Linux and Active Directory
Active Directory is Microsoft's answer to central authentication and management. It provides organization of users, computers, printers, and application data while also providing authentication to these objects (when available).
Active Directory is based on LDAP -- the Lightweight Directory Access Protocol. LDAP stores objects in a tree-like hierarchy, similar to today's filesystems. Each end node in LDAP is an object, while the container nodes are known as Organizational Units.
By using PAM (Pluggable Authentication Modules), Linux can authenticate users from LDAP. Since Active Directory is based on LDAP, it works just as well. By integrating Active Directory into a Linux environment, you can get one step closer to a truly homogeneous network even though different operating systems exist.
Assuming you already have Active Directory installed on a Windows Domain, we'll skip right to configuring Linux to authenticate against it. For this demonstration, I'll be using Windows 2003 R2 and Debian Linux.
First we'll prep Windows for the Unix support. You'll need to install the Identity Management for UNIX component. This can be found under Add / Remove Windows Components and by double clicking on Active Directory Services:
Once this is installed, you can start giving UNIX Attributes to your existing users. If you look in the properties of a user, you'll see a new UNIX Attributes tab. Don't worry about the UID -- Windows will automatically increment this for you.
The next step is to create a user in Active Directory whose sole purpose is to do lookups on behalf of Linux. I called this user scout and placed him in the Users container.
Now it's time to prep the Linux server for LDAP. Install the following tools:
$ apt-get install ldap-utils openssl libpam-ldap
ldap-utils provides some basic LDAP tools on the command line (such as ldapsearch). openssl provides SSL/TLS support so we can connect to Active Directory securely. Finally, libpam-ldap provides the PAM modules we need to authenticate users.
Next, configure some basic settings in /etc/ldap/ldap.conf:
BASE dc=hemingway, dc=com
URI ldap://mike.hemingway.com
HOST mike.hemingway.com
To test the connectivity to Active Directory, we can run a simple search:
# ldapsearch -x -W -D "cn=scout,cn=Users,dc=hemingway,dc=com" \
-LLL "(sAMAccountName=scout)"
The output should be the LDAP details of the scout user.
Once this part is working, we can move on to the libnss portion. The file to add the information is called /etc/libnss-ldap.conf on Debian. Contrary to other examples, you do not need to add a lot of information to this file. In fact, it will work fine with just 10 lines:
host mike.hemingway.com
base dc=hemingway,dc=com
ldap_version 3
binddn cn=scout,cn=Users,dc=hemingway,dc=com
bindpw password
scope sub
timelimit 30
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute homeDirectory unixHomeDirectory
After that, edit the /etc/nsswitch.conf file. This file tells the Linux server where to look up users and how to resolve UIDs to names. Mine is set like so:
passwd: ldap files
group: ldap files
shadow: ldap files
This will allow the Linux server to check LDAP first, and if the user or group does not exist, move on to the standard files (such as /etc/passwd). You can verify this works by issuing the following command:
# getent passwd
The first results should be users you have configured with UNIX Attributes in Active Directory.
A quick note: Debian installs /etc/nsswitch.conf readable only by root. To allow all users to resolve UIDs to usernames, make it mode 644.
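To see what the nss_map lines above actually do, here is an added example (not from the original post) that applies the same mapping with awk to a constructed ldapsearch -LLL result, so you can compare it with what getent passwd returns. The attribute names and the use of sAMAccountName as the login name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: reproduce with awk the
# attribute mapping libnss-ldap applies under the config above, so you can
# check what "getent passwd" should return for an "ldapsearch -LLL" result.
# Constructed LDIF. Assumption: attribute names as Identity Management for
# UNIX stores them; sAMAccountName is used as the login name.
SAMPLE_LDIF='dn: CN=jtopjian,CN=Users,DC=hemingway,DC=com
objectClass: user
sAMAccountName: jtopjian
uidNumber: 10000
gidNumber: 100
unixHomeDirectory: /home/jtopjian
loginShell: /bin/bash

dn: CN=scout,CN=Users,DC=hemingway,DC=com
objectClass: user
sAMAccountName: scout

dn: CN=nohome,CN=Users,DC=hemingway,DC=com
objectClass: user
sAMAccountName: nohome
uidNumber: 10001
gidNumber: 100
loginShell: /bin/bash'

# ldif_to_passwd LDIF: one passwd-style line per entry that has uidNumber and
# gidNumber (UNIX Attributes filled in); other users are skipped, as NSS
# does. homeDirectory comes from unixHomeDirectory, per nss_map_attribute;
# an entry lacking it gets an empty home field.
ldif_to_passwd() {
    printf '%s\n' "$1" | awk '
        function emit(   k) {
            if (a["uidNumber"] != "" && a["gidNumber"] != "")
                printf "%s:x:%s:%s:%s:%s:%s\n", a["sAMAccountName"],
                    a["uidNumber"], a["gidNumber"], a["sAMAccountName"],
                    a["unixHomeDirectory"], a["loginShell"]
            for (k in a) delete a[k]
        }
        /^$/ { emit(); next }
        /^[^:]+: / { i = index($0, ": "); a[substr($0, 1, i - 1)] = substr($0, i + 2) }
        END { emit() }'
}

# missing_home LDIF: login names that resolve but have no home directory,
# the usual sign that the unixHomeDirectory mapping or attribute is absent.
missing_home() {
    ldif_to_passwd "$1" | awk -F: '$6 == "" { print $1 }'
}
```

The scout user has no UNIX Attributes and therefore never appears, which is exactly why it is safe to use only as the lookup account.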
The final step is to configure PAM to authenticate the users. I added this line to /etc/pam.d/common-auth and /etc/pam.d/common-password:
auth sufficient pam_ldap.so use_first_pass
And this line to /etc/pam.d/common-session:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
The pam_mkhomedir.so module automatically creates a home directory for a user if one does not already exist.
And that's it! You can test this out by trying to ssh into the Linux server using credentials from Active Directory:
$ ssh jtopjian@bill.hemingway.com
Password:
Last login: Thu Jan 5 22:07:33 2006 from 192.168.1.250
jtopjian@bill:~$ id
uid=10000(jtopjian) gid=100(users) groups=100(users)
jtopjian@bill:~$
Tags: activedirectory, debian, howto, linux, network, unix, windows