Linux and LDAP

The goal of this document is to explain how I delegated the authentication of my Linux servers to an LDAP directory.
Like many of you, our architecture also includes a Windows Active Directory server for the Windows workstations. To avoid keeping passwords both in AD and in LDAP, passwords are owned by AD only; LDAP holds nothing but the extra information (the groups a user belongs to, and so on). This curious architecture is due to the fact that our AD server belongs to a forest we do not manage, whereas we have full control over the LDAP server.
The main drawback of this architecture is that identification and authentication are split: identification (who the user is: uid, gid, home directory, groups) is done against LDAP, authentication (checking the password) against AD.
OK, now let's open the hood...

  1. Every user must have the posixAccount object class, which carries the Unix-specific attributes. You could use several tools to add this object class; personally, I do it with the plain OpenLDAP command-line tools, wrapped in a small script:

    # ldapmodify -W -x -v -h $LDAP -D $CRED -a -f /tmp/posixAccount.ldif

    where $LDAP contains the LDAP server name and $CRED the bind DN, "uid=fbasquin,ou=Admins,"

    posixAccount.ldif contains the following (one add: block per attribute, separated by "-", as RFC 2849 requires in a modify record):

    dn: uid=%CN%,ou=people,o=internes,
    changetype: modify
    add: objectClass
    objectClass: posixAccount
    -
    add: gidNumber
    gidNumber: %GID%
    -
    add: homeDirectory
    homeDirectory: /home/%CN%
    -
    add: uidNumber
    uidNumber: %UIDNUMBER%
    -
    add: description
    description: %GECOS%
    -
    add: gecos
    gecos: %GECOS%
    -
    add: loginShell
    loginShell: /bin/bash

    The script replaces the %VAR% placeholders with what the user has provided and writes a valid /tmp/posixAccount.ldif.

  2. Configure /etc/ldap.conf, the nss_ldap/pam_ldap configuration file (not OpenLDAP's own /etc/openldap/ldap.conf); comments expunged:

    base ou=People,o=internes,

    nss_base_passwd ou=People,o=internes,
    nss_base_shadow ou=People,o=internes,
    nss_base_group ou=Groups,o=internes,

    ssl no

    Note that "ssl no" means every NSS lookup travels to the directory in cleartext. No password crosses this channel in this design (passwords are checked by AD through Kerberos), but uidNumber, gidNumber, homeDirectory and loginShell do, and anyone able to tamper with them on the wire can map a user onto uid 0 or onto a privileged group. Once the directory supports it, switch to "ssl start_tls" with "tls_cacertfile" pointing at the CA certificate that signed the directory server's certificate.

  3. I access AD through Kerberos. pam_krb5 derives the principal name from the login name, so each user's uid in LDAP must be identical to the account name (sAMAccountName) in AD. /etc/krb5.conf is:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     ticket_lifetime = 24000
     default_realm = MYDOMAIN.COM
     dns_lookup_realm = true
     dns_lookup_kdc = true

    [realms]
     MYDOMAIN.COM = {
      kdc =
      admin_server =
      default_domain =
     }

    [domain_realm]
     .mydomain.com = MYDOMAIN.COM
     mydomain.com = MYDOMAIN.COM

    [appdefaults]
     pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
     }

  4. Now PAM (Pluggable Authentication Modules) must be configured. So far I have only configured /etc/pam.d/sshd:

    auth sufficient service=system-auth
    auth required use_first_pass
    auth sufficient use_first_pass
    auth required
    account sufficient service=system-auth
    account required use_first_pass
    password required service=system-auth
    session required
    session sufficient service=system-auth
    session required use_first_pass
    session optional

  5. /etc/nsswitch.conf must also be configured:

    [. . .]
    passwd: files ldap
    shadow: files ldap
    group: files ldap
    [. . .]

  6. The last thing to do is to make sure there is no clock drift between your Linux servers and the AD domain controllers: Kerberos rejects tickets when the skew exceeds five minutes by default (the clockskew setting in [libdefaults]). NTP is one tool that can be used for this.
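The small script of step 1 is not reproduced on this page. What follows is an added example, not the author's script: a POSIX sh wrapper that renders the posixAccount.ldif template and refuses values that would yield a malformed or dangerous entry (a uidNumber of 0, a name carrying DN metacharacters or an extra LDIF line). The directory suffix dc=example,dc=com, the reserved-id threshold of 1000, the 32-character name limit and the LDAP/CRED environment variables are assumptions, not values from the post.

```shell
#!/bin/sh
# mkposix.sh: added example, not the author's own script. Renders the
# posixAccount.ldif template of step 1 from operator-supplied values and
# refuses values that would produce a malformed or dangerous entry.
# PEOPLE_BASE, MIN_ID and the 32-character name limit are assumptions; the
# original post does not show its directory suffix.

PEOPLE_BASE="ou=people,o=internes,dc=example,dc=com"   # assumed placeholder
MIN_ID=1000                                            # assumed reserved range

# The login name becomes part of the DN and of homeDirectory. Restricting it
# to a plain POSIX user name rules out DN metacharacters (",+=<>;\") and the
# newline or colon an attacker would need to inject extra LDIF lines.
valid_cn() {
    case "$1" in
        ''|*[!a-z0-9_-]*|[!a-z_]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# uidNumber/gidNumber: decimal only, and never in the system range. A typo
# (or a malicious request) of "0" would make the account root.
valid_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge "$MIN_ID" ]
}

# gecos is free text, but LDIF gives a leading space, ':' or '<' and any
# line break a special meaning; reject those instead of base64-encoding.
valid_gecos() {
    nl='
'
    case "$1" in
        ''|' '*|':'*|'<'*|*"$nl"*) return 1 ;;
    esac
}

# render_posix_ldif CN GID UIDNUMBER GECOS -> LDIF on stdout, status 1 on bad input
render_posix_ldif() {
    valid_cn "$1"    || { echo "rejected user name: $1" >&2; return 1; }
    valid_id "$2"    || { echo "rejected gidNumber: $2" >&2; return 1; }
    valid_id "$3"    || { echo "rejected uidNumber: $3" >&2; return 1; }
    valid_gecos "$4" || { echo "rejected gecos: $4" >&2; return 1; }
    cat <<EOF
dn: uid=$1,$PEOPLE_BASE
changetype: modify
add: objectClass
objectClass: posixAccount
-
add: gidNumber
gidNumber: $2
-
add: homeDirectory
homeDirectory: /home/$1
-
add: uidNumber
uidNumber: $3
-
add: description
description: $4
-
add: gecos
gecos: $4
-
add: loginShell
loginShell: /bin/bash
EOF
}

# Usage: LDAP=<server> CRED='uid=...' mkposix.sh CN GID UIDNUMBER GECOS
# A private temporary file replaces the fixed, predictable /tmp/posixAccount.ldif.
main() {
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    render_posix_ldif "$@" > "$tmp" || exit 1
    ldapmodify -W -x -v -h "${LDAP:?set LDAP}" -D "${CRED:?set CRED}" -f "$tmp"
}
if [ "$#" -eq 4 ]; then main "$@"; fi
```

Called with four arguments it renders the entry into a private temporary file and hands it to ldapmodify, which still prompts for the bind password as in the command above; sourced without arguments it only defines the functions.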

Once all this is set, there is no reboot and no service to start (if nscd is running, restart it so that it re-reads nsswitch.conf): the users defined in LDAP must be able to log in through ssh with their Windows username and password.
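The sshd stack in step 4 shows the control flags but not the module names. As an added example, not the author's configuration, here is a complete, hypothetical /etc/pam.d/sshd for the same design, together with a small lint that checks what a reviewer would look for: every active line names a module, the auth stack ends in pam_deny.so so that an unmatched login fails closed, and pam_krb5.so reuses the password pam_unix already collected instead of prompting twice. The module options are those of Linux-PAM, pam_krb5 and pam_ldap; pam_mkhomedir, pam_succeed_if and the uid threshold of 1000 are assumptions about the target distribution.

```shell
#!/bin/sh
# Added example, not the author's configuration. write_sshd_pam writes a
# hypothetical /etc/pam.d/sshd for the "identity from LDAP, password from AD"
# design; lint_pam_stack checks the invariants a reviewer would look for.
# pam_mkhomedir, pam_succeed_if and the uid threshold 1000 are assumptions
# about the target distribution.

# write_sshd_pam [DIR]  ->  writes DIR/sshd (DIR defaults to /etc/pam.d)
write_sshd_pam() {
    cat > "${1:-/etc/pam.d}/sshd" <<'EOF'
#%PAM-1.0
# auth: local accounts (root, emergency) keep working when AD is down;
# LDAP users have no local password, so pam_unix fails and pam_krb5 checks
# the same password against AD. pam_deny closes the stack: no module
# accepted the login, no login.
auth       required     pam_env.so
auth       required     pam_nologin.so
auth       sufficient   pam_unix.so
auth       sufficient   pam_krb5.so use_first_pass
auth       required     pam_deny.so
# account: broken_shadow ignores the missing shadow entry of LDAP users;
# LDAP-side restrictions apply to LDAP users only (user_unknown=ignore).
account    required     pam_unix.so broken_shadow
account    sufficient   pam_localuser.so
account    sufficient   pam_succeed_if.so uid < 1000 quiet
account    [default=bad success=ok user_unknown=ignore] pam_ldap.so
account    required     pam_permit.so
# password: passwords are owned by AD, change them there, not through ssh.
password   required     pam_deny.so
# session: create /home/<uid> on first login (homeDirectory is only a
# string in LDAP), then keep the Kerberos ticket for the session.
session    required     pam_limits.so
session    required     pam_mkhomedir.so skel=/etc/skel umask=0077
session    optional     pam_krb5.so
session    required     pam_unix.so
EOF
}

# lint_pam_stack FILE  ->  0 if the stack is well formed and fails closed
lint_pam_stack() {
    # every active line needs a type, a control and a module (a field ending in .so)
    awk '!/^#/ && NF {
            ok = 0
            for (i = 3; i <= NF; i++) if ($i ~ /\.so$/) ok = 1
            if (NF < 3 || !ok) { print "line " NR ": malformed: " $0 > "/dev/stderr"; bad = 1 }
         }
         END { exit bad }' "$1" || return 1
    # the last auth line must be pam_deny.so, otherwise a login that matched
    # no sufficient module is decided by whatever the earlier modules returned
    case "$(awk '$1 == "auth" { last = $0 } END { print last }' "$1")" in
        *pam_deny.so*) ;;
        *) echo "auth stack does not end with pam_deny.so" >&2; return 1 ;;
    esac
    # pam_krb5 must reuse the password pam_unix collected, or users get two prompts
    grep -Eq '^auth[[:space:]].*pam_krb5\.so.*use_first_pass' "$1" \
        || { echo "pam_krb5.so auth line lacks use_first_pass" >&2; return 1; }
}
```

Run lint_pam_stack against any candidate stack before installing it; a stack that ends its auth section with pam_permit.so, or that omits use_first_pass on pam_krb5.so, is rejected with a message naming the problem.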