you're reading...
Linux Tips and Tricks

How to Authenticate Linux Client with Active Directory

This tutorial is inspired by this Wiki

The idea behind is that authentication is passed through AD using SASL. I will not go into details as the above link presents the scenario well enough with technical description.

What I will be providing the is the real configuration that was done on our setup.

Environment: CentOS release 5.8 (Final)/ 64bit

1. yum install cyrus-sasl –exclude=*.i386

2. yum install openldap-servers openldap-clients

3. Edit /etc/sysconfig/saslauthd and change the MECH value to ldap and FLAGS to “-O /etc/saslauthd.conf”

4. Create file /etc/saslauthd.conf with the following entries below:
ldap_servers: ldap://ad.example.local
ldap_search_base: CN=DomainUsers,DC=example,DC=local
ldap_timeout: 10
ldap_filter: sAMAccountName=%U
ldap_bind_dn: CN=Administrator,CN=Users,DC=example,DC=local
ldap_password: ADpassword
ldap_deref: never
ldap_restart: yes
ldap_scope: sub
ldap_use_sasl: no
ldap_start_tls: no
ldap_version: 3
ldap_auth_method: bind

5. Enable communication between ldap and saslauthd by creating the file /usr/lib64/sasl2/slapd.conf with the ff contents:
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

6. Modify /etc/openldap/ldap.conf and add below entries:
sasl-host localhost
sasl-secprops none

7. Restart ldap and saslauthd services and test authentication to AD
/etc/init.d/saslauthd restart
/etc/init.d/ldap restart

Test: /usr/sbin/testsaslauthd -u testad.user-p password
Successful authentication should return something like this: 0: OK "Success."

8. LDAP and saslauthd are now ready. Prepare the local LDAP database to be populated with AD accounts (This will be selected users only that would be allowed to access our linux servers)
8.1 Edit /etc/openldap/slapd.conf and modify the ff: arguments below as follows:
suffix "dc=mydomain,dc=local"
rootdn "cn=admin,dc=mydomain,dc=local"

8.2 Edit /etc/openldap/ldap.conf and modify BASE and URI arguments as follows:
BASE dc=mydomain,dc=local
URI ldap://localhost

8.3 Create an ldap entry like below and saved it as base.ldif. This will be added as the base entry for ldap database
dn: dc=mydomain,dc=local
objectClass: domain
dc: mydomain
structuralObjectClass: domain

dn: ou=People,dc=mydomain,dc=local
objectClass: organizationalUnit
ou: People
structuralObjectClass: organizationalUnit

dn: cn=queryuser,dc=mydomain,dc=local
cn: queryuser
sn: queryuser
objectClass: top
objectClass: person
userPassword:: e01ENX04MVdkaTZ5TTVSL1Rlb1RiWUNwenNBPT0=
structuralObjectClass: person
8.4 Stop ldap and add the base.ldif above via slapadd command: slapadd -v -l base.ldif
Start ldap and check the if entries are indeed loaded via ldapsearch: ldapsearch -x -H ldap://localhost

9. Base LDAP is ready. This can now be populated with AD accounts: (accounts are based on the group created @ AD). Create an the LDIF entries for the user and add to ldap via ldapadd command. To automate the addition process, I have created a simple shell script that can be ran daily to add new users. The script will check for members of the defined group at AD and will then create the ldif file for each user with the ff entries added on ldap database:
dn: uid=user01,ou=people,dc=mydomain,dc=local
uid: user01
cn: user01
loginShell: /bin/bash
uidNumber: 2055
gidNumber: 100
sn: user01
homeDirectory: /home/o/user01
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: top
userPassword: {SASL}user01@example.local

Once complete. Ldap authentication(/etc/ldap.conf) can now be configured with the ff entries:
host iP-address-of-the-ldap-server
base dc=mydomain,dc=local
ldap_version 3
binddn cn=queryuser,dc=mydomain,dc=local
bindpw queryuserpassword
port 389
scope sub
timelimit 30
bind_timelimit 30
bind_policy soft
nss_reconnect_tries 2
idle_timelimit 3600
pam_login_attribute uid
pam_min_uid 2005
pam_max_uid 64999
nss_base_passwd ou=People,dc=mydomain,dc=local?one
nss_base_shadow ou=People,dc=mydomain,dc=local?one
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

That’s it!



2 thoughts on “How to Authenticate Linux Client with Active Directory

  1. Great blog written by YONGITZ. It helped me a lot. I have implemented ldap pass-through in Centos7 by refering this blog. http://adminmirror.blogspot.in/2015/05/openldap-pass-through-authentication.html
    Once again thank you so much.

    Posted by Shankar Patel | May 18, 2015, 9:21 pm
  2. glad to know i was of help. Btw – you’ve got nice post. I might be needing that as a reference soon.

    Posted by yongitz | July 11, 2015, 11:57 pm

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s