Authenticating against Active Directory
Latest revision as of 21:48, 4 January 2013
This page is the knowledge gleaned from trying to authenticate Unix boxes against Windows 2000 Server AD. It may not work right against later versions of Windows Server, but I don't have a newer machine to test with. I assume you've already installed and configured Services for UNIX (Server 2003 and later include it, I believe).
The first thing you'll want to do is add a user that can query LDAP. That's all this user should be able to do; don't allow it to log in or do anything else. You'll also want to install pam_ldap on the client machine you're trying to authenticate from.
Also, remember to actually configure the SFU properties for the users you want to be able to use LDAP authentication. [domain] and [TLD] below stand for the components of your domain's base DN, e.g. dc=hijacked,dc=us; it's the standard LDAP way of being obtuse.
ldap.conf
uri ldap://ldapserver1.hijacked.us ldap://ldapserver2.hijacked.us
base dc=hijacked,dc=us
binddn cn=[ldapqueryuser],cn=Users,dc=[domain],dc=[TLD]
bindpw [ldapqueryuserpassword]
scope sub
timelimit 5
referrals no

# Services for UNIX 3.5 mappings
pam_login_attribute msSFU30Name
nss_base_passwd dc=hijacked,dc=us?sub
nss_base_group dc=hijacked,dc=us?sub
nss_map_objectclass posixAccount User
nss_map_attribute uid msSFU30Name
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_objectclass posixGroup Group
nss_map_objectclass shadowAccount user
ldap provides a mechanism to store the bindpw in a restricted file, but I could never get it to work right. This ldap.conf should be world readable so that random shell utilities can work right.
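Because this ldap.conf ends up world-readable and talks to AD over plain ldap://, it is worth checking what it actually exposes before rolling it out. The script below is an added example, not part of the original page: it parses the flat `keyword value` syntax of pam_ldap/nss_ldap ldap.conf, assumes those libraries' `ssl off|on|start_tls` keyword, and reports cleartext URIs, an exposed bindpw, referral chasing, and missing msSFU30 attribute mappings. The sample config is constructed.

```python
# Added example (not from the page): audit a pam_ldap/nss_ldap ldap.conf.
# Assumes the flat 'keyword value' syntax and the 'ssl off|on|start_tls' keyword.
from collections import defaultdict

# SFU 3.5 attributes NSS must have mapped before getent returns usable entries
REQUIRED_MAPS = {"uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell"}

def parse_ldap_conf(text):
    """Return {keyword: [values]}; keywords are case-insensitive, repeats kept."""
    conf = defaultdict(list)
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        conf[parts[0].lower()].append(parts[1] if len(parts) > 1 else "")
    return conf

def audit_ldap_conf(text, mode=0o644):
    """Return findings for the config text; mode is the file's permission bits."""
    conf = parse_ldap_conf(text)
    findings = []
    uris = " ".join(conf.get("uri", [])).split()
    ssl = (conf.get("ssl") or ["off"])[-1].lower()
    if any(u.startswith("ldap://") for u in uris) and ssl not in ("on", "start_tls"):
        findings.append("cleartext: ldap:// URI without 'ssl start_tls' or 'ssl on'; "
                        "bind and user passwords cross the wire unencrypted")
    if "bindpw" in conf and mode & 0o004:
        findings.append("bindpw readable by every local user (mode %o); "
                        "the bind account must be query-only" % mode)
    if (conf.get("referrals") or ["yes"])[-1].lower() != "no":
        findings.append("referrals not disabled; chasing AD referrals slows lookups")
    mapped = {v.split()[0] for v in conf.get("nss_map_attribute", []) if v.split()}
    for attr in sorted(REQUIRED_MAPS - mapped):
        findings.append("missing nss_map_attribute for %s (no msSFU30 mapping)" % attr)
    return findings

# Constructed sample: cleartext URIs, no 'ssl', homeDirectory/loginShell unmapped
SAMPLE_CONF = """\
uri ldap://ldapserver1.hijacked.us ldap://ldapserver2.hijacked.us
base dc=hijacked,dc=us
binddn cn=ldapquery,cn=Users,dc=hijacked,dc=us
bindpw PLACEHOLDER-PASSWORD
referrals no
nss_map_attribute uid msSFU30Name
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
"""
```

Run `audit_ldap_conf(open("/etc/ldap.conf").read(), os.stat("/etc/ldap.conf").st_mode & 0o777)` on a real host; an empty list means the checks above pass.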
PAM config
PAM config should be pretty simple, but it can be OS dependent. On FreeBSD I added this to the /etc/pam.d/sshd file:
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
You probably want to add this before pam_unix. You could add a similar line for the "login" service if you wanted users to be able to login from the terminal too.
If you want to auto-create the user's home directory you can use pam_mkhomedir in any of the pam service files:
session required /usr/local/lib/pam_mkhomedir.so
/etc/nsswitch.conf
You'll probably want to make your group and passwd entries look like this:
group: files ldap
passwd: files ldap
Testing if stuff works
Probably the best way to test at this point is to run 'getent passwd' and see if all your AD users show up alongside the local users. If they don't, you've probably done something wrong.
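Beyond eyeballing the list, it pays to confirm that the uidNumber/gidNumber values SFU hands out do not collide with local accounts (an AD user sharing a uid with a local user owns that user's files). The script below is an added example, not from the original page; it takes the text of `getent passwd` and `/etc/passwd` as strings so it runs offline, and the sample lines are constructed.

```python
# Added example (not from the page): compare 'getent passwd' with /etc/passwd
# to confirm AD users appear and that their SFU uid/gid values are sane.

def parse_passwd(text):
    """Return {name: (uid, gid, home, shell)} from passwd-format lines."""
    users = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) < 7 or not f[2].isdigit() or not f[3].isdigit():
            continue  # blank or malformed line
        users[f[0]] = (int(f[2]), int(f[3]), f[5], f[6])
    return users

def check_ldap_users(getent_text, local_text):
    """Return (ldap_only, problems): users NSS got from LDAP, and findings."""
    merged, local = parse_passwd(getent_text), parse_passwd(local_text)
    ldap_only = {n: v for n, v in merged.items() if n not in local}
    problems = []
    if not ldap_only:
        problems.append("no AD users returned: check nsswitch.conf and ldap.conf")
    local_uids = {v[0]: n for n, v in local.items()}
    for name, (uid, gid, home, shell) in sorted(ldap_only.items()):
        if uid == 0:
            problems.append("%s: AD user mapped to uid 0" % name)
        elif uid in local_uids:
            problems.append("%s: uid %d collides with local user %s" % (name, uid, local_uids[uid]))
        if not home.startswith("/") or not shell.startswith("/"):
            problems.append("%s: empty SFU home or shell (%r, %r)" % (name, home, shell))
    return ldap_only, problems

# Constructed sample input (FreeBSD-style passwd lines, not real output)
LOCAL_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001:Alice:/home/alice:/bin/sh
"""
GETENT_PASSWD = LOCAL_PASSWD + """\
bob:*:10001:10001:Bob:/home/bob:/bin/sh
carol:*:1001:10001:Carol:/home/carol:/bin/sh
dave:*:10003:10001:Dave::
"""

if __name__ == "__main__":
    found, issues = check_ldap_users(GETENT_PASSWD, LOCAL_PASSWD)
    print("users from LDAP:", ", ".join(sorted(found)))
    for issue in issues:
        print("PROBLEM:", issue)
```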
Setting up sudo access for certain groups
I forget how I made this work, but I pretty much just added a line like:
%Administrators ALL=(ALL) ALL
You also need to set up PAM to make sudo work:
/etc/pam.d/sudo
# auth
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth sufficient pam_self.so no_warn
auth include system
# account
account requisite pam_securetty.so
account required pam_nologin.so
account include system
# session
session include system
# password
password include system
Restricting sshd access via LDAP group
You can configure sshd to restrict access via group:
/etc/ssh/sshd_config
AllowGroups Administrators
Authenticating with apache 2.2 and mod_authz_ldap
If you have apache2.2 with mod_authz_ldap, all you need to do is something like this:
<Location /somepath>
AuthType basic
AuthName "Authenticate, sucker"
AuthBasicProvider ldap
AuthLDAPURL ldap://[ldapserver]/DC=[domain],DC=[TLD]?sAMAccountName?sub?(objectClass=*)
AuthLDAPBindDN cn=[ldapqueryuser],cn=Users,dc=hijacked,dc=us
AuthLDAPBindPassword [ldapqueryuserpassword]
Require valid-user
Require ldap-attribute memberOf=CN=[somegroup],OU=[someOU],DC=hijacked,DC=us
</Location>
You can omit the ldap-attribute, or substitute your own custom query. You can probably put this in a .htaccess file or anywhere you'd use apache authentication. I currently use a setup like this to authenticate SVN commit access using svn/webdav/ldap/ssl.