Authenticating against Active Directory

From WTFwiki
Jump to navigation Jump to search
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

This page is the knowledge gleaned from trying to authenticate unix boxes against windows 2000 server AD. It may not work right against later versions of windows server, but I don't have a newer machine to test with. I assume you've already installed and configured Services for UNIX (server 2003 and later include it, I believe).

The first thing you'll want to do is add a user that can query LDAP, that's all this user should be able to do, don't allow them to login or anything. You'll also want to install pam_ldap on the client machine you're trying to authenticate with.

Also, remember to actually configure the SFU properties for the users whom you want to be able to use LDAP authentication. [domain] and [TLD] below are things like dc=hijacked,dc=us, it's some standard ldap way of being obtuse.


uri ldap:// ldap://
base dc=hijacked,dc=us
binddn cn=[ldapqueryuser],cn=Users,dc=[domain],dc=[TLD]
bindpw [ldapqueryuserpassword]
scope sub
timelimit 5
referrals no
# Services for UNIX 3.5 mappings pam_login_attribute msSFU30Name nss_base_passwd dc=hijacked,dc=us?sub nss_base_group dc=hijacked,dc=us?sub nss_map_objectclass posixAccount User nss_map_attribute uid msSFU30Name nss_map_attribute uidNumber msSFU30UidNumber nss_map_attribute gidNumber msSFU30GidNumber nss_map_attribute loginShell msSFU30LoginShell nss_map_attribute userPassword msSFU30Password nss_map_attribute homeDirectory msSFU30HomeDirectory nss_map_objectclass posixGroup Group nss_map_objectclass shadowAccount user

ldap provides a mechanism to store the bindpw in a restricted file, but I could never get it to work right. This ldap.conf should be world readable so that random shell utilities can work right.

PAM config

PAM config should be pretty simple, but it can be OS dependant. On FreeBSD I added this to the /etc/pam.d/sshd file

auth        sufficient  /usr/local/lib/ no_warn try_first_pass

You probably want to add this before pam_unix. You could add a similar line for the "login" service if you wanted users to be able to login from the terminal too.

If you want to auto-create the user's home directory you can use pam_mkhomedir in any of the pam service files:

session   required  /usr/local/lib/


You'll probably want to make your group and passwd entries look like this:

group: files ldap
passwd: files ldap

Testing if stuff works

Probably the best way to test at this point is to run 'getent passwd' and see if all your AD users show up along side the local users. If they don't you've probably done something wrong.

Setting up sudo access for certain groups

I forget how I made this work, but I pretty much just added a line like:

%Administrators ALL=(ALL)   ALL

You also need to setup PAM to make sudo work:


# auth
auth            sufficient      /usr/local/lib/ no_warn try_first_pass
auth            sufficient             no_warn
auth            include         system
# account account requisite account required account include system
# session session include system
# password password include system

Restricting sshd access via LDAP group

You can configure sshd to restrict access via group:


AllowGroups Administrators

Authenticating with apache 2.2 and mod_authz_ldap

If you have apache2.2 with mod_authz_ldap, all you need to do is something like this:

<Location /somepath>
  AuthType basic
  AuthName "Authenticate, sucker"
  AuthBasicProvider ldap
  AuthLDAPURL ldap://[ldapserver]/DC=[domain],DC=<TLD>?sAMAccountName?sub?(objectClass=*)
  AuthLDAPBindDN cn=[ldapqueryuser],cn=Users,dc=hijacked,dc=us
  AuthLDAPBindPassword [ldapqueryuserpassword]
Require valid-user Require ldap-attribute memberOf=CN=[somegroup],OU=[someOU],DC=hijacked,DC=us </Location>

You can omit the ldap-attribute, or substitute your own custom query. You can probably put this in a .htaccess file or anywhere you'd use apache authentication. I currently use a setup like this to authenticate SVN commit access using svn/webdav/ldap/ssl.