LDAP authentication on Fedora 16 (and why it sucks)
In my company we (still) use an Active Directory domain controller to manage central authentication, which is not set up very well – no SSL and the Kerberos setup is not done properly. This gives much trouble to modern Linuxes (e.g. not Ubuntu – yes, I'm looking at you, Shuttleworth) such as Fedora, as Fedora has done away with NSS/PAM based LDAP authentication and instead relies on SSS – which I have not yet managed to get working, or even to find a tutorial on how to set it up properly.
So if you still want to authenticate your Fedora installation against the company's Active Directory – and can't/won't rely on Winbind's notably flaky behaviour – you can always install NSS/PAM LDAP authentication manually. Unfortunately it's not as easy as it sounds, and as I learned the hard way, one must pay careful attention to SELinux. So here's the recipe:
- Install pam_ldap and nss_ldap:
yum install -y nss_ldap
(this will also install the PAM support).
- Configure LDAP access. In Fedora the NSS and PAM configuration were split into two different files. Fortunately the syntax and required configuration are identical, so you can just create both files as a copy of each other or even use a link. My configuration looks like this:
# the Active Directory domain - this the LDAPized FQDN of your Active Directory tree
base dc=some,dc=domain,dc=com
# the CN of an unprivileged user that is allowed to log in and search in the domain.
# we created this dummy user that is not part of the normal domain user and it is needed
# for many integration scenarios
binddn CN=authuser,CN=Users,dc=some,dc=domain,dc=com
bindpw 123456
scope sub
timelimit 120
bind_timelimit 120
bind_policy soft
idle_timelimit 3600
# this is the default set up for SBS directory installation
nss_base_passwd ou=SBSUsers,ou=Users,ou=MyBusiness,dc=some,dc=domain,dc=com
nss_base_shadow ou=SBSUsers,ou=Users,ou=MyBusiness,dc=some,dc=domain,dc=com
nss_base_group ou=Security Groups,ou=MyBusiness,dc=some,dc=domain,dc=com?sub
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
# this configuration is based on SFU 3.5 schema that must be installed on the ActiveDirectory server
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password md5
# configuration for the LDAP server connection
ssl no
uri ldap://LDAP.SERVER.NAME/
tls_cacertdir /etc/openldap/cacerts
The pam_ldap and nss_ldap packages each come with a default configuration file – just overwrite both of these with the content above (after adapting it to your needs – change the LDAP server name, the LDAP base DN, login user and search paths). This is as good a time as any to make sure that your computer can indeed access the LDAP server. I recommend installing openldap-clients and running a test query using ldapsearch. For example, the following query will list all the users eligible to log in using the configuration above:
ldapsearch -h LDAP.SERVER.NAME -D "CN=authuser,CN=Users,dc=some,dc=domain,dc=com" -w 123456 -b "ou=SBSUsers,ou=Users,ou=MyBusiness,dc=some,dc=domain,dc=com" dn
- Now you need to configure the authentication stack to use your new LDAP configuration. Unfortunately, the Fedora configuration tool will not allow you to select LDAP without SSL or TLS and without Kerberos, so we'll need to edit the configuration files by hand. But let's start with a clean setup – run
authconfig-tui --enablemkhomedir
and make sure only "Cache Information", "Use Shadow Passwords" and "Local authorization is sufficient" are selected, and click "Next". Now let's go edit the configuration files directly. There are two configuration files that need to be edited – /etc/pam.d/system-auth and /etc/pam.d/password-auth. The changes needed to both are identical, so just go ahead and edit one of them with your favorite text editor and then copy it over the other one:
- In the auth section, before the line for pam_deny, add:
auth sufficient pam_ldap.so use_first_pass
- In the account section, before the line for pam_permit, add:
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
- In the password section, before the line for pam_deny, add:
password sufficient pam_ldap.so use_authtok
- In the session section, after the last line, add:
session optional pam_ldap.so
Alternatively, you can download this patch file, and execute it using
cd /etc/pam.d; patch < fix-auth.txt
Additionally you need to configure NSS separately by adding the ldap module to the configuration in /etc/nsswitch.conf: edit the file and add it to the lines for passwd, shadow and group, like so:
passwd: files ldap
shadow: files ldap
group: files ldap
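To make the four PAM edits above reproducible, here is an added shell example (not the post's patch file, and not part of the original post) that inserts the pam_ldap.so lines at exactly the positions the post specifies, so it can be run on system-auth and the result copied over password-auth. The sample it builds is a constructed, trimmed stand-in for Fedora's system-auth, and the function names (add_pam_ldap, make_sample, line_of) are my own.

```shell
#!/bin/sh
# Added example: insert the post's four pam_ldap.so lines into a PAM stack file.
# add_pam_ldap FILE  - edits FILE in place; no-op if pam_ldap.so is already there.
add_pam_ldap() {
    if grep -q 'pam_ldap\.so' "$1"; then
        return 0    # already applied, keep the edit idempotent
    fi
    awk '
    # auth: before the pam_deny.so line
    $1 == "auth" && /pam_deny\.so/ && !a {
        print "auth        sufficient    pam_ldap.so use_first_pass"; a = 1 }
    # account: before the pam_permit.so line
    $1 == "account" && /pam_permit\.so/ && !b {
        print "account     [default=bad success=ok user_unknown=ignore] pam_ldap.so"; b = 1 }
    # password: before the pam_deny.so line
    $1 == "password" && /pam_deny\.so/ && !c {
        print "password    sufficient    pam_ldap.so use_authtok"; c = 1 }
    { print }
    # session: after the last line of the file
    END { print "session     optional      pam_ldap.so" }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# make_sample FILE - writes a constructed, trimmed stand-in for Fedora's
# /etc/pam.d/system-auth (assumption: the real file keeps the same stack layout).
make_sample() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     required      pam_permit.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     optional      pam_mkhomedir.so umask=0077
session     required      pam_unix.so
EOF
}

# line_of FILE TYPE MODULE - 1-based line number of the first TYPE line naming MODULE
line_of() {
    awk -v t="$2" -v m="$3" '$1 == t && index($0, m) { print NR; exit }' "$1"
}

# Demo on a temporary copy; a real run targets /etc/pam.d/system-auth instead.
f=$(mktemp) && make_sample "$f" && add_pam_ldap "$f" && cat "$f" && rm -f "$f"
```

Run line_of before and after the edit to confirm each pam_ldap.so line lands ahead of the pam_deny/pam_permit line of its own stack, which is what keeps local accounts from being refused when the LDAP server is unreachable.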
- We also need to get SELinux to allow NSS and PAM to contact the LDAP server as part of the login process (before the user gets their own security context where such things are allowed). To do that, run this command:
setsebool authlogin_nsswitch_use_ldap 1
Your system should now be ready to log in using LDAP. Have fun.
This tip was huge: setsebool authlogin_nsswitch_use_ldap 1
Fedora now has all the sssd authentication. I changed all of the sss occurrences in system-auth and password-auth and nsswitch.conf to make this work.
the authconfig tool leaves the pam_sss referenced even if you disable it?
Thanks for this.