AD LDAP Authentication for Red Hat
Summary: How to configure AD authentication on Red Hat.
Date: Around 2014
Refactor: 29 March 2025: Checked links and formatting.
This manual continues where AD Identity Management for Unix stopped. You will also need an Active Directory 2008 R2 Basic Installation and a default-installed Red Hat server; I'm using Red Hat Enterprise Linux 5.5.
The packages you need for LDAP authentication (openldap and nss_ldap) are installed by default, but ldapsearch, which makes testing the setup very handy, is not. You'll need the openldap-clients package for that. You can install it with yum by issuing the command yum install openldap-clients.
If you want to install from a DVD/CD-ROM, you can use this tutorial to add the media as a software repository.
Also note that you need a user with UNIX attributes set, as explained here.
Another remark concerns the LDAP configuration files: there are two, and each is used for a different purpose:
/etc/ldap.conf: used by PAM to perform authentication.
/etc/openldap/ldap.conf: used by the OpenLDAP tools and applications to connect.
Test LDAP
The simplest way to test LDAP is to do an ldapsearch. If this succeeds and output is returned, you know the LDAP interface of Active Directory is reachable and that the bind user is also working properly:
[root@shftstc01 yum.repos.d]# ldapsearch -b DC=nibshf,DC=local -h shftstc03 -x -D srv-unixauthentication@nibshf.local -w Beheer666 uid=nibtest
# extended LDIF
#
# LDAPv3
# base <DC=nibshf,DC=local> with scope subtree
# filter: uid=nibtest
# requesting: ALL
#

# Nib Test, Users, 00 - Den Haag, nibshf.local
dn: CN=Nib Test,OU=Users,OU=00 - Den Haag,DC=nibshf,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Nib Test
sn: Test
givenName: Nib
distinguishedName: CN=Nib Test,OU=Users,OU=00 - Den Haag,DC=nibshf,DC=local
instanceType: 4
whenCreated: 20121213095140.0Z
whenChanged: 20121213124812.0Z
displayName: Nib Test
uSNCreated: 16691
uSNChanged: 16731
name: Nib Test
objectGUID:: 0leQmTXcD02mCnB4ZWb59w==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 129998754606125793
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAATSYfnx4kzRyWLpMMVAQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: nibtest
sAMAccountType: 805306368
userPrincipalName: nibtest@nibshf.local
lockoutTime: 0
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=nibshf,DC=local
dSCorePropagationData: 20121213095140.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 129998764921175910
uid: nibtest
msSFU30Name: nibtest
msSFU30NisDomain: nibshf
uidNumber: 10000
gidNumber: 10000
unixHomeDirectory: /home/nibtest
loginShell: /bin/bash

# search reference
ref: ldap://ForestDnsZones.nibshf.local/DC=ForestDnsZones,DC=nibshf,DC=local

# search reference
ref: ldap://DomainDnsZones.nibshf.local/DC=DomainDnsZones,DC=nibshf,DC=local

# search reference
ref: ldap://nibshf.local/CN=Configuration,DC=nibshf,DC=local

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3
Another error could come from the bind user you're using. The user@domain format above works for the ldapsearch command, but it will not work for the command that configures the LDAP client later on. That command requires the bind user in LDAP (distinguished name) format:
ldapsearch -b DC=nibshf,DC=local -h shftstc03 -x -D "CN=Service Account UNIX Authentication,OU=Users (Service Accounts),OU=0 - Global,DC=nibshf,DC=local" -w Beheer666 uid=nibtest
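A successful bind only proves the service account works; the user you want to log in with must also carry the UNIX attributes (uidNumber, gidNumber, unixHomeDirectory, loginShell) that the mappings later in this guide rely on. The following is an added helper, not part of the original post: it reads the LDIF that ldapsearch prints and reports which of those attributes are missing. The function name and the two sample entries are my own constructions; the second sample deliberately lacks the UNIX attributes to show what an account that was never set up for UNIX looks like.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that an LDIF entry
# returned by ldapsearch carries the attributes the nss_ldap mappings in this
# guide need to build a passwd entry. Function and sample names are my own.

# With the AD mappings used later (uid -> sAMAccountName, homeDirectory ->
# unixHomeDirectory), these are the attributes a UNIX login depends on.
REQUIRED_ATTRS="sAMAccountName uidNumber gidNumber unixHomeDirectory loginShell"

# check_unix_attrs: read LDIF from stdin; print missing attributes to stderr.
# Returns 0 when every required attribute is present, 1 otherwise.
check_unix_attrs() {
    ldif=$(cat)
    missing=""
    for attr in $REQUIRED_ATTRS; do
        # LDIF lines look like "name: value" or "name:: base64value".
        if ! printf '%s\n' "$ldif" | grep -q "^$attr::\{0,1\} "; then
            missing="$missing $attr"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing attributes:$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample mirroring the 'nibtest' entry shown above (attributes
# not needed for the check are left out).
GOOD_LDIF='dn: CN=Nib Test,OU=Users,OU=00 - Den Haag,DC=nibshf,DC=local
objectClass: user
sAMAccountName: nibtest
objectGUID:: 0leQmTXcD02mCnB4ZWb59w==
uidNumber: 10000
gidNumber: 10000
unixHomeDirectory: /home/nibtest
loginShell: /bin/bash'

# Constructed sample of an account whose UNIX attributes were never set.
BAD_LDIF='dn: CN=No Unix,OU=Users,OU=00 - Den Haag,DC=nibshf,DC=local
objectClass: user
sAMAccountName: nounix'

# Against a live directory, pipe the guide's ldapsearch into the check
# ($BINDDN and $BINDPW are placeholders for your own bind credentials):
#   ldapsearch -x -h shftstc03 -b DC=nibshf,DC=local -D "$BINDDN" -w "$BINDPW" uid=nibtest | check_unix_attrs
printf '%s\n' "$GOOD_LDIF" | check_unix_attrs && echo "nibtest: usable for UNIX login"
printf '%s\n' "$BAD_LDIF" | check_unix_attrs || echo "nounix: not usable for UNIX login"
```

If the check reports missing attributes for a user that does bind fine, the fix is on the Active Directory side (set the UNIX attributes as described earlier), not in the Red Hat configuration.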
AuthConfig
Another test you can do is start authconfig with the probe option. The --probe action instructs authconfig to use DNS and other means to guess at configuration information for the current host, print its guesses (if it finds any) to standard output, and exit:
[root@shftstc01 yum.repos.d]# authconfig --probe
ldap shftstc03.nibshf.local/DC=,DC=nibshf,DC=local
You can use authconfig to automatically configure all services, leaving a minimum of manual configuration:
authconfig --enableldap --enableldapauth \
  --ldapserver=ldap://shftstc03.nibshf.local \
  --ldapbasedn="DC=nibshf,DC=local" \
  --disablemkhomedir \
  --update
This command configures the following files, in which adjustments sometimes need to be made:
OpenLDAP ldap.conf
The /etc/openldap/ldap.conf is configured like this and does not need any additional configuration:
[root@shftstc01 yum.repos.d]# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example, dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
URI ldap://shftstc03.nibshf.local
BASE DC=nibshf,DC=local
TLS_CACERTDIR /etc/openldap/cacerts
Ldap.conf
The /etc/ldap.conf is configured like this and needs some additional configuration:
[root@shftstc01 etc]# cat ldap.conf | grep -v '^[#]' | grep -v '^$'
base DC=nibshf,DC=local
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
uri ldap://shftstc03.nibshf.local
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
This is the final version that you'll need for authentication to work. The additional configuration consists of defining the binddn and bindpw, and uncommenting the "# RFC 2307 (AD) mappings" section:
[root@shftstc01 etc]# cat ldap.conf | grep -v '^[#]' | grep -v '^$'
base DC=nibshf,DC=local
binddn CN=Service Account UNIX Authentication,OU=Users (Service Accounts),OU=0 - Global,DC=nibshf,DC=local
bindpw Beheer666
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
uri ldap://shftstc03.nibshf.local
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
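Two properties of this file are worth checking before relying on it. First, nss_ldap and pam_ldap assign a directive each time they read it, so a key that appears twice (as pam_password does above: ad from the uncommented AD mappings block, md5 left behind by authconfig) keeps only its last value. Second, /etc/ldap.conf has to stay world-readable for NSS lookups, so a bindpw in it can be read by every local user, and with ssl no the bind password and the users' own passwords cross the network in the clear; nss_ldap's rootbinddn directive, which reads the password from /etc/ldap.secret (mode 600), and ssl start_tls address both. The following lint is an added example, not part of the original post; the function names are mine, and the sample file is a constructed copy of the configuration above with a placeholder in place of the real bind password.

```shell
#!/bin/sh
# Added example, not part of the original post: a small lint for the
# /etc/ldap.conf produced in this guide. Function and sample names are my own.

# lint_ldap_conf FILE: print findings, return 0 only when there are none.
lint_ldap_conf() {
    conf="$1"
    findings=0

    # Effective directives: drop comments and blank lines, take the key from
    # column 1. nss_map_* directives are legitimately repeated (one per
    # mapped name), so key those by their second word as well.
    keys=$(grep -v '^[[:space:]]*#' "$conf" | grep -v '^[[:space:]]*$' |
        awk '{ k = tolower($1); if (k ~ /^nss_map_/) k = k " " $2; print k }')

    # A repeated key is assigned each time it is read: only the last line counts.
    dups=$(printf '%s\n' "$keys" | sort | uniq -d)
    if [ -n "$dups" ]; then
        printf '%s\n' "$dups" | while read -r dup; do
            echo "DUPLICATE: '$dup' set more than once; only the last line takes effect"
        done
        findings=$((findings + $(printf '%s\n' "$dups" | wc -l)))
    fi

    if grep -qi '^[[:space:]]*bindpw[[:space:]]' "$conf"; then
        if grep -qi '^[[:space:]]*ssl[[:space:]][[:space:]]*no[[:space:]]*$' "$conf"; then
            echo "CLEARTEXT: bindpw set with 'ssl no'; bind and user passwords cross the network unencrypted (use 'ssl start_tls' or 'ssl on')"
            findings=$((findings + 1))
        fi
        # Character 8 of 'ls -ld' output is the world-read bit (portable, unlike stat -c).
        if [ "$(ls -ld "$conf" | cut -c8)" = "r" ]; then
            echo "EXPOSED: bindpw stored in world-readable $conf; prefer rootbinddn with the password in /etc/ldap.secret (mode 600)"
            findings=$((findings + 1))
        fi
    fi

    echo "$findings finding(s) in $conf"
    [ "$findings" -eq 0 ]
}

# Constructed sample mirroring the final ldap.conf above, with a placeholder
# instead of the real bind password.
SAMPLE_CONF='base DC=nibshf,DC=local
binddn CN=Service Account UNIX Authentication,OU=Users (Service Accounts),OU=0 - Global,DC=nibshf,DC=local
bindpw REPLACE_WITH_BIND_PASSWORD
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
uri ldap://shftstc03.nibshf.local
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5'

# Offline demonstration; on a real host run: lint_ldap_conf /etc/ldap.conf
demo_lint() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_CONF" > "$tmp"
    chmod 644 "$tmp"    # world-readable, as /etc/ldap.conf must be for NSS lookups
    lint_ldap_conf "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
demo_lint || true
```

Run against the sample, the lint reports the duplicated pam_password, the cleartext bind and the exposed bindpw, three findings in total. The duplicate only affects password changes (pam_password), not logins, so the guide's setup works as shown; the other two are the points to fix before the host holds real accounts.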
System-Auth-Ac
The /etc/pam.d/system-auth-ac file is configured like this, and no additional configuration is required:
[root@shftstc01 pam.d]# cat system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
Nsswitch.conf
The /etc/nsswitch.conf file is configured like this and no additional configuration is required:
[root@shftstc01 etc]# cat nsswitch.conf | grep -v '^#' | grep -v '^$'
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files ldap
publickey:  nisplus
automount:  files ldap
aliases:    files nisplus
Additional Configuration
Home Directory
Manually create a home directory for the user you created in Active Directory:
[root@shftstc01 etc]# cd /home
[root@shftstc01 home]# mkdir nibtest
[root@shftstc01 home]# ll
total 4
drwxr-xr-x 2 root root 4096 Dec 14 10:16 nibtest
[root@shftstc01 home]# chown nibtest nibtest/
[root@shftstc01 home]# ls -l
total 4
drwxr-xr-x 2 nibtest root 4096 Dec 14 10:16 nibtest
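Because authconfig was run with --disablemkhomedir, every AD user needs a home directory created by hand like this (pam_mkhomedir, enabled with --enablemkhomedir, would instead create it at first login). The following helper is an added example, not part of the original post: it takes the user's passwd entry as getent passwd prints it and creates the directory from the fields in it. It goes a little further than the manual steps above, setting the group from gidNumber instead of leaving it at root, copying /etc/skel, and restricting the directory to its owner. The function names and the optional prefix argument (used only to demonstrate under a temporary directory) are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: create a home directory for an
# LDAP user from its passwd entry, as 'getent passwd USER' prints it. Function
# names are my own. Unlike the manual steps above this also sets the group
# from gidNumber, copies /etc/skel and restricts the directory to the owner.

# make_home PASSWD_LINE [PREFIX]: create the home directory named in the entry
# and print its path. PREFIX is prepended to the path (demonstration only).
make_home() {
    entry="$1"
    prefix="${2:-}"

    # A passwd entry has exactly seven colon-separated fields.
    case "$entry" in
        *:*:*:*:*:*:*) ;;
        *) echo "make_home: not a passwd entry: $entry" >&2; return 1 ;;
    esac
    name=$(printf '%s' "$entry" | cut -d: -f1)
    uid=$(printf '%s' "$entry" | cut -d: -f3)
    gid=$(printf '%s' "$entry" | cut -d: -f4)
    home=$(printf '%s' "$entry" | cut -d: -f6)
    case "$home" in
        /*) ;;
        *) echo "make_home: $name has no absolute home directory" >&2; return 1 ;;
    esac

    dir="$prefix$home"
    if [ -d "$dir" ]; then
        echo "make_home: $dir already exists, leaving it alone" >&2
        echo "$dir"
        return 0
    fi
    mkdir -p "$dir"
    # Seed the usual dotfiles, as useradd would.
    if [ -d /etc/skel ]; then
        cp -R /etc/skel/. "$dir"/ 2>/dev/null || echo "make_home: could not copy /etc/skel" >&2
    fi
    chmod 700 "$dir"
    # Use the numeric ids from the entry so this works even when chown cannot
    # resolve the name through NSS; chown itself needs root.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$uid:$gid" "$dir"
    else
        echo "make_home: not root, skipping chown $uid:$gid $dir" >&2
    fi
    echo "$dir"
}

# On a real host: make_home "$(getent passwd nibtest)"
# Offline demonstration with the constructed entry from the guide, under a temp dir:
demo_dir=$(mktemp -d)
make_home 'nibtest:*:10000:10000:Nib Test:/home/nibtest:/bin/bash' "$demo_dir"
ls -ld "$demo_dir/home/nibtest"
rm -rf "$demo_dir"
```

Run as root on the box, make_home "$(getent passwd nibtest)" reproduces the manual session above in one step and leaves the directory owned by nibtest:nibtest with mode 700.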
Testing
You can now test whether the Red Hat box recognizes LDAP as a user source:
[root@shftstc01 etc]# getent passwd nibtest
nibtest:*:10000:10000:Nib Test:/home/nibtest:/bin/bash
Logging In
Now you should be able to log on using your AD account:
$ ssh -l nibtest shftstc01
nibtest@shftstc01's password:
Last login: Fri Dec 14 10:16:16 2012 from shftstc04.nibshf.local
/usr/bin/xauth:  creating new authority file /home/nibtest/.Xauthority
-bash-3.2$
Resources
http://www.wmduszyk.com/?p=8944
http://linux.die.net/man/8/authconfig
Extra authconfig options:
[root@shftstc01 yum.repos.d]# authconfig --help
usage: authconfig [options] <--update|--test|--probe>

options:
  -h, --help                            show this help message and exit
  --enableshadow, --useshadow           enable shadowed passwords by default
  --disableshadow                       disable shadowed passwords by default
  --enablemd5, --usemd5                 enable MD5 passwords by default
  --disablemd5                          disable MD5 passwords by default
  --passalgo=<descrypt|bigcrypt|md5|sha256|sha512>
                                        hash/crypt algorithm for new passwords
  --enablenis                           enable NIS for user information by default
  --disablenis                          disable NIS for user information by default
  --nisdomain=<domain>                  default NIS domain
  --nisserver=<server>                  default NIS server
  --enableldap                          enable LDAP for user information by default
  --disableldap                         disable LDAP for user information by default
  --enableldapauth                      enable LDAP for authentication by default
  --disableldapauth                     disable LDAP for authentication by default
  --ldapserver=<server>                 default LDAP server
  --ldapbasedn=<dn>                     default LDAP base DN
  --enableldaptls, --enableldapssl      enable use of TLS with LDAP
  --disableldaptls, --disableldapssl    disable use of TLS with LDAP
  --ldaploadcacert=<URL>                load CA certificate from the URL
  --enablesmartcard                     enable authentication with smart card by default
  --disablesmartcard                    disable authentication with smart card by default
  --enablerequiresmartcard              require smart card for authentication by default
  --disablerequiresmartcard             do not require smart card for authentication by default
  --smartcardmodule=<module>            default smart card module to use
  --smartcardaction=<0=Lock|1=Ignore>   action to be taken on smart card removal
  --enablekrb5                          enable kerberos authentication by default
  --disablekrb5                         disable kerberos authentication by default
  --krb5kdc=<server>                    default kerberos KDC
  --krb5adminserver=<server>            default kerberos admin server
  --krb5realm=<realm>                   default kerberos realm
  --enablekrb5kdcdns                    enable use of DNS to find kerberos KDCs
  --disablekrb5kdcdns                   disable use of DNS to find kerberos KDCs
  --enablekrb5realmdns                  enable use of DNS to find kerberos realms
  --disablekrb5realmdns                 disable use of DNS to find kerberos realms
  --enablesmbauth                       enable SMB authentication by default
  --disablesmbauth                      disable SMB authentication by default
  --smbservers=<servers>                names of servers to authenticate against
  --smbworkgroup=<workgroup>            workgroup authentication servers are in
  --enablewinbind                       enable winbind for user information by default
  --disablewinbind                      disable winbind for user information by default
  --enablewinbindauth                   enable winbind for authentication by default
  --disablewinbindauth                  disable winbind for authentication by default
  --smbsecurity=<user|server|domain|ads>
                                        security mode to use for samba and winbind
  --smbrealm=<realm>                    default realm for samba and winbind when security=ads
  --smbidmapuid=<lowest-highest>        uid range winbind will assign to domain or ads users
  --smbidmapgid=<lowest-highest>        gid range winbind will assign to domain or ads users
  --winbindseparator=<\>                the character which will be used to separate the domain and user part of winbind-created user names if winbindusedefaultdomain is not enabled
  --winbindtemplatehomedir=</home/%D/%U>
                                        the directory which winbind-created users will have as home directories
  --winbindtemplateprimarygroup=<nobody>
                                        the group which winbind-created users will have as their primary group
  --winbindtemplateshell=</bin/false>   the shell which winbind-created users will have as their login shell
  --enablewinbindusedefaultdomain       configures winbind to assume that users with no domain in their user names are domain users
  --disablewinbindusedefaultdomain      configures winbind to assume that users with no domain in their user names are not domain users
  --enablewinbindoffline                configures winbind to allow offline login
  --disablewinbindoffline               configures winbind to prevent offline login
  --winbindjoin=<Administrator>         join the winbind domain or ads realm now as this administrator
  --enablewins                          enable wins for hostname resolution
  --disablewins                         disable wins for hostname resolution
  --enablepreferdns                     prefer dns over wins or nis for hostname resolution
  --disablepreferdns                    do not prefer dns over wins or nis for hostname resolution
  --enablehesiod                        enable hesiod for user information by default
  --disablehesiod                       disable hesiod for user information by default
  --hesiodlhs=<lhs>                     default hesiod LHS
  --hesiodrhs=<rhs>                     default hesiod RHS
  --enablecache                         enable caching of user information by default
  --disablecache                        disable caching of user information by default
  --enablelocauthorize                  local authorization is sufficient for local users
  --disablelocauthorize                 authorize local users also through remote service
  --enablepamaccess                     check access.conf during account authorization
  --disablepamaccess                    do not check access.conf during account authorization
  --enablesysnetauth                    authenticate system accounts by network services
  --disablesysnetauth                   authenticate system accounts by local files only
  --enablemkhomedir                     create home directories for users on their first login
  --disablemkhomedir                    do not create home directories for users on their first login
  --nostart                             do not start/stop portmap, ypbind, and nscd
  --test                                do not update the configuration files, only print new settings
  --update, --kickstart                 opposite of --test, update configuration files with changed settings
  --updateall                           update all configuration files
  --probe                               probe network for defaults and print them