Thursday, November 29, 2012

Authenticate RHEL 6 Linux users by Windows 2008 R2 AD

The nss_ldap in RHEL 5 for LDAP authentication has been obsolete in RHEL 6, the replacement is nss-pam-ldapd. But the preferred method for LDAP authentication in RHEL 6 is System Security Services Daemon (SSSD) (in fact, RHEL 5.6 or later supports SSSD ).
SSSD unique  features:
- Credentials caching, user can still login when LDAP server is offline.
- Persistent connection, reducing the overhead of opening a new socket for each request
- support for multiple LDAP/NIS domains

Install SSSD packages

$yum install sssd sssd-client

Run the following command, which will make necessary changes in /etc/krb5.conf, /etc/sssd/sssd.conf, /etc/nsswitch.conf, /etc/pam.d/

$authconfig --enablesssd --ldapserver=ldap:// --ldapbasedn="OU=_USERS,DC=ad,DC=example,DC=com" --enablerfc2307bis --enablesssdauth --krb5realm=AD.EXAMPLE.COM --disableforcelegacy --enablelocauthorize --enablemkhomedir   --updateall

All files should be updated automatically, only /etc/sssd/sssd.conf need to be customized. The following is an example file with minimum parameters needed.

#cat /etc/sssd/sssd.conf
config_file_version = 2
services = nss, pam
domains = default
ldap_id_use_start_tls = False
cache_credentials = True
#Without enumerate = True,  users won’t be show from ‘getent passwd’ output.
enumerate = True
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_schema = rfc2307bis
ldap_force_upper_case_realm = True
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_gecos = displayName
ldap_user_home_directory = unixHomeDirectory
ldap_uri = ldap://
ldap_search_base = OU=_USERS,DC=ad,DC=example,DC=com
ldap_user_search_base = OU=_USERS,DC=ad,DC=example,DC=com
ldap_group_search_base = OU=_GROUPS,DC=ad,DC=example,DC=com
ldap_default_bind_dn = CN=svc_ldap_client,OU=MGT,OU=_USERS,DC=ad,DC=example,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = P@ss123
ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_server =
krb5_kpasswd =
krb5_realm = AD.EXAMPLE.COM

1 comment:

  1. Hi,

    We are working on to configure our Linux servers to use LDAP for Authentication using PAM_LDAP + SSSD. Our LDAP Usernames are based on staff numbers (all numeric starting at 1). This will cause a conflicts with daemon, bin, sys... system accounts. What is the best option for us given our Username pattern?