LDAP authentication on Fedora 16 (and why it sucks)

In my company we (still) use an Active Directory domain controller to manage central authentication(1), and it is not set up very well: no SSL, and the Kerberos setup is not done properly. This causes a lot of trouble on modern Linux distributions (not Ubuntu, mind you; yes, I'm looking at you, Shuttleworth) such as Fedora, because Fedora has done away with NSS/PAM based LDAP authentication and instead relies on SSSD, which I have not yet managed to get working, or even found a tutorial on how to set up properly.

So if you still want to authenticate your Fedora installation against the company's Active Directory, and can't or won't rely on Winbind's notably flaky behaviour, you can always install NSS/PAM LDAP authentication manually. Unfortunately it's not as easy as it sounds, and as I learned the hard way, one must pay careful attention to SELinux. So here's the recipe:

  1. Install pam_ldap and nss_ldap: yum install -y nss_ldap (this will also install the PAM support).
  2. Configure LDAP access. In Fedora the NSS and PAM configuration are split into two different files. Fortunately the syntax and the required settings are identical, so you can create one file as a copy of the other, or even use a symlink. My configuration looks like this:


    # the Active Directory domain - this is the DN form of your Active Directory tree's FQDN
    base dc=some,dc=domain,dc=com
    # the DN of an unprivileged user that is allowed to log in and search the domain.
    # we created this dummy user, which is not a normal domain user; it is needed
    # for many integration scenarios. Its password sits here in cleartext, in a file
    # that every process doing name lookups must be able to read, so give the
    # account nothing beyond read access to the directory.
    binddn CN=authuser,CN=Users,dc=some,dc=domain,dc=com
    bindpw 123456
    scope sub
    timelimit 120
    bind_timelimit 120
    # note the spelling: a misspelled keyword is silently ignored, not reported
    bind_policy soft
    idle_timelimit 3600
    # this is the default set up for an SBS directory installation
    nss_base_passwd ou=SBSUsers,ou=Users,ou=MyBusiness,dc=some,dc=domain,dc=com
    nss_base_shadow ou=SBSUsers,ou=Users,ou=MyBusiness,dc=some,dc=domain,dc=com
    nss_base_group ou=Security Groups,ou=MyBusiness,dc=some,dc=domain,dc=com?sub
    nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
    # this configuration is based on the SFU 3.5 schema, which must be installed on the Active Directory server
    nss_map_objectclass posixAccount user
    nss_map_objectclass shadowAccount user
    nss_map_attribute uid sAMAccountName
    nss_map_attribute homeDirectory unixHomeDirectory
    nss_map_attribute shadowLastChange pwdLastSet
    nss_map_objectclass posixGroup group
    nss_map_attribute uniqueMember member
    pam_login_attribute sAMAccountName
    pam_filter objectclass=User
    # Active Directory only accepts password changes over an encrypted connection
    # (pam_ldap's mode for that is "pam_password ad"), so password changes will
    # not work over the plain ldap:// connection configured below
    pam_password md5
    # configuration for the LDAP server connection. With "ssl no" the bind password
    # above and every user's login password cross the network unencrypted.
    ssl no
    uri ldap://LDAP.SERVER.NAME/
    tls_cacertdir /etc/openldap/cacerts

    pam_ldap and nss_ldap each ship with a default configuration file; overwrite both with the content above, after adapting it to your needs (the LDAP server name, the base DN, the bind user and its password, and the search bases). Keep in mind what this setup costs you: the file has to be readable by every process that resolves user names, so the bind password in it is effectively public on the machine, and with ssl no both that password and every password pam_ldap checks at login travel over the network in cleartext. That is tolerable only on a network you already trust as much as the domain controller.

    This is as good a time as any to make sure that your machine can actually reach the LDAP server. I recommend installing openldap-clients and running a test query with ldapsearch. For example, the following query lists the users eligible to log in with the configuration above. -x forces a simple bind, which is what nss_ldap and pam_ldap do (without it ldapsearch tries SASL, and the bind DN and password are not used the way you expect), and -W prompts for the bind password instead of leaving it in your shell history and process list:


    ldapsearch -x -H ldap://LDAP.SERVER.NAME/ -D "CN=authuser,CN=Users,dc=some,dc=domain,dc=com" -W -b "ou=SBSUsers,ou=Users,ou=MyBusiness,dc=some,dc=domain,dc=com" "(objectClass=user)" dn sAMAccountName

  3. Now you need to configure the authentication stack to use your new LDAP configuration. Unfortunately, the Fedora authentication configuration tool will not let you select LDAP without SSL or TLS and without Kerberos, so we need to edit the configuration files by hand. But let's start with a clean setup: run authconfig-tui --enablemkhomedir, make sure only "Cache Information", "Use Shadow Passwords" and "Local authorization is sufficient" are selected, and click "Next".

    Now let's go and edit the configuration files directly. There are two configuration files that need to be edited: /etc/pam.d/system-auth and /etc/pam.d/password-auth(2). The changes needed in both are identical, so just edit one of them with your favourite text editor and then copy it over the other one. The position of each new line matters: a pam_ldap line placed after the pam_deny or pam_permit line of its section is never consulted.

    • In the auth section, before the line for pam_deny add:


      auth sufficient pam_ldap.so use_first_pass

    • In the account section, before the line for pam_permit add:


      account [default=bad success=ok user_unknown=ignore] pam_ldap.so

    • In the password section, before the line for pam_deny add:


      password sufficient pam_ldap.so use_authtok

    • In the session section, after the last line, add:


      session optional pam_ldap.so

    Alternatively, you can download this patch file, and execute it using cd /etc/pam.d; patch < fix-auth.txt.

    Additionally you need to configure NSS separately by adding the ldap module to the configuration in /etc/nsswitch.conf: edit the file and add it to the lines for passwd, shadow and group, like so:


    passwd: files ldap
    shadow: files ldap
    group: files ldap

  4. We also need to get SELinux to allow NSS and PAM to contact the LDAP server as part of the login process, i.e. while still running in the login program's own domain, before the user gets a security context in which such connections are allowed. To do that, run: setsebool -P authlogin_nsswitch_use_ldap 1. The -P makes the change persistent; without it the boolean reverts to off at the next reboot and LDAP logins silently start failing again.
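Before trying to log in, it pays to check that the three edits above actually landed where they should. The following script is an added example written for this post, not code from the original article or from the nss_ldap/pam_ldap projects. It takes file paths as arguments so it can be pointed at /etc or at copies; the files its make_samples function writes are constructed stand-ins (the article's settings as written, including the bind_polict typo and ssl no, a hardened variant that assumes the directory server offers StartTLS, which the author's AD did not, and a PAM stack with the pam_ldap lines in the wrong place beside one following the recipe). The keyword list is the recipe's keywords plus PADL's TLS options and is assumed to be complete enough for this configuration.

```shell
#!/bin/sh
# Audit the three things the recipe edits. Added example for this post, not the
# article's own code; paths are arguments so it can run on /etc or on copies.
# The files written by make_samples are constructed stand-ins, not Fedora's.
# Keywords the recipe uses plus PADL's TLS options (assumed complete enough here).
# nss_ldap/pam_ldap silently ignore a misspelled keyword such as "bind_polict".
LDAP_KEYWORDS="base uri host binddn bindpw rootbinddn scope timelimit
bind_timelimit bind_policy idle_timelimit nss_base_passwd nss_base_shadow
nss_base_group nss_initgroups_ignoreusers nss_map_objectclass nss_map_attribute
pam_login_attribute pam_filter pam_password ssl tls_cacertdir tls_checkpeer"

# Report unknown keywords and cleartext transport; return 1 if anything found.
audit_ldap_conf() {
    rc=0
    while read -r key rest; do
        case $key in ''|'#'*) continue ;; esac
        printf '%s\n' $LDAP_KEYWORDS | grep -qxF -- "$key" || { echo "$1: unknown keyword '$key' (ignored)"; rc=1; }
    done < "$1"
    # ssl no: the stored bind password and each login password cross the wire in cleartext
    if grep -Eq '^ssl[[:space:]]+no' "$1" && grep -Eq '^bindpw[[:space:]]' "$1"; then
        echo "$1: ssl no with bindpw: credentials travel in cleartext"; rc=1
    fi
    return $rc
}

# 0 if module $3 appears in section $2 of file $1 before that section's first
# $4 line (a pam_ldap line placed after pam_deny is never consulted).
pam_before() {
    awk -v t="$2" -v m="$3" -v b="$4" '
        $1 == t && index($0, m) { seen = 1 }
        $1 == t && index($0, b) { exit (seen ? 0 : 1) }
        END { exit (seen ? 0 : 1) }' "$1"
}
audit_pam_file() {
    rc=0
    pam_before "$1" auth     pam_ldap.so pam_deny.so   || { echo "$1: auth pam_ldap missing or after pam_deny"; rc=1; }
    pam_before "$1" account  pam_ldap.so pam_permit.so || { echo "$1: account pam_ldap missing or after pam_permit"; rc=1; }
    pam_before "$1" password pam_ldap.so pam_deny.so   || { echo "$1: password pam_ldap missing or after pam_deny"; rc=1; }
    grep -Eq '^session[[:space:]].*pam_ldap\.so' "$1" || { echo "$1: session pam_ldap missing"; rc=1; }
    return $rc
}
audit_nsswitch() {
    for db in passwd shadow group; do
        grep -Eq "^$db:"'.*[[:space:]]ldap([[:space:]]|$)' "$1" || { echo "$1: $db does not list ldap"; return 1; }
    done
}

# Constructed samples: the article's config as written and a hardened variant
# (assumes StartTLS is offered); a PAM stack with pam_ldap misplaced and one per the recipe.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/ldap.conf.weak" <<'EOF'
base dc=some,dc=domain,dc=com
binddn CN=authuser,CN=Users,dc=some,dc=domain,dc=com
bindpw 123456
bind_polict soft
ssl no
uri ldap://LDAP.SERVER.NAME/
EOF
    cat > "$d/ldap.conf.hardened" <<'EOF'
base dc=some,dc=domain,dc=com
binddn CN=authuser,CN=Users,dc=some,dc=domain,dc=com
bindpw 123456
bind_policy soft
ssl start_tls
tls_checkpeer yes
tls_cacertdir /etc/openldap/cacerts
uri ldap://LDAP.SERVER.NAME/
EOF
    cat > "$d/system-auth.wrong" <<'EOF'
auth     sufficient pam_unix.so nullok try_first_pass
auth     required   pam_deny.so
auth     sufficient pam_ldap.so use_first_pass
account  required   pam_permit.so
account  [default=bad success=ok user_unknown=ignore] pam_ldap.so
password required   pam_deny.so
password sufficient pam_ldap.so use_authtok
EOF
    cat > "$d/system-auth.right" <<'EOF'
auth     sufficient pam_unix.so nullok try_first_pass
auth     sufficient pam_ldap.so use_first_pass
auth     required   pam_deny.so
account  [default=bad success=ok user_unknown=ignore] pam_ldap.so
account  required   pam_permit.so
password sufficient pam_ldap.so use_authtok
password required   pam_deny.so
session  optional   pam_ldap.so
EOF
    printf 'passwd: files\nshadow: files\ngroup: files\n' > "$d/nsswitch.conf.stock"
    printf 'passwd: files ldap\nshadow: files ldap\ngroup: files ldap\n' > "$d/nsswitch.conf.ldap"
    echo "$d"
}

d=$(make_samples)
for f in "$d"/*; do
    case $f in
        */ldap.conf.*)     audit_ldap_conf "$f" ;;
        */system-auth.*)   audit_pam_file "$f" ;;
        */nsswitch.conf.*) audit_nsswitch "$f" ;;
    esac && echo "$f: ok"
done
rm -rf "$d"
```

Run against the real files with something like `audit_ldap_conf /etc/ldap.conf; audit_pam_file /etc/pam.d/system-auth; audit_pam_file /etc/pam.d/password-auth; audit_nsswitch /etc/nsswitch.conf` after sourcing the functions. The unknown-keyword check is the one that would have caught the bind_polict typo in the configuration above, since nss_ldap and pam_ldap give no error for it; the ordering check catches the most common PAM mistake, appending the pam_ldap line after pam_deny, where a required deny has already decided the outcome.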

Your system should now be ready to log in using LDAP. Have fun.


  1. there are a lot of MS-Windows workstations, so it kind of makes sense; but we are planning to phase it out in favour of OpenLDAP, so don't worry about it
  2. system-auth is used by local logins (console, the graphical greeter, su, sudo), while password-auth is used by network services such as SSH

2 Responses to “LDAP authentication on Fedora 16 (and why it sucks)”

  1. Definetly the weirdest LDAP management tool :: Things n' Stuff:

    […] LDAP authentication on Fedora 16 (and why it sucks) (geek.co.il) […]

  2. Dan:

    This tip was huge: setsebool authlogin_nsswitch_use_ldap 1

    Fedora now has all the sssd authentication. I changed all of the sss occurrences in system-auth and password-auth and nsswitch.conf to make this work.

    the authconfig tool leaves the pam_sss referenced even if you disable it?

    Thanks for this.
