In my company we (still) use an Active Directory domain controller to manage central authentication(1), which is not set up very well – no SSL, and the Kerberos setup is not done properly. This causes much trouble for modern Linux distributions (e.g. not Ubuntu – yes, I'm looking at you, Shuttleworth) such as Fedora, as Fedora has done away with NSS/PAM based LDAP authentication and instead relies on SSSD – which I have not yet managed to get working, or even found a tutorial on how to set up properly.
So if you still want to authenticate your Fedora installation against the company's Active Directory – and can't or won't rely on Winbind's notably flaky behaviour – you can always install NSS/PAM LDAP authentication manually. Unfortunately it's not as easy as it sounds, and as I learned the hard way, one must pay careful attention to SELinux. So here's the recipe:
- Install pam_ldap and nss_ldap:
yum install -y nss_ldap
(this will also install the PAM support).
- Configure LDAP access. In Fedora the NSS and PAM configuration were split into two different files. Fortunately the syntax and the required configuration are identical, so you can create both files as copies of each other or even use a symlink. My configuration looks like this:
# the Active Directory domain - this is the LDAPized FQDN of your Active Directory tree
# the CN of an unprivileged user that is allowed to log in and search the domain.
# we created this dummy user, which is not a normal domain user, because it is needed
# for many integration scenarios
# this is the default set-up for an SBS directory installation
nss_base_group ou=Security Groups,ou=MyBusiness,dc=some,dc=domain,dc=com?sub
# this configuration is based on SFU 3.5 schema that must be installed on the ActiveDirectory server
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
# configuration for the LDAP server connection
nss_ldap comes with a default configuration file – just overwrite both of these with the content above (after adapting it to your needs – change the LDAP server name, the LDAP base DN, the bind user and the search paths). Two things to keep in mind: the bind password ends up in a file that every local user can read (NSS lookups run inside ordinary, unprivileged processes, so the file cannot be made root-only), which is why the bind account must have no rights beyond searching the directory; and because this setup uses neither SSL nor TLS, every bind, including each user's own password at login, crosses the network in cleartext.
This is as good a time as any to make sure that your computer can indeed access the LDAP server. I recommend installing
openldap-clients
and running a test query using
ldapsearch. For example, the following query will list all the users eligible to log in using the configuration above:
ldapsearch -x -h LDAP.SERVER.NAME -D "CN=authuser,CN=Users,dc=some,dc=domain,dc=com" -w 123456 -b "ou=SBSUsers,ou=Users,ou=MyBusiness,dc=some,dc=domain,dc=com" dn
(-x asks for a simple bind, which is what the -D/-w pair needs. On a shared machine prefer -W, which prompts for the password, over -w, which leaves it visible in the process list and in your shell history.)
- Now you need to configure the authentication stack to use your new LDAP configuration. Unfortunately, the Fedora configuration tool will not allow you to select LDAP without SSL or TLS and without Kerberos, so we need to edit the configuration files by hand. But let's start with a clean setup – run
authconfig-tui --enablemkhomedir
and make sure only "Cache Information", "Use Shadow Passwords" and "Local authorization is sufficient" are selected, then click "Next".
Now let's go edit the configuration files directly. There are two configuration files that need to be edited, one of them being
/etc/pam.d/password-auth(2). The changes needed in both are identical, so just go ahead and edit one of them with your favourite text editor and then copy it over the other one:
- In the auth section, before the line for …, add:
auth sufficient pam_ldap.so use_first_pass
- In the account section, before the line for …, add:
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
- In the password section, before the line for …, add:
password sufficient pam_ldap.so use_authtok
(Note that Active Directory only accepts password changes over an encrypted connection, so with the no-SSL setup described here this line will not let users change their domain password from the Fedora box; local authentication still works.)
- In the session section, after the last line, add:
session optional pam_ldap.so
Alternatively, you can download this patch file and apply it with
cd /etc/pam.d; patch < fix-auth.txt
Additionally you need to configure NSS separately by adding the
ldap
module to the configuration in
/etc/nsswitch.conf: edit the file and add it to the lines for passwd, shadow and group, like so:
passwd: files ldap
shadow: files ldap
group: files ldap
- We also need to get SELinux to allow NSS and PAM to contact the LDAP server as part of the login process (before the user gets their own security context, where such things are allowed). To do that, run this command:
setsebool -P authlogin_nsswitch_use_ldap 1
(the -P flag makes the change persistent; without it the boolean reverts at the next reboot and logins break again).
Your system should now be ready to log in using LDAP. Before logging out of your current session, a quick check: getent passwd <domain user> should print the user's entry and id <domain user> their groups; if they don't, the problem is on the NSS side (the LDAP configuration file or nsswitch.conf) rather than in PAM. Have fun.
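The whole recipe above (LDAP configuration, connectivity check, PAM edits, nsswitch.conf and the SELinux boolean), scripted as an added example; this is not code from the original post. The server name, bind DN and search bases are the placeholders from the ldapsearch command on this page. Everything else is an assumption and is marked as such in the script: the two split configuration files are taken to be /etc/nss_ldap.conf and /etc/pam_ldap.conf, the second PAM file next to password-auth is taken to be system-auth, the line that each pam_ldap entry goes before is taken to be the final pam_deny.so (auth, password) or pam_permit.so (account) line of the stock Fedora files, and nss_base_passwd/nss_base_shadow are taken to use the user OU from the ldapsearch. Set ROOT to a scratch directory holding copies of the files to rehearse the edits before running it with ROOT empty against the real system.

```shell
#!/bin/bash
# Added example, not from the original post: scripts the recipe on this page.
# ROOT ("" for the real system) is prefixed to every path so the edits can be
# rehearsed on copies first. Server name, bind DN and search bases come from
# the ldapsearch command on the page and are placeholders.
set -eu

ROOT="${ROOT:-}"
LDAP_HOST="${LDAP_HOST:-LDAP.SERVER.NAME}"
BASE_DN="dc=some,dc=domain,dc=com"
BIND_DN="CN=authuser,CN=Users,${BASE_DN}"
USER_BASE="ou=SBSUsers,ou=Users,ou=MyBusiness,${BASE_DN}"   # assumed for nss_base_passwd/shadow
GROUP_BASE="ou=Security Groups,ou=MyBusiness,${BASE_DN}"
# Assumption: the split NSS and PAM configuration files have these names.
LDAP_CONF_FILES="/etc/nss_ldap.conf /etc/pam_ldap.conf"
# Assumption: the second PAM file to edit (besides password-auth) is system-auth.
PAM_FILES="system-auth password-auth"

# Write one copy of the shared nss_ldap/pam_ldap configuration to $1.
# The bind password is passed in as $2 rather than hard-coded in the script.
write_ldap_conf() {
    local out="$1" bindpw="$2"
    cat > "$out" <<EOF
# connection: plain LDAP, no SSL/TLS (as on this page; every bind is cleartext)
host ${LDAP_HOST}
ssl no
base ${BASE_DN}
# unprivileged account that is allowed to search the directory
binddn ${BIND_DN}
bindpw ${bindpw}
# search bases for the SBS directory layout
nss_base_passwd ${USER_BASE}?sub
nss_base_shadow ${USER_BASE}?sub
nss_base_group ${GROUP_BASE}?sub
# SFU 3.5 schema mappings
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
EOF
}

# Connectivity check: simple bind (-x) and list the DNs of users who may log in.
# -W prompts for the bind password instead of exposing it on the command line.
check_ldap() {
    ldapsearch -x -h "$LDAP_HOST" -D "$BIND_DN" -W -b "$USER_BASE" dn
}

# Insert the four pam_ldap lines into one PAM file. Assumption: as in the stock
# Fedora files, the last line of auth and password is pam_deny.so and the last
# line of account is pam_permit.so, so each pam_ldap line goes just before the
# section's final line; the session line goes after the section's last line.
add_pam_ldap() {
    local f="$1"
    if grep -q 'pam_ldap\.so' "$f"; then return 0; fi   # already done: no-op
    awk '
        { line[NR] = $0; if ($1 ~ /^(auth|account|password|session)$/) last[$1] = NR }
        END {
            for (i = 1; i <= NR; i++) {
                if (i == last["auth"])     print "auth        sufficient    pam_ldap.so use_first_pass"
                if (i == last["account"])  print "account     [default=bad success=ok user_unknown=ignore] pam_ldap.so"
                if (i == last["password"]) print "password    sufficient    pam_ldap.so use_authtok"
                print line[i]
                if (i == last["session"])  print "session     optional      pam_ldap.so"
            }
        }' "$f" > "$f.tmp"
    cat "$f.tmp" > "$f" && rm "$f.tmp"      # cat-over keeps the file's owner and mode
}

# Append "ldap" to the passwd, shadow and group lines of nsswitch.conf,
# skipping lines that already list it.
add_nss_ldap() {
    local f="$1"
    awk '$1 ~ /^(passwd|shadow|group):$/ && $0 !~ /[ \t]ldap([ \t]|$)/ { $0 = $0 " ldap" } { print }' \
        "$f" > "$f.tmp"
    cat "$f.tmp" > "$f" && rm "$f.tmp"
}

# Let the login stack (running before the user has a security context) reach
# the LDAP server; -P makes the boolean survive a reboot.
enable_selinux_bool() {
    setsebool -P authlogin_nsswitch_use_ldap 1
}

apply_all() {
    local bindpw c p
    printf 'Bind password for %s: ' "$BIND_DN"; read -rs bindpw; echo
    for c in $LDAP_CONF_FILES; do
        write_ldap_conf "$ROOT$c" "$bindpw"
        chmod 644 "$ROOT$c"   # NSS runs in every process, so this file must be world-readable
    done
    for p in $PAM_FILES; do add_pam_ldap "$ROOT/etc/pam.d/$p"; done
    add_nss_ldap "$ROOT/etc/nsswitch.conf"
    if [ -z "$ROOT" ]; then enable_selinux_bool; fi
    getent passwd "${CHECK_USER:-}" || true   # set CHECK_USER to a domain user to verify NSS
}

if [ "${1:-}" = "apply" ]; then apply_all; fi
```

Run check_ldap first from an interactive shell; once it lists DNs, `ROOT=/tmp/rehearsal ./ldap-auth.sh apply` against copies of the files shows exactly what will change, and `./ldap-auth.sh apply` as root does it for real.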