[colug-432] secure ldap connection to Active Directory
Scott Merrill
skippy@skippy.net
Mon Jan 19 14:43:49 EST 2015
> On Jan 19, 2015, at 2:06 PM, Keith Larson <klarson@k12group.net> wrote:
>
> I'm trying to establish a secure ldap connection to AD using ldapsearch from an OpenSuSE box. I'm having a hard time getting the certificate portion worked out. I had someone walk me through the setup on the AD side and we could make a connection with ADSIedit, but not from the linux client.
>
Does OpenSuSE use sssd?
This is the relevant section that we have in our sssd.conf file for RHEL:
[domain/LDAP]
cache_credentials = true
auth_provider = ldap
id_provider = ldap
enumerate = false
# LDAPS on 636; the CA file is the public cert exported from the AD CA
ldap_uri = ldaps://ad1.domain.local
ldap_tls_cacert = /etc/openldap/cacerts/ActiveDirectory-CA.pem
ldap_referrals = false
ldap_id_use_start_tls = false
ldap_search_base = dc=domain,dc=local
# bind-only service account; the password is stored in cleartext here,
# so sssd.conf must stay root-only (mode 0600)
ldap_default_bind_dn = ldap_auth@domain.local
ldap_default_authtok_type = password
ldap_default_authtok = SecurePassW0rdHere!
ldap_schema = AD
ldap_user_principal = userPrincipalName
ldap_user_fullname = displayName
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
We created an AD user named ldap_auth and gave it a strong non-expiring password. The only permissions on this account are to be able to perform LDAP binds. We then had our Windows admins export the public key from the AD Certificate Authority and use that to ensure that our Linux systems can trust the AD server certificates.
Then configure PAM correctly.
/etc/pam.d/system-auth-ac:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
/etc/pam.d/password-auth-ac:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
Then symlink those to the ones that are actually used by the system:
# ln -s /etc/pam.d/system-auth-ac /etc/pam.d/system-auth
# ln -s /etc/pam.d/password-auth-ac /etc/pam.d/password-auth
We use Puppet to manage all of the above.
Cheers,
Scott
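As an added example that is not part of the original thread: a small lint for the [domain/...] sections of an sssd.conf that checks the transport-security settings the reply above relies on (an ldaps:// URI or StartTLS on ldap://, a CA file so the AD server certificate can be chained to the exported CA, certificate verification left at its default, and how the bind password is stored). The option names are the real sssd-ldap(5) ones; the sample configuration text, the domain names, hostnames and the placeholder passwords are constructed for this example.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample: [domain/LDAP] mirrors the LDAPS settings from the thread
# (bind password replaced by a placeholder), [domain/WEAK] is a deliberately
# weak variant used to show what the lint reports.
SAMPLE_SSSD_CONF = """
[sssd]
domains = LDAP, WEAK
services = nss, pam

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ad1.domain.local
ldap_tls_cacert = /etc/openldap/cacerts/ActiveDirectory-CA.pem
ldap_id_use_start_tls = false
ldap_search_base = dc=domain,dc=local
ldap_default_bind_dn = ldap_auth@domain.local
ldap_default_authtok_type = password
ldap_default_authtok = REPLACE_ME_placeholder
ldap_schema = AD

[domain/WEAK]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ad1.domain.local, ldaps://ad2.domain.local
ldap_id_use_start_tls = false
ldap_tls_reqcert = never
ldap_search_base = dc=domain,dc=local
ldap_default_bind_dn = ldap_auth@domain.local
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = AAAQA_placeholder
"""


def lint_domain(opts):
    """Return a list of (severity, message) findings for one [domain/...] section.

    `opts` is any mapping with .get(key, default): a configparser SectionProxy
    or a plain dict with lowercase sssd option names.
    """
    findings = []
    start_tls = opts.get("ldap_id_use_start_tls", "false").strip().lower() == "true"
    uris = [u.strip() for u in opts.get("ldap_uri", "").split(",") if u.strip()]
    if not uris:
        findings.append(("high", "no ldap_uri configured"))
    for uri in uris:
        scheme = urlsplit(uri).scheme.lower()
        if scheme == "ldap" and not start_tls:
            # Plain ldap:// without StartTLS: simple bind sends the password in
            # the clear, and directory data is readable on the wire.
            findings.append(("high", f"{uri}: plaintext LDAP without StartTLS"))
        elif scheme not in ("ldap", "ldaps"):
            findings.append(("high", f"{uri}: unexpected URI scheme"))
    if not (opts.get("ldap_tls_cacert") or opts.get("ldap_tls_cacertdir")):
        # Without a trust anchor the AD server certificate cannot be validated.
        findings.append(("high", "no ldap_tls_cacert/ldap_tls_cacertdir: "
                                 "server certificate cannot be chained to the AD CA"))
    reqcert = opts.get("ldap_tls_reqcert", "demand").strip().lower()
    if reqcert in ("never", "allow"):
        # TLS without certificate verification does not stop an impersonating server.
        findings.append(("high", f"ldap_tls_reqcert = {reqcert}: certificate not verified"))
    if opts.get("ldap_default_authtok") and \
            opts.get("ldap_default_authtok_type", "password").strip().lower() == "password":
        findings.append(("info", "bind password stored in cleartext: keep sssd.conf "
                                 "mode 0600 root:root, or use sss_obfuscate and "
                                 "ldap_default_authtok_type = obfuscated_password"))
    return findings


def lint_sssd_conf(text):
    """Parse sssd.conf text and lint every [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {name: lint_domain(cp[name]) for name in cp.sections() if name.startswith("domain/")}


if __name__ == "__main__":
    for domain, findings in lint_sssd_conf(SAMPLE_SSSD_CONF).items():
        print(domain)
        for severity, message in findings or [("ok", "no findings")]:
            print(f"  [{severity}] {message}")
```

Run against the sample, the LDAPS domain only gets the informational note about the cleartext bind password, while the weak domain is flagged for the unencrypted ldap:// URI, the missing CA file and the disabled certificate check. To lint a real file, pass the contents of /etc/sssd/sssd.conf to lint_sssd_conf (read it as root, since the file holds the bind password).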