema extension for us.
- Authenticate to the domain controller as a user that has schema admin rights.
- Take note of the structure of your directory service. Specifically, we are looking to note the location of your user and group objects. These objects are often located in a container similar to the following:
CN=UserContainer,DC=NetBIOSDomain,DC=DNSDomain,DC=DNSSuffixOrCN=UserContainer,DC=DNSDomain,DC=DNSSuffixFor example:CN=Users,DC=LanRx,DC=com Or CN=Users,DC=LanRxDomain,DC=LanRx,DC=com - Extract the files from Microsoft's Services for Unix 3.5 to a location such as c:\temp\sfu
- Run
c:\temp\sfu\setup.exeto install the Services for Unix software -Accept the standard installation -Where prompted for "security settings", leave both boxes blank -Where prompted for "username mapping" select "Local Username Mapping Server" and subsequently "Network Information Services" -Select the Windows Domain Name -Reboot server when complete - Create basic user for LDAP bind. We recommend that you set the password to not expire, and that the user not be allowed to change the password. This account should be used only for binding the Linux device to the Active Directory.
Linux integration
Next, we configure the Linux workstation to perform a pure LDAP authentication against the Active Directory controller. We first install the software to permit us to perform schema mapping, then authenticate as superuser. Next, we run rpm -Uvh nss_ldap-207-6.i386.rpm to install the new NSS_LDAP package (or upgrade if it was already installed).
Now we configure the LDAP client on the Linux device to map the POSIX information to point to the domain controller to collect the appropriate attributes within Active Directory:
- Run
mv /etc/ldap.conf /etc/ldap.origto backup your existing /etc/ldap.conf file. - Run
vi /etc/ldap.confto create your ldap.conf file. - Ensure that the following lines exist in the ldap.conf file. These lines will provide the mapping for the PAM/NSS objects to pull the appropriate Unix POSIX attributes out of Active Directory in a manner that can be used by the PAM modules.
- Run
vi /etc/nsswitch.confto edit the nsswitch configuration file. Ensure that the following lines are configured as follows:
shadow: files ldap
passwd: files ldap
group: files ldap
- Run
authconfigto perform the configuration of "Pluggable Authentication." Note: To the best of my knowledge,authconfigis specific to Red Hat Linux distributions. For a sample system-auth configuration file, please see the example configuration file package associated with the article.
a.) Select LDAP to provide NSS information
b.) Select "Use LDAP"
c.) In the "Server" field, confirm that the IP address of the domain controller appears. Note: Do NOT select TLS. TLS is not supported with Active Directory until Certificate Services is installed. It is possible to leverage TLS within this infrastructure, but outside the scope of this document.
d.) In the "BaseDN:" field, add the location of your user accounts to have access to this device i.e. "cn=Users,dc=ad,dc=lanrx,dc=com"
e.) Click Next
f.) Select LDAP to provide authentication
g.) Select "Use Shadow Passwords"
h.) Select "Use MD5 Passwords"
i.) Select "Use LDAP Authentication"
j.) DO NOT SELECT "Use TLS"
k.) Server should be prepopulated with the domain controller
l.) BaseDN should also be prepopulated with the user location
m.) Select OK
- This process writes the /etc/pam.d/system-auth file. Once this process has been completed, you will want to prepend the following lines into the system-auth file prior to the
accountcomponents. Note: This line provides us with the ability to authenticate locally as superuser in the event of a network failure.
account sufficient /lib/security/pam_localuser.so
host 192.168.100.18 base cn=Users,dc=lanrx,dc=com binddn cn=dirsearch,cn=Users, dc=lanrx,dc=com bindpw D1rectory scope sub ssl no nss_base_passwd cn=Users,dc=lanrx,dc=com?sub nss_base_shadow cn=Users,dc=lanrx,dc=com?sub nss_base_group cn=Users,dc=lanrx,dc=com?sub nss_map_objectclass posixAccount user nss_map_objectclass shadowAccount user nss_map_attribute uid sAMAccountName nss_map_attribute uidNumber msSFU30UidNumber nss_map_attribute gidNumber msSFU30GidNumber nss_map_attribute loginShell msSFU30LoginShell nss_map_attribute gecos name nss_map_attribute userPassword msSFU30Password nss_map_attribute homeDirectory msSFU30HomeDirectory nss_map_objectclass posixGroup Group nss_map_attribute uniqueMember msSFU30PosixMember nss_map_attribute cn cn pam_login_attribute sAMAccountName pam_filter objectclass=user pam_member_attribute msSFU30PosixMember pam_groupdn cn=unixusergroup,dc=lanrx,dc=com pam_password ad
Above, notice the line for pam_groupdn. It specifies that any user to gain access to this server needs to be a posixMember of this particular user group. Upon successful authentication, the system will verify that the authenticated user is a member of the appropriate group. If the user is a member, authentication will occur. If the user is not a member, the system will notify the user that he needs to be a member of the specified group to authenticate entirely.
- Open the Active Directory Users and Groups management tool. a.) Modify a group object to function as a POSIX group.
- Modify a user object to function as a POSIX user. a.) Locate and activate the tab that says Unix Settings.
- Add the user as a Unix member of the group. a.) After you have added the user as a Unix user, you will also need to come back to the group properties and add the user as a member on the Unix Attributes tab. Otherwise, the user will not be populated in the msSFU30PosixMember attribute.
- This user should now be able to authenticate onto the Linux machine via any desired mechanism, including an SSH session. One thing that can sometimes cause problems authenticating is to have the POSIX home directory be unavailable or not exist. Either you can create the directory manually, or you can run a script to collect the home directories and ensure that the directory exists.
As is the case with any other authentication mechanism, we need to configure the user objects for the users that are to use the system. However, if you are implementing this solution, more than likely your users already have Windows accounts. In that case, all we need to do is to modify the objects to be POSIX compliant.
b.) Right-click on the user group for assignment of a GID.
c.) Click on the Unix Attributes tab.
d.) Populate the NIS Domain dropdown and the GID number as appropriate.
b.) Under Unix Settings, set the UID and GID for the user, as well as the home directory location (on the Linux filesystem /home/). Note: You will need to ensure that the directory exists with the appropriate user object having access to the directory.
c.) Reset the user's password. This causes the AD password and the Unix password attributes to synchronize.
At this point, you should have been able to provide authentication for your user objects against an Active Directory. If you would like example configuration files, you can reach them online with this article. Our intention was to help you find your way in Active Directory authentication. This by no means is a solution for everybody. For instance, many organizations will want to perform all LDAP communication over SSL/TLS, which adds a touch of complexity to your implementation due to some limitations on different software packages. If you experience issues pertaining to your implementation, you are welcome to visit our forums with questions.
Supplemental Scripts
Eric Anderson is a partner and solution architect for LanRx, which specializes in open source solutions and open source integration with commercial software.
Comments
on Unite your Linux and Active Directory authenticationNote: Comments are owned by the poster. We are not responsible for their content.
Backhoes are a potential problem for all WANs. The problem is not specific to Linux or Active Directory.
There are two ways to overcome the potential problem of a downed WAN link preventing user logons. One alternative is redundant WAN links that follow diverse paths. This solution can be both difficult and prohibitively expensive for smaller remote sites.
The other solution is to place an LDAP server at the remote site. This would not only reduce the risk cause by a WAN outage but, it would also reduce the WAN traffic for authentication which, depending on the speed of the WAN, can be a major issue.
It would be very difficult to have OpenLDAP replicate Active Directory, if even possible. The best solution in an Active Directory environment is to place another Active Directory Domain Controller at the remote site.
With eDirectory, this is an easier alternative as eDirectory is available for free and runs on Linux as well as Windows and Netware. The cost would only be for hardware whereas, the Active Directory solution would require a Windows Server license as well as the hardware.
If your environment is OpenLDAP, then the above scenario is no different. Simply place another OpenLDAP server at the remote site and use replication. Again, the cost would only be for the hardware.
If you are just starting to use a directory in a Linux environment, eDirectory is definitely the way to go. It is both free and extremely powerful. So is OpenLDAP. But, eDirectory blows OpenLDAP away when it comes to replication, partitioning and especially management tools. eDirectory is years ahead of any other directory.
There are two ways to overcome the potential problem of a downed WAN link preventing user logons. One alternative is redundant WAN links that follow diverse paths. This solution can be both difficult and prohibitively expensive for smaller remote sites.
The other solution is to place an LDAP server at the remote site. This would not only reduce the risk cause by a WAN outage but, it would also reduce the WAN traffic for authentication which, depending on the speed of the WAN, can be a major issue.
It would be very difficult to have OpenLDAP replicate Active Directory, if even possible. The best solution in an Active Directory environment is to place another Active Directory Domain Controller at the remote site.
With eDirectory, this is an easier alternative as eDirectory is available for free and runs on Linux as well as Windows and Netware. The cost would only be for hardware whereas, the Active Directory solution would require a Windows Server license as well as the hardware.
If your environment is OpenLDAP, then the above scenario is no different. Simply place another OpenLDAP server at the remote site and use replication. Again, the cost would only be for the hardware.
If you are just starting to use a directory in a Linux environment, eDirectory is definitely the way to go. It is both free and extremely powerful. So is OpenLDAP. But, eDirectory blows OpenLDAP away when it comes to replication, partitioning and especially management tools. eDirectory is years ahead of any other directory.
A server at the remote site is also highly desirable for storing files and printing functions. What good is being able to logon if no network services can be accessed?
Placing a server at the remote site not only permits local LDAP authentication, it can also be used as the local print server, mail server, file server and who knows what else. Rsync and a cron job can synchronize the files with the main file store on a nightly basis, if desired. With this architecture, the overall bandwidth requirements of the WAN are greatly reduced as well, improving the responsiveness of the local systems.
Placing a server at the remote site not only permits local LDAP authentication, it can also be used as the local print server, mail server, file server and who knows what else. Rsync and a cron job can synchronize the files with the main file store on a nightly basis, if desired. With this architecture, the overall bandwidth requirements of the WAN are greatly reduced as well, improving the responsiveness of the local systems.
Sorry, can't find any reference to eDirectory as a free product. Care to give some pointers?
<nobr> <wbr></nobr>/Pedro
Openldap replication can save you here. The replication scheme is very flexible, and you are not locked out of talking to a replica just because the master is down. You can even run writeable subtrees that replicate to a central read only master. You can chain replicate through sub masters, replicate to as many slaves as you want etc. etc..
IMHO using AD as the enterprise directory would be a big mistake. Better to leave AD read only and feed it from an open standards compliant central solution, like openldap.
http://www.openldap.org/doc/admin22/config.html#R<nobr>e<wbr></nobr> plicated%20Directory%20Service
IMHO using AD as the enterprise directory would be a big mistake. Better to leave AD read only and feed it from an open standards compliant central solution, like openldap.
http://www.openldap.org/doc/admin22/config.html#R<nobr>e<wbr></nobr> plicated%20Directory%20Service
Better to leave AD read only and feed it from an open standards compliant central solution, like openldap.
Not a good idea. We do that here, and find we're limited by the OpenLDAP solution. We're moving to get rid of it within the next six months and go straight AD.
Not a good idea. We do that here, and find we're limited by the OpenLDAP solution. We're moving to get rid of it within the next six months and go straight AD.
Folks,
Thanks for all the answers regarding OpenLDAP, replication and backhoes. To settle your fears, I'm not in a mixed enviro myself, I *do* have a multi-purpose server at each site that would work wonderfully as an OpenLDAP replication peer/sub, and I am that much more confident about the whole idea of going with OpenLDAP.
Now, this eDirectory stuff will be some new reading, and I look forward to it.
I only hope that OpenLDAP can notify slaves of altered master data, to hopefully shorten refresh time (again, like Hesiod, but with IN records).
Either way, I'm very, very thankful for your replies, and I think I only need a free peerfs.com solution to get me to the day when I respect but no longer fear the backhoe.
- bish
Thanks for all the answers regarding OpenLDAP, replication and backhoes. To settle your fears, I'm not in a mixed enviro myself, I *do* have a multi-purpose server at each site that would work wonderfully as an OpenLDAP replication peer/sub, and I am that much more confident about the whole idea of going with OpenLDAP.
Now, this eDirectory stuff will be some new reading, and I look forward to it.
I only hope that OpenLDAP can notify slaves of altered master data, to hopefully shorten refresh time (again, like Hesiod, but with IN records).
Either way, I'm very, very thankful for your replies, and I think I only need a free peerfs.com solution to get me to the day when I respect but no longer fear the backhoe.
- bish
Why not just use winbind. It seems simpler to setup.
I don't know for sure the author's reason, but, in my experience, samba and winbind do not work well at all with windows 2003 in native mode. The problem is that group membership lookups do not work quite right, making ACLs useless. YMMV, but this article's is an interesting alternative that I may have to try in the future.
-Mark
-Mark
This wastes harddrive space Microsoft servers for linux is not required.
One fix is
http://sadms.sourceforge.net/en/index.html
Linux system intergrate into the windows network.
The world is changing tricks like the article are no longer required.
One fix is
http://sadms.sourceforge.net/en/index.html
Linux system intergrate into the windows network.
The world is changing tricks like the article are no longer required.
Re your link to SADMS: Are we really going to trust our networks to a project with typos in the first sentence of its home page?
His french is great just I did not think many people could read that so I posted the english link.
uh, the program you linked to is the "trick." Authenticating against AD is no different from authentication against any other directory that supports LDAP. Using samba to merge windows accounts into a unix environment is much messier and hackier, and more of a pain to maintain.
No extra proticals on the network to be exploted since LDAP is run as part of Active Directory. Encryption is mantained.
People have one account on all systems.
Note I did not say this was the be all and end all.
The trick can be used many different ways not just in the form I said. Basicly everything that sfu gives can be replicated without providing weekness of extra software. Ie samba will be required to access windows file shares and provide windows file shares.
I find this software handy for having linux termals on my desk.
People have one account on all systems.
Note I did not say this was the be all and end all.
The trick can be used many different ways not just in the form I said. Basicly everything that sfu gives can be replicated without providing weekness of extra software. Ie samba will be required to access windows file shares and provide windows file shares.
I find this software handy for having linux termals on my desk.
You are correct, in that Services for Unix is not required. However, it IS likely too be the referred mechanism for a corporate environment, because they are not going to want to dramatically customize their Microsoft/AD environment.
Additionally, it's likely that management in a corporate environment is more likely to trust Micro$crap than they are sourceforge. Whereas I don't necessarily agree, stuff like SADMS is not likely to gain acceptance into the corporate world, though. If you perform an authentication similar to the article (or with Kerberos,as I did with AD/Samba integration), then you are much more likely to be supported in your endeavor.
I'd like to start pushing out some Linux desktop clients to receptive users here at the university, but the network drives are being migrated to DFS on Active Directory (after being heavily Novell for years). I can do forced mounts of shares directly on various servers, but when last I tried (admittedly some months ago) there was no way to log into a DFS domain. Something about signing, as I recall. Has the situation changed; is it possible for a Linux system to play nicely with MS's DFS?
WARNING!!
THIS IS TOTALLY INSECURE!
Without using TLS or LDAPS://(ldap over ssl) everything is in free text.
If your login password is "secret"... it goes on the network as s e c r e t in FREE OPEN TEXT for anyone to sniff.
Very, Very bad idea...its more insecure than NIS.
Do not deploy LDAP without using TLS or LDAPS://
Jezz....
THIS IS TOTALLY INSECURE!
Without using TLS or LDAPS://(ldap over ssl) everything is in free text.
If your login password is "secret"... it goes on the network as s e c r e t in FREE OPEN TEXT for anyone to sniff.
Very, Very bad idea...its more insecure than NIS.
Do not deploy LDAP without using TLS or LDAPS://
Jezz....
You're absolutely correct, in that yes, the clear text version IS the inferior way to go about your auth. However, many corporations that are looking to leverage this kind of a solution are still sending their passwords over clear text via telnet anyway.
It is certainly possible (and the way that I implemented it at my client) to use this with TLS. However, it adds a lot of complication which was not possible to address in the article.
It is certainly possible (and the way that I implemented it at my client) to use this with TLS. However, it adds a lot of complication which was not possible to address in the article.
I don't know why all the concern. Wouldn't it be realtively easy to encrypt this with stunnel?
Make the ldap.conf point to localhost, and tell stunnel to send that data to your AD server. Make sure stunnel gets started on every reboot, and now it should be encrypted whenever you log in.
Make the ldap.conf point to localhost, and tell stunnel to send that data to your AD server. Make sure stunnel gets started on every reboot, and now it should be encrypted whenever you log in.
A better solution would be to use both kerberos and LDAP clients to gain the information from the AD. A native AD domain is already running a KDC and both the Heimdal and MIT clients ignore the proprietary bits in the tickets from the Domain Controllers. I also believe that to be able to access shares that are shared out via DFS require the client to prove itself with a kerberos ticket but I may be mistaken about that part.
This is extremely convenient, but be aware that your passwords are now traversing the network in plain text. Anyone who can sniff the traffic between the linux box and the AD system can capture any passwords used for authentication. If this is not acceptible in your situation, you can set up TLS-encryption, which involves creating a certificate for the AD system and telling the linux box that it can trust the cert or using an alternative authentication method like kerberos against the same AD system. This would allow you to get important info like uids and other naming information via LDAP, but securely encrypt critical information like passwords. Both of these scenarios are beyond the scope of this article, but it's important to be aware of the issues involved.
...and cannot be changed. This is outlaw in many countries.
The only password that I remember that doesn't expire, is the one used for Kerberos.
Did you find another place?
Did you find another place?
You're absolutely correct that authentication is not the same as directory services. One is an action, and one is the source that the action is performed against.
That said...keep in mind all of the applications that are installed out there that want to use their own schema additions, etc. They are frequent. Microsoft is not going to support them, but if you upgrade, your schema information should be pulled from your previous device anyway.
And no, AD would not be fully LDAPv3 compliant. They are Microsoft, after all...
By doing the synchronization, you run into other problems, such as management of updates back and forth. The quality of your identity management tools come into play, then. Personally, I think that you are better off to use a single source. But, that's just me. You don't have to worry about the synchronization of your data if you've only got one source.
That said...keep in mind all of the applications that are installed out there that want to use their own schema additions, etc. They are frequent. Microsoft is not going to support them, but if you upgrade, your schema information should be pulled from your previous device anyway.
And no, AD would not be fully LDAPv3 compliant. They are Microsoft, after all...
By doing the synchronization, you run into other problems, such as management of updates back and forth. The quality of your identity management tools come into play, then. Personally, I think that you are better off to use a single source. But, that's just me. You don't have to worry about the synchronization of your data if you've only got one source.
why on earth is it being done this way, all the other howtos are using kerberos and winbind?
Hello Guys,
I've been working for few days on this and is still not working. I have a Windows 2003 Server and a Fedora core 6. I Installed install services for Unix so when I tried to install SFU again It showed me the message that It has been already installed with version 4.0. So I continued working on it and configured a good part as you guys said in the document. The problem is that every time I try to authenticate with any user I have a wrong Username or password error. I'm sure I'm missing or misconfigurationg something so I copy you guys part of the error that I find in<nobr> <wbr></nobr>/var/logs/secure and the<nobr> <wbr></nobr>/etc/ldap.conf file. Some or all the help is good.
Thanks in advance
Raul Luzardo<nobr> <wbr></nobr>/var/log/secure
Apr 27 16:04:21 localhost gdm[2649]: pam_unix(gdm:auth): check pass; user unknown
Apr 27 16:04:21 localhost gdm[2649]: pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
Apr 27 16:04:21 localhost gdm[2649]: pam_succeed_if(gdm:auth): error retrieving information about user ldap_test
Apr 27 16:19:31 localhost gdm[2649]: pam_unix(gdm:auth): check pass; user unknown
Apr 27 16:19:31 localhost gdm[2649]: pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
Apr 27 16:19:31 localhost gdm[2649]: pam_succeed_if(gdm:auth): error retrieving information about user raul<nobr> <wbr></nobr>/etc/ldap.conf
host 192.168.2.70
base cn=Users,cn=epochldaptest,dc=com
binddn cn=ldap_test,cn=Users,dc=epochldaptest,dc=com
bindpw Secret*1234
scope sub
ssl no
nss_base_passwd cn=Users,dc=epochldaptest,dc=com?sub
nss_base_shadow cn=Users,dc=epochldaptest,dc=com?sub
nss_base_group cn=Users,dc=epochldaptest,dc=com?sub
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_objectclass posixGroup Group
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute cn cn
pam_login_attribute sAMAccountName
pam_filter objectclass=user
pam_member_attribute msSFU30PosixMember
pam_groupdn cn=Users,dc=epochldaptest,dc=com
pam_password ad
I've been working for few days on this and is still not working. I have a Windows 2003 Server and a Fedora core 6. I Installed install services for Unix so when I tried to install SFU again It showed me the message that It has been already installed with version 4.0. So I continued working on it and configured a good part as you guys said in the document. The problem is that every time I try to authenticate with any user I have a wrong Username or password error. I'm sure I'm missing or misconfigurationg something so I copy you guys part of the error that I find in<nobr> <wbr></nobr>/var/logs/secure and the<nobr> <wbr></nobr>/etc/ldap.conf file. Some or all the help is good.
Thanks in advance
Raul Luzardo<nobr> <wbr></nobr>/var/log/secure
Apr 27 16:04:21 localhost gdm[2649]: pam_unix(gdm:auth): check pass; user unknown
Apr 27 16:04:21 localhost gdm[2649]: pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
Apr 27 16:04:21 localhost gdm[2649]: pam_succeed_if(gdm:auth): error retrieving information about user ldap_test
Apr 27 16:19:31 localhost gdm[2649]: pam_unix(gdm:auth): check pass; user unknown
Apr 27 16:19:31 localhost gdm[2649]: pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
Apr 27 16:19:31 localhost gdm[2649]: pam_succeed_if(gdm:auth): error retrieving information about user raul<nobr> <wbr></nobr>/etc/ldap.conf
host 192.168.2.70
base cn=Users,cn=epochldaptest,dc=com
binddn cn=ldap_test,cn=Users,dc=epochldaptest,dc=com
bindpw Secret*1234
scope sub
ssl no
nss_base_passwd cn=Users,dc=epochldaptest,dc=com?sub
nss_base_shadow cn=Users,dc=epochldaptest,dc=com?sub
nss_base_group cn=Users,dc=epochldaptest,dc=com?sub
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_objectclass posixGroup Group
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute cn cn
pam_login_attribute sAMAccountName
pam_filter objectclass=user
pam_member_attribute msSFU30PosixMember
pam_groupdn cn=Users,dc=epochldaptest,dc=com
pam_password ad
Is extending the AD schema absolutely required? Or can I do more on the Linux end to not have to need that, i.e., just use it for credential checking and then use local Linux stuff for everything else?
My reason is that I cannot change the AD schema, but want to LDAP authenticate from Linux.
My reason is that I cannot change the AD schema, but want to LDAP authenticate from Linux.
Is there any way to do the opposite? Have a windows client authenticate/create an association to an LDAP server?
Yes, you can. But it does not require nss_LDAP.
All that is really required is KRB5 for authentication using the KRB5 PAM modules and samba 3's winbind daemon. KRB5 handles authentication against the Kerberos 5 services provided by your Microsoft Domain controller (win 2000 or 2003 domain controller w/active directory). Winbind can then be used to map windows SID's to Unix uID's/gID's respectively. This would eliminate the need to support accounts on both systems without having to modify the AD schema.
All that is really required is KRB5 for authentication using the KRB5 PAM modules and samba 3's winbind daemon. KRB5 handles authentication against the Kerberos 5 services provided by your Microsoft Domain controller (win 2000 or 2003 domain controller w/active directory). Winbind can then be used to map windows SID's to Unix uID's/gID's respectively. This would eliminate the need to support accounts on both systems without having to modify the AD schema.
A couple of other things to point out:
1. Authentication is not the same as directory services. If you want to use the automounter, or fold the NIS information into directory services, it's generally beyond AD.
2. Applications that use LDAP natively *all* want to add their own attributes. MS says that if you modify the AD schema, they will not support the results, and that you will be on your own should they change the default schema (as in an OS upgrade with longhorn). As such, you're introducing a lot of danger into your AD forest by modifying the schema.
3. AD is not fully ldap 3 compatible. There are some things that don't work right.
As such, the corporation I work for decided to deploy LDAP and AD and synchronize the two. This allows applications that need AD to use AD, and those that need LDAP to use LDAP without any translations or introduced problems.
1. Authentication is not the same as directory services. If you want to use the automounter, or fold the NIS information into directory services, it's generally beyond AD.
2. Applications that use LDAP natively *all* want to add their own attributes. MS says that if you modify the AD schema, they will not support the results, and that you will be on your own should they change the default schema (as in an OS upgrade with longhorn). As such, you're introducing a lot of danger into your AD forest by modifying the schema.
3. AD is not fully ldap 3 compatible. There are some things that don't work right.
As such, the corporation I work for decided to deploy LDAP and AD and synchronize the two. This allows applications that need AD to use AD, and those that need LDAP to use LDAP without any translations or introduced problems.
I've had some trouble gettign this to work.
Our setup:
Windows Server AD is npcs.local
Downloaded SFU ok.
User LDAP created in staff OU.
ldifde gives 'sensible' output that includes the msSFU30 attributes.
Linux box:
running asterisk@home (Centos), name asterisk-coota.
I've edited<nobr> <wbr></nobr>/etc/ldap.conf and<nobr> <wbr></nobr>/etc/nsswitch.conf and<nobr> <wbr></nobr>/etc/pam.d/system-auth, I can post them if necessary.
When I try to log on to asterisk-coota as a user in the staff.npcs.local OU, it fails and all I can see is
'user unknown' and 'check password' in<nobr> <wbr></nobr>/var/log/messages.
Where do I turn on more debugging?
Dave
Our setup:
Windows Server AD is npcs.local
Downloaded SFU ok.
User LDAP created in staff OU.
ldifde gives 'sensible' output that includes the msSFU30 attributes.
Linux box:
running asterisk@home (Centos), name asterisk-coota.
I've edited<nobr> <wbr></nobr>/etc/ldap.conf and<nobr> <wbr></nobr>/etc/nsswitch.conf and<nobr> <wbr></nobr>/etc/pam.d/system-auth, I can post them if necessary.
When I try to log on to asterisk-coota as a user in the staff.npcs.local OU, it fails and all I can see is
'user unknown' and 'check password' in<nobr> <wbr></nobr>/var/log/messages.
Where do I turn on more debugging?
Dave
Death by Backhoe!
Posted by: Anonymous Coward on December 16, 2004 05:43 PMSomething like Hesiod<nobr> <wbr></nobr>.. but more secure. Any idea? Will LDAP replication do this without eventually locking out stuff? URLs greatly appreciated!
#