In this article I'll show you how to connect your CentOS box to Active Directory as its user backend. I assume that the Microsoft Services for UNIX (MS SFU) 3.5 schema extension is activated in your AD, because the msSFU30* attributes used below come from it.
There are a few tasks to do when you integrate a CentOS box with Active Directory. First, the nslcd daemon (package nss-pam-ldapd) must be installed and configured; after that step you should be able to see the UNIX-specific attributes of users from the AD backend. The next step is to set up authentication against AD.
Installing and configuring nss-pam-ldapd
Run the following command to install the package:
# yum install nss-pam-ldapd
After the package has been installed it must be configured. The configuration file is /etc/nslcd.conf. My working configuration is as follows. Two points to note: the bindpw line stores the bind account's password in clear text, so the file must stay readable by root only (it is installed with mode 0600), and plain ldap:// URIs send that password, and every password PAM later verifies, unencrypted across the network unless you also enable TLS (nslcd supports the ssl start_tls directive for that).
# Remove the comment char at the beginning of the two lines below
# for debugging purposes
#logdir /var/log
#debug 1
# You can supply as many servers as you want, but only the
# first one will be asked normally. If the first one doesn't
# answer, the next one will be asked and so on.
uri ldap://dc1.domain.com/
uri ldap://dc2.domain.com/
# The base DN of your AD domain
base dc=domain,dc=com
# The LDAP version to use
ldap_version 3
# If you do not allow anonymous search in your AD domain, please set the right
# user name and password of a user account you'll use to search with.
binddn domain.com\bind-user-dn
bindpw bind-user-password
# It's safe to leave them untouched
scope sub
pagesize 1000
referrals off
# The two lines below describe how AD is searched for a user and for a group
filter passwd (&(objectCategory=user)(msSFU30UidNumber=*))
filter group (&(objectCategory=group)(msSFU30GidNumber=*))
# The lines below describe the mapping of POSIX attributes to their analogs in AD
map passwd uid sAMAccountName
map passwd uidNumber msSFU30UidNumber
map passwd homeDirectory msSFU30HomeDirectory
map passwd gecos displayName
map passwd loginShell msSFU30LoginShell
map passwd gidNumber msSFU30GidNumber
map group uniqueMember member
map group gidNumber msSFU30GidNumber
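Before starting the daemon it is worth checking the two weak spots of this configuration: the bindpw line turns the file into a credential store, and a plain ldap:// URI without TLS means that the bind password and later every user's password cross the wire in cleartext. The shell function below is an added example (not part of the original article) that audits a file for both, plus for TLS with certificate verification switched off; it knows the nslcd.conf directives ssl start_tls and tls_reqcert and the pam_ldap.conf equivalents ssl start_tls and tls_checkpeer. The demo function constructs a weak and a hardened copy of the article's configuration; the CA certificate path in the hardened copy is an assumption.

```shell
#!/bin/sh
# Added example, not from the original article: audit an nslcd.conf or
# pam_ldap.conf for the weaknesses a "uri ldap://" plus "bindpw" setup
# invites. Prints one finding per line and returns the number of findings.
#   audit_ldap_conf /etc/nslcd.conf
#   audit_ldap_conf /etc/pam_ldap.conf
audit_ldap_conf() {
    conf="$1"
    findings=0

    # 1. Simple bind over plain ldap:// sends bindpw, and every password
    #    PAM later verifies, in cleartext. ldaps:// URIs, "ssl on" or
    #    "ssl start_tls" (valid in both files) avoid that.
    if grep -Eq '^[[:space:]]*uri[[:space:]]+ldap://' "$conf" \
       && ! grep -Eq '^[[:space:]]*ssl[[:space:]]+(start_tls|on)' "$conf"; then
        echo "$conf: plain ldap:// URI without TLS (passwords cross the wire in cleartext)"
        findings=$((findings + 1))
    fi

    # 2. TLS without server certificate verification still lets an active
    #    attacker collect the same passwords: nslcd.conf wants
    #    "tls_reqcert demand", pam_ldap.conf "tls_checkpeer yes".
    if grep -Eq '^[[:space:]]*tls_reqcert[[:space:]]+(never|allow)' "$conf" \
       || grep -Eq '^[[:space:]]*tls_checkpeer[[:space:]]+no' "$conf"; then
        echo "$conf: server certificate verification is disabled"
        findings=$((findings + 1))
    fi

    # 3. A bindpw line turns the file into a credential store; group and
    #    other must have no permission bits at all (mode 0600 or 0400).
    if grep -Eq '^[[:space:]]*bindpw[[:space:]]+' "$conf"; then
        perms=$(ls -ld "$conf" | cut -c5-10)   # group+other columns of ls -l
        case "$perms" in
            ------) ;;
            *) echo "$conf: contains bindpw but is readable beyond root ($(ls -ld "$conf" | cut -c1-10))"
               findings=$((findings + 1)) ;;
        esac
    fi

    return "$findings"
}

# Constructed demonstration: the article's ldap:// configuration left
# world-readable, beside a hardened variant (CA path is an assumption).
# Returns the number of findings for the weak file (2) once the hardened
# file has produced none.
demo_audit() {
    d=$(mktemp -d)
    cat > "$d/weak.conf" <<'EOF'
uri ldap://dc1.domain.com/
uri ldap://dc2.domain.com/
base dc=domain,dc=com
binddn domain.com\bind-user-dn
bindpw bind-user-password
EOF
    chmod 644 "$d/weak.conf"
    cat > "$d/hardened.conf" <<'EOF'
uri ldap://dc1.domain.com/
uri ldap://dc2.domain.com/
base dc=domain,dc=com
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/pki/tls/certs/domain-ca.pem
binddn domain.com\bind-user-dn
bindpw bind-user-password
EOF
    chmod 600 "$d/hardened.conf"
    audit_ldap_conf "$d/hardened.conf" || { rm -rf "$d"; return 99; }
    weak=0
    audit_ldap_conf "$d/weak.conf" || weak=$?
    rm -rf "$d"
    return "$weak"
}
```

The function deliberately inspects the file rather than the running daemon: the same three checks apply unchanged to /etc/pam_ldap.conf later in this article, which carries a copy of the same bind password.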
Now configure the daemon to start at boot and start it:
# chkconfig nslcd on
# service nslcd start
To use AD as the user backend you must change the appropriate lines in /etc/nsswitch.conf:
...
passwd: files ldap
shadow: files ldap
group: files ldap
...
After you've modified the file, you can run a first test. If your configuration is right, you can ask the user and group backends for a UNIX user and a group that don't exist locally:
# getent passwd user1
user1:*:50948:40000:Lastname, Firstname:/home/user1:/usr/local/bin/bash
# getent group unix-group1
unix-group1:*:40000:
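The getent test is also the moment to look for a problem that the nsswitch order "files ldap" hides: an AD account whose sAMAccountName or msSFU30UidNumber coincides with a local account resolves differently depending on whether the lookup is by name or by UID, and the PAM stack that authconfig generates later in this article treats any uid below 500 as a local account. The shell function below is an added example (not from the original article) that compares the local passwd file with the AD-sourced entries and reports such overlaps; the passwd lines in the demo are constructed, with user1 taken from the getent output above.

```shell
#!/bin/sh
# Added example, not from the original article: compare the local passwd
# file with the entries nslcd adds and report AD accounts that collide
# with, or would be treated as, local accounts.
#   check_passwd_overlap LOCAL_PASSWD LDAP_PASSWD [MIN_UID]
# Both files are in passwd(5) format. On a live box the second one can
# be produced with:
#   getent passwd | grep -vxF -f /etc/passwd > /tmp/ldap-passwd
# Prints one finding per line and returns the number of findings.
check_passwd_overlap() {
    local_pw="$1"
    ldap_pw="$2"
    min_uid="${3:-500}"   # CentOS 6 system accounts live below 500 and
                          # the generated PAM stack treats uid < 500 as local
    findings=0

    while IFS=: read -r name _ uid gid _ _ shell; do
        [ -n "$name" ] || continue
        case "$uid" in
            ''|*[!0-9]*)
                echo "bad uid: $name has non-numeric uid '$uid'"
                findings=$((findings + 1))
                continue ;;
        esac
        # Same login name in both sources: "files ldap" returns the local
        # entry for a name lookup, but a UID lookup may return the other.
        if awk -F: -v n="$name" '$1 == n { f = 1 } END { exit !f }' "$local_pw"; then
            echo "name collision: $name exists locally and in AD"
            findings=$((findings + 1))
        fi
        # Same UID as a different local account: file ownership and the
        # PAM "uid < 500" checks would treat the AD user as that account.
        local_name=$(awk -F: -v u="$uid" '$3 == u { print $1; exit }' "$local_pw")
        if [ -n "$local_name" ] && [ "$local_name" != "$name" ]; then
            echo "uid collision: $name (uid $uid) shares uid with local $local_name"
            findings=$((findings + 1))
        fi
        if [ "$uid" -lt "$min_uid" ]; then
            echo "low uid: $name has uid $uid < $min_uid (system-account range)"
            findings=$((findings + 1))
        fi
    done < "$ldap_pw"

    return "$findings"
}

# Constructed demonstration data: three local accounts and four AD
# accounts, of which user1 is clean, backup reuses a local name, svc-ops
# reuses a local uid and oldadmin reuses uid 0 (two findings). Returns 4.
demo_passwd_overlap() {
    d=$(mktemp -d)
    cat > "$d/local" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
backup:x:501:501:Local backup:/home/backup:/bin/bash
EOF
    cat > "$d/ldap" <<'EOF'
user1:*:50948:40000:Lastname, Firstname:/home/user1:/usr/local/bin/bash
backup:*:50949:40000:Backup, Bob:/home/backup:/bin/bash
svc-ops:*:501:40000:Ops, Service:/home/svc-ops:/bin/bash
oldadmin:*:0:40000:Old, Admin:/home/oldadmin:/bin/bash
EOF
    rc=0
    check_passwd_overlap "$d/local" "$d/ldap" || rc=$?
    rm -rf "$d"
    return "$rc"
}
```

The name and UID comparisons are done with awk on exact field matches rather than with grep, so account names containing dots or a trailing dollar sign (AD computer accounts) are not treated as regular expressions.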
Troubleshooting
If something is wrong and you don't get any information from your AD, stop the daemon with
# service nslcd stop
and start it in the foreground with debugging enabled to see details of the LDAP connection and the search results:
# nslcd -d
Installing and configuring PAM to use LDAP
The package can be installed with the following command:
# yum install pam_ldap
After it has been installed, you must configure the PAM subsystem to use AD as the user backend. This is done with the command:
# authconfig --enableldapauth --update
The utility modifies, among other files, /etc/pam.d/system-auth-ac:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
The file /etc/pam_ldap.conf must be edited so that PAM uses the right configuration. The configuration directives are mostly the same as in /etc/nslcd.conf above, including the clear-text bind password, so the same file permission and TLS considerations apply here.
My file /etc/pam_ldap.conf looks like this:
uri ldap://dc1.domain.com/
uri ldap://dc2.domain.com/
base dc=domain,dc=com
ldap_version 3
binddn domain.com\bind-user-dn
bindpw bind-user-password
scope sub
pagesize 1000
referrals off
pam_filter objectclass=user
pam_password ad
#pam_member_attribute member
#pam_groupdn "CN=unix-group1,OU=Groups,DC=domain,DC=com"
pam_login_attribute sAMAccountName
At this point you can test the login, for example via SSH from another computer:
$ ssh -l user1 centos-box
To make sure that SSH public key authentication is not used, so that the password really goes through pam_ldap:
$ ssh -o "PubkeyAuthentication=no" -l user1 centos-box
Now you can log in to your CentOS 6.2 box using a user account from Active Directory.
Restricting login access to members of an Active Directory group
I spent some time trying to use the parameters pam_groupdn and pam_member_attribute, but without success. To allow login access to the CentOS box only to members of the AD group "unix-group1", I changed the directive pam_filter in the configuration file /etc/pam_ldap.conf as follows:
pam_filter &(objectclass=user)(memberOf=CN=unix-group1,OU=Groups,DC=domain,DC=com)
Two things to keep in mind: AD's memberOf attribute lists direct memberships only, so a user who belongs to unix-group1 only through a nested group is rejected by this filter; and the filter restricts PAM authentication only. nslcd still resolves every AD account that has a msSFU30UidNumber, so getent and file ownership keep working for users who cannot log in.
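The group DN above is spliced verbatim into the LDAP search filter, so a DN containing parentheses, an asterisk or a backslash would break it (or, if the value were ever attacker-influenced, alter it). The functions below are an added example, not part of the original article: they escape the DN as RFC 4515 requires, produce the pam_filter line for direct membership as shown above or, going beyond the article, for nested membership using the AD-specific matching rule OID 1.2.840.113556.1.4.1941, and print the ldapsearch command that performs the same search pam_ldap will perform for a given login name, so you can confirm exactly who the filter admits before relying on it. The host and bind DN in that command are the placeholders from the article's configuration.

```shell
#!/bin/sh
# Added example, not from the original article: build a group-restricted
# pam_filter safely and print the ldapsearch call that exercises it.

# Escape a value for use inside an LDAP search filter (RFC 4515): the
# characters \ ( ) * become \5c \28 \29 \2a. (NUL would become \00 but
# cannot occur in a shell string.) The backslash must be handled first.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/(/\\28/g' -e 's/)/\\29/g' -e 's/\*/\\2a/g'
}

# Print the value of the pam_filter directive for GROUP_DN. pam_ldap
# wraps this value in parentheses itself, which is why the article's
# line has no outer pair. With NESTED=yes, LDAP_MATCHING_RULE_IN_CHAIN
# (AD only) also matches users who are members through nested groups;
# plain memberOf holds direct memberships only.
#   group_pam_filter GROUP_DN [NESTED]
group_pam_filter() {
    group_dn="$1"
    nested="${2:-no}"
    esc=$(ldap_filter_escape "$group_dn")
    if [ "$nested" = "yes" ]; then
        printf '&(objectclass=user)(memberOf:1.2.840.113556.1.4.1941:=%s)\n' "$esc"
    else
        printf '&(objectclass=user)(memberOf=%s)\n' "$esc"
    fi
}

# Print an ldapsearch(1) command line that runs the search pam_ldap
# performs for USER with that filter (host and bind DN are the article's
# placeholders; -W prompts for the bind password instead of taking it
# from the command line, where it would show up in ps output).
#   group_check_command USER GROUP_DN [NESTED]
group_check_command() {
    user="$1"
    group_dn="$2"
    nested="${3:-no}"
    f=$(group_pam_filter "$group_dn" "$nested")
    printf "ldapsearch -x -H ldap://dc1.domain.com/ -D 'domain.com\\\\bind-user-dn' -W -b dc=domain,dc=com '(&(sAMAccountName=%s)(%s))' sAMAccountName memberOf\n" \
        "$(ldap_filter_escape "$user")" "$f"
}

# Example invocation (constructed names):
#   group_check_command user1 'CN=unix-group1,OU=Groups,DC=domain,DC=com' yes
```

An empty result for a user you expect to admit usually means the user is only a nested member (use the nested form) or that the DN was copied with a different case or spacing than AD stores it; a non-empty result for a user you expect to reject means the restriction is not doing what you think.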
Comments

Havokmon, 01 August, 2012 23:47:
I discovered Centrify Express last year, it makes joining AD and enabling SSO incredibly simple.

Unknown, 03 August, 2012 11:25:
Havokmon, thank you for the tip! I'll give Centrify a try...

Unknown, 03 August, 2012 12:13:
Unfortunately Centrify Express seems not to support Microsoft SFU (Services For UNIX). This causes UIDs and GIDs to be recalculated so that they differ, the shell (msSFU30LoginShell) is not known, etc. Maybe it's a good product for a fresh environment, but not for us, because we have been using MS SFU for a long time.

João Rodrigues (posted as Anonymous), 21 September, 2012 16:19:
You might avoid having a mostly redundant pam_ldap.conf configuration if you use pam_ldapd instead of pam_ldap.
pam_ldapd reuses nslcd.

Saqib Ali, 03 August, 2016 07:08:
Hello Hermann,
We are working on configuring our Linux servers to use LDAP for authentication using PAM_LDAP + SSSD. Our LDAP usernames are based on staff numbers (all numeric, starting at 1). This will cause conflicts with the daemon, bin, sys... system accounts. What is the best option for us given our username pattern?
Thanks,
Saqib