Linux and LDAP

The goal of this document is to explain how to delegate the authentication mechanism of my Linux servers to an LDAP directory.
Like many of you, our architecture also includes a Windows Active Directory server for the Windows workstations. To avoid keeping passwords in both AD and LDAP, they are stored only in AD; LDAP only holds the extra information (the groups a user belongs to, and so on). This curious architecture is due to the fact that our AD server belongs to a forest we don't manage, whereas we have full control over the LDAP server.
The main drawback of this specific architecture is that identification and authentication are split: one is done against LDAP, the other against AD.
Ok, now let's open the hood ...

  1. Every user must have the posixAccount object class, which carries the Unix-specific information. You could use several tools to add this object class; personally, I do it with plain OpenLDAP commands, wrapped in a small script:


    # ldapmodify -W -x -v -h $LDAP -D $CRED -a -f /tmp/posixAccount.ldif

    where $LDAP contains ldapserver.mydomain.com:389
    and $CRED contains "uid=fbasquin,ou=Admins,o=mydomain.com"


    posixAccount.ldif contains the following:

    dn: uid=%CN%,ou=people,o=internes,o=axa.ca
    changetype: modify
    add: objectClass
    objectClass: posixAccount
    gidNumber: %GID%
    homeDirectory: /home/%CN%
    uidNumber: %UIDNUMBER%
    description: %GECOS%
    gecos: %GECOS%
    loginShell: /bin/bash

    The script replaces the %VAR% placeholders with the values the user has provided and writes a valid /tmp/posixAccount.ldif.
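    The wrapper script described above, written out as an added example (this is not the author's script). It renders the same %VAR% placeholders with sed, validates the login name, uidNumber, gidNumber and gecos before they reach the DN or the LDIF, and then hands the file to ldapmodify exactly as in the command above. Each attribute is written as its own "add:" clause separated by "-", the modify form every server accepts. The ou=People base (taken from the ldap.conf below), the uid/gid floor of 1000 and the LDAP_APPLY switch are assumptions.

```sh
#!/bin/sh
# Added example (not the author's script): render the posixAccount LDIF from a
# template, validate the inputs, and run ldapmodify on the result.
# Usage:  mkposix.sh <uid> <uidNumber> <gidNumber> "<gecos>"
#         LDAP_APPLY=1 mkposix.sh ...   actually runs ldapmodify (default: dry run)

LDAP="${LDAP:-ldapserver.mydomain.com:389}"                          # from the page
CRED="${CRED:-uid=fbasquin,ou=Admins,o=mydomain.com}"                # from the page
PEOPLE_BASE="${PEOPLE_BASE:-ou=People,o=internes,o=mydomain.com}"   # assumed base

# Same placeholders as the page's posixAccount.ldif, one "add:" clause per attribute.
posix_template() {
    cat <<'EOF'
dn: uid=%CN%,%BASE%
changetype: modify
add: objectClass
objectClass: posixAccount
-
add: uidNumber
uidNumber: %UIDNUMBER%
-
add: gidNumber
gidNumber: %GID%
-
add: homeDirectory
homeDirectory: /home/%CN%
-
add: loginShell
loginShell: /bin/bash
-
add: gecos
gecos: %GECOS%
-
add: description
description: %GECOS%
EOF
}

# A login name: lowercase letters, digits, '.', '_' and '-', 1-32 chars, starting
# with a letter.  This keeps DN, LDIF and path metacharacters out of the entry.
valid_uid() {
    printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9._-]{0,31}$'
}

# uidNumber / gidNumber: 4 to 9 digits, i.e. >= 1000 so that system accounts
# are never shadowed (assumed local policy).
valid_id_number() {
    printf '%s' "$1" | grep -Eq '^[0-9]{4,9}$'
}

# Escape '/' and '&', the characters that are special in a sed replacement.
sed_escape() {
    printf '%s' "$1" | sed 's/[\/&]/\\&/g'
}

# render_posix_ldif <uid> <uidNumber> <gidNumber> <gecos>  ->  LDIF on stdout
render_posix_ldif() {
    cn="$1"; uidn="$2"; gid="$3"; gecos="$4"
    valid_uid "$cn"          || { echo "invalid uid: $cn" >&2; return 1; }
    valid_id_number "$uidn"  || { echo "invalid uidNumber: $uidn" >&2; return 1; }
    valid_id_number "$gid"   || { echo "invalid gidNumber: $gid" >&2; return 1; }
    # gecos ends up in passwd(5) output: no ':' (field separator), no backslash, no newline.
    case "$gecos" in *:*|*\\*) echo "invalid gecos: ':' or '\\' not allowed" >&2; return 1;; esac
    [ "$(printf '%s' "$gecos" | wc -l | tr -d ' ')" -eq 0 ] \
        || { echo "invalid gecos: must be a single line" >&2; return 1; }
    posix_template | sed \
        -e "s/%CN%/$cn/g" \
        -e "s/%BASE%/$(sed_escape "$PEOPLE_BASE")/g" \
        -e "s/%UIDNUMBER%/$uidn/g" \
        -e "s/%GID%/$gid/g" \
        -e "s/%GECOS%/$(sed_escape "$gecos")/g"
}

# apply_posix_ldif: write the LDIF to a temp file and run ldapmodify.  -W prompts
# for the bind password, so it never appears on the command line or in history.
apply_posix_ldif() {
    tmp=$(mktemp /tmp/posixAccount.XXXXXX) || return 1
    if ! render_posix_ldif "$@" > "$tmp"; then rm -f "$tmp"; return 1; fi
    if [ "${LDAP_APPLY:-0}" = 1 ]; then
        ldapmodify -W -x -v -h "$LDAP" -D "$CRED" -a -f "$tmp"
        rc=$?
    else
        echo "dry run; would run: ldapmodify -W -x -v -h $LDAP -D $CRED -a -f $tmp" >&2
        cat "$tmp"; rc=0
    fi
    rm -f "$tmp"
    return $rc
}

# Command-line entry point; does nothing when the file is sourced without arguments.
if [ $# -eq 4 ]; then apply_posix_ldif "$@"; fi
```

    Run it once without LDAP_APPLY to eyeball the generated LDIF, then with LDAP_APPLY=1 to apply it; the uidNumber you pass must still be unique in the directory, which the script does not check.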

  2. Configure /etc/ldap.conf (comments expunged):

    host ldapserver.mydomain.com:389
    base ou=People,o=internes,o=mydomain.com

    nss_base_passwd ou=People,o=internes,o=mydomain.com?sub
    nss_base_shadow ou=People,o=internes,o=mydomain.com?sub
    nss_base_group ou=Groups,o=internes,o=mydomain.com?sub

    ssl no

  3. I access AD through Kerberos. /etc/krb5.conf is:

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    ticket_lifetime = 24000
    default_realm = MYDOMAIN.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true

    [realms]
    MYDOMAIN.COM = {
    kdc = adserver.mydomain.com:88
    admin_server = adserver.mydomain.com:749
    default_domain = mydomain.com
    }

    [domain_realm]
    .mydomain.com = MYDOMAIN.COM
    mydomain.com = MYDOMAIN.COM

    [appdefaults]
    pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
    }

  4. Now PAM (Pluggable Authentication Modules) must be configured. So far, I have only configured /etc/pam.d/sshd:

    #%PAM-1.0
    auth sufficient pam_stack.so service=system-auth
    auth required pam_krb5.so use_first_pass
    auth sufficient pam_ldap.so use_first_pass
    auth required pam_nologin.so
    account sufficient pam_stack.so service=system-auth
    account required pam_ldap.so use_first_pass
    password required pam_stack.so service=system-auth
    session required pam_limits.so
    session sufficient pam_stack.so service=system-auth
    session required pam_ldap.so use_first_pass
    session optional pam_console.so

  5. /etc/nsswitch.conf must also be configured:

    [. . .]
    passwd: files ldap
    shadow: files ldap
    group: files ldap
    [. . .]

  6. The last thing to do is to make sure there is no time lag between your Linux and AD servers; NTP is one tool that can be used for this.

Once all this is set up, there is no reboot or service to start: the defined users must be able to log on through ssh with their Windows username and password.
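To confirm each piece of the chain above before handing the box to users, here is an added check script (not from the page): it verifies that nsswitch.conf routes passwd/shadow/group to ldap after files, that the posixAccount resolves through NSS, that the clock offset to the AD server reported by ntpdate -q is inside the Kerberos tolerance, and that kinit obtains a ticket with the Windows password. The 300 s limit is the krb5 library's default clockskew; the KDC hostname is the one from krb5.conf above, and the script name is an assumption.

```sh
#!/bin/sh
# Added example (not from the page): post-configuration checks for the
# LDAP identification + Kerberos authentication path.
# Usage:  check-ldap-krb.sh <username>

KDC="${KDC:-adserver.mydomain.com}"   # from krb5.conf above
MAX_SKEW=300                          # krb5 default clockskew, in seconds

# nss_uses_ldap <nsswitch.conf path>: 0 if passwd, shadow and group all list
# "ldap" after "files" (files first, so local accounts such as root resolve
# without a directory round-trip when the LDAP server is down).
nss_uses_ldap() {
    awk '
        /^(passwd|shadow|group):/ {
            db = substr($1, 1, length($1) - 1)
            files_seen = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "files") files_seen = 1
                if ($i == "ldap" && files_seen) ok[db] = 1
            }
        }
        END { exit !(ok["passwd"] && ok["shadow"] && ok["group"]) }
    ' "$1"
}

# offset_within_skew "<ntpdate -q output line>": parse the "offset X" field and
# return 0 when |X| <= MAX_SKEW, i.e. the KDC will still accept our requests.
# Constructed example line:
#   "server 10.0.0.5, stratum 2, offset -0.012345, delay 0.02563"
offset_within_skew() {
    printf '%s\n' "$1" | awk -v max="$MAX_SKEW" '
        {
            for (i = 1; i < NF; i++)
                if ($i == "offset") { off = $(i + 1) + 0; found = 1 }
        }
        END {
            if (!found) exit 2
            if (off < 0) off = -off
            exit (off > max)
        }
    '
}

# Live checks against the real system; each prints ok/FAIL with a hint.
run_checks() {
    user="$1"
    if nss_uses_ldap /etc/nsswitch.conf; then
        echo "ok: nsswitch.conf routes passwd/shadow/group to files then ldap"
    else
        echo "FAIL: nsswitch.conf does not list ldap after files for passwd/shadow/group"
    fi
    # Identification: the posixAccount must be visible through NSS.
    if getent passwd "$user" > /dev/null; then
        echo "ok: $user resolves via NSS/LDAP"
    else
        echo "FAIL: getent passwd $user returned nothing (check ldap.conf nss_base_*)"
    fi
    # Clock: Kerberos rejects requests whose timestamp is outside the skew window.
    line=$(ntpdate -q "$KDC" 2>/dev/null | grep ' offset ' | head -n 1)
    if [ -n "$line" ] && offset_within_skew "$line"; then
        echo "ok: clock within ${MAX_SKEW}s of $KDC"
    else
        echo "FAIL: clock offset to $KDC unknown or above ${MAX_SKEW}s ($line)"
    fi
    # Authentication: obtain a TGT from AD with the Windows password.
    if kinit "$user"; then
        echo "ok: kinit succeeded for $user"; klist; kdestroy
    else
        echo "FAIL: kinit failed for $user (realm/KDC in krb5.conf, or clock skew)"
    fi
}

if [ $# -eq 1 ]; then run_checks "$1"; fi
```

Run it as an ordinary user account that exists in LDAP and AD; a FAIL on the clock line is the usual culprit when kinit fails with a pre-authentication error after the rest checks out.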
