Active Directory LDAP integration with RedHat / CentOS / Scientific Linux

It is a common requirement to attach Linux hosts to an existing directory service, which in most shops means Active Directory on Windows.
There are many ways to do it, from Samba and Winbind to the OpenLDAP PAM/NSS modules and Kerberos, but Red Hat has introduced a tool that simplifies the whole thing.

SSSD (System Security Services Daemon) is that tool, and it is also packaged for other distributions (Debian/Ubuntu, etc.).
With it, tying all of your Linux machines to a single, well-run directory service is a five minute process, which makes everyone's job easier.

This may surprise some people, but I personally believe that Microsoft's Active Directory is one of the best directory services out there.
It provides LDAP and Kerberos, and the Windows Server roles around it add RADIUS (Network Policy Server) and an internal certificate authority (Active Directory Certificate Services), among other things.
Tying all of that together yourself with OpenLDAP, Samba, an open source RADIUS server and other services can be done, but it is more of an undertaking.
I won't get into everything I hate about other Microsoft products; the purpose of this entry is to help others integrate their Linux logins, NFS home directories, authentication, password policies and so on into an existing Active Directory infrastructure.

The focus of this entry is a component that Red Hat shipped with the 6.x branch of RHEL: SSSD (System Security Services Daemon). SSSD aims to simplify plugging different authentication backends into PAM and NSS, so you no longer need one PAM/NSS module for LDAP, another for Kerberos, another for NIS, and so on.
PAM and NSS simply call SSSD, which does the lookups against whichever backend you choose; in this case we will use LDAP to integrate with Active Directory.

For the initial setup, the Active Directory objects need the attributes that hold the Unix user ID, group ID, login shell, home directory and primary group (uidNumber, gidNumber, loginShell, unixHomeDirectory).
Go to one of your domain controllers, open Server Manager, expand the Active Directory Domain Services role, click "Add Role Services" and select "Identity Management for UNIX". Install the Server for NIS and Administration Tools components; the Password Synchronization component can be skipped. Unfortunately the "UNIX Attributes" tab in Active Directory Users and Computers only appears once Server for NIS is installed, so it cannot be left out. The server has to reboot to finish installing the feature, so plan for that. (The RFC 2307 attributes themselves have been part of the default schema since Windows Server 2003 R2; Identity Management for UNIX only supplies the GUI tab and NIS maps, and Microsoft later deprecated it in Windows Server 2012 R2 and removed it in 2016, where the same attributes are edited through the Attribute Editor tab or ADSI Edit.)

With the feature installed you can start populating user and group objects with Unix attributes. Come up with a UID and GID numbering convention first: every server still has its own local accounts and groups in /etc/passwd and /etc/group in addition to the directory accounts, and useradd only looks at the local files when it picks the next free UID, so without a plan a new local account will eventually be handed a number that a directory user already has. That will come back to bite you. Reserve a range for the directory (for example 10000 and up) and edit /etc/login.defs on each host so that UID_MIN/UID_MAX and GID_MIN/GID_MAX keep locally created accounts out of it.

Now install SSSD on the RedHat/CentOS/Scientific Linux server: the 'sssd' and 'sssd-client' packages are required (yum install sssd sssd-client), and authconfig --enablesssd --enablesssdauth --update wires SSSD into /etc/nsswitch.conf and the PAM stack.
Once installed, edit '/etc/sssd/sssd.conf' using the example below as a template for authenticating to a domain. The file must be owned by root with mode 0600 (SSSD refuses to start otherwise, and the file holds the bind account's password). I also suggest exporting the CA certificate that issued your domain controllers' certificates and installing it at the path named by ldap_tls_cacert, so the LDAP traffic is encrypted and verified against the right server rather than merely encrypted.


[sssd]
config_file_version = 2

# Number of times services should attempt to reconnect in the
# event of a crash or restart before they give up
reconnection_retries = 3

# If a back end is particularly slow you can raise this timeout here
sbus_timeout = 30
services = nss, pam

# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below. Each name listed here
# must match a [domain/<NAME>] section name exactly.
domains = yourdomain

[nss]
# The following prevents SSSD from searching for the root user/group in
# all domains (you can add here a comma-separated list of system accounts that
# are always going to be /etc/passwd users, or that you want to filter out).
filter_groups = root
filter_users = root
reconnection_retries = 3

# The entry_cache_timeout indicates the number of seconds to retain an
# entry in cache before it is considered stale and must block to refresh.
# The entry_cache_nowait_timeout indicates the number of seconds to
# wait before updating the cache out-of-band. (NSS requests will still
# be returned from cache until the full entry_cache_timeout). Setting this
# value to 0 turns this feature off (default).
; entry_cache_timeout = 600
; entry_cache_nowait_timeout = 300

[pam]
reconnection_retries = 3

[domain/yourdomain]
debug_level = 0
description = LDAP domain with AD server
# enumerate = true makes SSSD download every user and group up front so that
# "getent passwd" lists them all; turn it off on a large domain.
enumerate = true

id_provider = ldap
auth_provider = ldap
# Active Directory does not implement the LDAP password-modify extended
# operation that the ldap chpass provider relies on, so password changes from
# Linux will fail with this setting; use chpass_provider = krb5 (with
# krb5_realm and krb5_server set) if users must change their password here.
chpass_provider = ldap

ldap_uri = ldap://dc01.domain.com
# SSSD only forces TLS for the PAM authentication path. Without the next line,
# identity lookups, including the simple bind that sends ldap_default_authtok,
# travel over plain ldap:// in clear text. (ldaps://dc01.domain.com works too.)
ldap_id_use_start_tls = true
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/domain.crt
ldap_schema = rfc2307bis
ldap_user_search_base = DC=domain,DC=com
ldap_group_search_base = OU=Security Groups,DC=domain,DC=com
# A dedicated, read-only account for lookups. Its password sits here in clear
# text, which is why this file must be root-owned and mode 0600.
ldap_default_bind_dn = CN=LDAPBIND,DC=domain,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = somepassword

ldap_user_object_class = user
# Identity Management for UNIX fills in "uid"; sAMAccountName works whether
# or not the Unix attributes were populated that way.
ldap_user_name = uid
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName

ldap_group_object_class = group
ldap_group_name = name
ldap_group_member = member
ldap_group_gid_number = gidNumber
# Only used when a Kerberos authentication provider derives the principal
# from userPrincipalName; harmless with auth_provider = ldap.
ldap_force_upper_case_realm = True
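Before copying that configuration onto every host it is worth checking it for the mistakes that are easy to make with the LDAP provider. The script below is an added example and not part of the original post: it audits an sssd.conf for the settings used above (file permissions, clear-text LDAP on the identity path, disabled certificate checking, the AD-incompatible ldap chpass provider, enumeration) and checks the UID planning point from earlier by reporting UIDs that /etc/passwd and the directory hand to different names, and directory UIDs that fall inside the UID_MIN..UID_MAX range useradd allocates from. It is plain POSIX sh plus awk and never contacts a domain controller; the file paths, the 500..60000 fallback range and the sample files it builds when run without arguments are assumptions and constructed input, not data from the post.

```shell
#!/bin/sh
# Added example (not from the original post): audit an SSSD-against-AD setup
# offline. Requires only POSIX sh, awk, ls and mktemp.

# conf_get FILE KEY: value of the first "KEY = value" line in an INI-style
# sssd.conf. Commented lines never match (the "#"/";" is part of the key
# text) and values may contain "=" themselves, e.g. a bind DN.
conf_get() {
    awk -v k="$2" '
        {
            i = index($0, "=")
            if (i == 0) next
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == k) { print val; exit }
        }' "$1"
}

# audit_sssd_conf FILE: print one line per finding, return the finding count.
audit_sssd_conf() {
    conf=$1; n=0
    # SSSD refuses to start unless the file is mode 0600, and with
    # ldap_default_authtok stored in clear that is all that keeps the bind
    # password from every local user.
    case "$(ls -l "$conf" | cut -c1-10)" in
        -rw-------) ;;
        *) echo "PERMS: $conf is not mode 0600 and holds ldap_default_authtok"; n=$((n + 1)) ;;
    esac
    # Only the PAM authentication path enforces TLS by default; identity
    # lookups (and the simple bind with the bind DN password) go over plain
    # ldap:// unless START TLS is requested or ldaps:// is used.
    uri=$(conf_get "$conf" ldap_uri)
    case "$uri" in
        ldaps://*) ;;
        *) [ "$(conf_get "$conf" ldap_id_use_start_tls)" = "true" ] ||
            { echo "CLEARTEXT: $uri without ldap_id_use_start_tls = true"; n=$((n + 1)); } ;;
    esac
    # Exporting the CA is pointless if certificate checking is then disabled.
    case "$(conf_get "$conf" ldap_tls_reqcert)" in
        never|allow) echo "TLS: ldap_tls_reqcert disables DC certificate validation"; n=$((n + 1)) ;;
    esac
    # AD does not implement the LDAP password-modify extended operation.
    if [ "$(conf_get "$conf" chpass_provider)" = "ldap" ]; then
        echo "CHPASS: chpass_provider = ldap does not work against AD; use krb5"; n=$((n + 1))
    fi
    if [ "$(conf_get "$conf" enumerate)" = "true" ]; then
        echo "PERF: enumerate = true downloads every user and group; disable on large domains"; n=$((n + 1))
    fi
    return "$n"
}

# uid_collisions LOCAL_PASSWD DIR_PASSWD: UIDs that the local passwd file and
# a passwd-format dump of the directory (e.g. saved "getent passwd" output)
# assign to different account names.
uid_collisions() {
    awk -F: '
        NR == FNR { loc[$3] = $1; next }
        ($3 in loc) && loc[$3] != $1 { printf "uid %s: local %s vs directory %s\n", $3, loc[$3], $1 }
    ' "$1" "$2"
}

# uids_in_local_range LOGIN_DEFS DIR_PASSWD: directory accounts whose uidNumber
# lies inside the UID_MIN..UID_MAX range useradd picks from, i.e. the ones a
# future local account can silently collide with. The fallback range is the
# RHEL 6 shadow-utils default (assumed: 500..60000).
uids_in_local_range() {
    awk '
        BEGIN { lo = 500; hi = 60000 }
        NR == FNR { if ($1 == "UID_MIN") lo = $2 + 0; if ($1 == "UID_MAX") hi = $2 + 0; next }
        {
            split($0, f, ":")
            if (f[3] + 0 >= lo && f[3] + 0 <= hi)
                printf "uid %s (%s) lies inside the local range %d-%d\n", f[3], f[1], lo, hi
        }' "$1" "$2"
}

# Demo on constructed files (not from any real system) when run with no args.
if [ "$#" -eq 0 ]; then
    d=$(mktemp -d)
    cat > "$d/sssd.conf" <<'EOF'
[domain/yourdomain]
enumerate = true
chpass_provider = ldap
ldap_uri = ldap://dc01.domain.com
ldap_default_bind_dn = CN=LDAPBIND,DC=domain,DC=com
ldap_default_authtok = somepassword
EOF
    chmod 644 "$d/sssd.conf"
    printf 'root:x:0:0::/root:/bin/bash\nbob:x:500:500::/home/bob:/bin/bash\n' > "$d/passwd"
    printf 'alice:x:500:10000::/home/alice:/bin/bash\ncarol:x:10001:10000::/home/carol:/bin/bash\n' > "$d/dir.passwd"
    printf 'UID_MIN 500\nUID_MAX 60000\n' > "$d/login.defs"
    audit_sssd_conf "$d/sssd.conf" || echo "$? finding(s)"
    uid_collisions "$d/passwd" "$d/dir.passwd"
    uids_in_local_range "$d/login.defs" "$d/dir.passwd"
    rm -rf "$d"
fi
```

Run it with no arguments to see the demo, or source it and point the functions at real files: audit_sssd_conf /etc/sssd/sssd.conf, and uid_collisions /etc/passwd against a saved getent passwd dump taken with enumerate on. The demo shows the point of the UID planning section: with the stock login.defs range even a directory UID of 10001 is something useradd may hand out locally later.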

28 thoughts on “Active Directory LDAP integration with RedHat / CentOS / Scientific Linux”

  1. A lot of us are tasked with working in mixed environments so thanks for the clear write up on this subject. A lot of us agree that AD is an excellent product.

  12. Thanks for finally talking about > Active Directory LDAP integration with RedHat / CentOS
    / Scientific Linux | Brent Jones – Technical Blog < Loved it!

    My webpage prednisone

