Red Hat Authentication to Active Directory

I have a Red Hat 5.x system that I need to authenticate to a Windows 2003 Active Directory domain. Here are the steps I went through to get it to happen.

Files that need to be edited:

    /etc/ldap.conf
    /etc/openldap/ldap.conf
    /etc/openldap/cacerts/*
    /etc/pam.d/system-auth-ac
    /etc/sysconfig/authconfig
    /etc/krb5.conf
    /etc/nsswitch.conf

The authconfig-tui command will edit these files and restart services if needed, but I have found that it will also mess some of the files up. The command is a good starting point, and then you should go in and edit the files after to get the proper configuration for your site.
So, start with the authconfig-tui command. Under User Information select Use LDAP. Under Authentication select MD5 Passwords, Shadow Passwords and Kerberos (you can also add LDAP Authentication, but Kerberos works great for authentication).

Edit /etc/ldap.conf

Edit the file with the settings you need to connect to your Domain Controller. I use LDAPS, so that is what I have configured.

uri [YOUR LDAP SERVER, like ldaps://dc.example.com]
ldap_version 3

tls_cacertdir /etc/openldap/cacerts

base [YOUR BASE CONTAINER IN AD]

binddn [YOUR BIND ACCOUNT DN]
bindpw [YOUR BIND ACCOUNT PASSWORD]

scope sub

timelimit 10
bind_timelimit 10
idle_timelimit 3600

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
referrals no

NSS_BASE_PASSWD [YOUR BASE CONTAINER]?sub
NSS_BASE_SHADOW [YOUR BASE CONTAINER]?sub
NSS_BASE_GROUP [YOUR BASE CONTAINER]?sub?(&(objectCategory=group)(gidnumber=*))

# RFC 2307 (AD) mappings
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_attribute uniqueMember member
#nss_map_attribute gecos cn
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password md5
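Because nss_ldap is loaded into every process that resolves a user or group, /etc/ldap.conf is normally world-readable, which means the bindpw above is too. The script below is an added example, not part of the original post: it lints an nss_ldap-style ldap.conf for the settings this section depends on (an ldaps:// URI, a CA directory or file, referrals off) and flags a bind password sitting in a file that other local users can read. It assumes GNU stat as shipped on Red Hat, and the sample configuration it lints is constructed, not a real site's file.

```shell
#!/bin/sh
# Added example: lint an nss_ldap /etc/ldap.conf for the settings the post
# relies on and for a world-readable bind password. Not from the original post.

# Usage: lint_ldap_conf /path/to/ldap.conf
# Prints one line per finding; the return value is the number of findings (0 = clean).
lint_ldap_conf() {
    f="$1"
    n=0
    # Drop comments and blank lines once; nss_ldap matches keywords case-insensitively,
    # which is why the post can mix "uri" and "NSS_BASE_PASSWD".
    conf=$(grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$')

    uri=$(printf '%s\n' "$conf" | awk 'tolower($1)=="uri"{print $2; exit}')
    case "$uri" in
        ldaps://*) ;;
        ldap://*)  echo "uri uses plain ldap:// (bind credentials and directory data travel in clear)"; n=$((n+1)) ;;
        *)         echo "no uri line found"; n=$((n+1)) ;;
    esac

    # Without a CA directory or file the server certificate is never verified.
    printf '%s\n' "$conf" | awk 'tolower($1)=="tls_cacertdir"||tolower($1)=="tls_cacertfile"{found=1} END{exit !found}' \
        || { echo "no tls_cacertdir/tls_cacertfile: server certificate cannot be verified"; n=$((n+1)); }

    ref=$(printf '%s\n' "$conf" | awk 'tolower($1)=="referrals"{print tolower($2); exit}')
    [ "$ref" = "no" ] || { echo "referrals is not 'no' (chasing AD referrals makes lookups slow or fail)"; n=$((n+1)); }

    # A bindpw is only as private as the file that holds it.
    if printf '%s\n' "$conf" | awk 'tolower($1)=="bindpw"{found=1} END{exit !found}'; then
        mode=$(stat -c '%a' "$f")          # GNU coreutils: octal mode, e.g. 644
        case "$mode" in
            *[1-7]) echo "bindpw present and $f is world-readable (mode $mode)"; n=$((n+1)) ;;
        esac
    fi
    return $n
}

# Lint a constructed sample (not a real site configuration): LDAPS and a CA
# directory are set, but the bind password sits in a mode-644 file.
demo_lint() {
    tmp=$(mktemp) || return 2
    cat > "$tmp" <<'EOF'
uri ldaps://dc.example.com
ldap_version 3
tls_cacertdir /etc/openldap/cacerts
base DC=ad,DC=example,DC=com
binddn CN=svc-ldap,OU=Service Accounts,DC=ad,DC=example,DC=com
bindpw not-a-real-password
referrals no
NSS_BASE_PASSWD DC=ad,DC=example,DC=com?sub
EOF
    chmod 644 "$tmp"
    lint_ldap_conf "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# With a path argument, lint that file; with none, lint the constructed sample.
if [ $# -gt 0 ]; then lint_ldap_conf "$1"; else demo_lint; fi
```

Whether the last finding matters depends on what the bind account can do: a read-only account that can see nothing more than the user and group containers is a far smaller exposure than a reused administrative credential, so the check is a prompt to review that account's rights, not a verdict.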

Edit the file /etc/openldap/ldap.conf
These two files are different, and you have to understand that. System components such as pam and sudo read /etc/ldap.conf, while the OpenLDAP client tools such as ldapsearch read /etc/openldap/ldap.conf. The openldap file should be very short.

URI [YOUR LDAP SERVER, like ldaps://dc.example.com]
BASE [YOUR BASE DN, like DC=ad,DC=example,DC=com]
TLS_CACERTDIR /etc/openldap/cacerts

/etc/pam.d/system-auth-ac
The authconfig-tui command should have edited this file correctly and you shouldn’t have to change it. The example below was generated with LDAP Authentication also selected under Authentication.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nis nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
session optional pam_ldap.so

Edit /etc/krb5.conf
The authconfig-tui command can get this file right also, but you may need to add additional information.

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = AD.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
AD.EXAMPLE.COM = {
kdc = DC1.EXAMPLE.COM
kdc = DC2.EXAMPLE.COM
}

[domain_realm]
.example.com = AD.EXAMPLE.COM
example.com = AD.EXAMPLE.COM
.something.example.com = AD.EXAMPLE.COM
something.example.com = AD.EXAMPLE.COM

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

Edit /etc/nsswitch.conf
The nsswitch.conf file is where the system determines how to look up user information. The authconfig-tui command will normally edit this file correctly. I’ve taken only the applicable lines for the example below.

passwd: files ldap
shadow: files ldap
group: files ldap

You can test the setup with getent passwd username. If you need to test connectivity to LDAP directly, use ldapsearch and adjust /etc/openldap/ldap.conf until it works.
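A getent line that comes back is not yet proof that login will work: the attribute mappings in /etc/ldap.conf have to produce a numeric uidNumber and gidNumber, a home directory and a shell, and the uidNumber has to be at or above the 500 threshold that the pam_succeed_if rules in system-auth-ac use to decide whether pam_krb5 and pam_ldap are consulted at all. The script below is an added example, not from the original post; it validates a passwd(5) line on those points, and its sample entries are constructed rather than real getent output. The check_user function is the live form for a joined system.

```shell
#!/bin/sh
# Added example (not from the original post): validate what nss_ldap hands
# back for an AD user, and check it against the UID 500 line used by the
# pam_succeed_if rules in system-auth-ac.

# Validate one passwd(5) line (name:pw:uid:gid:gecos:home:shell).
# Returns 0 when the entry looks usable for login; prints the problem and
# returns 1 otherwise.
check_passwd_entry() {
    line="$1"
    name=$(printf '%s' "$line" | cut -d: -f1)
    uid=$(printf '%s' "$line" | cut -d: -f3)
    gid=$(printf '%s' "$line" | cut -d: -f4)
    home=$(printf '%s' "$line" | cut -d: -f6)
    shell=$(printf '%s' "$line" | cut -d: -f7)
    nf=$(printf '%s' "$line" | awk -F: '{print NF}')
    [ "$nf" -eq 7 ] || { echo "$name: expected 7 fields, got $nf"; return 1; }
    case "$uid" in ''|*[!0-9]*) echo "$name: uidNumber is not numeric ('$uid')"; return 1 ;; esac
    case "$gid" in ''|*[!0-9]*) echo "$name: gidNumber is not numeric ('$gid')"; return 1 ;; esac
    # system-auth-ac only tries pam_krb5/pam_ldap for uid >= 500; an AD user
    # carrying a lower uidNumber would be handed to pam_unix alone and fail.
    [ "$uid" -ge 500 ] || { echo "$name: uid $uid < 500, pam_krb5/pam_ldap would be skipped"; return 1; }
    [ -n "$home" ] || { echo "$name: empty home (unixHomeDirectory unset or not mapped)"; return 1; }
    case "$shell" in
        /*) ;;
        *)  echo "$name: shell '$shell' is not an absolute path (loginShell missing)"; return 1 ;;
    esac
    return 0
}

# Live check on a configured system: resolve the user through NSS (files, then
# ldap, per nsswitch.conf) and validate the result.
check_user() {
    entry=$(getent passwd "$1") || { echo "$1: not found via getent (nsswitch.conf or ldap.conf problem)"; return 1; }
    check_passwd_entry "$entry"
}

# Constructed sample entries, not real getent output: one usable AD user and
# three that each show a mapping problem. Returns the number of bad entries.
demo_entries() {
    ok=0; bad=0
    while IFS= read -r entry; do
        if check_passwd_entry "$entry"; then ok=$((ok+1)); else bad=$((bad+1)); fi
    done <<'EOF'
jdoe:*:10001:10000:John Doe:/home/jdoe:/bin/bash
lowuid:*:450:10000:Low Uid:/home/lowuid:/bin/bash
nohome:*:10002:10000:No Home::/bin/bash
noshell:*:10003:10000:No Shell:/home/noshell:
EOF
    echo "usable: $ok, problems: $bad"
    return $bad
}

# With a username argument, check that account live; with none, run the sample.
if [ $# -gt 0 ]; then check_user "$1"; else demo_entries; fi
```

If check_user reports the account as not found but ldapsearch against the same URI returns it, the problem is on the nss_ldap side (nsswitch.conf order or the NSS_BASE_* and nss_map_* lines), not on the network.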


4 Responses to “Red Hat Authentication to Active Directory”

  1. This post is actually a pleasant one it assists new web
    users, who are wishing in favor of blogging.

  2. This particular blog post, “Red Hat Authentication to Active Directory «
    … Data Dyne …” illustrates the fact that you really comprehend exactly what you are talking about!
    I really thoroughly approve. With thanks -Annett
