Tutorial: PAM LDAP Authentication against Active Directory on Debian/Ubuntu

Using the LDAP plugin available for PAM, it’s possible to do LDAP authentication without joining the domain. Note however that this requires installing Identity Management for Unix on your domain controllers. See this tutorial for more information.

Before we proceed, it’s a good idea to take a snapshot. I’ll wait for you to do that.

Okay, let’s install the required packages:

apt-get install libnss-ldapd libpam-ldapd

Now edit /etc/nslcd.conf. This assumes the user you created for binding to AD is named “ldap”.

# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://teamN.isucdc.com

# The search base that will be used for all queries.
base dc=teamN,dc=isucdc,dc=com

# The LDAP protocol version to use.
ldap_version 3

# The DN to bind with for normal lookups.
binddn ldap@teamN.isucdc.com
bindpw <password>

# The DN used for password modifications by root.
# Leave this blank unless you want to allow password changes from your Debian systems.
# If so, you will need to place the password in /etc/ldap.secret - be sure it is only readable by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# The search scope.
scope sub

# Mappings for Active Directory
# This is the important bit; these fields match up with the fields added by Directory Services for UNIX
pagesize 1000
#referrals no
filter passwd (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
map    passwd uid              sAMAccountName
map    passwd homeDirectory    unixHomeDirectory
map    passwd gecos            displayName
# If you wish to override the shell given by LDAP, uncomment the next line
#map    passwd loginShell       "/bin/bash"
filter shadow (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
map    shadow uid              sAMAccountName
map    shadow shadowLastChange pwdLastSet
filter group  (&(objectClass=group)(gidNumber=*))
#map    group  gid              member

# SSL options
# "never" skips verification of the server certificate; once the DC's CA is trusted,
# use "demand" together with ssl start_tls (or an ldaps:// uri) and tls_cacertfile.
tls_reqcert never
#ssl start_tls
#ssl on
#tls_cacertfile /etc/ssl/ca.pem

After you edit this file, restart nslcd and nscd:

service nslcd restart
service nscd restart

Now edit /etc/nsswitch.conf:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files ldap
group:          files ldap
shadow:         files ldap

hosts:          files dns ldap
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Make sure LDAP authentication is enabled by running

pam-auth-update

In /etc/pam.d/common-session, add the following at the bottom of the file. This will make home directories for users that have never logged in before. Be careful – mis-editing PAM configuration could permanently lock you out of your system! Take a snapshot before proceeding.

# make home directories
session required   pam_mkhomedir.so skel=/etc/skel/ umask=0077

This umask will prevent users from reading each other's home directories. If you'd prefer to be more open, use umask=0022 instead.

You can test this out by restarting sshd (service ssh restart) or by rebooting. If you managed to accidentally completely lock yourself out, revert to that snapshot you took earlier.
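The following pre-flight script is an added example, not part of the original tutorial: before restarting nslcd and sshd, it checks that the AD attribute mappings and the nsswitch entries edited above are present, that nslcd.conf (which holds bindpw in clear text) is not readable by other users, and it flags the plain ldap:// uri and tls_reqcert never settings shown in the sample config. It assumes GNU stat (as on Debian/Ubuntu) and takes the two file paths as arguments.

```shell
#!/bin/sh
# Added example: pre-flight checks for the nslcd.conf / nsswitch.conf edits above.
# Assumes GNU stat (Debian/Ubuntu). Usage: check_nslcd /etc/nslcd.conf; check_nsswitch /etc/nsswitch.conf

# Strip comments and collapse whitespace so "map    passwd uid   sAMAccountName"
# compares equal to its single-spaced form.
norm_conf() { sed 's/#.*//' "$1" | awk 'NF { $1 = $1; print }'; }

# check_nslcd FILE: prints one finding per line; returns 1 if anything was found.
check_nslcd() {
  f="$1"; rc=0
  # bindpw is stored in clear text, so the file must not be readable by other users.
  mode=$(stat -c '%a' "$f")
  case "$mode" in
    600|640) ;;
    *) echo "FAIL: $f has mode $mode; bindpw is readable by other users"; rc=1 ;;
  esac
  # Without these mappings AD accounts never appear in getent passwd/shadow.
  for want in \
    'filter passwd (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))' \
    'map passwd uid sAMAccountName' \
    'map passwd homeDirectory unixHomeDirectory' \
    'map shadow uid sAMAccountName'; do
    if ! norm_conf "$f" | grep -qxF -- "$want"; then
      echo "FAIL: missing '$want'"; rc=1
    fi
  done
  # A plain ldap:// uri without start_tls sends the bind password unencrypted.
  if norm_conf "$f" | grep -q '^uri ldap://' && ! norm_conf "$f" | grep -qx 'ssl start_tls'; then
    echo "WARN: bind password goes over the network in clear text (ldap:// without start_tls)"; rc=1
  fi
  # tls_reqcert never accepts any certificate, so TLS does not authenticate the DC.
  if norm_conf "$f" | grep -qx 'tls_reqcert never'; then
    echo "WARN: tls_reqcert never disables server certificate verification"; rc=1
  fi
  return $rc
}

# check_nsswitch FILE: passwd, group and shadow must all consult ldap.
check_nsswitch() {
  rc=0
  for db in passwd group shadow; do
    if ! norm_conf "$1" | grep -qE "^$db: (.* )?ldap( |$)"; then
      echo "FAIL: nsswitch.conf: '$db' does not list ldap"; rc=1
    fi
  done
  return $rc
}
```

Run both functions as root against the real files; a non-zero exit means at least one finding was printed.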
