Active Directory from Microsoft is a directory service that uses some open protocols, like Kerberos, LDAP and SSL.

There are several ways to use AD for authentication, and with LDAP tools you can extend a local authentication scheme to "cache" your Active Directory credentials.

LDAP Caching:

Configuration and Installation

To install an LDAP caching system you need to compile libpam-script from source and install ldap-utils. Note: you don't have to configure anything in Active Directory for LDAP caching. I have a premade deb for installing libpam-script (libpam-script_0.1.11-1_i386.deb) on a Feisty system for anyone not interested in compiling their own. It was compiled with default options and a deb file automatically generated with checkinstall.

Then you need to set up /etc/pam.d/common-auth as follows:

   auth    required        pam_script.so runas=root expose=1
   auth    required        pam_unix.so nullok_secure use_first_pass

set up /etc/security/onauth:

#!/bin/sh
# Run by pam_script.so (runas=root expose=1) on every authentication attempt.
userid=$1
service=$2
# $3 is supposed to contain $PAM_AUTHTOK, but this guarantees the correct token is used
authtok=$PAM_AUTHTOK
# Bind to AD as the user: a good bind returns the entry, a bad one returns nothing.
# Only the "sAMAccountName:" line is kept (the dn: line would also match the name).
# Kept in a variable, not a predictable /tmp file, which is unsafe to write as root.
result=$(ldapsearch -h <serverip> -p <port> -D "$userid@your.domain.here" -x -w "$authtok" \
    -b "dc=your,dc=domain,dc=here" "(samaccountname=$userid)" samaccountname \
    | grep -i '^samaccountname: ' | cut -f2 -d' ')
# Only update the local hash when the bind succeeded for this exact account ("=" not
# "==": this runs under /bin/sh). mkpasswd -s reads the password from stdin, off the ps list.
if [ "$result" = "$userid" ]; then
    usermod -p "$(printf '%s\n' "$authtok" | mkpasswd -s)" "$userid"
fi
exit 0

This script sets the local password for any domain account to whatever the domain password is. Make sure this is what you want, because any local accounts will have their password changed after a successful login to the domain.

Password changing must be done through other means; with this mechanism Active Directory is the final authority on passwords, and synchronization is one-way (domain to local, never back).

Local Accounts

Configure Accounts

Local accounts are necessary before any users can log in to the system. They can be created either through a local passwd file or by setting up LDAP for the Linux users. Either way, the account names have to be extracted from Active Directory to synchronize the accounts before use. The following script illustrates one way to make the users:

#!/bin/sh
# usage:  makeuser <domain> <username> [details]
# The home directory is nested under the domain so the source domain can be found later.
useradd "$2" -c "$3 $4 $5 $6" -d "/home/$1/$2" -m

This script can be called for each username in a list file by using:

cat userlist | while read line; do sudo ./makeuser mydomain ${line}; done

The userlist file should be formatted similar to the following:

firstuser User, First
seconduser User, Second 2nd
thirduser User, 3rd Third details

By calling the makeuser script with a domain component, the home directory path records which domain the user was created from, so it is easy to look up at authentication time (for example with a simple getent passwd <user> and grepping/cutting the result); thus this method supports multiple domains, as long as each domain contains a unique set of users.

To create the userlist file, I used a bit of LDAP querying and manipulating the results. You can use any means you wish to get the list. Once accounts are created, you should have an automated way to recreate this list and reimport the usernames on a regular basis to ensure any new accounts created on the Active Directory are also reflected in your local cache.
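One way to regenerate the userlist file from an ldapsearch export, as an added example that is not part of the original page. It assumes the domain's user objects carry sAMAccountName and displayName attributes; the ldapsearch invocation in the comment and the sample LDIF are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): build the userlist file that makeuser
# expects from an ldapsearch LDIF export. Assumes sAMAccountName and displayName exist.

# ldif_to_userlist: read LDIF on stdin, print "<sAMAccountName> <displayName>" per
# entry. Entries are separated by blank lines; "# ..." comment lines and the trailing
# search:/result: lines never match and are ignored. Attribute names are matched
# case-insensitively. Values ldapsearch base64-encodes ("attr:: ...", used for
# non-ASCII names) are left out rather than printed encoded.
ldif_to_userlist() {
    awk '
        function emit() {
            if (name != "") print (desc != "" ? name " " desc : name)
            name = ""; desc = ""
        }
        { key = tolower($0) }
        key ~ /^samaccountname: / { name = substr($0, 17) }
        key ~ /^displayname: /    { desc = substr($0, 14) }
        /^$/ { emit() }
        END  { emit() }
    '
}

# Constructed sample of what "ldapsearch -x ... sAMAccountName displayName" returns,
# including the header comments and trailer that must be skipped.
SAMPLE_LDIF='# extended LDIF
# filter: (objectClass=user)
# requesting: sAMAccountName displayName

# First User, Users, example.com
dn: CN=First User,CN=Users,DC=example,DC=com
displayName: User, First
sAMAccountName: firstuser

# Second User, Users, example.com
dn: CN=Second User,CN=Users,DC=example,DC=com
sAMAccountName: seconduser
displayName: User, Second 2nd

search: 2
result: 0 Success'

# build_userlist_from_sample: the pipeline on the constructed data. Against a real
# domain, replace the sample with an export such as (bind account is hypothetical):
#   ldapsearch -x -h <serverip> -D "admin@your.domain.here" -W \
#     -b "dc=your,dc=domain,dc=here" "(objectClass=user)" sAMAccountName displayName
build_userlist_from_sample() {
    printf '%s\n' "$SAMPLE_LDIF" | ldif_to_userlist
}

build_userlist_from_sample
```

Redirect the output to the userlist file and feed it to makeuser as above; rerunning it on a schedule keeps new domain accounts reflected locally.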

Inquiries: <clay DOT berlo AT gmail DOT com>


CategorySecurity

AlternativeActiveDirectory (last edited 2008-07-21 15:41:05 by yttrium)