Centralized directory services such as OpenLDAP or Active Directory (AD) simplify password management for both administrators and users. For Linux servers, SSH authentication against AD is especially interesting. From an IT security point of view, this solution also has advantages:
- Administrators no longer need to choose and manage a different password for each server. They log in to the servers with their AD password.
- Password changes and the deactivation of an account are done centrally in the AD.
- Centrally managed root passwords no longer need to be known to all administrators.
The following article shows how to configure authentication against an AD on Debian 7 wheezy via PAM using libpam-ldapd. After configuration, the authentication is valid not only for SSH but for all services that use PAM (sudo included). Since the libpam-ldapd packages also exist for Ubuntu, the instructions can be applied to Ubuntu as well.
Prerequisites and purpose
The following information is needed for the setup:
- The LDAP URL of the AD server.
- The search or base DN the users are in.
- (recommended) A bind DN including its password, used to search the base DN.
- For TLS: the certificate file for encrypted communication (since passwords are transmitted between server and AD during authentication, encrypted communication is strongly recommended).
- On the server itself, the users who want to log in must already exist.
In addition, the objectives of these instructions, briefly summarized:
- Password authentication of users via the passwords stored in the AD.
- Other things, such as groups, home paths, etc., are not retrieved from the AD.
- The user root should still be able to log on with the local password.
Attention: Misconfigured PAM modules can mean that you can no longer log in or authenticate. Always keep a root terminal open for emergencies!
Test connection to AD
The first step is to test the connection between server and AD. With LDAP and StartTLS, communication takes place over port 389:
# telnet ldap.example.com 389
Trying ...
Connected to ldap.example.com
Escape character is '^]'.
Then an actual LDAP query is performed with ldapsearch (for an encrypted connection, parameter -ZZ, the certificate must be configured in the file /etc/ldap.conf):
ldapsearch -x -H ldap://ldap.example.com -D "CN=Georg Schönberger,OU=Users,DC=example,DC=com" \
  -b "OU=Users,DC=example,DC=com" -W -ZZ sAMAccountName=gschoenberger
Installing libpam-ldapd
The central component on the Debian server is the package libpam-ldapd (packages.debian.org). This package also installs the nslcd daemon (packages.debian.org), which handles the communication between server and AD.
# apt-get install libpam-ldapd
[...]
The following NEW packages will be installed:
  bind9-host geoip-database ldap-utils libbind9-80 libcap2 libdns88 libgeoip1 libisc84 libisccc80 libisccfg82
  liblwres80 libnss-ldapd libpam-ldapd libxml2 nscd nslcd sgml-base xml-core
If you want to run the package configuration again to adjust values, just call
# dpkg-reconfigure nslcd
Configuration of nslcd
The following map and filter entries, the binddn and bindpw, and the TLS options must be added to the file /etc/nslcd.conf:
[...]
base ou=Users,dc=example,dc=com
map passwd uid sAMAccountName
filter passwd (objectClass=user)

# The LDAP protocol version to use.
ldap_version 3

# The DN to bind with for normal lookups.
binddn cn=reader,dc=example,dc=com
bindpw secret
[...]
# SSL options
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/Example-com-cacert.pem
[...]
The remaining settings in /etc/nslcd.conf are those made by the package installation.
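Because /etc/nslcd.conf decides whether the AD passwords travel encrypted and whether the AD certificate is actually verified, it is worth checking the file mechanically after editing. The following script is an added example and not part of the original article or of the nslcd package: it parses the "key value" line format of nslcd.conf and reports the settings that would weaken the setup shown above (no StartTLS or ldaps://, certificate checking disabled, missing CA file, missing bind credentials). The two configurations embedded below are constructed for the demonstration; the hardened one mirrors the values from the article.

```python
# Added example (not from the original article): audit the security-relevant
# keys of an nslcd.conf. Both sample configurations below are constructed.
import re

COMMENT_RE = re.compile(r"^\s*(#.*)?$")

# Constructed: the settings from the article, condensed into one file.
HARDENED_CONF = """
uri ldap://ldap.example.com
base ou=Users,dc=example,dc=com
map passwd uid sAMAccountName
filter passwd (objectClass=user)
ldap_version 3
binddn cn=reader,dc=example,dc=com
bindpw secret
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/Example-com-cacert.pem
"""

# Constructed: plaintext LDAP, certificate checks switched off, anonymous lookups.
WEAK_CONF = """
uri ldap://ldap.example.com
base ou=Users,dc=example,dc=com
ldap_version 3
tls_reqcert never
"""


def parse_nslcd_conf(text):
    """Return a dict of key -> list of values (keys such as 'map' may repeat)."""
    conf = {}
    for line in text.splitlines():
        if COMMENT_RE.match(line):
            continue
        parts = line.strip().split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def audit_nslcd_conf(text):
    """Return a list of findings; an empty list means all checks pass."""
    conf = parse_nslcd_conf(text)
    findings = []
    uris = conf.get("uri", [])
    ssl = conf.get("ssl", ["off"])[-1]          # last occurrence wins, as in nslcd
    if not uris:
        findings.append("no uri configured")
    if not any(u.startswith("ldaps://") for u in uris) and ssl not in ("on", "start_tls"):
        findings.append("plaintext LDAP: neither an ldaps:// URI nor 'ssl start_tls'")
    if conf.get("tls_reqcert", ["demand"])[-1] != "demand":
        findings.append("tls_reqcert is not 'demand': the AD certificate is not verified")
    if ssl in ("on", "start_tls") and "tls_cacertfile" not in conf:
        findings.append("tls_cacertfile missing: no CA to verify the AD certificate against")
    if "binddn" not in conf or not conf.get("bindpw", [""])[-1]:
        findings.append("binddn/bindpw missing: lookups would run anonymously")
    if conf.get("ldap_version", ["3"])[-1] != "3":
        findings.append("ldap_version should be 3")
    return findings


if __name__ == "__main__":
    for name, text in (("hardened", HARDENED_CONF), ("weak", WEAK_CONF)):
        print(name, audit_nslcd_conf(text) or "OK")
```

Run it against a copy of the real file with `audit_nslcd_conf(open("/etc/nslcd.conf").read())`. Since the file holds the bindpw, keep it readable only by root and the nslcd service group, as the Debian package installs it.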
Configuration of pam_ldap
Basically, the configuration written by the package installation is already suitable for AD authentication. With the default configuration, however, users can authenticate with both the AD/LDAP password and the local password. To stop accepting local passwords for users other than root, the following change must be made to the file /etc/pam.d/common-auth.
Attention: After this change, only root can use its local password. All other users depend on the AD and on a working connection between server and AD:
# vi /etc/pam.d/common-auth
[...]
auth    sufficient    pam_ldap.so minimum_uid=1000
auth    requisite     pam_succeed_if.so uid eq 0
auth    sufficient    pam_unix.so nullok_secure
# here's the fallback if no module succeeds
[...]
After that, for all users with uid > 1000, only a successful AD login authenticates. Their local passwords no longer work!
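The effect of the three auth lines depends entirely on the PAM control flags: "sufficient" ends the stack with success as soon as a module succeeds (a failure is simply skipped), while "requisite" aborts the stack on failure. To make that walk visible, here is an added example that is not part of the original article and does not call PAM or LDAP at all: it models the stack above with the constructed User records standing in for what nslcd/AD and /etc/shadow would say about a password, and shows why root still gets its local password while AD users never reach pam_unix. The modelled semantics are the standard ones from pam.d(5), simplified to the three control flags actually used here.

```python
# Added example (not from the original article): simulate how PAM walks the
# three "auth" lines of /etc/pam.d/common-auth shown above. No real PAM or
# LDAP call is made; module outcomes are supplied as constructed inputs.
from dataclasses import dataclass


@dataclass
class User:
    name: str
    uid: int
    ad_password_ok: bool      # would pam_ldap (nslcd -> AD) accept the password?
    local_password_ok: bool   # would pam_unix (/etc/shadow) accept the password?


def pam_ldap(user, minimum_uid=1000):
    # pam_ldap ignores users below minimum_uid; otherwise the result is the
    # outcome of the LDAP bind with the user's password.
    if user.uid < minimum_uid:
        return "ignore"
    return "success" if user.ad_password_ok else "failure"


def pam_succeed_if_uid_eq_0(user):
    # "uid eq 0": only root passes this line.
    return "success" if user.uid == 0 else "failure"


def pam_unix(user):
    return "success" if user.local_password_ok else "failure"


# The stack from the article, as (control flag, module) pairs in order.
STACK = [
    ("sufficient", pam_ldap),
    ("requisite", pam_succeed_if_uid_eq_0),
    ("sufficient", pam_unix),
]


def authenticate(user):
    """Return True if the modelled stack grants access, False otherwise."""
    for control, module in STACK:
        result = module(user)
        if control == "sufficient":
            if result == "success":
                return True           # sufficient: success ends the stack
            # failure or ignore: continue with the next line
        elif control == "requisite":
            if result != "success":
                return False          # requisite: failure aborts immediately
    return False                      # no module succeeded: PAM denies


if __name__ == "__main__":
    for u in (User("root", 0, False, True),
              User("gschoenberger", 1001, True, False),
              User("gschoenberger", 1001, False, True),
              User("daemon", 1, False, True)):
        print(f"{u.name:14} uid={u.uid:<5} -> {'allowed' if authenticate(u) else 'denied'}")
```

The last case is worth noting: system accounts with 0 < uid < 1000 are ignored by pam_ldap and then stopped by the requisite line, so they cannot authenticate at all with this stack, which is usually what you want.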
The configuration of AD authentication is completed after the above steps.
The nslcd daemon provides a debug mode for analyzing the LDAP authentication:
# nslcd -d
nslcd: DEBUG: add_uri(ldap://ldap.example.com)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,2)
[...]
nslcd: accepting connections
If the -d parameter is given more than once, the debug level of nslcd increases.
Somewhat misleading is the error message
DEBUG: failed to bind to ldap server ldap://ldap.example.com: Invalid credentials: 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v23f0
which also occurs when a user account does not yet exist on the server.
If you customize the PAM rules in the file /etc/pam.d/common-auth, you will get the error
pam_succeed_if(sshd:auth): incomplete condition detected
in the log file /var/log/auth.log if the pam_succeed_if.so expressions are not correct.
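The "Invalid credentials" text in the bind error above is the generic LDAP result; what actually distinguishes a wrong password from a disabled or locked account is the hex value after "data" (52e in the article's line). The following script is an added example, not part of the original article or of nslcd: it extracts that sub-code from nslcd debug lines and maps it using Microsoft's documented list of AcceptSecurityContext sub-codes, so a log can be summarized per cause (a sudden pile of 52e entries, for instance, is worth a look). The log lines below are constructed; the first one is the article's message, the second reuses it with a different sub-code.

```python
# Added example (not from the original article): decode the AD sub-code in
# nslcd "failed to bind" messages and count failures per cause. Sample log
# lines are constructed.
import re

# Microsoft's documented AcceptSecurityContext "data" sub-codes for LDAP result 49.
AD_BIND_SUBCODES = {
    "525": "user not found in the directory",
    "52e": "invalid credentials (wrong password for an existing user)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")

# Constructed sample: the article's message plus one with sub-code 533.
SAMPLE_LOG = [
    "nslcd: DEBUG: failed to bind to ldap server ldap://ldap.example.com: Invalid credentials: "
    "80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v23f0",
    "nslcd: DEBUG: failed to bind to ldap server ldap://ldap.example.com: Invalid credentials: "
    "80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 533, v23f0",
    "nslcd: accepting connections",
]


def explain_bind_error(line):
    """Return (subcode, explanation) for an nslcd 'failed to bind' line, else None."""
    if "failed to bind" not in line:
        return None
    m = DATA_RE.search(line)
    if not m:
        return ("?", "bind failure without an AD sub-code")
    code = m.group(1).lower()
    return (code, AD_BIND_SUBCODES.get(code, "unknown AD sub-code"))


def summarize_bind_failures(lines):
    """Count bind failures per AD sub-code over a sequence of log lines."""
    counts = {}
    for line in lines:
        res = explain_bind_error(line)
        if res:
            counts[res[0]] = counts.get(res[0], 0) + 1
    return counts


if __name__ == "__main__":
    for code, n in summarize_bind_failures(SAMPLE_LOG).items():
        print(f"{n:4} x data {code}: {AD_BIND_SUBCODES.get(code, 'unknown')}")
```

To use it on a real run, feed the output of `nslcd -d` (or the lines journald/syslog captured from it) into summarize_bind_failures line by line.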