= AD LDAP Authentication for Red Hat =
**Summary**: How to configure AD authentication on Red Hat. \\
**Date**: Around 2014 \\
**Refactor**: 29 March 2025: Checked links and formatting. \\
{{tag>redhat linux ad}}
This manual continues where [[adinstallidmforunix]] stopped. You'll also need [[adinstall2008r2]] and a default installed Red Hat server; I'm using Red Hat Enterprise Linux 5.5.
The packages you need for LDAP authentication (openldap and nss_ldap) are installed by default, but ldapsearch, which makes testing the setup a lot easier, is not. It is in the openldap-clients package, which you can install with yum by issuing the command {{{yum install openldap-clients}}}.
If you want to install from a DVD/CDROM you can use [[redhatrepo|this tutorial]] to add the media as a software repository.
Also note that the user needs the UNIX attributes (uidNumber, gidNumber, unixHomeDirectory, loginShell) set in Active Directory, as explained [[solarisadauth#enable_a_user_for_unix_authentication|here]].
One more remark on the LDAP configuration files: there are two, they look alike, and each serves a different purpose:
/etc/ldap.conf: # Used by pam to perform authentication.
/etc/openldap/ldap.conf: # Used by the openldap tools and application to connect.
= Test LDAP =
The simplest way to test LDAP is an ldapsearch. If it returns the user's entry you know that LDAP on Active Directory is reachable from this box and that the bind user works:
[root@shftstc01 yum.repos.d]# ldapsearch -b DC=nibshf,DC=local -h shftstc03 -x -D srv-unixauthentication@nibshf.local -w Beheer666 uid=nibtest
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: uid=nibtest
# requesting: ALL
#
# Nib Test, Users, 00 - Den Haag, nibshf.local
dn: CN=Nib Test,OU=Users,OU=00 - Den Haag,DC=nibshf,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Nib Test
sn: Test
givenName: Nib
distinguishedName: CN=Nib Test,OU=Users,OU=00 - Den Haag,DC=nibshf,DC=local
instanceType: 4
whenCreated: 20121213095140.0Z
whenChanged: 20121213124812.0Z
displayName: Nib Test
uSNCreated: 16691
uSNChanged: 16731
name: Nib Test
objectGUID:: 0leQmTXcD02mCnB4ZWb59w==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 129998754606125793
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAATSYfnx4kzRyWLpMMVAQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: nibtest
sAMAccountType: 805306368
userPrincipalName: nibtest@nibshf.local
lockoutTime: 0
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=nibshf,DC=local
dSCorePropagationData: 20121213095140.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 129998764921175910
uid: nibtest
msSFU30Name: nibtest
msSFU30NisDomain: nibshf
uidNumber: 10000
gidNumber: 10000
unixHomeDirectory: /home/nibtest
loginShell: /bin/bash
# search reference
ref: ldap://ForestDnsZones.nibshf.local/DC=ForestDnsZones,DC=nibshf,DC=local
# search reference
ref: ldap://DomainDnsZones.nibshf.local/DC=DomainDnsZones,DC=nibshf,DC=local
# search reference
ref: ldap://nibshf.local/CN=Configuration,DC=nibshf,DC=local
# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 1
# numReferences: 3
Note the format of the bind user: the UPN form (user@domain) above is accepted by ldapsearch, but the command that configures the LDAP client later on requires the bind user as a full LDAP DN, so test that form too. Also be aware that -w puts the bind password in your shell history and in the process list, where every local user can read it; for anything but a lab, use -W to be prompted or -y with a mode 600 password file instead. The same search with the bind user in DN format:
ldapsearch -b DC=nibshf,DC=local -h shftstc03 -x -D "CN=Service Account UNIX Authentication,OU=Users (Service Accounts),OU=0 - Global,DC=nibshf,DC=local" -w Beheer666 uid=nibtest
= AuthConfig =
Another test is to run authconfig with the --probe option. It instructs authconfig to use DNS and other means to guess the configuration for the current host, print its guesses to standard output and exit. Check the result before reusing it: in the output below the guessed base DN starts with an empty DC= component, which is why the --ldapbasedn is given explicitly later on:
[root@shftstc01 yum.repos.d]# authconfig --probe
ldap shftstc03.nibshf.local/DC=,DC=nibshf,DC=local
You can use authconfig to configure all the services at once, leaving a minimum of manual configuration. The command below uses a plain ldap:// URI without TLS, which is what the rest of this page shows; outside a lab, add --enableldaptls with an ldaps:// server URI (and the DC's CA certificate in /etc/openldap/cacerts, see --ldaploadcacert), because with a simple bind over port 389 the service account password and every user's login password cross the network in clear text:
authconfig --enableldap --enableldapauth \
--ldapserver=ldap://shftstc03.nibshf.local \
--ldapbasedn="DC=nibshf,DC=local" \
--disablemkhomedir \
--update
This command configures the following files, where sometimes adjustments need to be made:
== OpenLDAP ldap.conf ==
The /etc/openldap/ldap.conf is configured like this and does not need any additional configuration:
[root@shftstc01 yum.repos.d]# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
URI ldap://shftstc03.nibshf.local
BASE DC=nibshf,DC=local
TLS_CACERTDIR /etc/openldap/cacerts
== Ldap.conf ==
The /etc/ldap.conf is configured like this and needs some additional configuration:
[root@shftstc01 etc]# cat ldap.conf | grep -v '^[#]' | grep -v '^$'
base DC=nibshf,DC=local
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
uri ldap://shftstc03.nibshf.local
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
The version below is what you need for authentication to work. The additional configuration consists of defining the binddn and bindpw, and uncommenting the "# RFC 2307 (AD) mappings" block. Two things to be aware of: nss_ldap is loaded into every process, so this file has to stay world-readable and so does the bindpw, which is why the bind account should be a dedicated read-only service account. And the uncommented block sets "pam_password ad", but the original "pam_password md5" line further down is still there; pam_ldap takes the last value it reads, so remove the md5 line or AD password changes through PAM will be attempted with a crypt hash that AD does not accept:
[root@shftstc01 etc]# cat ldap.conf | grep -v '^[#]' | grep -v '^$'
base DC=nibshf,DC=local
binddn CN=Service Account UNIX Authentication,OU=Users (Service Accounts),OU=0 - Global,DC=nibshf,DC=local
bindpw Beheer666
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
uri ldap://shftstc03.nibshf.local
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
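The following linter is an added example and not part of the original page: it checks a pam_ldap/nss_ldap ldap.conf for the three pitfalls discussed above (a duplicate pam_password that overrides the AD setting, cleartext LDAP without TLS, and a bind password stored in a world-readable file). The configuration it runs on is a constructed copy of the relevant lines of the ldap.conf shown above, with the page's own lab host names, DNs and password; the function names and messages are mine.

```shell
#!/bin/sh
# Added example, not part of the original page: lint a pam_ldap/nss_ldap
# /etc/ldap.conf for the pitfalls of the configuration shown above.

# Constructed input: the relevant lines of the final ldap.conf from this
# page (lab host, DNs and password from the page; nothing here is real).
SAMPLE_LDAP_CONF='base DC=nibshf,DC=local
binddn CN=Service Account UNIX Authentication,OU=Users (Service Accounts),OU=0 - Global,DC=nibshf,DC=local
bindpw Beheer666
nss_map_objectclass posixAccount user
nss_map_attribute uid sAMAccountName
pam_login_attribute sAMAccountName
pam_password ad
uri ldap://shftstc03.nibshf.local
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5'

# effective_value FILE KEY: the value nss_ldap/pam_ldap actually use for KEY.
# The parser assigns each keyword as it reads the file, so the last
# occurrence wins; a missing key prints an empty line.
effective_value() {
    awk -v key="$2" '
        $1 == key { v = $2; for (i = 3; i <= NF; i++) v = v " " $i }
        END { print v }' "$1"
}

# lint_ldap_conf FILE: print one WARN/INFO line per finding, return the count.
lint_ldap_conf() {
    conf=$1
    findings=0

    # 1. Password changes: the "RFC 2307 (AD) mappings" block sets
    #    "pam_password ad", but a leftover "pam_password md5" further down
    #    overrides it, and AD rejects a crypt(3) hash as a new password.
    n=$(grep -c '^pam_password[[:space:]]' "$conf" || true)
    pw=$(effective_value "$conf" pam_password)
    if grep -q '^nss_map_objectclass[[:space:]]*posixAccount[[:space:]]*user' "$conf" \
       && [ "$pw" != "ad" ]; then
        echo "WARN pam_password is set $n time(s), effective value '$pw'; AD mappings need 'pam_password ad' (remove the later duplicate)"
        findings=$((findings + 1))
    fi

    # 2. Transport: "ssl no" with a plain ldap:// URI means the service
    #    account bind and every user's login password cross the network in
    #    clear text. ldaps:// or "ssl start_tls" plus the DC's CA cert in
    #    tls_cacertdir fixes this (authconfig: --enableldaptls).
    uri=$(effective_value "$conf" uri)
    ssl=$(effective_value "$conf" ssl)
    case "$uri" in
        ldaps://*) ;;
        *) if [ "${ssl:-no}" != "start_tls" ]; then
               echo "WARN cleartext LDAP: uri '$uri' with ssl '${ssl:-no}'; use ldaps:// or 'ssl start_tls'"
               findings=$((findings + 1))
           fi ;;
    esac

    # 3. Credentials at rest: nss_ldap runs inside every process, so this
    #    file must stay world-readable and so does bindpw. Keep the bind
    #    account read-only; nss_ldap's rootbinddn with the password in
    #    /etc/ldap.secret (mode 600) exists for lookups that need more.
    if grep -q '^bindpw[[:space:]]' "$conf"; then
        echo "INFO bindpw stored in world-readable $conf; the bind account must be least-privilege"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# lint_sample: run the linter over the constructed config, return its count.
lint_sample() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LDAP_CONF" > "$tmp"
    rc=0
    lint_ldap_conf "$tmp" || rc=$?
    rm -f "$tmp"
    return "$rc"
}

lint_sample || echo "findings: $?"
```

Run it against the real file with {{{lint_ldap_conf /etc/ldap.conf}}}; a clean AD configuration for this setup yields at most the INFO line about bindpw, which is inherent to nss_ldap and is why the bind account must only be able to read.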
== System-Auth-Ac ==
The /etc/pam.d/system-auth-ac file is configured like this, and no additional configuration is required:
[root@shftstc01 pam.d]# cat system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
== Nsswitch.conf ==
The /etc/nsswitch.conf file is configured like this and no additional configuration is required:
[root@shftstc01 etc]# cat nsswitch.conf | grep -v '^#' | grep -v '^$'
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus
= Additional Configuration =
== Home Directory ==
Manually create a home directory for the user you created in Active Directory (the authconfig command above used --disablemkhomedir; with --enablemkhomedir, pam_mkhomedir creates it at first login instead). Note that chown without a group, as done below, leaves the directory group-owned by root, and that a bare mkdir gives mode 755, readable by every other user on the box:
[root@shftstc01 etc]# cd /home
[root@shftstc01 home]# mkdir nibtest
[root@shftstc01 home]# ll
total 4
drwxr-xr-x 2 root root 4096 Dec 14 10:16 nibtest
[root@shftstc01 home]# chown nibtest nibtest/
[root@shftstc01 home]# ls -l
total 4
drwxr-xr-x 2 nibtest root 4096 Dec 14 10:16 nibtest
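As an added example (not the page's own commands), the function below does what the manual mkdir/chown above does, but from the passwd entry the box resolves through LDAP, with mode 700, owner and group set by numeric id, and dotfiles seeded from /etc/skel, the way pam_mkhomedir would. The sample input is the getent line shown further down on this page; the function name and the optional root-prefix argument (used here to stage under a temporary directory) are my additions.

```shell
#!/bin/sh
# Added example, not part of the original page: create the home directory of
# an LDAP-resolved user from its passwd entry, as pam_mkhomedir would at first
# login, with ownership and mode set properly.

# Constructed input: the getent line this page shows for the test user.
SAMPLE_PASSWD_LINE='nibtest:*:10000:10000:Nib Test:/home/nibtest:/bin/bash'

# ensure_home PASSWD_LINE [ROOT]: create the home named in the entry under
# ROOT (default: none, i.e. the real filesystem), mode 700, seeded from
# /etc/skel, owned uid:gid when run as root. Prints the path. Safe to re-run.
# Usage on the box, as root: ensure_home "$(getent passwd nibtest)"
ensure_home() {
    entry=$1
    root=${2:-}
    name=$(printf '%s' "$entry" | cut -d: -f1)
    uid=$(printf '%s' "$entry" | cut -d: -f3)
    gid=$(printf '%s' "$entry" | cut -d: -f4)
    home=$(printf '%s' "$entry" | cut -d: -f6)

    # Same boundary system-auth-ac draws: uid < 500 is a local/system account
    # on RHEL 5 and should never get a home created from directory data.
    if [ "$uid" -lt 500 ]; then
        echo "refusing uid $uid for '$name': system account range" >&2
        return 1
    fi
    # Refuse a relative or empty home (a bad unixHomeDirectory attribute in
    # AD would otherwise create a directory relative to the current cwd).
    case "$home" in
        /*) ;;
        *) echo "refusing home '$home' for '$name': not absolute" >&2; return 1 ;;
    esac

    target="$root$home"
    if [ ! -d "$target" ]; then
        mkdir -p "$target"
        if [ -d /etc/skel ]; then
            cp -R /etc/skel/. "$target"/
        fi
    fi
    # 700, not the 755 a bare mkdir gives: other LDAP users share this box.
    chmod 700 "$target"
    # Numeric ids: chown by name needs the very NSS lookup we are still
    # bootstrapping, and "chown nibtest" alone leaves the group as root.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$uid:$gid" "$target"
    fi
    printf '%s\n' "$target"
}
```

When not running as root the directory is created and locked down but not chowned, which is the behaviour you want when staging under a test prefix; on the real box run it as root so the owner matches the uidNumber getent returns.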
= Testing =
You can now test if the Red Hat box recognizes the LDAP as a user source:
[root@shftstc01 etc]# getent passwd nibtest
nibtest:*:10000:10000:Nib Test:/home/nibtest:/bin/bash
= Logging In =
Now you should be able to log on using your AD account:
$ ssh -l nibtest shftstc01
nibtest@shftstc01's password:
Last login: Fri Dec 14 10:16:16 2012 from shftstc04.nibshf.local
/usr/bin/xauth: creating new authority file /home/nibtest/.Xauthority
-bash-3.2$
= Resources =
http://www.wmduszyk.com/?p=8944 \\
http://linux.die.net/man/8/authconfig \\
Extra authconfig options:
[root@shftstc01 yum.repos.d]# authconfig --help
usage: authconfig [options] <--update|--test|--probe>
options:
-h, --help show this help message and exit
--enableshadow, --useshadow
enable shadowed passwords by default
--disableshadow disable shadowed passwords by default
--enablemd5, --usemd5
enable MD5 passwords by default
--disablemd5 disable MD5 passwords by default
--passalgo=
hash/crypt algorithm for new passwords
--enablenis enable NIS for user information by default
--disablenis disable NIS for user information by default
--nisdomain= default NIS domain
--nisserver= default NIS server
--enableldap enable LDAP for user information by default
--disableldap disable LDAP for user information by default
--enableldapauth enable LDAP for authentication by default
--disableldapauth disable LDAP for authentication by default
--ldapserver=
default LDAP server
--ldapbasedn= default LDAP base DN
--enableldaptls, --enableldapssl
enable use of TLS with LDAP
--disableldaptls, --disableldapssl
disable use of TLS with LDAP
--ldaploadcacert=
load CA certificate from the URL
--enablesmartcard enable authentication with smart card by default
--disablesmartcard disable authentication with smart card by default
--enablerequiresmartcard
require smart card for authentication by default
--disablerequiresmartcard
do not require smart card for authentication by
default
--smartcardmodule=
default smart card module to use
--smartcardaction=<0=Lock|1=Ignore>
action to be taken on smart card removal
--enablekrb5 enable kerberos authentication by default
--disablekrb5 disable kerberos authentication by default
--krb5kdc= default kerberos KDC
--krb5adminserver=
default kerberos admin server
--krb5realm= default kerberos realm
--enablekrb5kdcdns enable use of DNS to find kerberos KDCs
--disablekrb5kdcdns disable use of DNS to find kerberos KDCs
--enablekrb5realmdns enable use of DNS to find kerberos realms
--disablekrb5realmdns
disable use of DNS to find kerberos realms
--enablesmbauth enable SMB authentication by default
--disablesmbauth disable SMB authentication by default
--smbservers=
names of servers to authenticate against
--smbworkgroup=
workgroup authentication servers are in
--enablewinbind enable winbind for user information by default
--disablewinbind disable winbind for user information by default
--enablewinbindauth enable winbind for authentication by default
--disablewinbindauth disable winbind for authentication by default
--smbsecurity=
security mode to use for samba and winbind
--smbrealm= default realm for samba and winbind when security=ads
--smbidmapuid=
uid range winbind will assign to domain or ads users
--smbidmapgid=
gid range winbind will assign to domain or ads users
--winbindseparator=<\>
the character which will be used to separate the
domain and user part of winbind-created user names if
winbindusedefaultdomain is not enabled
--winbindtemplatehomedir=
the directory which winbind-created users will have as
home directories
--winbindtemplateprimarygroup=
the group which winbind-created users will have as
their primary group
--winbindtemplateshell=
the shell which winbind-created users will have as
their login shell
--enablewinbindusedefaultdomain
configures winbind to assume that users with no domain
in their user names are domain users
--disablewinbindusedefaultdomain
configures winbind to assume that users with no domain
in their user names are not domain users
--enablewinbindoffline
configures winbind to allow offline login
--disablewinbindoffline
configures winbind to prevent offline login
--winbindjoin=
join the winbind domain or ads realm now as this
administrator
--enablewins enable wins for hostname resolution
--disablewins disable wins for hostname resolution
--enablepreferdns prefer dns over wins or nis for hostname resolution
--disablepreferdns do not prefer dns over wins or nis for hostname
resolution
--enablehesiod enable hesiod for user information by default
--disablehesiod disable hesiod for user information by default
--hesiodlhs= default hesiod LHS
--hesiodrhs= default hesiod RHS
--enablecache enable caching of user information by default
--disablecache disable caching of user information by default
--enablelocauthorize local authorization is sufficient for local users
--disablelocauthorize
authorize local users also through remote service
--enablepamaccess check access.conf during account authorization
--disablepamaccess do not check access.conf during account authorization
--enablesysnetauth authenticate system accounts by network services
--disablesysnetauth authenticate system accounts by local files only
--enablemkhomedir create home directories for users on their first login
--disablemkhomedir do not create home directories for users on their
first login
--nostart do not start/stop portmap, ypbind, and nscd
--test do not update the configuration files, only print new
settings
--update, --kickstart
opposite of --test, update configuration files with
changed settings
--updateall update all configuration files
--probe probe network for defaults and print them