Linux and LDAP

The goal of this document is to explain how to delegate authentication for my Linux servers to an LDAP directory.
Like many of you, our architecture also includes a Windows Active Directory server for the Windows workstations. To avoid keeping passwords both in AD and in LDAP, they are owned by AD only; LDAP holds only the extra information (the groups a user belongs to, and so on). This curious architecture is due to the fact that our AD server belongs to a forest we don't manage, whereas we have full control over the LDAP server.
The main drawback of this architecture is that it splits identification from authentication: the former is done on LDAP, the latter on AD.
Ok, now let's open the hood ...

  1. Every user must have a posixAccount object class. This object class carries the Unix-specific information. You could use several tools to add this object class; personally, I do it with plain OpenLDAP commands, wrapped in a small script:


    # ldapmodify -W -x -v -h $LDAP -D $CRED -a -f /tmp/posixAccount.ldif

    where $LDAP contains ldapserver.mydomain.com:389
    and $CRED contains "uid=fbasquin,ou=Admins,o=mydomain.com"


    posixAccount.ldif contains the following:

    dn: uid=%CN%,ou=people,o=internes,o=axa.ca
    changetype: modify
    add: objectClass
    objectClass: posixAccount
    gidNumber: %GID%
    homeDirectory: /home/%CN%
    uidNumber: %UIDNUMBER%
    description: %GECOS%
    gecos: %GECOS%
    loginShell: /bin/bash

    The script replaces the %VAR% placeholders with the values the user has provided and creates a valid /tmp/posixAccount.ldif.

  2. Configure /etc/ldap.conf (comments expunged):

    host ldapserver.mydomain.com:389
    base ou=People,o=internes,o=mydomain.com

    nss_base_passwd ou=People,o=internes,o=mydomain.com?sub
    nss_base_shadow ou=People,o=internes,o=mydomain.com?sub
    nss_base_group ou=Groups,o=internes,o=mydomain.com?sub

    ssl no

  3. I access AD through Kerberos. /etc/krb5.conf is:

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    ticket_lifetime = 24000
    default_realm = MYDOMAIN.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true

    [realms]
    MYDOMAIN.COM = {
    kdc = adserver.mydomain.com:88
    admin_server = adserver.mydomain.com:749
    default_domain = mydomain.com
    }

    [domain_realm]
    .mydomain.com = MYDOMAIN.COM
    mydomain.com = MYDOMAIN.COM

    [appdefaults]
    pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
    }

  4. Now, PAM (Pluggable Authentication Modules) must be configured. So far, I have only configured /etc/pam.d/sshd:

    #%PAM-1.0
    auth sufficient pam_stack.so service=system-auth
    auth required pam_krb5.so use_first_pass
    auth sufficient pam_ldap.so use_first_pass
    auth required pam_nologin.so
    account sufficient pam_stack.so service=system-auth
    account required pam_ldap.so use_first_pass
    password required pam_stack.so service=system-auth
    session required pam_limits.so
    session sufficient pam_stack.so service=system-auth
    session required pam_ldap.so use_first_pass
    session optional pam_console.so

  5. /etc/nsswitch.conf must also be configured:

    [. . .]
    passwd: files ldap
    shadow: files ldap
    group: files ldap
    [. . .]

  6. The last thing to do is to ensure there is no time lag between your Linux servers and the AD servers, since Kerberos rejects tickets when the clocks drift too far apart. NTP is one tool that can be used for this.
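Here is an added example of the kind of wrapper step 1 describes; it is not the author's script. It renders the posixAccount.ldif template from the values the wrapper collects, and adds the checks a plain %VAR% substitution lacks: integer uid/gid numbers, a safe uid for the DN and home path, and base64 encoding of gecos values that LDIF cannot carry verbatim. The base DN defaults to the one in the step 2 ldap.conf, and the 1000 cutoff for the system uid range is an assumption.

```shell
#!/bin/sh
# Added example (not the author's script): render the step-1 posixAccount.ldif
# template with validation. LDAP_BASE is taken from the step-2 ldap.conf.
LDAP_BASE=${LDAP_BASE:-ou=People,o=internes,o=mydomain.com}

# LDIF rule: a value that starts with space, ':' or '<', ends with a space, or
# holds any byte outside printable ASCII (an accented gecos, for instance)
# must be base64 encoded and written as "attr:: value", not "attr: value".
needs_b64() {
    case $1 in ' '*|:*|'<'*|*' ') return 0;; esac
    printf '%s' "$1" | LC_ALL=C grep -q '[^ -~]'
}
ldif_attr() {
    if needs_b64 "$2"; then
        printf '%s:: %s\n' "$1" "$(printf '%s' "$2" | base64 | tr -d '\n')"
    else
        printf '%s: %s\n' "$1" "$2"
    fi
}

# render_posix_ldif CN GID UIDNUMBER GECOS -> LDIF on stdout, returns 1 on bad input
render_posix_ldif() {
    cn=$1; gid=$2; uidn=$3; gecos=$4
    # The uid ends up in the DN and in the home path: restrict it to a safe charset
    case $cn in ''|*[!a-z0-9._-]*) echo "bad uid: '$cn'" >&2; return 1;; esac
    # uidNumber/gidNumber must be integers; an empty or garbage value would
    # yield an LDIF the server rejects, or a silent uid collision later on
    for n in "$gid" "$uidn"; do
        case $n in ''|*[!0-9]*) echo "bad numeric id: '$n'" >&2; return 1;; esac
    done
    # Keep new users out of the system uid range (assumed cutoff: 1000)
    [ "$uidn" -ge 1000 ] || { echo "uidNumber $uidn is reserved" >&2; return 1; }
    printf 'dn: uid=%s,%s\n' "$cn" "$LDAP_BASE"
    printf 'changetype: modify\nadd: objectClass\nobjectClass: posixAccount\n'
    printf 'gidNumber: %s\nhomeDirectory: /home/%s\nuidNumber: %s\n' "$gid" "$cn" "$uidn"
    ldif_attr description "$gecos"
    ldif_attr gecos "$gecos"
    printf 'loginShell: /bin/bash\n'
}

# Typical use from the wrapper (constructed sample values), before ldapmodify:
# render_posix_ldif fbasquin 500 1042 'François Basquin' > /tmp/posixAccount.ldif
```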

Once all this is set, there is no reboot or service restart needed: the defined users should be able to log on through ssh with their Windows username and password.

Update This project was never finished. My initial motivation was that I only had one 5"1/4 floppy disk. Since then, I have been given about thirty floppy disks whose halves are new. The other reason is that my prototype was never recognized by the QX1; the sequencer was simply not booting up. Since I had other sequencers to play with (PC with 2 x MOTU MTPAV USB + MidiSport 4X4 = 20 inputs, 20 outputs, 320 channels), I gave up for now and put back the controler and floppy drive. However, I'm still studying the possibility of completely replacing the motherboard with a Raspberry Pi: check this llink . Context I have a Yamaha QX1 MIDI sequencer from 1984. The backup medium is 5"1/4 floppy disks. This project is an attempt to replace the floppy drive (Canon MF-221) and the Floppy Disk Controler (Fujitsu MB8877a) with an Arduino. Documentation Yamaha QX1 Operating Guide.pdf Yamaha QX1 Reference Manual.pdf Yamaha QX1 Overall Circuit Diagram Part 1...