Friday, May 29, 2009

LDAP Authentication in Debian

Steps for getting LDAP authentication working on Debian

This post brought to you courtesy of SzlWzl

Sources:
http://www.adminspotting.net/articles/windows/linux-and-active-directory.html
http://moduli.net/sysadmin/sarge-ldap-auth-howto.html

Aim:
To get all linux users authenticating from our Active Directory implementation which is running on Windows 2003R2.

On the Active Directory Server:
From Add/remove programs->Add/Remove Windows Componenets->Active Directory Services. Install Identity Management for UNIX and reboot

Create an user which we're going to use to bind. I have called mine adlookup which sits in our Service Accounts OU.
CN=AD Lookup,OU=Service Accounts,DC=DOMAIN,DC=com


It is very important that the password doesn't have any special characters in, I had to change the domain policy to set it as apparently there can only be one password policy per domain.
In Active Directory Users/Computers either create a new group or choose an existing group for your users, right click and choose properties.
Add your users
Choose Unix Attributes and select the correct NIS domain.

Now select a user, right click on them and select properties
Choose Unix Attributes
Select the NIS domain, Home Directory, shell and primary group name

Linux Client:
apt-get install ldap-utils openssl libpam-ldap libnss-ldap nscd

edit the /etc/ldap/ldap.conf to look like this
run
ldapsearch -x -W -D "cn=AD Lookup,OU=Service Accounts,dc=DOMAIN,dc=com" -LLL "(sAMAccountName=adlookup)"

then enter your password and it should return the correct details, if it does then you're brilliant :)
mv /etc/libnss-ldap.conf /etc/libnss-ldap.old
nano -w /etc/libnss-ldap.conf
and make it look like this:

host IPOFADSERVER #Important - it must be the IP and not the dns entry
ldap_version 3
binddn CN=AD Lookup,OU=Service Accounts,DC=DOMAIN,DC=com
bindpw PASSWD #nospecialcharacters
scope sub
timelimit 30
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid msSFU30Name
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_objectclass posixGroup Group
pam_login_attribute msSFU30Name
pam_filter objectclass=User
pam_password ad
base OU=YOUROU,dc=DOMAIN,dc=com # make sure you limit this to only what is required as I had strange errors
rootbinddn CN=ADMINUSER,CN=Users,DC=DOMAIN,DC=com #What user should root join as to enable passwd change etc
pam_groupdn CN=WHATGROUPAREUSERSIN,CN=Users,DC=DOMAIN,DC=com #what group must users be in to enable login

The contents of libnss-ldap.conf and pam_ldap.conf are identical in my setup so just link them together to save any additional work:
mv /etc/pam_ldap.conf /etc/pam_ldap.old && ln -s /etc/libnss-ldap.conf /etc/pam_ldap.conf
nano -w /etc/libnss-ldap.secret # enter in your admin password
ln -s /etc/libnss-ldap.secret /etc/pam_ldap.secret #same passwords
chmod 600 /etc/libnss-ldap.secret # make sure this is readable by only that user

Edit your /etc/nscd.conf file and change the following parameters:
I have chosen an arbitrary size of 500MB but I found that there were some crazy assertion errors coming in if I left the defaults such as this openldap-2.4.11/libraries/liblber/sockbuf.c. I think it must be to do with the size of the cache in nscd but am not sure. I also got an error about "invalid persistent database" when this was set too large.

max-db-size passwd 524288000
max-db-size group 524288000
max-db-size services 524288000

Now you have to tell pam how to get it's users so make your /etc/nssswitch.conf look like the below, it is very important to get the order right, compat must come first and then ldap. I found that my machine wouldn't boot if it was trying to do the ldap first.

#passwd: compat
#group: compat
#shadow: compat
passwd: compat ldap
group: compat ldap
shadow: compat

You must now make nsswitch readable by all so:
chmod 644 /etc/nsswitch.conf


Now you can test this is working by doing:
getent passwd USER.NAME # this must be a username you have enabled up there ^

/etc/pam.d Common Files

Debian has a series of files in /etc/pam.d appended by common- at the beginning of their names, which are included by the other files in that directory for specific services. We can tell PAM to use LDAP for all of these services by modifying these common files.

In /etc/pam.d/common-password, comment out and replace:

password required pam_unix.so nullok obscure min=4 max=8 md5

or:

password required pam_cracklib.so retry=3 minlen=6 difok=3
password required pam_unix.so use_authtok nullok md5

with:

# try password files first, then ldap. enforce use of very strong passwords.
password required pam_passwdqc.so min=disabled,16,12,8,6 max=256
password sufficient pam_unix.so use_authtok md5
password sufficient pam_ldap.so use_first_pass use_authtok md5
password required pam_deny.so

Read the pam_passwdqc man page for more about parameters you can give to it. In /etc/pam.d/common-auth comment:
auth required pam_unix.so nullok_secure

replace with:

# try password file first, then ldap
auth sufficient pam_unix.so
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

In /etc/pam.d/common-account comment:
account required pam_unix.so

replace with:
# try password file first, then ldap
account sufficient pam_unix.so
account sufficient pam_ldap.so
account required pam_deny.so

And this line to /etc/pam.d/common-session:

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

This should now be it, I haven't quite got automatic sudo working yet or auto mount of the home dir from an nfs source but that is the next step :)

Troubleshooting:
Password you bind with must not have special characters
In nscd.conf you must have a decent sized cache file
Your unix attributes must be correct
check that your getent passwd is working and that your ldapsearch is working

5 comments:

Anonymous said...

Great post Simon. You'll be glad to hear that Windows 2008 Server supports multiple password policies in the domain now ..

http://technet.microsoft.com/en-us/library/cc770394.aspx

@ianmoran

-jim said...

Generally, compat is only needed and should only be used if NIS is still used.

Otherwise, compat should NOT be used.
-jim

szlwzl said...

Thanks Ian :) Is good to know that has been addressed.

Jim - should that be changed to files instead then?

-jim said...

Normally yes, files ldap would be used.

So the process looks to files first and if not found we look in ldap.

daspeac said...

I have heard about another way of extract data from mdf without sql-server. Besides, you can visit my blogs at: http://daspeac.livejournal.com/ or http://daspeac.blogspot.com/ where I’m trying to share my experience with regard to data corruption issues.