
Integrate Linux and Active Directory with SSSD + LDAPS

Contents
1 Lab Environment
1.1 Active Directory
1.2 Linux OS
2 Configurations on Active Directory
2.1 Install Active Directory Certificate Service on AD host to enable LDAPS
2.2 Download CA certificate from AD host
2.3 Create LDAP bind user and test user on AD host
3 Configurations on Linux
3.1 Common Steps
3.2 Setup on Ubuntu 1604.2 x64 Desktop
3.3 Setup on CentOS 6.9/7.3 x64
3.4 Setup on SLED 12 SP2 x64
4 References

1 Lab Environment
1.1 Active Directory
- OS: Windows 2012 R2
- IP: 10.117.45.99
- FQDN: test-ad-host.testad.org
- Domain Name: testad.org
- Hostname: test-ad-host
1.2 Linux OS
- CentOS 6.9 x64
- CentOS 7.3 x64
- Ubuntu 1604.2 x64 Desktop
- SLED 12 SP2 x64
2 Configurations on Active Directory
2.1 Install Active Directory Certificate Service on AD host to enable LDAPS
- Install the Active Directory Certificate Service role

- Configure the Certification Authority role with the default settings, and set the Common Name to TestAD-CA
2.2 Download CA certificate from AD host
- Run mmc and add the Certificates snap-in with “Computer account” selected

- Navigate to “Certificates (Local Computer) -> Trusted Root Certification Authorities -> Certificates”, and right-click the CA certificate TestAD-CA to export it

- Select “Base-64 encoded X.509 (.CER)” as the file format and ca_cert.cer as the file name

You will get a file named ca_cert.cer; rename it to ca-cert.pem.


2.3 Create LDAP bind user and test user on AD host
- Create an OU named TestOU
- Create the LDAP bind user ldapsearch under TestOU:
  Set Full name to ldapsearch
  Set User logon name to ldapsearch@testad.org
  Set User logon name (pre-Windows 2000) to TestAD\ldapsearch
  Set Password to Password1

- Create the test user Test User under TestOU:
  Set First name to Test, Last name to User, Full name to Test User
  Set User logon name to tuser@testad.org
  Set User logon name (pre-Windows 2000) to TestAD\tuser
  Set Password to Password2

You will get two users created under TestOU.


3 Configurations on Linux
3.1 Common Steps
- Map AD’s FQDN
Add the line below to /etc/hosts:
10.117.45.99 test-ad-host.testad.org

- Install CA cert
Copy ca-cert.pem to the Linux machine as /etc/ldap-ca/ca-cert.pem:
sudo mkdir /etc/ldap-ca
sudo cp ca-cert.pem /etc/ldap-ca/ca-cert.pem

- Test FQDN mapping and CA cert
Run the command below; you should get “Verify return code: 0 (ok)”, which confirms that the certificate presented on port 636 chains to the exported CA:
openssl s_client -connect test-ad-host.testad.org:636 -CAfile /etc/ldap-ca/ca-cert.pem
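The openssl check above is interactive and has to be read by eye. The script below is an added example, not part of the original guide, that makes the same check scriptable: it parses the s_client output for the verify return code and additionally checks that the server certificate was issued by the expected CA (TestAD-CA), so a certificate that happens to verify against some other trusted CA is still flagged. The lab FQDN, CA name and CA path are taken from this guide; the sample s_client outputs are constructed so the parser can be exercised without a reachable domain controller.

```shell
#!/bin/sh
# Added example, not part of the original guide: script the openssl s_client
# check so it can run unattended (cron job, config-management handler).
# Assumes the lab values from the guide: FQDN test-ad-host.testad.org,
# CA common name TestAD-CA, CA file /etc/ldap-ca/ca-cert.pem.

# tls_verify_report EXPECTED_ISSUER_CN
#   Reads `openssl s_client` output on stdin. Returns 0 only when the chain
#   verified (code 0) AND the server certificate was issued by the expected CA;
#   otherwise prints the reason and returns 1.
tls_verify_report() {
    expected_cn=$1
    out=$(cat)
    code=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | tail -n 1)
    issuer=$(printf '%s\n' "$out" | sed -n 's/^issuer=//p' | head -n 1)
    if [ "$code" != 0 ]; then
        echo "FAIL: verify return code '${code:-missing}' (expected 0)"
        return 1
    fi
    case $issuer in
        *"CN = $expected_cn"*|*"CN=$expected_cn"*) ;;   # openssl 1.1+ vs 1.0 name formatting
        *) echo "FAIL: issuer '$issuer' is not CN=$expected_cn"; return 1 ;;
    esac
    echo "OK: chain verified, issued by $issuer"
    return 0
}

# ldaps_probe HOST CAFILE EXPECTED_ISSUER_CN
#   Live check against port 636. </dev/null closes the session right after
#   the handshake so the command does not sit waiting for input.
ldaps_probe() {
    openssl s_client -connect "$1:636" -CAfile "$2" </dev/null 2>/dev/null \
        | tls_verify_report "$3"
}

# Constructed sample outputs (shape of openssl 1.1.x s_client output), not
# captured from the lab, so the parser runs offline.
SAMPLE_OK='CONNECTED(00000003)
depth=1 DC = org, DC = testad, CN = TestAD-CA
verify return:1
depth=0 CN = test-ad-host.testad.org
verify return:1
---
subject=CN = test-ad-host.testad.org

issuer=DC = org, DC = testad, CN = TestAD-CA

---
    Verify return code: 0 (ok)
---'

SAMPLE_BAD='CONNECTED(00000003)
depth=0 CN = test-ad-host.testad.org
verify error:num=20:unable to get local issuer certificate
---
subject=CN = test-ad-host.testad.org

issuer=DC = org, DC = testad, CN = TestAD-CA

---
    Verify return code: 20 (unable to get local issuer certificate)
---'

printf '%s\n' "$SAMPLE_OK"  | tls_verify_report TestAD-CA
printf '%s\n' "$SAMPLE_BAD" | tls_verify_report TestAD-CA
# Live run on a machine that can reach the lab DC:
# ldaps_probe test-ad-host.testad.org /etc/ldap-ca/ca-cert.pem TestAD-CA
```

A return code 20 typically means the CA file is wrong or missing (the chain cannot be built), while a code 0 with an unexpected issuer means the host trusts a different CA than the one exported in section 2.2; both cases are worth failing loudly before SSSD is pointed at the server.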

- Test ldap to AD
Install the ldap tools:
Ubuntu: sudo apt install ldap-utils
CentOS: sudo yum install openldap-clients

Run the ldapsearch command below, which uses the plain ldap protocol to do the search:
ldapsearch -v -x -H ldap://test-ad-host.testad.org/ -b dc=testad,dc=org \
    -D 'CN=ldapsearch,OU=TestOU,dc=testad,dc=org' -W -s sub 'cn=Test User' cn distinguishedName
When asked, type Password1 for the password; you should get the search result.

- Test ldaps to AD
Before testing ldaps to AD, ldap.conf must point the ldap tools at the CA cert file. Edit the configuration file ldap.conf (Ubuntu: /etc/ldap/ldap.conf, SUSE/CentOS: /etc/openldap/ldap.conf) and set the line below:
TLS_CACERT /etc/ldap-ca/ca-cert.pem

Run the ldapsearch command below, which uses the ldaps protocol (TLS on port 636, the same endpoint checked with openssl above) to do the search:
ldapsearch -v -x -H ldaps://test-ad-host.testad.org/ -b dc=testad,dc=org \
    -D 'CN=ldapsearch,OU=TestOU,dc=testad,dc=org' -W -s sub 'cn=Test User' cn distinguishedName
When asked, type Password1 for the password; you should get the search result. Because the URI is ldaps://, no -ZZ option is needed; -ZZ is only for StartTLS on the plain ldap:// port 389, and can be used with the ldap:// URI from the previous step if you want to test that path as well.

- Prepare sssd configuration file
Create a configuration file named sssd.conf with the configuration lines below.
[sssd]
config_file_version = 2
domains = testad.org
services = nss, pam

[pam]

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_nowait_percentage = 75
debug_level = 8

[domain/testad.org]
debug_level = 8
id_provider = ldap
auth_provider = ldap
access_provider = simple
min_id = 1000
ldap_uri = ldaps://test-ad-host.testad.org
ldap_schema = ad
# for SID-UID mapping
ldap_id_mapping = true
# no offline credential caching: logins need a reachable domain controller
cache_credentials = false
# cache lifetimes (domain-section options)
entry_cache_timeout = 3
account_cache_expiration = 1
# performance
ldap_referrals = false
# bind account used for lookups; its password is stored in clear text,
# which is why the file is installed with mode 600 below
ldap_default_bind_dn = CN=ldapsearch,OU=TestOU,DC=testad,DC=org
ldap_default_authtok_type = password
ldap_default_authtok = Password1
# require a server certificate that chains to the exported CA
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ldap-ca/ca-cert.pem
fallback_homedir = /home/%u
ldap_user_home_directory = sAMAccountName
override_homedir = /home/%u
default_shell = /bin/bash
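The three settings that make this configuration safe to use with a clear-text bind password are the ldaps:// URI, ldap_tls_reqcert = demand with a readable ldap_tls_cacert, and the mode 600 applied when the file is installed. The script below is an added example, not part of the original guide, that lints an sssd.conf for exactly those points before it is copied to /etc/sssd. The section parser mimics how sssd resolves a duplicated key (last value wins). The sample configs it writes are constructed for the stand-alone run and reuse only the key names and lab values from this guide; it assumes GNU stat -c with a BSD stat -f fallback.

```shell
#!/bin/sh
# Added example, not part of the original guide: pre-flight lint for sssd.conf.
# Assumes GNU stat (-c) with a BSD stat (-f) fallback.

# conf_get FILE SECTION KEY: value of KEY in [SECTION]; the last occurrence
# wins, which is how sssd resolves duplicate keys.
conf_get() {
    awk -v sect="$2" -v key="$3" '
        /^[ \t]*\[/ {
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            insect = (s == sect); next
        }
        insect && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); val = v
        }
        END { if (val != "") print val }
    ' "$1"
}

# check_sssd_conf FILE DOMAIN: print findings, return 0 if clean, 1 otherwise.
check_sssd_conf() {
    file=$1; sect="domain/$2"; errors=0
    uri=$(conf_get "$file" "$sect" ldap_uri)
    case $uri in
        ldaps://*) ;;
        *) echo "ERROR: ldap_uri='$uri' is not ldaps://; the bind password would cross the wire in clear"
           errors=$((errors + 1)) ;;
    esac
    reqcert=$(conf_get "$file" "$sect" ldap_tls_reqcert)
    if [ "$reqcert" != demand ]; then
        echo "ERROR: ldap_tls_reqcert='${reqcert:-unset}', expected demand (otherwise a forged server cert is accepted)"
        errors=$((errors + 1))
    fi
    cacert=$(conf_get "$file" "$sect" ldap_tls_cacert)
    if [ -z "$cacert" ]; then
        echo "ERROR: ldap_tls_cacert is unset"; errors=$((errors + 1))
    elif [ ! -r "$cacert" ]; then
        echo "ERROR: ldap_tls_cacert='$cacert' is not readable"; errors=$((errors + 1))
    fi
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    if [ "$mode" != 600 ]; then
        echo "ERROR: $file has mode $mode, expected 600 (it contains ldap_default_authtok)"
        errors=$((errors + 1))
    fi
    [ -n "$(conf_get "$file" "$sect" ldap_default_authtok)" ] &&
        echo "NOTE: bind password stored in clear text; keep the bind account read-only and unprivileged"
    [ "$errors" -eq 0 ]
}

# write_sample_conf FILE URI REQCERT CACERT: constructed minimal config for a
# stand-alone run (same keys as the guide's sssd.conf, values parameterised).
write_sample_conf() {
    cat > "$1" <<EOF
[sssd]
config_file_version = 2
domains = testad.org
services = nss, pam

[domain/testad.org]
id_provider = ldap
auth_provider = ldap
ldap_uri = $2
ldap_schema = ad
ldap_id_mapping = true
ldap_default_bind_dn = CN=ldapsearch,OU=TestOU,DC=testad,DC=org
ldap_default_authtok_type = password
ldap_default_authtok = Password1
ldap_tls_reqcert = $3
ldap_tls_cacert = $4
EOF
}

tmp=$(mktemp -d)
: > "$tmp/ca-cert.pem"                      # stand-in for the exported CA file
write_sample_conf "$tmp/good.conf" ldaps://test-ad-host.testad.org demand "$tmp/ca-cert.pem"
chmod 600 "$tmp/good.conf"
write_sample_conf "$tmp/bad.conf" ldap://test-ad-host.testad.org allow "$tmp/missing.pem"
chmod 644 "$tmp/bad.conf"
echo "== good.conf"; check_sssd_conf "$tmp/good.conf" testad.org && echo "clean"
echo "== bad.conf";  check_sssd_conf "$tmp/bad.conf" testad.org  || echo "rejected"
rm -rf "$tmp"
```

Run it as `check_sssd_conf ./sssd.conf testad.org` against the file prepared above before the copy step in sections 3.2 to 3.4; a non-zero exit means the file should not be installed yet.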
3.2 Setup on Ubuntu 1604.2 x64 Desktop
- Install sssd packages
sudo apt-get install sssd libpam-sss libnss-sss

- Install sssd configuration file
sudo cp sssd.conf /etc/sssd
sudo chmod 600 /etc/sssd/sssd.conf

- Restart sssd service
sudo service sssd restart

- Edit /etc/pam.d/common-session
Edit /etc/pam.d/common-session to insert the line below after the pam_sss.so line:
session optional pam_mkhomedir.so skel=/etc/skel/ mask=0077

- Test Configuration
Run the command below:
getent passwd tuser
You should get a result like the one below (the UID and GID are derived from the user's AD SID by ldap_id_mapping, so the numbers will differ in your domain):
tuser:*:567801106:567800513:Test User:/home/tuser:/bin/bash
Run the command below:
id tuser
You should get a result like the one below:
uid=567801106(tuser) gid=567800513(Domain Users) groups=567800513(Domain Users)

- Edit greeter Configuration File
By default the Ubuntu greeter does not let the user type a user name. Edit the greeter configuration file /etc/lightdm/lightdm.conf (create it if it does not exist) and add:
[SeatDefaults]
greeter-show-manual-login=true
greeter-hide-users=true

- Login with AD Test User
Reboot and log in with the AD test user:
Username: tuser
Password: Password2
3.3 Setup on CentOS 6.9/7.3 x64
- Install sssd packages
sudo yum install sssd

- Install sssd configuration file
sudo cp sssd.conf /etc/sssd
sudo chmod 600 /etc/sssd/sssd.conf

- Install oddjob-mkhomedir
sudo yum install oddjob-mkhomedir

- Enable SSSD in PAM for user authentication
Run the command below to update /etc/pam.d:
sudo authconfig --enablesssd --enablesssdauth --enablelocauthorize --enablemkhomedir --update

- Start Services
sudo service sssd start
sudo service oddjobd start

- Test Configuration
Run the command below:
getent passwd tuser
You should get a result like the one below:
tuser:*:567801106:567800513:Test User:/home/tuser:/bin/bash

Run the command below:
id tuser
You should get a result like the one below:
uid=567801106(tuser) gid=567800513(Domain Users) groups=567800513(Domain Users)

- Login with AD Test User
Reboot and log in with the AD test user:
Username: tuser
Password: Password2
3.4 Setup on SLED 12 SP2 x64
- Install sssd packages
sudo zypper install sssd

- Install sssd configuration file
sudo cp sssd.conf /etc/sssd
sudo chmod 600 /etc/sssd/sssd.conf

- Disable NSCD Service
sudo service nscd stop
sudo chkconfig nscd off

- Update PAM
sudo pam-config --add --sss
sudo pam-config --add --mkhomedir --mkhomedir-umask=0077

- Update /etc/nsswitch.conf
Update /etc/nsswitch.conf to set:
passwd: files sss
shadow: files sss
group: files sss

- Start SSSD Service
sudo chkconfig sssd on
sudo service sssd start

- Test Configuration
Run the command below:
getent passwd tuser
You should get a result like the one below:
tuser:*:567801106:567800513:Test User:/home/tuser:/bin/bash

Run the command below:
id tuser
You should get a result like the one below:
uid=567801106(tuser) gid=567800513(Domain Users) groups=567800513(Domain Users)
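The "Test Configuration" step is the same on Ubuntu, CentOS and SLED: a getent passwd line whose fields must agree with the sssd.conf from section 3.1 (min_id = 1000, override_homedir = /home/%u, default_shell = /bin/bash, and a "*" password field because SSSD never exposes a hash through NSS). The script below is an added example, not part of the original guide, that checks such a line field by field, which also catches a local account in /etc/passwd with the same name masking the AD user. The sample lines are constructed: the first mirrors the expected output shown above, the others are deliberate failures. The check_ad_user wrapper and the default thresholds are assumptions matching the lab values in this guide.

```shell
#!/bin/sh
# Added example, not part of the original guide: validate a `getent passwd`
# entry for an AD user against the policy in the guide's sssd.conf.
# Assumes only POSIX sh.

# check_passwd_entry LINE MIN_ID HOME_PREFIX SHELL
#   Returns 0 when the entry is what SSSD should produce, 1 with a reason otherwise.
check_passwd_entry() {
    line=$1; min_id=$2; home_prefix=$3; want_shell=$4
    oldifs=$IFS; IFS=:; set -f              # split on ':' only; -f stops '*' from globbing
    set -- $line
    set +f; IFS=$oldifs
    if [ $# -ne 7 ]; then echo "FAIL: expected 7 fields, got $#"; return 1; fi
    name=$1; pw=$2; uid=$3; gid=$4; home=$6; shell=$7
    for n in "$uid" "$gid"; do
        case $n in ''|*[!0-9]*) echo "FAIL: non-numeric uid/gid '$uid'/'$gid'"; return 1 ;; esac
    done
    # SSSD publishes no hash via NSS; anything other than '*' means the entry
    # came from another source, e.g. a local /etc/passwd user shadowing the AD one.
    [ "$pw" = '*' ] || { echo "FAIL: password field is '$pw', expected '*'"; return 1; }
    # ldap_id_mapping allocates IDs from SSSD's range; anything below min_id
    # would collide with local accounts and is filtered out by min_id anyway.
    [ "$uid" -ge "$min_id" ] || { echo "FAIL: uid $uid below min_id $min_id"; return 1; }
    [ "$gid" -ge "$min_id" ] || { echo "FAIL: gid $gid below min_id $min_id"; return 1; }
    [ "$home" = "$home_prefix/$name" ] || { echo "FAIL: home '$home', expected $home_prefix/$name"; return 1; }
    [ "$shell" = "$want_shell" ] || { echo "FAIL: shell '$shell', expected $want_shell"; return 1; }
    echo "OK: $name uid=$uid gid=$gid home=$home shell=$shell"
}

# check_ad_user NAME: live wrapper for a configured host, e.g. check_ad_user tuser
check_ad_user() {
    entry=$(getent passwd "$1") ||
        { echo "FAIL: $1 not resolvable via NSS (is sss in nsswitch.conf and sssd running?)"; return 1; }
    check_passwd_entry "$entry" 1000 /home /bin/bash
}

# Constructed sample lines; the first mirrors the guide's expected output.
GOOD='tuser:*:567801106:567800513:Test User:/home/tuser:/bin/bash'
LOCAL_SHADOW='tuser:x:1001:1001:Test User:/home/tuser:/bin/bash'    # local account masking the AD user
WRONG_HOME='tuser:*:567801106:567800513:Test User:/home/TestAD/tuser:/bin/bash'

for e in "$GOOD" "$LOCAL_SHADOW" "$WRONG_HOME"; do
    check_passwd_entry "$e" 1000 /home /bin/bash
done
```

A failing password-field check is the one to take seriously: it means NSS answered from files rather than sss, so the user who logs in as tuser may not be the AD account at all.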

- Login with AD Test User
Reboot and log in with the AD test user:
Username: tuser
Password: Password2
4 References
- https://www.ossramblings.com/Ubuntu-14.04-SSSD-and-OpenLDAP-Authentication
- https://wiki.ubuntu.com/Enterprise/Authentication/sssd
- http://techuniqe.blogspot.co.uk/2015/04/using-sssd-for-active-directory.html
- https://serverfault.com/questions/734422/enable-ldap-client-in-sles-12-from-command-line
