Setting up LDAP Authentication on Debian in an Active Directory environment

It takes a lot to run a Cyber Defense Competition beyond just a large VMware cluster, and many of those systems aren’t Windows boxes. I’ve seen solutions to bind *nix boxes to Active Directory using Kerberos, but that wasn’t really necessary. Here’s a solution for Debian that only requires LDAP.

Note that this requires you to install Identity Management for UNIX on your domain controllers; see this Technet article for instructions on how to do it.

First, install the necessary packages:

apt-get install libnss-ldapd libpam-ldapd

Now edit /etc/nslcd.conf:

# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://windc1.example.com ldap://windc2.example.com

# The search base that will be used for all queries.
base dc=example,dc=com

# The LDAP protocol version to use.
ldap_version 3

# The DN to bind with for normal lookups.
binddn ldap@example.com
bindpw <password>

# The DN used for password modifications by root.
# Leave this blank unless you want to allow password changes from your debian systems
# If so, you will need to place the password in /etc/ldap.secret - be sure it is only readable by root
#rootpwmoddn cn=admin,dc=example,dc=com

# The search scope.
scope sub

# Mappings for Active Directory
# This is the important bit; these fields match up with the fields added by Directory Services for UNIX
pagesize 1000
#referrals no
filter passwd (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
map    passwd uid              sAMAccountName
map    passwd homeDirectory    unixHomeDirectory
map    passwd gecos            displayName
# If you wish to override the shell given by LDAP, uncomment the next line
#map    passwd loginShell       "/bin/bash"
filter shadow (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
map    shadow uid              sAMAccountName
map    shadow shadowLastChange pwdLastSet
filter group  (&(objectClass=group)(gidNumber=*))
#map    group  gid              member

# SSL options
tls_reqcert never
#ssl start_tls
#ssl on
#tls_cacertfile /etc/ssl/ca.pem

In /etc/nsswitch.conf:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files ldap
group:          files ldap
shadow:         files ldap

hosts:          files dns ldap
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Make sure LDAP authentication is enabled by running

pam-auth-update

In /etc/pam.d/common-session add the following at the bottom of the file:

# make home directories
session required   pam_mkhomedir.so skel=/etc/skel/ umask=0077

This umask will prevent users from reading each others’ home directories. If you’d prefer to be more open, use umask=0022 instead.

If you wish to restrict who can login, edit /etc/pam.d/sshd and uncomment the following line:

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
account  required     pam_access.so

You can do the same in /etc/pam.d/login for console logins.

Then edit /etc/security/access.conf and add the following lines at the bottom:

#these users can always log in
+ : root : ALL
+ : localadmin : ALL
#anyone in the local ssh-users group can login
+ : (ssh-users) : ALL
#deny everyone else : ALL
- : ALL : ALL

Be sure to add users to the ssh-users group in /etc/group.

Reboot (or restart nslcd, nscd, and sshd) and you should be good to go!

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>