[NBLUG/talk] Authentication against Active Directory

Eric Eisenhart eric at nblug.org
Thu Jun 19 07:58:00 PDT 2003


On Wed, Jun 18, 2003 at 09:39:28PM -0500, Warren Raquel wrote:
> I have a few questions concerning RedHat and authentication. Now, first,
> is it possible to authenticate a login against a mixed-mode Active
> Directory, or even a native-mode AD? If so, I suppose I would also have
> to create an account on the local Linux machine to correspond to their
> username, right? How would I go about doing this (not creating the
> account, but getting authentication set up)? I've googled, but the mass of
> information is mind-boggling; can someone point me in the right direction?

Taking into account that MS has intentionally made certain portions of
things slightly incompatible...

I recommend the LDAP approach.

0) Make notes about the directory setup.  Pay particular attention to the DN
   (distinguishedName) that your users have.  I've only done this in a setup
   where all users appeared in the same place (no delegated sub-trees).  I'll
   pretend that you've got "ad.example.com".
1) Create an account in AD that has access to bind to LDAP and as little else
   as you can give it.  I'll pretend you called it "ldapuser".
2) Install appropriate packages.  Uhm... "nss_ldap" perhaps.
3) Edit /etc/ldap.conf -- set the "host" parameter to a space separated list
   of all the AD servers.  Set base to, uhm,
   "cn=Users,dc=ad,dc=example,dc=com".  Set binddn to
   "cn=ldapuser,cn=Users,dc=ad,dc=example,dc=com" and bindpw to the password
   you picked for the account.  I think you want "scope sub", but that may
   be the default.  Further down, set "pam_login_attribute sAMAccountName".
4) Fiddle with some ldapsearch queries to be sure you have things right.
5) Run "authconfig" -- it'll put some lines like
   "auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok" and
   "auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass" into
   /etc/pam.d/system-auth
6) Make some users whose usernames match what's in LDAP, unless you already
   have some.
7) Cross your fingers, and don't close that root terminal until you're sure
   you've got it all working well enough that you can get in as root.

It should also be possible to do with some kind of Kerberos type setup, but
I'm not sure how that goes.  With MS's AD addon for Unix, you can adjust
things enough to not need anything in the passwd file, but I've never tried.

> Also, I want to create a mail server that does virtual mail accounts 
> corresponding to specified AD accounts. The accounts just need IMAP or 
> POP access (either will do). Anyone have any tips on this? TIA.

This should be possible with the LDAP access to AD (steps 1-4 the same), but
I don't know the exact details.
-- 
Eric Eisenhart
NBLUG Co-Founder & Vice-President Pro Tempore
The North Bay Linux Users Group
http://nblug.org/
eric at nblug.org, IRC: Freiheit at freenode, AIM: falschfreiheit, ICQ: 48217244
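An added example, not code from the original post or from nss_ldap: a small check script for the steps 3 to 5 setup above, meant to be run from that still-open root terminal before trusting the new login path. It assumes the post's hypothetical values (ad.example.com, ldapuser) and a test account named "jdoe".

```shell
#!/bin/sh
# Added example, not code from the original post: sanity checks for the
# nss_ldap/pam_ldap setup in steps 3-5, to run from that still-open root
# terminal. Hypothetical values: ad.example.com, ldapuser, test user "jdoe".

# Read one "key value" line from ldap.conf; prints nothing if the key is absent.
ldap_conf_get() {   # $1 = key, $2 = path to ldap.conf
    awk -v k="$1" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }' "$2"
}

# Step 3: every key must be present, and AD logins need sAMAccountName.
ldap_conf_check() { # $1 = path to ldap.conf; returns 1 if something is missing
    rc=0
    for key in host base binddn bindpw pam_login_attribute; do
        [ -n "$(ldap_conf_get "$key" "$1")" ] || { echo "missing: $key" >&2; rc=1; }
    done
    [ "$(ldap_conf_get pam_login_attribute "$1")" = sAMAccountName ] ||
        { echo "pam_login_attribute must be sAMAccountName for AD" >&2; rc=1; }
    # nss lookups run as every user, so ldap.conf is normally world-readable and
    # a bindpw in it is visible to all local users (nss_ldap's rootbinddn with
    # /etc/ldap.secret keeps the password root-only). Warn, do not fail.
    [ "$(ls -l "$1" | cut -c8)" = r ] && echo "warning: bindpw in world-readable $1" >&2
    return $rc
}

# Step 4: the ldapsearch that mirrors what pam_ldap/nss_ldap do -- simple bind
# as binddn, then look the user up by sAMAccountName under base. -W prompts
# for the bind password so it never shows up in the process list.
ldapsearch_cmd() {  # $1 = username, $2 = path to ldap.conf
    host=$(ldap_conf_get host "$2" | cut -d' ' -f1)   # first AD server only
    printf 'ldapsearch -x -H ldap://%s -D "%s" -W -b "%s" "(sAMAccountName=%s)" dn sAMAccountName\n' \
        "$host" "$(ldap_conf_get binddn "$2")" "$(ldap_conf_get base "$2")" "$1"
}

# Step 5: pam_ldap must come after pam_unix in the auth stack, with use_first_pass.
pam_stack_check() { # $1 = path to /etc/pam.d/system-auth
    awk '$1 == "auth" && $3 ~ /pam_unix\.so/ { u = NR }
         $1 == "auth" && $3 ~ /pam_ldap\.so/ && /use_first_pass/ { l = NR }
         END { exit !(u && l && u < l) }' "$1"
}

# Usage: sh adcheck.sh jdoe
if [ -n "$1" ]; then
    ldap_conf_check /etc/ldap.conf && echo "try: $(ldapsearch_cmd "$1" /etc/ldap.conf)"
    pam_stack_check /etc/pam.d/system-auth || echo "auth stack is not as expected" >&2
fi
```

The printed ldapsearch line is the step 4 query to run by hand; if it returns the user's dn, nss_ldap and pam_ldap are reading the same data the script checked.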