Integrate Linux and Active Directory with SSSD + LDAPS

Contents
1 Lab Environment
1.1 Active Directory
1.2 Linux OS
2 Configurations on Active Directory
2.1 Install Active Directory Certificate Service on AD host to enable LDAPS
2.2 Download CA certificate from AD host
2.3 Create LDAP bind user and test user on AD host
3 Configurations on Linux
3.1 Common Steps
3.2 Setup on Ubuntu 16.04.2 x64 Desktop
3.3 Setup on CentOS 6.9/7.3 x64
3.4 Setup on SLED 12 SP2 x64
4 References
1 Lab Environment
1.1 Active Directory
- OS: Windows 2012 R2
- IP: 10.117.45.99
- FQDN: test-ad-host.testad.org
- Domain Name: testad.org
- Hostname: test-ad-host
1.2 Linux OS
- CentOS 6.9 x64
- CentOS 7.3 x64
- Ubuntu 16.04.2 x64 Desktop
- SLED 12 SP2 x64
2 Configurations on Active Directory
2.1 Install Active Directory Certificate Service on AD host to enable LDAPS
- Install the Active Directory Certificate Services role.
- Configure the Certification Authority role with default settings, and set the Common Name to TestAD-CA.
2.2 Download CA certificate from AD host
- Run mmc and add the Certificates snap-in with "Computer account" selected.
- Navigate to "Certificates (Local Computer) -> Trusted Root Certification Authorities -> Certificates", and right-click the CA certificate TestAD-CA to export it.
- Select "Base-64 encoded X.509 (.CER)" as the file format and ca_cert.cer as the file name.
You will get a file named ca_cert.cer; rename it to ca-cert.pem.


2.3 Create LDAP bind user and test user on AD host
- Create an OU named TestOU.
- Create the LDAP bind user ldapsearch under TestOU. This account is only used by the Linux clients to look up users and groups, and its password will later be stored in sssd.conf, so it needs no privileges beyond read access to the directory:
  Set Full name to ldapsearch
  Set User logon name to [email protected]
  Set User logon name (pre-Windows 2000) to TestAD\ldapsearch
  Set Password to Password1

- Create the test user Test User under TestOU:
  Set First name to Test, Last name to User, Full name to Test User
  Set User logon name to [email protected]
  Set User logon name (pre-Windows 2000) to TestAD\tuser
  Set Password to Password2

Two users now exist under TestOU: ldapsearch and Test User.


3 Configurations on Linux
3.1 Common Steps
- Map AD's FQDN
Add the line below to /etc/hosts:
10.117.45.99 test-ad-host.testad.org

- Install CA cert
Copy ca-cert.pem to the Linux machine as /etc/ldap-ca/ca-cert.pem:
sudo mkdir /etc/ldap-ca
sudo cp ca-cert.pem /etc/ldap-ca/ca-cert.pem

- Test FQDN mapping and CA cert
Run the command below; the output should end with "Verify return code: 0 (ok)", which confirms both that the FQDN resolves and that the DC's LDAPS certificate chains to the exported CA:
openssl s_client -connect test-ad-host.testad.org:636 -CAfile /etc/ldap-ca/ca-cert.pem

- Test ldap to AD
Install the LDAP client tools:
Ubuntu: sudo apt install ldap-utils
CentOS: sudo yum install openldap-clients

Run the ldapsearch command below, which searches over the plain ldap protocol (a simple bind on port 389, so the bind password crosses the network unencrypted; this is a connectivity check only):
ldapsearch -v -x -H ldap://test-ad-host.testad.org/ -b dc=testad,dc=org -D 'CN=ldapsearch,OU=TestOU,dc=testad,dc=org' -W -s sub '(cn=Test User)' cn distinguishedName
When prompted, type Password1 as the password; the entry for Test User should be returned.

- Test ldaps to AD
Before testing ldaps to AD, ldap.conf must point the client at the CA cert file. Edit ldap.conf (Ubuntu: /etc/ldap/ldap.conf, SUSE/CentOS: /etc/openldap/ldap.conf) to set the line below:
TLS_CACERT /etc/ldap-ca/ca-cert.pem

Run the ldapsearch command below, which searches over the ldaps protocol (TLS on port 636, the same transport the sssd.conf prepared in the next step uses):
ldapsearch -v -x -H ldaps://test-ad-host.testad.org/ -b dc=testad,dc=org -D 'CN=ldapsearch,OU=TestOU,dc=testad,dc=org' -W -s sub '(cn=Test User)' cn distinguishedName
When prompted, type Password1 as the password; the entry for Test User should be returned. (The variant "ldapsearch -ZZ -H ldap://..." negotiates StartTLS on port 389 instead; it also validates the CA file, but does not exercise the ldaps:// URI and port that sssd.conf will use.)
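
The three test steps above (CA file, openssl chain verification, ldapsearch over TLS), gathered into one pre-flight script. This is an added example, not part of the original document: the host name, port, CA path and CA common name are the lab values from this document, while the function names and the 30-day expiry margin are assumptions of this example.

```shell
#!/bin/sh
# Added example, not taken from the original document: pre-flight checks for
# the CA file and the LDAPS endpoint, run before ldap.conf and sssd.conf are
# touched. Host name, port, CA path and CA common name are the lab values from
# the document; the function names and the 30-day expiry margin are assumptions
# of this example.

LDAP_HOST="${LDAP_HOST:-test-ad-host.testad.org}"
LDAP_PORT="${LDAP_PORT:-636}"
CA_FILE="${CA_FILE:-/etc/ldap-ca/ca-cert.pem}"
EXPECTED_CA_CN="${EXPECTED_CA_CN:-TestAD-CA}"

# check_ca_cert FILE EXPECTED_CN
# Succeeds only if FILE is a PEM certificate, is a CA (basicConstraints
# CA:TRUE), carries EXPECTED_CN in its subject and stays valid for at least
# 30 more days. Exporting the wrong object from mmc (a leaf certificate, or
# DER instead of Base-64) otherwise surfaces later as an opaque "Verify return
# code" error from openssl or a TLS failure inside SSSD.
check_ca_cert() {
    file=$1
    cn=$2
    [ -r "$file" ] || { echo "FAIL: $file not readable"; return 1; }
    openssl x509 -in "$file" -noout >/dev/null 2>&1 \
        || { echo "FAIL: $file is not a PEM certificate (export as Base-64 X.509)"; return 1; }
    openssl x509 -in "$file" -noout -text 2>/dev/null \
        | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE' \
        || { echo "FAIL: $file is not a CA certificate"; return 1; }
    openssl x509 -in "$file" -noout -subject 2>/dev/null | grep -q "CN *= *$cn" \
        || { echo "FAIL: subject of $file does not contain CN=$cn"; return 1; }
    openssl x509 -in "$file" -noout -checkend 2592000 >/dev/null 2>&1 \
        || { echo "FAIL: $file expires within 30 days"; return 1; }
    echo "OK: $file is the $cn CA certificate"
    return 0
}

# check_ldaps_endpoint HOST PORT CA_FILE
# Opens a TLS session the way SSSD will with ldap_tls_reqcert = demand: the
# chain must validate against CA_FILE and the certificate must be issued for
# HOST (-verify_hostname). Needs network access to the domain controller.
check_ldaps_endpoint() {
    host=$1
    port=$2
    ca=$3
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
              -verify_hostname "$host" -CAfile "$ca" </dev/null 2>&1)
    if printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
        echo "OK: ldaps://$host:$port validates against $ca"
        return 0
    fi
    echo "FAIL: ldaps://$host:$port did not validate:"
    printf '%s\n' "$out" | grep -E 'Verify return code|verify error|connect:' || true
    return 1
}

# Run both checks when invoked as: sh ldaps-preflight.sh run
if [ "${1:-}" = "run" ]; then
    check_ca_cert "$CA_FILE" "$EXPECTED_CA_CN" || exit 1
    check_ldaps_endpoint "$LDAP_HOST" "$LDAP_PORT" "$CA_FILE" || exit 1
    echo "LDAPS pre-flight OK"
fi
```

Run it as "sh ldaps-preflight.sh run" on each Linux client after the CA file is in place; override LDAP_HOST or CA_FILE in the environment for a different lab.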

- Prepare sssd configuration file
Create a configuration file named sssd.conf with the lines below. Note that ldap_default_authtok holds the bind user's password in clear text, which is why the distribution-specific steps restrict the file to mode 600, and that ldap_tls_reqcert = demand makes SSSD refuse any server certificate that does not chain to ldap_tls_cacert.
[sssd]
config_file_version = 2
domains = testad.org
services = nss, pam
[pam]

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 3
entry_cache_nowait_percentage = 75
debug_level = 8
account_cache_expiration = 1

[domain/testad.org]
debug_level = 8
id_provider = ldap
auth_provider = ldap
access_provider = simple
# caching credentials (false: no password hashes are kept on the client)
cache_credentials = false
min_id = 1000
ldap_uri = ldaps://test-ad-host.testad.org
ldap_schema = ad
# for SID-UID mapping
ldap_id_mapping = true
entry_cache_timeout = 3
# performance
ldap_referrals = false
ldap_default_bind_dn = CN=ldapsearch,OU=TestOU,DC=testad,DC=org
ldap_default_authtok_type = password
ldap_default_authtok = Password1
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ldap-ca/ca-cert.pem
fallback_homedir = /home/%u
ldap_user_home_directory = sAMAccountName
override_homedir = /home/%u
default_shell = /bin/bash
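
A lint for the sssd.conf above, to run before it is copied to /etc/sssd on any of the three distributions. This is an added example, not part of the original document; the function names and the list of checks are assumptions of this example, and the values it expects (ldaps://, demand, mode 600, no duplicate keys) are the ones the configuration above is meant to have.

```shell
#!/bin/sh
# Added example, not part of the original document: a lint for the prepared
# sssd.conf. It checks the points a reviewer would raise about this file:
# ldap_default_authtok holds the bind password in clear text, so the file must
# be mode 0600; the domain must use ldaps:// with ldap_tls_reqcert = demand and
# a readable CA file; and no key may appear twice in one section (duplicate
# keys are rejected by newer SSSD releases). Function names are assumptions.

# sssd_get SECTION KEY FILE
# Prints the value of KEY inside [SECTION], one line per occurrence.
sssd_get() {
    awk -v sec="[$1]" -v key="$2" '
        /^[ \t]*\[/ { hdr = $0; gsub(/[ \t]/, "", hdr); insec = (hdr == sec); next }
        insec && $0 !~ /^[ \t]*#/ && index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v
            }
        }' "$3"
}

# sssd_duplicate_keys FILE
# Prints "section key" for every key defined more than once in one section.
sssd_duplicate_keys() {
    awk '
        /^[ \t]*\[/ { sec = $0; gsub(/[ \t]/, "", sec); next }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (++seen[sec, k] == 2) print sec " " k
        }' "$1"
}

# lint_sssd_conf FILE [DOMAIN]
# Prints one FAIL line per finding; the return value is the number of findings.
lint_sssd_conf() {
    conf=$1
    domain=${2:-testad.org}
    findings=0
    [ -f "$conf" ] || { echo "FAIL: $conf not found"; return 1; }

    # 1. File mode: whoever can read the file can read the bind password.
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
    if [ "$mode" != "600" ]; then
        echo "FAIL: mode is $mode, expected 600 (ldap_default_authtok is a clear-text password)"
        findings=$((findings + 1))
    fi

    # 2. Transport: ldap:// would send the bind password and every lookup in clear.
    uri=$(sssd_get "domain/$domain" ldap_uri "$conf")
    case "$uri" in
        ldaps://*) ;;
        *) echo "FAIL: ldap_uri is '$uri', expected an ldaps:// URI"
           findings=$((findings + 1)) ;;
    esac

    # 3. Certificate validation: anything but 'demand' accepts a forged server cert.
    reqcert=$(sssd_get "domain/$domain" ldap_tls_reqcert "$conf")
    if [ "$reqcert" != "demand" ]; then
        echo "FAIL: ldap_tls_reqcert is '$reqcert', expected 'demand'"
        findings=$((findings + 1))
    fi

    # 4. The CA file SSSD validates against must exist where the config says.
    cacert=$(sssd_get "domain/$domain" ldap_tls_cacert "$conf")
    if [ -z "$cacert" ] || [ ! -r "$cacert" ]; then
        echo "FAIL: ldap_tls_cacert '$cacert' is unset or unreadable"
        findings=$((findings + 1))
    fi

    # 5. Duplicate keys (for example cache_credentials listed twice in one section).
    dups=$(sssd_duplicate_keys "$conf")
    if [ -n "$dups" ]; then
        echo "FAIL: duplicate keys: $(printf '%s' "$dups" | tr '\n' ';')"
        findings=$((findings + 1))
    fi

    if [ "$findings" -eq 0 ]; then
        echo "OK: $conf passes all checks"
    fi
    return "$findings"
}

# Usage: sh sssd-conf-lint.sh ./sssd.conf [domain]
if [ -n "${1:-}" ]; then
    lint_sssd_conf "$1" "${2:-testad.org}"
fi
```

Run it against the file after "chmod 600" so the permission check reflects the installed copy; a non-zero exit tells you how many findings to fix before restarting sssd.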
3.2 Setup on Ubuntu 16.04.2 x64 Desktop
- Install sssd packages
sudo apt-get install sssd libpam-sss libnss-sss

- Install sssd configuration file
sudo cp sssd.conf /etc/sssd
sudo chmod 600 /etc/sssd/sssd.conf

- Restart sssd service
sudo service sssd restart

- Edit /etc/pam.d/common-session
Edit /etc/pam.d/common-session and insert the line below after the pam_sss.so line, so that a home directory is created on first login (umask=0077 keeps it private to the user):
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077

- Test Configuration
Run the command below:
getent passwd tuser
You should get a result like:
tuser:*:567801106:567800513:Test User:/home/tuser:/bin/bash
Run the command below:
id tuser
You should get a result like:
uid=567801106(tuser) gid=567800513(Domain Users) groups=567800513(Domain Users)

- Edit greeter configuration file
By default the Ubuntu greeter does not let a user type a user name. Edit the greeter configuration file /etc/lightdm/lightdm.conf (create it if it does not exist) to add:
[SeatDefaults]
greeter-show-manual-login=true
greeter-hide-users=true
- Login with AD Test User
Reboot and log in as the AD test user:
Username: tuser
Password: Password2
3.3 Setup on CentOS 6.9/7.3 x64
- Install sssd packages
sudo yum install sssd

- Install sssd configuration file
sudo cp sssd.conf /etc/sssd
sudo chmod 600 /etc/sssd/sssd.conf

- Install oddjob-mkhomedir
sudo yum install oddjob-mkhomedir

- Enable SSSD in PAM for user authentication
Run the command below to update /etc/pam.d:
authconfig --enablesssd --enablesssdauth --enablelocauthorize --enablemkhomedir --update

- Start Services
sudo service sssd start
sudo service oddjobd start

- Test Configuration
Run the command below:
getent passwd tuser
You should get a result like:
tuser:*:567801106:567800513:Test User:/home/tuser:/bin/bash

Run the command below:
id tuser
You should get a result like:
uid=567801106(tuser) gid=567800513(Domain Users) groups=567800513(Domain Users)

- Login with AD Test User
Reboot and log in as the AD test user:
Username: tuser
Password: Password2
3.4 Setup on SLED 12 SP2 x64
- Install sssd packages
sudo zypper install sssd

- Install sssd configuration file
sudo cp sssd.conf /etc/sssd
sudo chmod 600 /etc/sssd/sssd.conf

- Disable NSCD Service
sudo service nscd stop
sudo chkconfig nscd off

- Update PAM
sudo pam-config --add --sss
sudo pam-config --add --mkhomedir --mkhomedir-umask=0077

- Update /etc/nsswitch.conf
Update /etc/nsswitch.conf to set:
passwd: files sss
shadow: files sss
group: files sss

- Start SSSD Service
sudo chkconfig sssd on
sudo service sssd start

- Test Configuration
Run the command below:
getent passwd tuser
You should get a result like:
tuser:*:567801106:567800513:Test User:/home/tuser:/bin/bash

Run the command below:
id tuser
You should get a result like:
uid=567801106(tuser) gid=567800513(Domain Users) groups=567800513(Domain Users)

- Login with AD Test User
Reboot and log in as the AD test user:
Username: tuser
Password: Password2
4 References
- https://www.ossramblings.com/Ubuntu-14.04-SSSD-and-OpenLDAP-Authentication
- https://wiki.ubuntu.com/Enterprise/Authentication/sssd
- http://techuniqe.blogspot.co.uk/2015/04/using-sssd-for-active-directory.html
- https://serverfault.com/questions/734422/enable-ldap-client-in-sles-12-from-command-line
