Integrate Linux and Active Directory with SSSD + LDAPS
Contents
1 Lab Environment
1.1 Active Directory
1.2 Linux OS
2 Configurations on Active Directory
2.1 Install Active Directory Certificate Services on AD host to enable LDAPS
2.2 Download CA certificate from AD host
2.3 Create LDAP bind user and test user on AD host
3 Configurations on Linux
3.1 Common Steps
3.2 Setup on Ubuntu 16.04.2 x64 Desktop
3.3 Setup on CentOS 6.9/7.3 x64
3.4 Setup on SLED 12 SP2 x64
1 Lab Environment
1.1 Active Directory
OS: Windows 2012 R2
IP: [Link]
FQDN: [Link]
Domain Name: [Link]
Hostname: test-ad-host
1.2 Linux OS
CentOS 6.9 x64
CentOS 7.3 x64
Ubuntu 16.04.2 x64 Desktop
SLED 12 SP2 x64
2 Configurations on Active Directory
2.1 Install Active Directory Certificate Services on AD host to enable LDAPS
Install the Active Directory Certificate Services role.
Configure the Certification Authority role with the default settings (an Enterprise root CA) and set the Common Name to TestAD-CA.
Once the domain controller has enrolled for a certificate from the new enterprise CA (this happens automatically for domain controllers, typically after a reboot), it starts accepting LDAPS connections on TCP port 636. The subject of that certificate contains the DC's FQDN, which is the name the Linux clients verify against.
2.2 Download CA certificate from AD host
Run mmc and add the Certificates snap-in with "Computer account" selected.
Navigate to Certificates (Local Computer) -> Trusted Root Certification Authorities -> Certificates, right-click the TestAD-CA certificate and export it.
Select "Base-64 encoded X.509 (.CER)" as the file format and ca_cert.cer as the file name.
You will get a file named ca_cert.cer; rename it to [Link]. Only the CA's public certificate is exported here; the CA private key never leaves the AD host.
2.3 Create LDAP bind user and test user on AD host
Create an OU named TestOU.
Create the LDAP bind user ldapsearch under TestOU:
Set Full name to ldapsearch
Set User logon name to ldapsearch@[Link]
Set User logon name (pre-Windows 2000) to TestAD\ldapsearch
Set Password to Password1
This account only needs the directory read access every domain user already has. Do not add it to any privileged group: its password is stored in clear text in the SSSD configuration on every Linux client.
Create the test user Test User under TestOU:
Set First name to Test, Last name to User, Full name to Test User
Set User logon name to tuser@[Link]
Set User logon name (pre-Windows 2000) to TestAD\tuser
Set Password to Password2
You now have two users under TestOU.
3 Configurations on Linux
3.1 Common Steps
Map AD's FQDN
Add the line below to /etc/hosts. A static entry is enough for the lab; in a real deployment the Linux host's resolver should point at the AD DNS servers instead. The name must match the subject or subject alternative name of the domain controller's certificate, otherwise TLS verification fails.
[Link] [Link]
Install CA cert
Copy [Link] to the Linux machine as /etc/ldap-ca/[Link]:
sudo mkdir /etc/ldap-ca
sudo cp [Link] /etc/ldap-ca/[Link]
Test FQDN mapping and CA cert
Run the command below; you should get "Verify return code: 0 (ok)":
openssl s_client -connect [Link] -CAfile /etc/ldap-ca/ca-[Link]
This confirms that the server's certificate chain validates against the pinned CA file. It does not confirm that the certificate was issued for the host name you connected to unless you add -verify_hostname <fqdn> (OpenSSL 1.1.0 and later); without it, a valid certificate for a different host also shows return code 0.
Test ldap to AD
Install the LDAP client tools:
Ubuntu: sudo apt install ldap-utils
CentOS: sudo yum install openldap-clients
SLED: sudo zypper install openldap2-client
Run the ldapsearch command below, which uses the plain ldap protocol (no TLS) for the search:
ldapsearch -v -x -H ldap://[Link]/ -b dc=testad,dc=org \
  -D 'CN=ldapsearch,OU=TestOU,dc=testad,dc=org' -W -s sub 'cn=Test User' cn distinguishedName
When prompted, enter Password1; the search should return the test user. This simple bind sends Password1 across the network in clear text, so use it only as an initial connectivity check.
Test ldaps to AD
Before testing LDAPS, the LDAP client needs to know which CA certificate to trust. Edit the client configuration file [Link] (Ubuntu: /etc/ldap/[Link]; SUSE/CentOS: /etc/openldap/[Link]) and set:
TLS_CACERT /etc/ldap-ca/[Link]
Run the ldapsearch command below, which uses the ldaps protocol (TLS from the first byte, TCP port 636), the same transport SSSD is configured to use later:
ldapsearch -v -x -H ldaps://[Link]/ -b dc=testad,dc=org \
  -D 'CN=ldapsearch,OU=TestOU,dc=testad,dc=org' -W -s sub 'cn=Test User' cn distinguishedName
The variant below with -ZZ and an ldap:// URI also encrypts the session, but by upgrading a port-389 connection with StartTLS rather than by using LDAPS; -ZZ makes ldapsearch fail if the upgrade is refused. Both forms validate the server certificate against TLS_CACERT, but only the ldaps:// form exercises the port SSSD will use:
ldapsearch -v -x -ZZ -H ldap://[Link]/ -b dc=testad,dc=org \
  -D 'CN=ldapsearch,OU=TestOU,dc=testad,dc=org' -W -s sub 'cn=Test User' cn distinguishedName
When prompted, enter Password1; the search should return the test user.
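The openssl s_client check above, as an added example that is not part of the original page: the "Verify return code: 0 (ok)" test is wrapped in a function that also rejects a certificate issued for a different host name (-verify_hostname needs OpenSSL 1.1.0 or later). So that it runs without the lab AD host, the script builds a throwaway CA and server certificate in a temporary directory and serves them with openssl s_server on 127.0.0.1; the host name test-ad-host.example.test, the port 26636 and the second CA Other-CA are constructed fixtures, not names from the page.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): the s_client CA check from the
# text, plus a hostname check, exercised against a local throwaway CA/server.
set -u

# verify_ldaps_cert HOST PORT CAFILE EXPECTED_NAME
# Succeeds only when the chain validates against CAFILE *and* the leaf
# certificate's SAN/CN matches EXPECTED_NAME. A bare `s_client -CAfile`
# reports "0 (ok)" for any certificate the CA issued, whatever host it names.
verify_ldaps_cert() {
    local host=$1 port=$2 cafile=$3 name=$4 out
    out=$(openssl s_client -connect "$host:$port" -servername "$name" \
              -CAfile "$cafile" -verify_hostname "$name" </dev/null 2>/dev/null) || true
    printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

# make_fixture DIR NAME: self-signed CA "TestAD-CA" and a server cert for NAME.
# Uses its own tiny req config so the example does not depend on the system
# openssl.cnf; the CA cert needs basicConstraints CA:TRUE to be accepted as issuer.
make_fixture() {
    local dir=$1 cn=$2 cnf=$1/req.cnf
    printf '[req]\ndistinguished_name = dn\n[dn]\n[ca_ext]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' >"$cnf"
    openssl req -x509 -config "$cnf" -extensions ca_ext -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=TestAD-CA" -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1 || return 1
    openssl req -new -config "$cnf" -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" >/dev/null 2>&1 || return 1
    printf 'subjectAltName = DNS:%s\n' "$cn" >"$dir/san.ext"
    openssl x509 -req -days 2 -in "$dir/srv.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/san.ext" -out "$dir/srv.pem" >/dev/null 2>&1
}

# run_demo: serve the fixture locally and print the three outcomes a practitioner
# should expect: right CA + right name -> 0, right CA + wrong name -> 1,
# unrelated CA -> 1 (a forgotten old CA file, or an attacker's, looks like this).
run_demo() {
    local dir port=26636 name=test-ad-host.example.test pid i ok mismatch untrusted
    dir=$(mktemp -d) || return 2
    make_fixture "$dir" "$name" || { rm -rf "$dir"; return 2; }
    openssl s_server -accept "$port" -cert "$dir/srv.pem" -key "$dir/srv.key" -www >/dev/null 2>&1 &
    pid=$!
    for i in 1 2 3 4 5 6 7 8 9 10; do   # wait until the listener answers
        openssl s_client -connect "127.0.0.1:$port" </dev/null >/dev/null 2>&1 && break
        sleep 1
    done
    if verify_ldaps_cert 127.0.0.1 "$port" "$dir/ca.pem" "$name"; then ok=0; else ok=1; fi
    if verify_ldaps_cert 127.0.0.1 "$port" "$dir/ca.pem" "wrong-host.example.test"; then mismatch=0; else mismatch=1; fi
    openssl req -x509 -config "$dir/req.cnf" -extensions ca_ext -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Other-CA" -keyout "$dir/other.key" -out "$dir/other.pem" >/dev/null 2>&1 || true
    if verify_ldaps_cert 127.0.0.1 "$port" "$dir/other.pem" "$name"; then untrusted=0; else untrusted=1; fi
    kill "$pid" 2>/dev/null; wait "$pid" 2>/dev/null || true
    rm -rf "$dir"
    echo "trusted-ca:$ok hostname-mismatch:$mismatch untrusted-ca:$untrusted"
}
```

Source the file and call run_demo; against the real lab, call verify_ldaps_cert with the DC's FQDN, port 636, /etc/ldap-ca/[Link] and the same FQDN as the expected name. A "hostname-mismatch" result in production usually means the certificate was issued for the DC's real DNS name while /etc/hosts maps a different name to it.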
Prepare sssd configuration file
Create a configuration file named [Link] with the lines below. The name in the [domain/...] section must match the value of domains=. The bind password is stored in clear text in this file, which is why it is installed owned by root with mode 600; SSSD refuses to start if other users can read it. If you prefer not to keep the clear-text value, sss_obfuscate(8) rewrites it with ldap_default_authtok_type = obfuscated_password (this only hides it from casual reading, it is not encryption).
[sssd]
config_file_version = 2
domains = [Link]
services = nss, pam
[pam]
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_nowait_percentage = 75
# lower the debug levels once the setup works; they are verbose
debug_level = 8
[domain/[Link]]
debug_level = 8
id_provider = ldap
auth_provider = ldap
# "simple" with no simple_allow_users/simple_allow_groups lets every AD account log in;
# add an allow list before using this outside the lab
access_provider = simple
# no offline logins: the AD server must be reachable to authenticate
cache_credentials = false
min_id = 1000
ldap_uri = ldaps://[Link]
ldap_schema = ad
# for SID-UID mapping
ldap_id_mapping = true
# caching: these two are domain options and are ignored if placed in [nss]
entry_cache_timeout = 3
account_cache_expiration = 1
# performance
ldap_referrals = false
ldap_default_bind_dn = CN=ldapsearch,OU=TestOU,DC=testad,DC=org
ldap_default_authtok_type = password
ldap_default_authtok = Password1
# always verify the server certificate against the pinned CA
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ldap-ca/[Link]
fallback_homedir = /home/%u
ldap_user_home_directory = sAMAccountName
override_homedir = /home/%u
default_shell = /bin/bash
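A lint for the sssd.conf above, as an added example that is not part of the original page and not an official SSSD tool (newer SSSD versions ship sssctl config-check for syntax; the checks here are this example's own choices). It flags the settings that matter before the file goes into /etc/sssd: file mode, ldaps:// transport, certificate checking, a pinned CA, a clear-text bind password, an empty simple access list, verbose logging, and a key given twice in one section. The two sample configurations it writes are constructed fixtures; ad.example.test, dc1.ad.example.test, linux-admins and /etc/ldap-ca/ad-ca.pem stand in for the lab's real names and paths.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): lint an sssd.conf for the
# LDAPS-relevant settings before installing it. Sample configs are fixtures.
set -u

# get_opt FILE SECTION KEY: print the last value of KEY inside [SECTION].
get_opt() {
    awk -v sect="$2" -v key="$3" '
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\][ \t]*$/, "", s)
                      in_s = (s == sect); next }
        in_s && !/^[ \t]*[#;]/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) { v = substr($0, index($0, "=") + 1)
                            gsub(/^[ \t]+|[ \t]+$/, "", v); val = v }
        }
        END { if (val != "") print val }' "$1"
}

# sssd_conf_findings FILE DOMAIN_SECTION: one line per problem, nothing when clean.
sssd_conf_findings() {
    local f=$1 dom=$2 v mode
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    # the bind password lives here, and SSSD refuses to start on a file others can read
    [ "$mode" = 600 ] || echo "perm: $f has mode $mode, expected 600"
    v=$(get_opt "$f" "$dom" ldap_uri)
    case $v in ldaps://*) ;; *) echo "transport: ldap_uri '$v' is not ldaps://" ;; esac
    v=$(get_opt "$f" "$dom" ldap_tls_reqcert)
    case ${v:-demand} in demand|hard) ;; *) echo "tls: ldap_tls_reqcert=$v weakens certificate checking, use demand" ;; esac
    [ -n "$(get_opt "$f" "$dom" ldap_tls_cacert)" ] || echo "tls: ldap_tls_cacert not set, the AD CA is not pinned"
    v=$(get_opt "$f" "$dom" ldap_default_authtok_type)
    [ "${v:-password}" != password ] || echo "secret: bind password stored in clear text (ldap_default_authtok_type=password), see sss_obfuscate(8)"
    if [ "$(get_opt "$f" "$dom" access_provider)" = simple ] &&
       [ -z "$(get_opt "$f" "$dom" simple_allow_users)$(get_opt "$f" "$dom" simple_allow_groups)" ]; then
        echo "access: access_provider=simple with no allow list lets every AD account log in"
    fi
    v=$(get_opt "$f" "$dom" debug_level)
    case ${v:-0} in [0-5]) ;; *) echo "logging: debug_level=$v is verbose, lower it once the setup works" ;; esac
    # a key given twice in one section is ambiguous: which value wins depends on the parser
    awk '/^[ \t]*\[/ { s = $0; next }
         /^[ \t]*[#;]/ || !index($0, "=") { next }
         { k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
           if (++n[s, k] == 2) print "dup: " k " appears more than once in " s }' "$f"
}

# write_sample_conf FILE weak|hardened: constructed fixtures for the demo.
write_sample_conf() {
    local f=$1
    : >"$f"
    if [ "$2" = weak ]; then
        chmod 644 "$f"
        cat >"$f" <<'EOF'
[sssd]
config_file_version = 2
domains = ad.example.test
[domain/ad.example.test]
debug_level = 8
id_provider = ldap
auth_provider = ldap
access_provider = simple
cache_credentials = false
ldap_uri = ldaps://dc1.ad.example.test
cache_credentials = false
ldap_default_bind_dn = CN=ldapsearch,OU=TestOU,DC=ad,DC=example,DC=test
ldap_default_authtok_type = password
ldap_default_authtok = Password1
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ldap-ca/ad-ca.pem
EOF
    else
        chmod 600 "$f"
        cat >"$f" <<'EOF'
[sssd]
config_file_version = 2
domains = ad.example.test
[domain/ad.example.test]
id_provider = ldap
auth_provider = ldap
access_provider = simple
simple_allow_groups = linux-admins
cache_credentials = false
ldap_uri = ldaps://dc1.ad.example.test
ldap_default_bind_dn = CN=ldapsearch,OU=TestOU,DC=ad,DC=example,DC=test
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = (value written by sss_obfuscate)
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ldap-ca/ad-ca.pem
EOF
    fi
}
```

Run sssd_conf_findings on the prepared file with the domain section name from your own configuration (for the page's setup that is domain/ followed by the AD domain name) before copying it to /etc/sssd; the "weak" fixture reproduces the issues the page's configuration has as written, the "hardened" one produces no findings.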
3.2 Setup on Ubuntu 16.04.2 x64 Desktop
Install sssd packages
sudo apt-get install sssd libpam-sss libnss-sss
Install sssd configuration file
The file must be owned by root with mode 600, otherwise SSSD refuses to start.
sudo cp [Link] /etc/sssd
sudo chmod 600 /etc/sssd/[Link]
Restart sssd service
sudo service sssd restart
Edit /etc/pam.d/common-session
Edit /etc/pam.d/common-session and insert the line below directly after the pam_sss.so line, so that a home directory is created the first time an AD user logs in:
session optional pam_mkhomedir.so skel=/etc/skel/ mask=0077
On Ubuntu this file is generated by pam-auth-update; a later run of that tool (for example when a PAM-related package is installed) rewrites the managed block and can drop a manually inserted line, so re-check the file afterwards.
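An idempotent version of the common-session edit above, as an added example that is not part of the original page: it inserts the pam_mkhomedir line directly after the pam_sss.so session line, keeps a backup (a broken session stack can lock every user out), and refuses to insert twice or into a file that has no pam_sss.so line to anchor on. The sample stack written by write_sample_stack is a constructed fixture modelled on Ubuntu's layout, not a copy of a real file.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): safe, repeatable insertion of the
# pam_mkhomedir line into /etc/pam.d/common-session.
set -u

PAM_MKHOMEDIR_LINE='session optional pam_mkhomedir.so skel=/etc/skel/ mask=0077'

# add_pam_mkhomedir FILE: 0 = inserted, 1 = already present, 2 = no pam_sss.so anchor
add_pam_mkhomedir() {
    local f=$1
    grep -q 'pam_mkhomedir\.so' "$f" && return 1
    grep -q '^session[[:space:]].*pam_sss\.so' "$f" || return 2
    cp -p "$f" "$f.bak"    # keep a way back before touching the session stack
    # rewrite through the backup so FILE keeps its inode, owner and mode
    awk -v ins="$PAM_MKHOMEDIR_LINE" '
        { print }
        /^session[ \t].*pam_sss\.so/ && !done { print ins; done = 1 }' "$f.bak" >"$f"
}

# mkhomedir_follows_sss FILE: 0 when the line after pam_sss.so is the pam_mkhomedir line
mkhomedir_follows_sss() {
    awk '/^session[ \t].*pam_sss\.so/ { want = 1; next }
         want { ok = /pam_mkhomedir\.so/; want = 0 }
         END { exit ok ? 0 : 1 }' "$1"
}

# write_sample_stack FILE: constructed common-session fixture (not a real system file)
write_sample_stack() {
    cat >"$1" <<'EOF'
# /etc/pam.d/common-session (constructed sample)
session [default=1]   pam_permit.so
session requisite     pam_deny.so
session required      pam_permit.so
session optional      pam_umask.so
session required      pam_unix.so
session optional      pam_sss.so
session optional      pam_systemd.so
EOF
}
```

Run it as root against /etc/pam.d/common-session; a return code of 2 means libpam-sss has not yet added its session line, so install and configure that first rather than inserting pam_mkhomedir at an arbitrary position.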
Test Configuration
Run the command below:
getent passwd tuser
You should get a result like:
tuser:*:567801106:567800513:Test User:/home/tuser:/bin/bash
Run the command below:
id tuser
You should get a result like:
uid=567801106(tuser) gid=567800513(Domain Users) groups=567800513(Domain Users)
The large numeric IDs come from ldap_id_mapping: SSSD derives them from the account's SID, so they are the same on every client that uses the same ID-mapping settings.
Edit greeter Configuration File
By default the Ubuntu login screen only lists local users and has no field for typing a user name. Edit the greeter configuration file /etc/lightdm/[Link] (create it if it does not exist) and add:
[SeatDefaults]
greeter-show-manual-login=true
greeter-hide-users=true
Login with AD Test User
Reboot and log in as the AD test user:
Username: tuser
Password: Password2
3.3 Setup on CentOS 6.9/7.3 x64
Install sssd packages
sudo yum install sssd
Install sssd configuration file
The file must be owned by root with mode 600, otherwise SSSD refuses to start.
sudo cp [Link] /etc/sssd
sudo chmod 600 /etc/sssd/[Link]
Install oddjob-mkhomedir
sudo yum install oddjob-mkhomedir
Enable SSSD in PAM for user authentication
Run the command below to update the files in /etc/pam.d (and the sss entries in nsswitch.conf) in one step. authconfig is the supported way to edit the PAM stack on CentOS 6 and 7, and it enables pam_oddjob_mkhomedir so home directories are created at first login:
sudo authconfig --enablesssd --enablesssdauth --enablelocauthorize --enablemkhomedir --update
Start Services
sudo service sssd start
sudo service oddjobd start
Test Configuration
Run the command below:
getent passwd tuser
You should get a result like:
tuser:*:567801106:567800513:Test User:/home/tuser:/bin/bash
Run the command below:
id tuser
You should get a result like:
uid=567801106(tuser) gid=567800513(Domain Users) groups=567800513(Domain Users)
Login with AD Test User
Reboot and log in as the AD test user:
Username: tuser
Password: Password2
3.4 Setup on SLED 12 SP2 x64
Install sssd packages
sudo zypper install sssd
Install sssd configuration file
The file must be owned by root with mode 600, otherwise SSSD refuses to start.
sudo cp [Link] /etc/sssd
sudo chmod 600 /etc/sssd/[Link]
Disable NSCD Service
nscd keeps its own passwd/group cache in front of the NSS modules, which conflicts with SSSD's cache and can serve stale or missing AD entries, so stop and disable it:
sudo service nscd stop
sudo chkconfig nscd off
Update PAM
sudo pam-config --add --sss
sudo pam-config --add --mkhomedir --mkhomedir-umask=0077
Update /etc/[Link]
Edit /etc/[Link] so that the passwd, shadow and group databases are resolved from the local files first and then from SSSD:
passwd: files sss
shadow: files sss
group: files sss
Start SSSD Service
sudo chkconfig sssd on
sudo service sssd start
Test Configuration
Run the command below:
getent passwd tuser
You should get a result like:
tuser:*:567801106:567800513:Test User:/home/tuser:/bin/bash
Run the command below:
id tuser
You should get a result like:
uid=567801106(tuser) gid=567800513(Domain Users) groups=567800513(Domain Users)
Login with AD Test User
Reboot and log in as the AD test user:
Username: tuser
Password: Password2