Linux and Active Directory integration (Win2k3 R2) -- Linux tools


by sruckh


I have the following /etc/ldap.conf file:

#logdir /var/log
#debug 256

host            winAD.example.com
#uri             ldap://x.x.x.x
scope           sub
timelimit       5

#this is the user root will bind to LDAP database.
rootbinddn cn=lnxadm,cn=Users,dc=example,dc=com

# This is the user that is used to look up user's data in
# active directory.  This user should have very limited access
# and should only be able to read active directory information.
binddn ADLookup@...
bindpw secretpw

# if bind_policy is set to soft it will make  nss_ldap
# return a negative result if it cannot connect.  If
# bind_policy is set to hard nss_ldap will try to
# connect to ldap server indefinitely.
bind_policy soft

# turn on TLS so the clear text username and password
# are not sent across the wire.
tls_checkpeer yes
ssl start_tls

# the following are undocumented settings.  These
# values are typically set in the DEFINE statements
# in the source code.  These were put in an attempt
# to not bring system to a crawl when LDAP server
# is unavailable.  These settings do not appear
# to be helpful.

# prevents nss from indefinitely trying to make a connection
nss_reconnect_tries 2
#nss_reconnect_sleeptime
nss_reconnect_maxsleeptime 2
nss_reconnect_maxconntries 2

# set beginning point for where LDAP searches will begin.
nss_base_passwd         ou=LNXUSERS,dc=example,dc=com?sub
nss_base_shadow         ou=LNXUSERS,dc=example,dc=com?sub
nss_base_group          ou=LNXUSERS,dc=example,dc=com?sub?&(objectCategory=group)(gidnumber=*)


# These nss mappings are used when connecting to an Active
# Directory on Windows 2003 R2 (rfc2307).  This will not
# work for an Active Directory schema based on Microsoft's
# Services for Unix (SFU) 3.x .

nss_map_objectclass posixAccount        user
nss_map_objectclass shadowAccount       user
nss_map_objectclass posixGroup          group
nss_map_attribute gecos                 name
nss_map_attribute homeDirectory         unixHomeDirectory

# These nss mappings are used when connecting to an Active
# Directory with Microsoft's Services for Unix 3.x installed.
# This is not needed for Windows 2003 R2.

#nss_map_objectclass posixAccount User
#nss_map_objectclass posixGroup Group
#nss_map_attribute uid sAMAccountName
#nss_map_attribute uidNumber msSFU30UidNumber
#nss_map_attribute gidNumber msSFU30GidNumber
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute loginShell msSFU30LoginShell
#nss_map_attribute gecos name

# pam_ldap setting that ensures passwords are set correctly when
# using Active Directory
pam_password ad
_______________________

the following /etc/openldap/ldap.conf file:

BASE            ou=LNXUSERS,dc=example,dc=com
HOST            winAD.example.com
TLS_REQCERT demand
TLS_CACERT /etc/openldap/cacerts/exampleCA.pem
_______________________

the following /etc/pam.d/system-auth file (mail may be improperly
formatted but all commands are on a single line):

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     [ignore=ignore success=done default=die] /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     sufficient    /lib/security/$ISA/pam_localuser.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore authinfo_unavail=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so
session     optional      /lib/security/$ISA/pam_ldap.so
_______________________

The following changes have been implemented in my /etc/nsswitch.conf file:

passwd:     files [NOTFOUND=continue] ldap
shadow:     files
group:      files [NOTFOUND=continue] ldap
_______________________

As far as being able to authenticate to Active Directory and sign-on from
a Linux server the above configuration appears to work (although I assume
the validity of the settings could be debated).

Two problems exist in this configuration.

First, if the LDAP/AD server is unavailable the Linux system comes to a
complete crawl.  I have read articles from others who are experiencing the
same problems, but none of the suggestions have given positive results
(including some of the configuration from above).

Second, I cannot use native Linux tools (kpass, ldappasswd, passwd) to
change a normal user's password. I receive the following when trying to
change the password as a normal user:

[lnxuser@vmlnx01 ~]$ passwd
Changing password for user lnxuser.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information update failed: Can't contact LDAP server
0000052D: AtrErr: DSID-03190F00, #1:
        0: 0000052D: DSID-03190F00, problem 1005 (CONSTRAINT_ATT_TYPE),
data 0, Att 9005a (unicodePwd)

passwd: Permission denied

As root, I can change any user's password with no problem using the
`passwd' command.  I assume this is due to the DN set in the variable rootbinddn.

Again, I have read others who have similar problems.  Unfortunately I
have not been able to locate a definitive resolution to this problem.

I am running CentOS 4.3 with nss_ldap-226-10, openssh-3.9p1-8.RHEL4.12,
and openldap-2.2.13-4.

If anyone has got a working solution for addressing the above mentioned
problems, your input would be greatly appreciated.

--
Thank You.
Scott
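As an added illustration (not part of the original post), the following Python builds the LDAP modify that the `pam_password ad` self-service change described above sends to Active Directory for the unicodePwd attribute (Att 9005a in the error), beside the administrative replace that root's rootbinddn account performs; the user DN and passwords are constructed sample values.

```python
import base64

# Sample DN, constructed for this example (not from the original post).
SAMPLE_USER_DN = "cn=lnxuser,ou=LNXUSERS,dc=example,dc=com"


def unicode_pwd_value(password: str) -> bytes:
    """Encode a clear-text password as AD's unicodePwd attribute requires:
    wrapped in double quotes, UTF-16LE, no BOM and no terminator.
    Any other encoding is refused with CONSTRAINT_ATT_TYPE."""
    return f'"{password}"'.encode("utf-16-le")


def _b64(value: bytes) -> str:
    # LDIF carries binary attribute values base64-encoded after '::'.
    return base64.b64encode(value).decode("ascii")


def self_service_change_ldif(user_dn: str, old_pw: str, new_pw: str) -> str:
    """LDIF for a user changing their own password: one modify that deletes
    the old unicodePwd value and adds the new one, so AD can verify the old
    password and apply history/min-age policy. AD accepts this only over an
    encrypted channel (the start_tls / TLS_REQCERT demand settings above)."""
    return "\n".join([
        f"dn: {user_dn}",
        "changetype: modify",
        "delete: unicodePwd",
        f"unicodePwd:: {_b64(unicode_pwd_value(old_pw))}",
        "-",
        "add: unicodePwd",
        f"unicodePwd:: {_b64(unicode_pwd_value(new_pw))}",
        "-",
        "",
    ])


def admin_reset_ldif(user_dn: str, new_pw: str) -> str:
    """LDIF for an administrative reset, as the rootbinddn account does for
    root: a single replace that needs the Reset Password right, not the old
    password."""
    return "\n".join([
        f"dn: {user_dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {_b64(unicode_pwd_value(new_pw))}",
        "-",
        "",
    ])


if __name__ == "__main__":
    print(self_service_change_ldif(SAMPLE_USER_DN, "OldPass1!", "NewPass2!"))
    print(admin_reset_ldif(SAMPLE_USER_DN, "NewPass2!"))
```

Either LDIF can be fed to `ldapmodify -ZZ` against the same host, which forces the StartTLS channel AD requires before it will touch unicodePwd.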


Re: Linux and Active Directory integration (Win2k3 R2) -- Linux tools

by Michael Gasch


hi,

I'm not sure whether you want to try samba or not.
I think your goals are easier to achieve with samba/winbindd.
If you don't have plans to use samba please disregard this message.

> First, if the LDAP/AD server is unavailable the Linux system comes to a
> complete crawl.  I have read articles from others who are experiencing the
> same problems, but none of the suggestions have given positive results
> (including some of the configuration from above).
use winbindd offline mode
>
> Second, I can not use native Linux tools (kpass, ldappasswd, passwd) to
> change normal user's password. I receive the following when trying to
> change the password as a normal user:
IIRC there's the parameter binddn, which is used by regular users. if
you create an AD-account, that is allowed to change passwords, you could
use this account as "binddn" for users.

micha