Thursday, November 29, 2012

Authenticate RHEL 6 Linux users by Windows 2008 R2 AD

nss_ldap, which RHEL 5 used for LDAP authentication, is obsolete in RHEL 6; its replacement is nss-pam-ldapd. The preferred method for LDAP authentication in RHEL 6, however, is the System Security Services Daemon (SSSD) (in fact, RHEL 5.6 or later also supports SSSD).
SSSD's unique features:
- Credential caching: users can still log in when the LDAP server is offline.
- Persistent connections, reducing the overhead of opening a new socket for each request.
- Support for multiple LDAP/NIS domains.

Install SSSD packages

$ yum install sssd sssd-client

Run the following command, which makes the necessary changes in /etc/krb5.conf, /etc/sssd/sssd.conf, /etc/nsswitch.conf and /etc/pam.d/.

$ authconfig --enablesssd --ldapserver=ldap:// --ldapbasedn="OU=_USERS,DC=ad,DC=example,DC=com" --enablerfc2307bis --enablesssdauth --krb5realm=AD.EXAMPLE.COM --disableforcelegacy --enablelocauthorize --enablemkhomedir --updateall

All files should be updated automatically; only /etc/sssd/sssd.conf needs to be customized. The following is an example file with the minimum parameters needed.

#cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = default

[domain/default]
# ldap_uri is ldap:// and StartTLS is off, so the bind with ldap_default_authtok is sent unencrypted.
ldap_id_use_start_tls = False
cache_credentials = True
# Without enumerate = True, users won't be shown in 'getent passwd' output.
enumerate = True
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_schema = rfc2307bis
ldap_force_upper_case_realm = True
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_gecos = displayName
ldap_user_home_directory = unixHomeDirectory
ldap_uri = ldap://
ldap_search_base = OU=_USERS,DC=ad,DC=example,DC=com
ldap_user_search_base = OU=_USERS,DC=ad,DC=example,DC=com
ldap_group_search_base = OU=_GROUPS,DC=ad,DC=example,DC=com
ldap_default_bind_dn = CN=svc_ldap_client,OU=MGT,OU=_USERS,DC=ad,DC=example,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = P@ss123
ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_server =
krb5_kpasswd =
krb5_realm = AD.EXAMPLE.COM

Authenticate RHEL 5 Linux users by Windows 2008 R2 AD

My previous post was tested on Windows 2003 AD, which uses a non-RFC-compliant schema. Windows 2003 R2 or later is RFC2307bis compliant. The following was tested on Windows 2008 R2, but it should work for Windows 2003 R2 and Windows 2008 as well.
The following uses nss_ldap to do AD authentication by Kerberos. If you use RHEL 5.6 or later, you may consider System Security Services Daemon (SSSD), which offers many great features.
Setup Windows AD
Windows 2008 R2 AD has a built-in component, named "Identity Management for Unix", that performs the same function as "Windows Services for Unix" in Windows 2003.
Install "Identity Management for Unix" by clicking "Add Role Services" under the "Active Directory Domain Services" role. Choose all three sub-components of Identity Management for Unix. (Note: QLOGIC SANsurfer software conflicts with RPC services; remove it before installing Identity Management for Unix.)
Set up the ldapbind user, create a test user and a test group, and set their Unix attributes as in the previous post.
Setup configuration files
1. Configure /etc/ldap.conf
The nss_map_attribute settings for Windows 2008 R2 differ from those for Windows 2003. The following is a sample file.
#cat /etc/ldap.conf
base OU=_USERS,DC=AD,DC=example,DC=com
BINDDN CN=svc_ldap_client,OU=MGT,OU=_USERS,DC=AD,DC=example,DC=com
BINDPW Pass123

timelimit 60
bind_timelimit 10
# By default, if the LDAP server is not reachable, it retries for a long time before giving up;
# nss_reconnect_tries 1 limits this to less than a minute.
nss_reconnect_tries 1
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup  group
nss_map_attribute uid sAMAccountName
#nss_map_attribute uidNumber uidNumber
#nss_map_attribute gidNumber gidNumber
nss_map_attribute gecos         name
nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute loginShell loginShell
nss_map_attribute shadowLastChange pwdLastSet
nss_base_passwd OU=_USERS,DC=AD,DC=example,DC=com
nss_base_shadow OU=_USERS,DC=AD,DC=example,DC=com
nss_base_group OU=_GROUPS,DC=AD,DC=example,DC=com
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
# The host in uri is an alias DNS name load balanced to DCs
uri ldap://
ssl no
tls_cacertdir /etc/openldap/cacerts

2. Configure /etc/krb5.conf; there is no difference from Windows 2003 AD.

#cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = AD.EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 AD.EXAMPLE.COM = {
  kdc =
 }

[domain_realm]
 .ad.example.com = AD.EXAMPLE.COM
 ad.example.com = AD.EXAMPLE.COM

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

3. You also need to modify the files in /etc/pam.d/ and /etc/nsswitch.conf. Once you have copied the ldap.conf and krb5.conf files, run the following command to automate these tasks.

$ authconfig --enablecache --enableldap --usemd5 --useshadow --enablelocauthorize --enablekrb5 --enablemkhomedir --update
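
The sssd.conf and /etc/ldap.conf samples in the two posts above both point at an ldap:// URI with TLS switched off and keep the bind account's password in the file. The check below is an added example, not code from the original posts; it parses either file and reports those two conditions. The function names, finding labels and the host dc.ad.example.com are assumptions made for the example.

```python
import configparser

def _findings(uris, starttls, has_bind_password):
    """Shared policy: an ldap:// URI counts as protected only with StartTLS on."""
    out = []
    if not starttls and any(u.strip().lower().startswith("ldap://") for u in uris):
        out.append("cleartext-ldap")
    if has_bind_password:
        out.append("bind-password-in-file")
    return out

def audit_sssd(text):
    """Audit every [domain/...] section of sssd.conf; returns {section: findings}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return {
        sec: _findings(
            cp[sec].get("ldap_uri", "").split(","),
            cp[sec].getboolean("ldap_id_use_start_tls", fallback=False),
            "ldap_default_authtok" in cp[sec],
        )
        for sec in cp.sections() if sec.startswith("domain/")
    }

def audit_nss_ldap(text):
    """Audit an nss_ldap ldap.conf: 'keyword value' lines, '#' starts a comment."""
    opts = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if parts and not parts[0].startswith("#"):
            opts[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return _findings(
        opts.get("uri", "").split(),
        opts.get("ssl", "no").lower() == "start_tls",
        "bindpw" in opts,
    )

# Constructed samples; dc.ad.example.com is a placeholder host, not from the posts.
SSSD_AS_POSTED = """\
[domain/default]
ldap_uri = ldap://dc.ad.example.com
ldap_id_use_start_tls = False
ldap_default_authtok = constructed-secret
"""
SSSD_WITH_TLS = SSSD_AS_POSTED.replace("= False", "= True")
LDAP_CONF_AS_POSTED = "uri ldap://dc.ad.example.com\nssl no\nbindpw constructed-secret\n"

if __name__ == "__main__":
    print(audit_sssd(SSSD_AS_POSTED))
    print(audit_sssd(SSSD_WITH_TLS))
    print(audit_nss_ldap(LDAP_CONF_AS_POSTED))
```

Turning StartTLS on clears only the transport finding; the bind password is still stored in the file, so the file's permissions remain part of the exposure.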

Wednesday, November 21, 2012

Enable Windows Active Directory Authentication in vSphere 5.1.

vSphere Single Sign-On (SSO) is a new feature in vSphere 5.1. Because vSphere SSO controls the authentication service, you can no longer add a new authentication provider in vCenter with the standard vSphere Client. It has to be done in the vSphere Web Client, which can talk to the vSphere SSO service.

Steps to add a Windows Active Directory provider:
1. Create a generic user in AD for LDAP searches, and define the user and group base DNs.
2. Install the Web Client from the vCenter installation media. Just like the vSphere Client, it doesn't need to be installed on the vCenter server.
3. Launch the Web Client at https://client-ip:9443/vsphere-client and log in.
The account used for login is important. If you installed the SSO service while logged in with a local account, that local account can log in to the Web Client, but it doesn't have permission to configure SSO; you have to log in with the default SSO account "admin@System-Domain" created during installation.
4. Navigate to Administration/Sign-on and Discovery/Configuration (the Configuration node won't be shown if you log in with a local Windows account), and click the "+" sign to add identity sources.
The login credentials will be sent in clear text with ldap; if that is a concern, enable ldaps by creating a certificate.
The username should be in LDAP syntax; find the exact string with the ADSI Edit tool in AD.