From: http://shell.cdc.net/~lds0062/fansites/pam_ldap/documents/ad_authentication_using_pam_ldap.htm
Unix Authentication to Active Directory using Pam_LDAP
Researched by Charles Leeds (mailto:lds0062@cdc.net) and written by Claude Hager
Last modified: 2002 March 20
Microsoft's Active Directory is an LDAP server that is accessible to most LDAP clients. Unix hosts can authenticate users against the AD LDAP server by using the pam_ldap (LDAP Pluggable Authentication Module) module to validate user passwords at login. The following files were taken from a default install of Red Hat Linux 7.2 authenticating against a Windows 2000 Server domain controller.
Windows 2000 Setup
No changes were required on the Windows 2000 system, other than the normal setup of user accounts and passwords in the Active Directory Users and Computers tool. Note that AD will allow an anonymous connection to LDAP, but it will NOT provide access to the sAMAccountName attribute. An LDAP user account with no access to other resources should be set up in AD for the sole purpose of binding to the server. The user accounts to be validated by Unix should be set up with the sAMAccountName attribute populated with the login ID of the user; all AD accounts are set up this way by default.
Unix Setup
Several setup options are needed on the Unix system, and two configuration files must be modified by hand. Copies of both configuration files are included at the end of this document.
First, make sure that network connectivity exists to the LDAP server. If the LDAP server is specified using an IP address, this is all that is required. If the LDAP server is specified by its host name, then that name must be correctly resolved via the Unix host's DNS server.
Also, since nss_ldap (the Name Service Switch library) is not being used in our implementation, all user accounts to be authenticated by the LDAP server must also exist locally on the Unix host. Remember to secure these accounts with a password, although normally it will not be used; this password can be used to authenticate on the Unix host in the event that none of the specified LDAP servers is reachable over the network.
The remainder of the Unix setup takes place in two configuration files: /etc/ldap.conf, which configures the pam_ldap module, and /etc/pam.d/login, which controls how logins take place.
The first setting is the name (or IP address) of the LDAP server(s) to use.
# Your LDAP server. Must be resolvable without using LDAP.
# Failover LDAP servers may be added by adding their addresses
# after the first one
host 10.15.100.82
Multiple LDAP servers can be specified by including more than one IP address or host name in the ldap.conf file.
Next, the search base of the domain controller must be specified.
# The distinguished name of the search base.
base dc=ourcompany,dc=com
Then, note the LDAP version to use.
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
Next, the User ID to bind to the domain controller must be specified. Active Directory will allow anonymous binding, but prevents any user information from being accessed this way. An actual Domain User account must be used to login. Note that this account has its password transmitted in clear text over the network and should NOT be an administrator or have access to any other resources.
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=LDAPAuthenticate,cn=Users,dc=ourcompany,dc=com
Then the password for the bind account is specified.
# The credentials to bind with.
# Optional: default is no credential.
bindpw test1234
Next, the port number to bind to is set.
# The port.
# Optional: default is 389.
port 389
Then the search scope is set. Sub is the correct setting, since the base of the search is at the top of the tree.
# The search scope.
scope sub
Next, the pam_login_attribute must be set to sAMAccountName. Otherwise, Unix will try to authenticate with the UID, which will not be found in Active Directory.
# The user ID attribute (defaults to uid)
pam_login_attribute sAMAccountName
Finally, the password is hashed with MD5. Clear text, unix cipher, and MD5 all appear to work with Active Directory, and MD5 has been judged to be the most secure of these choices.
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
pam_password md5
The following parameters are optional at this time, but may be needed to implement SSL encryption of the LDAP authentication process. The safest thing to do to start with is to comment them all out and set "ssl" to "no".
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
#tls_checkpeer yes
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
ssl no
The following changes must be manually made to the Unix /etc/pam.d/login file.
# Check the password against Unix first
auth       sufficient   /lib/security/pam_unix_auth.so
# Take that same password and try against LDAP, if it doesn't work, prompt for an LDAP Password:
auth       required     /lib/security/pam_ldap.so try_first_pass debug
account    required     /lib/security/pam_unix_acct.so
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so
The first auth line instructs the Unix login process that a valid local password match is sufficient to allow access to the system. The second auth line requires a valid authentication against LDAP if the entered password does not match the local Unix password.
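As an added illustration (not code from this page, from Linux-PAM or from pam_ldap), the following model walks the two auth lines above with PAM's control-flag semantics; the module names and flags are taken from the page, the pass/fail results are constructed.

```python
# Small model of how Linux-PAM evaluates the "auth" stack from the page's
# /etc/pam.d/login. Module names and control flags come from the page;
# the outcomes passed to authenticate() are constructed for illustration.

SUCCESS, FAIL = "success", "fail"

# The two auth entries of the page's /etc/pam.d/login, in order.
LOGIN_AUTH_STACK = [
    ("sufficient", "pam_unix_auth.so"),
    ("required", "pam_ldap.so"),
]

def run_auth_stack(stack, verify):
    """Walk the stack with sufficient/required/requisite semantics.

    verify(module) returns True when that module accepts the password.
    Returns (result, modules_called) so the caller can see what ran.
    """
    called, decided = [], None   # decided: first required failure, else success
    for control, module in stack:
        called.append(module)
        ok = verify(module)
        if control == "sufficient":
            # Success ends the stack at once unless an earlier required
            # module already failed; a failure is simply ignored.
            if ok and decided != FAIL:
                return SUCCESS, called
        elif control in ("required", "requisite"):
            if not ok:
                decided = FAIL             # remembered; later modules still run
                if control == "requisite":
                    return FAIL, called    # requisite stops immediately
            elif decided is None:
                decided = SUCCESS
    return (decided or FAIL), called       # nothing succeeded -> denied

def authenticate(local_ok, ldap_ok):
    """Outcome of the page's stack for given local and LDAP password checks."""
    outcome = {"pam_unix_auth.so": local_ok, "pam_ldap.so": ldap_ok}
    return run_auth_stack(LOGIN_AUTH_STACK, lambda module: outcome[module])

if __name__ == "__main__":
    for local_ok, ldap_ok in [(True, False), (False, True), (False, False)]:
        result, called = authenticate(local_ok, ldap_ok)
        print(f"local={local_ok} ldap={ldap_ok} -> {result}, modules run: {called}")
```

The model also makes visible that the local password is accepted whether or not an LDAP server is reachable, so a local password stays valid after the AD account is disabled until the local account is disabled as well.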
The complete contents of both files are listed below.
# /etc/ldap.conf file
# This is the configuration file for the LDAP PAM module,
# based on original work from
#
# PADL Software
# http://www.padl.com
#
# Note: nss_ldap is NOT required.
#
# Your LDAP server. Must be resolvable without using LDAP.
# Failover LDAP servers may be added by adding their addresses
# after the first one
host 10.15.100.82
# The distinguished name of the search base.
base dc=ourcompany,dc=com
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=LDAPAuthenticate,cn=Users,dc=ourcompany,dc=com
# The credentials to bind with.
# Optional: default is no credential.
bindpw test1234
# The port.
# Optional: default is 389.
port 389
# The search scope.
scope sub
# The user ID attribute (defaults to uid)
pam_login_attribute sAMAccountName
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
pam_password md5
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
#tls_checkpeer yes
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
ssl no
# /etc/pam.d/login file:
# Check the password against Unix first
auth       sufficient   /lib/security/pam_unix_auth.so
# Take that same password and try against LDAP, if it doesn't work, prompt for an LDAP Password:
auth       required     /lib/security/pam_ldap.so try_first_pass debug
account    required     /lib/security/pam_unix_acct.so
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so
Troubleshooting
At the end of each line in the ldap.conf file where you have a setting, be sure there are no trailing spaces. Trailing spaces will cause all kinds of problems, such as searching for (sAMAccountName =john) instead of (sAMAccountName=john), where the (sAMAccountName =john) will return no results.
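An added example (not code from this page or from pam_ldap) that reads an ldap.conf in the form built up above, reports the trailing-blank mistake from this troubleshooting note by showing the filter it would produce, and flags the risks the page raises (clear-text bind password with ssl off, unverified server certificate, wrong login attribute). The sample file is constructed; the check names are my own.

```python
import re

# Constructed sample in the shape of the page's /etc/ldap.conf; the explicit
# " " appended to the pam_login_attribute line reproduces the trailing-blank
# mistake described in the troubleshooting section.
SAMPLE_LDAP_CONF = "\n".join([
    "# Your LDAP server. Must be resolvable without using LDAP.",
    "host 10.15.100.82",
    "base dc=ourcompany,dc=com",
    "ldap_version 3",
    "binddn cn=LDAPAuthenticate,cn=Users,dc=ourcompany,dc=com",
    "bindpw test1234",
    "port 389",
    "scope sub",
    "pam_login_attribute sAMAccountName" + " ",   # trailing blank: the bug
    "pam_password md5",
    "#tls_checkpeer yes",
    "ssl no",
])

_DIRECTIVE = re.compile(r"^(\S+)(?:[ \t]+(.*))?$")   # keyword, then raw value

def parse_ldap_conf(text):
    """Return (settings, problems); values are kept unstripped, as read from the file."""
    settings, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue                                  # blank or comment line
        key, value = _DIRECTIVE.match(line.lstrip()).groups()
        value = value or ""
        if value != value.rstrip():
            problems.append(f"line {lineno}: trailing whitespace after '{key}'")
        settings[key] = value
    return settings, problems

def search_filter(settings, login):
    """Filter in the shape the page describes, built from the raw attribute value."""
    return f"({settings.get('pam_login_attribute', 'uid')}={login})"

def audit(settings):
    """Defensive checks for the points the page raises about this setup."""
    findings = []
    if settings.get("ssl", "no").strip() in ("no", "off"):
        findings.append("ssl is off: bind and user passwords cross the network in clear text")
    elif settings.get("tls_checkpeer", "no").strip() != "yes":
        findings.append("ssl is on but tls_checkpeer is not 'yes': server certificate is not verified")
    if "bindpw" in settings:
        findings.append("bindpw stored in the file: keep /etc/ldap.conf readable by root only")
    if settings.get("pam_login_attribute", "uid").strip() != "sAMAccountName":
        findings.append("pam_login_attribute is not sAMAccountName: AD lookups by uid will fail")
    return findings

if __name__ == "__main__":
    settings, problems = parse_ldap_conf(SAMPLE_LDAP_CONF)
    print(problems, search_filter(settings, "john"), audit(settings), sep="\n")
```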
A good sniffer, such as Ethereal, can go a long way towards finding the root problem.
Appendix A - Using Pam_LDAP + SSL to Authenticate
You will need to install on your Windows 2000 Active Directory domain controller:
- Windows 2000 High Encryption Pack
- Certificate Server - I use an Enterprise Root CA for simplicity
When setting up your Certificate Server, be sure to name your certificate server the same as your hostname. For instance, if your full hostname is "foxydc1.ourcompany.com", your Certificate Server "CA Name" should be "foxydc1".
After installing the Windows 2000 High Encryption Pack (not to be confused with the Internet Explorer High Encryption Pack) and the Certificate Server, reboot your machine and check the "Directory Service" event log. Make sure there is no event of category "LDAP Interface" that says "LDAP over SSL will be unavailable at this time because the server was unable to obtain a certificate." If that event is absent, the LDAP service has recognised that it has a valid certificate to use and will enable port 636 upon startup.
In the ldap.conf file, your host= line should be the full hostname of the domain controller, comment out port=389 and replace it with port=636, and set ssl=on.
host=foxydc1.ourcompany.com
port=636
ssl=on
Your Unix host's DNS should point to the DNS of your Active Directory, which you can change in the /etc/resolv.conf file in many Linux distributions.
Now you are ready to test. A good starting point would be to use ldapsearch if it was compiled with SSL support.
# ldapsearch -x -l 1 -LLL -d 1 -H ldaps://foxydc1.ourcompany.com
Of course you will substitute your own hostname for foxydc1.ourcompany.com.
Okay, you are ready to test.