The main reasons why you would like to use LDAP instead of Samba/Winbind:
- No Microsoft Client Access Licence (CAL) check gets in the way: nothing on the LDAP path enforces CALs (whether your licensing still requires them is a separate question). At least it is not checked :)
- No need to use Samba (if you do not like it, for one reason or another).
Active Directory server preparation
The AD server needs some preparation before it can be used in this setup. You need to have the Windows 2008 R2 CD/DVD around for some steps. adprep raises the forest and domain schema to the 2008 R2 level, which carries the RFC 2307 attributes (uidNumber, gidNumber, unixHomeDirectory, loginShell) that everything below relies on.
- Run adprep /forestprep from the Windows 2008 R2 disc.
- Run adprep /domainprep from the Windows 2008 R2 disc.
- Install the Remote Server Administration Tools for Windows 7 with Service Pack 1 (RSAT). You need the AD DS + AD LDS Tools part, which contains ADUC (Active Directory Users and Computers), and the GPMC (Group Policy Management Console) part. RSAT is a free download from Microsoft.
- With the tools you just installed (the Attribute Editor tab in ADUC), edit each AD user that should exist on the Linux side and make sure the following attributes are set:
- uidNumber (a numeric id that is unique in the directory and not used in /etc/passwd on any target host, e.g. 1000; nsswitch consults files first, so a clash silently gives you the local account, and the PAM stack below only hands uids >= 500 to LDAP)
- uid (the Linux login name, e.g. hkroger; nss_ldap and pam_ldap look users up by this attribute, so keep it identical to sAMAccountName)
- gidNumber (the numeric id of the user's primary group, e.g. 1000; the group object itself needs the same gidNumber, see below)
- loginShell (e.g. /bin/bash)
- unixHomeDirectory (e.g. /home/hkroger)
- sAMAccountName (userid: e.g. hkroger)
- Every group should have:
- gidNumber (the numeric id of the group, e.g. 1000; the group name Linux sees is the group's cn, so prefer names without spaces)
- Create a new user called unixauth with some password. This account performs the LDAP bind for every lookup, and its password ends up in /etc/ldap.conf, which has to be world-readable for NSS to work, so make it a plain domain user with no extra group memberships or delegated rights.
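Before touching the Linux side it pays to verify the attribute work from a shell. The script below is an added example and not part of the original post: it reads the LDIF that ldapsearch prints and reports every user entry that lacks one of the attributes above, has a uidNumber the PAM stack will reject, or whose uid and sAMAccountName differ. The host, bind account and base DN in the comment are the ones used later in this post; the sample LDIF embedded in the script is constructed for illustration (the tuser entry is deliberately incomplete).

```shell
#!/bin/sh
# Added example: verify that AD user entries carry the attributes nss_ldap needs.
# Feed it the output of a search like this (host, bind account and base as in the post):
#   ldapsearch -x -LLL -H ldap://192.168.1.1 -D unixauth@MYCOMPANY.LOCAL -W \
#     -b OU=Users,DC=mycompany,DC=local '(objectClass=user)' \
#     sAMAccountName uid uidNumber gidNumber loginShell unixHomeDirectory \
#     | check_posix_attrs
# Search with (objectClass=user) rather than the (uidNumber=*) filter from ldap.conf,
# otherwise users lacking uidNumber are never returned and never reported; restrict -b
# to your user OU because computer accounts are users too in AD.

REQUIRED_ATTRS="uid uidNumber gidNumber loginShell unixHomeDirectory sAMAccountName"

# check_posix_attrs: LDIF on stdin; prints MISSING/WARN lines and returns 1 if anything
# was found that would stop a login, 0 otherwise.
check_posix_attrs() {
    awk -v required="$REQUIRED_ATTRS" '
    function flush(   i, n, k, missing) {
        if (dn == "") return
        missing = ""
        n = split(required, req, " ")
        for (i = 1; i <= n; i++)
            if (!(tolower(req[i]) in val)) missing = missing " " req[i]
        if (missing != "") { printf "MISSING %s:%s\n", dn, missing; bad = 1 }
        # the auth stack only hands uids >= 500 to pam_ldap
        if (("uidnumber" in val) && val["uidnumber"] + 0 < 500) {
            printf "WARN %s: uidNumber %s is below 500, pam_succeed_if never hands it to pam_ldap\n", dn, val["uidnumber"]
            bad = 1
        }
        # the Linux login name is the uid attribute, not sAMAccountName
        if (("uid" in val) && ("samaccountname" in val) && val["uid"] != val["samaccountname"])
            printf "WARN %s: login name will be %s (uid), not %s (sAMAccountName)\n", dn, val["uid"], val["samaccountname"]
        dn = ""
        for (k in val) delete val[k]
    }
    /^ /    { next }                      # folded continuation line, carries no new attribute
    /^#/    { next }
    /^$/    { flush(); next }             # blank line ends an entry
    /^dn: / { flush(); dn = substr($0, 5); next }
    /^[A-Za-z][A-Za-z0-9;-]*:/ {
        p = index($0, ":")
        v = substr($0, p + 1); sub(/^:? */, "", v)   # handles "attr: v" and "attr:: base64"
        val[tolower(substr($0, 1, p - 1))] = v
    }
    END { flush(); exit bad + 0 }
    '
}

# Constructed sample: hkroger is complete, tuser lacks uid and loginShell and has uidNumber < 500.
SAMPLE_LDIF='dn: CN=hkroger,OU=Users,DC=mycompany,DC=local
sAMAccountName: hkroger
uid: hkroger
uidNumber: 1000
gidNumber: 1000
loginShell: /bin/bash
unixHomeDirectory: /home/hkroger

dn: CN=tuser,OU=Users,DC=mycompany,DC=local
sAMAccountName: tuser
uidNumber: 300
gidNumber: 1000
unixHomeDirectory: /home/tuser
'

# Run against the sample: tuser is reported, hkroger is not.
printf '%s' "$SAMPLE_LDIF" | check_posix_attrs || echo "some entries need fixing before they can log in"
```

Run it against the real directory once every user has been edited; an empty output and exit status 0 means the Linux side has what it needs.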
Setup LDAP
Let's install the necessary packages and set up the basic auth configuration:
# yum install nss_ldap openldap-clients pam_ccreds -y
# authconfig --enableldap --enableldapauth --ldapserver=192.168.1.1 \
    --ldapbasedn="DC=mycompany,DC=local" --disablesmbauth --disablewinbind --disablewinbindauth \
    --disablewins --enablepreferdns --enablecache --enablemkhomedir --kickstart --update
Then let's replace /etc/ldap.conf (authconfig wrote a skeleton above) with one that carries the AD mappings. Two things to keep in mind about what follows: ssl off means the unixauth password and every lookup travel in clear text, and pam_password ad cannot work without TLS because AD only accepts unicodePwd changes over an encrypted connection. Once the plain setup works, switch to ssl start_tls (or an ldaps:// uri) with tls_checkpeer yes, put the domain CA in tls_cacertdir, and point uri at the domain controller's DNS name rather than its IP so the certificate can actually be verified.
cat <<EOF > /etc/ldap.conf
uri ldap://192.168.1.1:389/
ldap_version 3
binddn unixauth@MYCOMPANY.LOCAL
bindpw myunixauthuserpassword
ssl off
scope sub
nss_base_passwd DC=MYCOMPANY,DC=LOCAL?sub?&(objectClass=user)(uidNumber=*)
nss_base_shadow DC=MYCOMPANY,DC=LOCAL?sub?&(objectClass=user)(uidNumber=*)
nss_base_group DC=MYCOMPANY,DC=LOCAL?sub?&(objectClass=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowExpire accountExpires
nss_map_attribute shadowLastChange pwdLastSet
nss_map_attribute uniqueMember member
timelimit 5
bind_timelimit 5
idle_timelimit 5
bind_policy hard
nss_reconnect_tries 1
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 8
nss_reconnect_maxconntries 2
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
tls_cacertdir /etc/openldap/cacerts
pam_password ad
debug 0
EOF
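Because the weak spots in that file are easy to miss, here is an added example (my script, not part of the original post) that audits an nss_ldap-style ldap.conf for the settings that matter against AD, together with the hardened head of the file it expects: StartTLS on port 389, the DC certificate checked against the domain CA, and the uri on a DNS name so that check can succeed. The hostname dc1.mycompany.local and the CA file path are placeholders I assume, not values from the post.

```shell
#!/bin/sh
# Added example: audit an nss_ldap/pam_ldap /etc/ldap.conf for the settings that
# matter when the directory is Active Directory. Not part of the original post.

# _ldapconf_get FILE DIRECTIVE: value of the first matching directive
# (directive names are case-insensitive in ldap.conf; comment lines are skipped)
_ldapconf_get() {
    awk -v k="$2" '!/^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# audit_ldap_conf FILE: one line per finding on stdout; returns the number of
# findings that weaken or break authentication (NOTE lines are informational only)
audit_ldap_conf() {
    conf=$1
    findings=0
    uri=$(_ldapconf_get "$conf" uri)
    ssl=$(_ldapconf_get "$conf" ssl)
    encrypted=no
    case "$uri" in ldaps://*) encrypted=yes ;; esac      # LDAPS on port 636
    case "$ssl" in on|start_tls) encrypted=yes ;; esac   # "ssl on" is LDAPS, start_tls upgrades port 389

    if [ "$encrypted" = no ]; then
        echo "FINDING: bind password and every lookup cross the network in clear text (no ldaps:// uri, no ssl start_tls)"
        findings=$((findings + 1))
    fi
    if [ "$encrypted" = yes ] && [ "$(_ldapconf_get "$conf" tls_checkpeer)" != yes ]; then
        echo "FINDING: tls_checkpeer is not yes, so the DC certificate is never verified and TLS does not stop an on-path attacker"
        findings=$((findings + 1))
    fi
    if [ "$encrypted" = yes ] && [ -z "$(_ldapconf_get "$conf" tls_cacertfile)" ] && [ -z "$(_ldapconf_get "$conf" tls_cacertdir)" ]; then
        echo "FINDING: no tls_cacertfile or tls_cacertdir, so certificate verification has no trust anchor"
        findings=$((findings + 1))
    fi
    if [ "$(_ldapconf_get "$conf" pam_password)" = ad ] && [ "$encrypted" = no ]; then
        echo "FINDING: pam_password ad needs TLS; AD refuses unicodePwd changes over plain LDAP, so password changes will fail"
        findings=$((findings + 1))
    fi
    case "$uri" in
        ldap*://[0-9]*) echo "NOTE: uri uses an IP address; certificate name checking needs the DC's DNS name" ;;
    esac
    if [ -n "$(_ldapconf_get "$conf" bindpw)" ]; then
        echo "NOTE: bindpw lives in $conf, which must stay world-readable for NSS; keep the bind account unprivileged"
    fi
    return $findings
}

# Hardened counterpart of the head of the post's ldap.conf (hostname and CA path are assumed
# placeholders). The rest of the file (nss_base_*, nss_map_*, timeouts) stays as in the post.
HARDENED_LDAP_CONF='uri ldap://dc1.mycompany.local:389/
ldap_version 3
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/mycompany-root-ca.pem
binddn unixauth@MYCOMPANY.LOCAL
bindpw myunixauthuserpassword
pam_password ad'
```

Run audit_ldap_conf /etc/ldap.conf after every change; a non-zero return value means something in the list above still applies. The bindpw note never goes away, which is the point: since NSS needs the file readable by every process, the only real mitigation is a bind account that can do nothing but read user and group attributes.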
If you want the members of a particular AD group to be able to sudo, enable that group in the sudoers file. In our example the group is called unix_admin; the name sudo matches is the group name as getent group reports it, i.e. the AD group's cn. Bear in mind that whoever can add members to that AD group gets root on every host configured this way, and run visudo -c afterwards so a typo does not leave you without sudo:
grep -q unix_admin /etc/sudoers || echo '%unix_admin ALL=(ALL) ALL' >> /etc/sudoers; visudo -c
Next we need to tweak system authentication files so that LDAP is actually used:
cat <<EOF > /etc/pam.d/system-auth
auth required pam_env.so
# local accounts are tried first; nullok lets a local account with an empty password in
auth sufficient pam_unix.so nullok try_first_pass
# only uids >= 500 go on to LDAP, so AD users need uidNumber >= 500
auth requisite pam_succeed_if.so uid >= 500 quiet
# pam_ldap binds as the user: success skips validate and stores the credential,
# failure skips two lines and drops any cached credential (update),
# an unreachable server (authinfo_unavail) falls through to validate against the cache
auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so use_first_pass
auth [default=done default=die] pam_ccreds.so action=validate use_first_pass
auth [default=done] pam_ccreds.so action=store
auth [default=bad] pam_ccreds.so action=update
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
# authinfo_unavail=ignore keeps cached AD users usable while the server is unreachable
#account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account [authinfo_unavail=ignore default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
# creates unixHomeDirectory on first login
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
EOF
sed -i -e 's/^passwd:.*/passwd: files ldap [NOTFOUND=return]/g' /etc/nsswitch.conf
sed -i -e 's/^shadow:.*/shadow: files ldap/g' /etc/nsswitch.conf
sed -i -e 's/^group:.*/group: files ldap [NOTFOUND=return]/g' /etc/nsswitch.conf
And finally we configure the caching daemon (nscd) to keep passwd and group data for 7 days (604800 seconds) and then restart it. The point is that if the connection to the AD server is down, you can still log in: nscd answers the uid/gid lookups from its cache and pam_ccreds checks the password against the hash it stored at the last successful online login. The flip side is that an account you disable in AD, or remove from a group, keeps working on a host it has logged into until those cached entries expire; to cut it off immediately, invalidate the nscd tables (nscd -i passwd and nscd -i group) and remove the pam_ccreds store (/var/cache/.security.db by default) on that host.
sed -i /etc/nscd.conf -e 's/^.*positive-time-to-live.*passwd.*/ positive-time-to-live passwd 604800/g'
sed -i /etc/nscd.conf -e 's/^.*positive-time-to-live.*group.*/ positive-time-to-live group 604800/g'
sed -i /etc/nscd.conf -e 's/.*reload-count.*/ reload-count unlimited/g'
/etc/init.d/nscd restart
And that's it! You should now be able to log in to your CentOS server with your Windows AD account. Before trying an interactive login, check that getent passwd and id resolve an AD user; if they do not, the problem is in ldap.conf or nsswitch.conf, not in PAM.
Check for more info:
http://www.theillien.com/Sys_Admin_v12/html/v13/i05/a2.htm
http://www.flyn.org/laptopldap/
http://wuhai.wordpress.com/2009/01/23/rhel4u6-and-pam_ccreds/