Authenticating against Active Directory

From WTFwiki
Latest revision as of 21:48, 4 January 2013

This page is the knowledge gleaned from trying to authenticate unix boxes against windows 2000 server AD. It may not work right against later versions of windows server, but I don't have a newer machine to test with. I assume you've already installed and configured Services for UNIX (server 2003 and later include it, I believe).

The first thing you'll want to do is add a user that can query LDAP. That's all this user should be able to do; don't allow it to log in or anything else. You'll also want to install pam_ldap on the client machine you're trying to authenticate with.

Also, remember to actually configure the SFU properties for the users whom you want to be able to use LDAP authentication. [domain] and [TLD] below stand for the domain components of your AD domain, e.g. dc=hijacked,dc=us; it's some standard LDAP way of being obtuse.

ldap.conf

uri ldap://ldapserver1.hijacked.us ldap://ldapserver2.hijacked.us
base dc=hijacked,dc=us
binddn cn=[ldapqueryuser],cn=Users,dc=[domain],dc=[TLD]
bindpw [ldapqueryuserpassword]
scope sub
timelimit 5
referrals no
# Services for UNIX 3.5 mappings
pam_login_attribute msSFU30Name
nss_base_passwd dc=hijacked,dc=us?sub
nss_base_group dc=hijacked,dc=us?sub
nss_map_objectclass posixAccount User
nss_map_attribute uid msSFU30Name
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_objectclass posixGroup Group
nss_map_objectclass shadowAccount user

ldap provides a mechanism to store the bindpw in a restricted file, but I could never get it to work right. This ldap.conf should be world readable so that random shell utilities can work right.

PAM config

PAM config should be pretty simple, but it can be OS dependent. On FreeBSD I added this to the /etc/pam.d/sshd file:

auth        sufficient  /usr/local/lib/pam_ldap.so no_warn try_first_pass

You probably want to add this before pam_unix. You could add a similar line for the "login" service if you wanted users to be able to login from the terminal too.

If you want to auto-create the user's home directory you can use pam_mkhomedir in any of the pam service files:

session   required  /usr/local/lib/pam_mkhomedir.so

/etc/nsswitch.conf

You'll probably want to make your group and passwd entries look like this:

group: files ldap
passwd: files ldap

Testing if stuff works

Probably the best way to test at this point is to run 'getent passwd' and see if all your AD users show up alongside the local users. If they don't, you've probably done something wrong.
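The checks below are an added example, not part of the wiki page: a small POSIX sh script that turns the "run getent passwd and look" step into something repeatable. It works on a captured 'getent passwd' listing and a copy of ldap.conf so it runs offline; on a real client you would feed it the live output. All file contents are constructed sample data, and the list of "required" ldap.conf keys is my own choice based on the config above, not something pam_ldap enforces.

```shell
#!/bin/sh
# Added example (not from the wiki page). Sanity checks for the pam_ldap /
# nss_ldap setup described above, run against captured files so it is offline.

WORK=$(mktemp -d)

# Constructed local passwd file (what the box knows without LDAP).
cat > "$WORK/passwd.local" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
EOF

# Constructed 'getent passwd' capture: the local users plus two AD users.
# 'bwong' is an AD user whose SFU home directory / shell were never filled in.
cat > "$WORK/getent.out" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
jdoe:*:10001:10001:John Doe:/home/jdoe:/bin/sh
bwong:*:10002:10001:Bob Wong::
EOF

# Constructed ldap.conf with placeholder values; nss_base_group is missing on purpose.
cat > "$WORK/ldap.conf" <<'EOF'
uri ldap://ldapserver1.example.invalid
base dc=example,dc=invalid
binddn cn=ldapquery,cn=Users,dc=example,dc=invalid
bindpw placeholder-password
scope sub
pam_login_attribute msSFU30Name
nss_base_passwd dc=example,dc=invalid?sub
EOF

# Keys this check insists on (assumption: derived from the page's ldap.conf).
REQUIRED_KEYS="uri base binddn bindpw pam_login_attribute nss_base_passwd nss_base_group"

# check_ldap_conf FILE: print each required key that is absent; return 1 if any is.
check_ldap_conf() {
    conf="$1"; missing=0
    for key in $REQUIRED_KEYS; do
        # present if a line starts with the key followed by whitespace
        if ! grep -Eq "^[[:space:]]*${key}[[:space:]]+" "$conf"; then
            echo "missing: $key"
            missing=1
        fi
    done
    return $missing
}

# ldap_only_users LOCAL_PASSWD GETENT_OUTPUT: usernames that NSS returns but
# that are not in the local passwd file, i.e. the accounts that came from AD.
ldap_only_users() {
    awk -F: 'NR==FNR { seen[$1]=1; next } !($1 in seen) { print $1 }' "$1" "$2"
}

# missing_users GETENT_OUTPUT user...: expected AD users that did not show up
# at all (typically no SFU attributes on the account, or a wrong nss_base_passwd).
missing_users() {
    out="$1"; shift
    for u in "$@"; do
        grep -Eq "^${u}:" "$out" || echo "$u"
    done
}

# check_passwd_fields GETENT_OUTPUT: usernames whose entry is unusable or
# dangerous: non-numeric uid/gid, a uid of 0 on anything but root, or an
# empty home directory / shell (a half-configured SFU user looks like this).
check_passwd_fields() {
    awk -F: '
        $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ { print $1; next }
        $3 == 0 && $1 != "root"             { print $1; next }
        $6 == "" || $7 == ""                { print $1 }
    ' "$1"
}

echo "ldap.conf:"
check_ldap_conf "$WORK/ldap.conf" || echo "ldap.conf is incomplete"
echo "users that came from AD:"
ldap_only_users "$WORK/passwd.local" "$WORK/getent.out"
echo "expected AD users that are absent:"
missing_users "$WORK/getent.out" jdoe bwong ccarter
echo "entries with bad fields:"
check_passwd_fields "$WORK/getent.out"
```

The uid-0 rule is the one worth keeping even after everything else works: with passwd: files ldap, any AD account that ends up with msSFU30UidNumber 0 is a second root as far as the client is concerned.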

Setting up sudo access for certain groups

I forget how I made this work, but I pretty much just added a line like:

%Administrators ALL=(ALL)   ALL

You also need to set up PAM to make sudo work:

/etc/pam.d/sudo

# auth
auth            sufficient      /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth            sufficient      pam_self.so             no_warn
auth            include         system
# account
account         requisite       pam_securetty.so
account         required        pam_nologin.so
account         include         system
# session
session         include         system
# password
password        include         system

Restricting sshd access via LDAP group

You can configure sshd to restrict access via group:

/etc/ssh/sshd_config

AllowGroups Administrators
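Both the sudoers rule above and AllowGroups refer to a group by name, and that name only means something if the group resolves through NSS (so the AD group needs an SFU gid and nss_base_group has to be right). A misspelled or unmapped group in AllowGroups locks everyone out of sshd; in sudoers it silently grants nothing. The script below is an added example, not from the wiki page, that cross-checks the group names in sudoers and sshd_config against a captured 'getent group' listing. All file contents are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the wiki page). Verify that every group named in
# sudoers (%group) and in sshd_config (AllowGroups) resolves via NSS.

WORK=$(mktemp -d)

# Constructed sudoers excerpt.
cat > "$WORK/sudoers" <<'EOF'
root ALL=(ALL) ALL
%Administrators ALL=(ALL)   ALL
%wheel ALL=(ALL) ALL
EOF

# Constructed sshd_config excerpt; 'sshusers' is deliberately not a real group.
cat > "$WORK/sshd_config" <<'EOF'
PermitRootLogin no
AllowGroups Administrators sshusers
EOF

# Constructed 'getent group' capture: local groups plus the AD group
# 'Administrators', which has an SFU gid and two members mapped.
cat > "$WORK/getent.group" <<'EOF'
wheel:*:0:root
operator:*:5:root
Administrators:*:10000:jdoe,bwong
EOF

# sudoers_groups FILE: group names used as %group in the first column.
sudoers_groups() {
    awk '$1 ~ /^%/ { sub(/^%/, "", $1); print $1 }' "$1"
}

# sshd_allow_groups FILE: every name on every AllowGroups line.
sshd_allow_groups() {
    awk 'tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# unresolved_groups GETENT_GROUP name...: names absent from the group database.
unresolved_groups() {
    db="$1"; shift
    for g in "$@"; do
        grep -Eq "^${g}:" "$db" || echo "$g"
    done
}

# group_members GETENT_GROUP name: the member list NSS reports for one group,
# i.e. who the sudoers / AllowGroups rule will actually match.
group_members() {
    awk -F: -v g="$2" '$1 == g { print $4 }' "$1"
}

echo "sudoers groups that do not resolve:"
unresolved_groups "$WORK/getent.group" $(sudoers_groups "$WORK/sudoers")
echo "AllowGroups entries that do not resolve:"
unresolved_groups "$WORK/getent.group" $(sshd_allow_groups "$WORK/sshd_config")
echo "members of Administrators: $(group_members "$WORK/getent.group" Administrators)"
```

Run it before restarting sshd with a new AllowGroups line; the member list is also a quick way to see exactly which AD accounts the %Administrators sudo rule is about to cover.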

Authenticating with apache 2.2 and mod_authz_ldap

If you have apache 2.2 with mod_authz_ldap, all you need to do is something like this:

<Location /somepath>
  AuthType basic
  AuthName "Authenticate, sucker"
  AuthBasicProvider ldap
  AuthLDAPURL ldap://[ldapserver]/DC=[domain],DC=<TLD>?sAMAccountName?sub?(objectClass=*)
  AuthLDAPBindDN cn=[ldapqueryuser],cn=Users,dc=hijacked,dc=us
  AuthLDAPBindPassword [ldapqueryuserpassword]
  Require valid-user
  Require ldap-attribute memberOf=CN=[somegroup],OU=[someOU],DC=hijacked,DC=us
</Location>

You can omit the ldap-attribute, or substitute your own custom query. You can probably put this in a .htaccess file or anywhere you'd use apache authentication. I currently use a setup like this to authenticate SVN commit access using svn/webdav/ldap/ssl.