[ale] RHEL 6 authenticate against LDAP?

James Sumners james.sumners at gmail.com
Mon Jun 16 13:33:13 EDT 2014


Okay, for the Internet at large, forget about that SSSD garbage. The
following will get a fresh install of RHEL 6 (and I assume 7)
authenticating against an Active Directory server (without caring about
updating the AD password and such):

$ yum install pam_ldap
$ authconfig --enableldapauth --enablelocauthorize --update
$ openssl s_client -connect ldap.example.com:636 2>&1 \
    | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
    > /etc/openldap/cacerts/ldap.example.com.crt   # press "return" again to terminate the process
$ cacertdir_rehash

Finally, configure /etc/pam_ldap.conf appropriately:

`````
# Set to the base LDAP tree for the users you want to authorize
base OU=Cool Guys,OU=Departments,dc=example,dc=com

# URI of the LDAP server
uri ldaps://ldap.example.com/
# A user that can search the LDAP tree
binddn CN=Searcher,cn=Users,DC=example,DC=com
# The search user's password
bindpw the_correct_directory_reader_password

scope sub

pam_filter objectClass=User
pam_login_attribute sAMAccountName
pam_password ad

# RFC 2307 (AD) mappings
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member

ssl on
sasl_secprops maxssf=0
referrals no
`````


On Fri, Jun 13, 2014 at 9:21 AM, Jim Kinney <jim.kinney at gmail.com> wrote:

> You will need to check nsswitch file to have password by LDAP or sssd and
> home by files. Then every user add will require multiple steps. Add in AD
> then again on each machine.
> On Jun 13, 2014 9:10 AM, "James Sumners" <james.sumners at gmail.com> wrote:
>
>> I'm sorry, I do not know what question you are answering. I never
>> mentioned wanting password changes propagated to anything. In fact, these
>> accounts are normally created with no valid password at all on the local
>> machine. That's what I want: user attempts to login, system checks with AD
>> to verify credentials, and then home dir, shell, etc. are pulled from the
>> local user account.
>>
>> On Sat, Jun 7, 2014 at 10:20 AM, Jim Kinney <jim.kinney at gmail.com> wrote:
>>
>>> Hmm. As much as it pains me to say this, sssd can use AD as the master
>>> auth process. Unless AD admin provides an access id with write ability,
>>> password changes will have to occur on AD and then propagate to IPA.
>>>
>>
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo


-- 
James Sumners
http://james.roomfullofmirrors.com/

"All governments suffer a recurring problem: Power attracts pathological
personalities. It is not that power corrupts but that it is magnetic to the
corruptible. Such people have a tendency to become drunk on violence, a
condition to which they are quickly addicted."

Missionaria Protectiva, Text QIV (decto)
CH:D 59
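As an added example (mine, not from the post above): a small script that wraps the certificate step and checks the resulting pam_ldap.conf. It fetches the full chain with -showcerts and stdin from /dev/null (no "press return", and the issuing CA lands in cacerts rather than only the leaf), splits the chain one certificate per file so cacertdir_rehash can hash it, verifies the leaf against that directory the way the TLS check will, and lints the config for the things that actually leak passwords: a world-readable file holding bindpw, an ldap:// uri with neither ssl on nor start_tls, and tls_checkpeer no. ldap.example.com, /etc/openldap/cacerts and /etc/pam_ldap.conf come from the post; the function names, the directory argument to cacertdir_rehash, and the sample transcript and config used when testing are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Host/paths from the post;
# everything else (function names, cacertdir_rehash taking a directory) is assumed.

# Keep only the PEM certificate blocks from an `openssl s_client` transcript on
# stdin (the post's sed range, reading a pipe so it can be exercised offline).
extract_pem() {
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# Fetch the chain the server presents. stdin from /dev/null makes s_client exit
# after the handshake; -showcerts prints the whole chain, not just the leaf;
# -servername sends SNI for servers that key certificates on it.
fetch_chain() {    # usage: fetch_chain host [port]
    openssl s_client -connect "$1:${2:-636}" -servername "$1" -showcerts \
        </dev/null 2>/dev/null | extract_pem
}

# Split a multi-certificate PEM on stdin into outdir/cert-N.pem, one cert per
# file, which is the layout a hashed CA directory expects.
split_pem() {      # usage: split_pem outdir
    extract_pem | awk -v d="$1" \
        '/-BEGIN CERTIFICATE-/ { n++ } { print > (d "/cert-" n ".pem") }'
}

# Verify the leaf against the CA directory. If this fails with "unable to get
# issuer certificate" the server did not send its root; add it by hand.
verify_leaf() {    # usage: verify_leaf leaf.pem [cacertdir]
    openssl verify -CApath "${2:-/etc/openldap/cacerts}" "$1"
}

# Value of key in a "key value" config file (first match wins).
conf_get() {       # usage: conf_get file key
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Lint the settings that decide whether the search user's password and the
# users' login passwords cross the wire in the clear or reach an unverified
# server. Prints one line per finding; exit status 0 means no findings.
lint_pam_ldap_conf() {   # usage: lint_pam_ldap_conf /etc/pam_ldap.conf
    f=$1 rc=0
    # bindpw is stored in cleartext, so the file must not be readable by others.
    if [ -n "$(conf_get "$f" bindpw)" ]; then
        case "$(ls -l "$f" | cut -c1-10)" in
            ???????---) ;;
            *) echo "$f: readable by others but contains bindpw"; rc=1 ;;
        esac
    fi
    uri=$(conf_get "$f" uri) ssl=$(conf_get "$f" ssl)
    case "$uri/$ssl" in
        ldaps://*)   ;;   # TLS from the first byte
        */start_tls) ;;   # plain port upgraded with STARTTLS
        */on)        ;;   # pam_ldap's own LDAPS switch
        *) echo "$f: uri '$uri' with ssl '$ssl' sends passwords in the clear"; rc=1 ;;
    esac
    # An explicit tls_checkpeer no skips server certificate validation entirely.
    if [ "$(conf_get "$f" tls_checkpeer)" = no ]; then
        echo "$f: tls_checkpeer no disables server verification"; rc=1
    fi
    return $rc
}

# Run the whole thing against a live server:
#   sh ldap_checks.sh ldap.example.com [/etc/openldap/cacerts]
if [ $# -ge 1 ]; then
    dir=${2:-/etc/openldap/cacerts}
    fetch_chain "$1" | split_pem "$dir"
    cacertdir_rehash "$dir"          # from the authconfig package, as in the post
    verify_leaf "$dir/cert-1.pem" "$dir"
    lint_pam_ldap_conf /etc/pam_ldap.conf
fi
```

The lint is deliberately narrow: it only reads the keys the post sets and does not try to guess libldap's defaults, so a missing tls_checkpeer line is not reported either way; if you want certificate checking enforced, set it to yes explicitly and make sure verify_leaf passes first.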