Authenticate Windows AD users on Linux using LDAP

This guide explains how to set up a Linux server so that users of a Windows Active Directory domain can authenticate against it over LDAP, using SSSD.

If you want to join the machine to the domain instead, you can use this guide.

Install all necessary packages

First of all, install these two packages and their dependencies (the commands in this guide are for RHEL/CentOS):

yum install sssd sssd-ldap

Create config file

Create (or modify) the file /etc/sssd/sssd.conf as follows. The file contains the bind password, so it must be owned by root and readable only by root (mode 0600); sssd refuses to start when the permissions are more permissive.

[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = domain.example.com

[nss]
#debug_level = 5
# To override the login shell for all users, uncomment the following line
#override_shell = /bin/bash

[pam]
#debug_level = 5

[sudo]
#debug_level = 5

[domain/domain.example.com]

#debug = 5

# Unless you know you need referrals, turn them off
ldap_referrals = false
# Keep cached credentials so users can still log in while the domain controller is unreachable
cache_credentials = true
# Listing the whole domain with getent is convenient but expensive on large directories;
# set this to false if lookups become slow
enumerate = true

id_provider = ldap
auth_provider = ldap
#chpass_provider = ldap
# Required for ldap_access_order / ldap_account_expire_policy below to have any effect:
# with the default access provider (permit) every account found in LDAP is allowed to log in
access_provider = ldap

# Point at a domain controller. With plain ldap:// on port 389 the connection must be
# upgraded with STARTTLS (ldap_id_use_start_tls below); ldaps:// on port 636 is the alternative
ldap_uri = ldap://ldapServer.domain.example.com:389
#ldap_uri = ldaps://ldapServer.domain.example.com:636
#ldap_chpass_uri = ldap://ldapServer.domain.example.com:389

# Comment out if not using SASL/GSSAPI to bind
#ldap_sasl_mech = GSSAPI
# Uncomment and adjust if the default principal host/fqdn@REALM is not available
#ldap_sasl_authid = nfs/client.ad.example.com@AD.EXAMPLE.COM

# Verify the domain controller's certificate. "never" disables verification and lets
# anyone on the network impersonate the DC and collect passwords; export the AD CA
# certificate in PEM format to the path below instead (adjust the path to your system)
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/certs/ad-ca.pem

# Define these only if anonymous binds are not allowed and no keytab is available.
# Keep use_start_tls enabled: without it the bind DN and password are transmitted over
# the network in the clear. (SSSD itself refuses to send a user's password over a
# connection that is not TLS-protected unless that check is explicitly disabled.)
ldap_id_use_start_tls = True
ldap_default_bind_dn = CN=name,OU=nameOU,DC=domain,DC=example,DC=com
ldap_default_authtok = passwordUserBind
ldap_default_authtok_type = password

# This is for Windows Active directory schema
ldap_schema = ad

# This is for searching user
ldap_user_search_base = OU=nameOU,DC=domain,DC=example,DC=com
ldap_user_object_class = user
ldap_user_gecos = cn

# Attributes of user (with ldap_schema = ad these two are already the defaults)
#ldap_user_home_directory = homeDirectory
ldap_user_name = sAMAccountName
ldap_user_principal = userPrincipalName

# This is for searching group
ldap_group_search_base = OU=nameOU,DC=domain,DC=example,DC=com
ldap_group_object_class = group

# Uncomment this and comment the previous if you want be more generic
#ldap_search_base = DC=domain,DC=example,DC=com

# Do not require the fully qualified form (user@domain) at login
use_fully_qualified_names = False

# Other parameters: deny expired/disabled AD accounts (only evaluated with access_provider = ldap)
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true

# Derive UIDs and GIDs from the objectSID, so AD needs no POSIX attributes
ldap_id_mapping = True

#ldap_pwd_policy = shadow
entry_cache_timeout = 600
ldap_network_timeout = 2

# If the directory already carries POSIX attributes (RFC2307 / msSFU30), map them here
# and set ldap_id_mapping = False above so they are used instead of SID-derived values
#ldap_user_object_class = user
#ldap_user_name = sAMAccountName
#ldap_user_uid_number = msSFU30UidNumber
#ldap_user_gid_number = msSFU30GidNumber
#ldap_user_gecos = displayName
#ldap_user_home_directory = msSFU30HomeDirectory
#ldap_user_shell = msSFU30LoginShell
#ldap_user_principal = userPrincipalName
#ldap_group_object_class = group
#ldap_group_name = cn
#ldap_group_gid_number = msSFU30GidNumber

Then restart the sssd service after the modification. Removing the database files clears the cache, including any cached credentials and stale entries left over from earlier attempts:

service sssd stop
rm -f /var/lib/sss/db/*
service sssd start

Finally, run this command to enable SSSD for identity lookups and authentication in nsswitch and PAM:

authconfig --enablesssd --enablesssdauth --enablelocauthorize --update
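Before deploying a file like the one above, it is worth checking it for the weak settings this guide warns about: an unencrypted bind, an unverified server certificate, access rules that are silently ignored and a duplicated provider. The script below is an added example, not part of the original guide: it lints an sssd.conf for exactly those points and runs itself against two constructed samples, the cleartext variant and the hardened one (hostnames, DNs, the bind password and the CA path in the samples are placeholders).

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide: lint an sssd.conf for the weak LDAP
# settings discussed above. The two sample files below are constructed placeholders.

# Query key $2 in the [domain/...] section of $1: mode "value" prints the effective (last,
# lower-cased) assignment, mode "count" how many times it is set. Comments are ignored.
domain_query() {
  awk -v key="$2" -v mode="$3" '
    /^[[:space:]]*\[/ { in_domain = ($0 ~ /^[[:space:]]*\[domain\//); next }
    in_domain && $0 !~ /^[[:space:]]*#/ && index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", k)
      if (k != key) next
      n++; val = substr($0, index($0, "=") + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
    }
    END { if (mode == "count") print n + 0; else print tolower(val) }' "$1"
}
domain_value()     { domain_query "$1" "$2" value; }
domain_key_count() { domain_query "$1" "$2" count; }

# One finding per line for config file $1; no output means clean.
sssd_lint() {
  local f="$1" uri starttls reqcert notls access order
  uri=$(domain_value "$f" ldap_uri)
  starttls=$(domain_value "$f" ldap_id_use_start_tls)
  reqcert=$(domain_value "$f" ldap_tls_reqcert)
  notls=$(domain_value "$f" ldap_auth_disable_tls_never_use_in_production)
  access=$(domain_value "$f" access_provider)
  order=$(domain_value "$f" ldap_access_order)
  # The file holds ldap_default_authtok: anything but 0600 leaks the bind password.
  case "$(ls -l "$f" | cut -c5-10)" in
    ------) ;;
    *) echo "mode: $f is not 0600 but contains the bind password" ;;
  esac
  # ldap:// without STARTTLS sends bind DN, bind password and lookups in cleartext.
  case "$uri" in
    ldaps://*) ;;
    *) [ "$starttls" = "true" ] || echo "cleartext: ldap_uri is not ldaps:// and ldap_id_use_start_tls is not true" ;;
  esac
  # never/allow skip certificate checks: a MITM can pose as the DC and harvest passwords.
  case "$reqcert" in
    never|allow) echo "tls: ldap_tls_reqcert=$reqcert disables certificate verification" ;;
  esac
  # Explicit override of sssd's TLS requirement for password binds.
  [ "$notls" != "true" ] || echo "cleartext: ldap_auth_disable_tls_never_use_in_production is set"
  # ldap_access_order is only evaluated when access_provider = ldap; the default (permit)
  # admits every account the user search finds, expired or not.
  if [ -n "$order" ] && [ "$access" != "ldap" ]; then
    echo "access: ldap_access_order set but access_provider is '${access:-permit}', so it is ignored"
  fi
  # Two auth_provider lines are ambiguous (and krb5 would also need krb5_server/krb5_realm).
  [ "$(domain_key_count "$f" auth_provider)" -le 1 ] || echo "config: auth_provider is defined more than once"
}
sssd_lint_count() { sssd_lint "$1" | wc -l | tr -d ' '; }

tmp=$(mktemp -d)
INSECURE_CONF="$tmp/insecure.conf"; SECURE_CONF="$tmp/secure.conf"
# Constructed sample: what the guide's cleartext variant amounted to.
cat > "$INSECURE_CONF" <<'EOF'
[sssd]
domains = domain.example.com
[domain/domain.example.com]
id_provider = ldap
auth_provider = ldap
auth_provider = krb5
ldap_uri = ldap://ldapServer.domain.example.com:389
ldap_tls_reqcert = never
ldap_id_use_start_tls = False
ldap_default_bind_dn = CN=name,OU=nameOU,DC=domain,DC=example,DC=com
ldap_default_authtok = passwordUserBind
ldap_access_order = expire
EOF
chmod 644 "$INSECURE_CONF"
# Constructed sample: the same domain hardened (STARTTLS, verified CA, access provider on).
cat > "$SECURE_CONF" <<'EOF'
[sssd]
domains = domain.example.com
[domain/domain.example.com]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldap://ldapServer.domain.example.com:389
ldap_id_use_start_tls = True
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/certs/ad-ca.pem
ldap_default_bind_dn = CN=name,OU=nameOU,DC=domain,DC=example,DC=com
ldap_default_authtok = passwordUserBind
ldap_access_order = expire
EOF
chmod 600 "$SECURE_CONF"

for c in "$INSECURE_CONF" "$SECURE_CONF"; do
  echo "== $c: $(sssd_lint_count "$c") finding(s)"; sssd_lint "$c"
done
```

Run as root, `sssd_lint /etc/sssd/sssd.conf` checks the real file (it must be root-only readable anyway). The parser treats every [domain/...] section as one, which is fine for the single-domain setup in this guide; it reads only what is in the file, so defaults such as ldap_tls_reqcert = demand are reported as clean when the key is absent. Once sssd is running, `getent passwd <user>` and `id <user>` confirm that lookups work before you try an actual login.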

Fine tuning

If you want a domain group or user to become a sudoer, create the file /etc/sudoers.d/domainPolicy (preferably with visudo -f /etc/sudoers.d/domainPolicy, which checks the syntax before saving) with this content. AD group names that contain spaces must have each space escaped with a backslash in sudoers.

%Groupname ALL=(ALL) ALL
Username ALL=(ALL) ALL

If you want to restrict SSH access to only some groups, add or modify the AllowGroups line in /etc/ssh/sshd_config. Any user who is not a member of one of the listed groups is denied, so keep a local administrative group in the list and restart sshd afterwards:

AllowGroups sudo groupname sshallowed