opsi-server_authentication_over_windows_ad_based_on_ldap

Differences

opsi-server_authentication_over_windows_ad_based_on_ldap [2015/05/22 10:42]
koepkek created
opsi-server_authentication_over_windows_ad_based_on_ldap [2021/08/23 08:37]
Line 1: Line 1:
- 1 ==== OPSI Server authentication over Windows AD based on LDAP ==== 
- 
-=== Purpose: === 
- 
-You can use your Windows user and password to authenticate against the following services: 
- 
-  * SSH  
-  * SAMBA 
-  * OPSI ConfigEditor 
- 
- 
-=== Configuration steps: === 
- 
-This procedure is tested with Debian 6.0.10 and OPSI 4.0.5 
- 
- 
-  * Before you can use the login to the OPSI host with your Windows user and password, you have to create a local *NIX user account (no password necessary). Use as *NIX username the Windows sAMAccountName. 
-     *''addusers --no-create-home --ingroup opsiadmin <sAMAccountName>'' 
- 
-  * Install additional package: 
-     * ''apt-get install libpam-ldap'' 
- 
-  * Here is the relevant configuration part for pam_ldap.conf: 
-     * Windows AD Domain Controller: dc1.mywin.domain  (in this case the DC holds the PDC role) 
-     * AD user account: OpsiAdRead 
-     * AD user pass: secretpw 
- 
- 
-/etc/pam_ldap.conf 
-<code> 
-# 
- 
-# The distinguished name of the search base. 
-base dc=mywin,dc=domain 
- 
-# Another way to specify your LDAP server is to provide an 
-uri ldap://dc1.mywin.domain  
- 
-# The LDAP version to use (defaults to 3 
-# if supported by client library) 
-ldap_version 3 
- 
-# The distinguished name to bind to the server with. 
-# Optional: default is to bind anonymously. 
-binddn cn=OpsiAdRead,cn=Users,dc=mywin,dc=domain 
- 
-# The credentials to bind with. 
-# Optional: default is no credential. 
-bindpw secretpw 
- 
-# The search scope. 
-scope sub 
- 
-# Search timelimit 
-timelimit 5 
- 
-# Bind/connect timelimit 
-bind_timelimit 5 
- 
-# Reconnect policy: hard (default) will retry connecting to 
-# the software with exponential backoff, soft will fail 
-# immediately. 
-bind_policy soft 
- 
-# The user ID attribute (defaults to uid) 
-pam_login_attribute sAMAccountName 
- 
-# Hash password locally; required for University of 
-# Michigan LDAP server, and works with Netscape 
-# Directory Server if you're using the UNIX-Crypt 
-# hash mechanism and not using the NT Synchronization 
-# service. 
-pam_password crypt 
- 
-# Update Active Directory password, by 
-# creating Unicode password and updating 
-# unicodePwd attribute. 
-pam_password ad 
- 
-# RFC 2307 (AD) mappings 
-nss_map_objectclass posixAccount user 
-nss_map_objectclass shadowAccount user 
-nss_map_attribute uid sAMAccountName 
-nss_map_attribute homeDirectory unixHomeDirectory 
-nss_map_attribute shadowLastChange pwdLastSet 
-nss_map_objectclass posixGroup group 
-nss_map_attribute uniqueMember member 
-pam_login_attribute sAMAccountName 
-pam_filter objectclass=User 
-pam_password ad 
-</code> 
- 
-  * Here is the relevant configuration changes for the smb.conf: 
-     * For the “password server” option you can use more as one server, if one server not reachable the next one is used. Use as server name the Netbios name and not the FQDN or the IP address. If one of the servers rejects the password the connection failed, Samba does not ask the next server. 
- 
-/etc/samba/smb.conf 
-<code> 
-[global] 
- 
-## Browsing/Identification ### 
- 
-# Change this to the workgroup/NT-domain name your Samba server will part of 
-    workgroup = MYWIN 
- 
-####### Authentication ####### 
- 
-# "security = user" is always a good idea. This will require a Unix account 
-# in this server for every user accessing the server. See 
-# /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html 
-# in the samba-doc package for details. 
-   security = domain 
- 
-# You may wish to use password encryption.  See the section on 
-# 'encrypt passwords' in the smb.conf(5) manpage before enabling. 
-   encrypt passwords = true 
- 
-# If you are using encrypted passwords, Samba will need to know what 
-# password database type you are using. 
-#   passdb backend = tdbsam 
-   password server = dc1 dc2  
- 
-   obey pam restrictions = yes 
-# 
-</code> 
- 
-Join the OPSI host to the Windows AD domain 
- 
-DC1 = Netbios name of the windows domain controller dc1.mywin.domain 
-Administrator = Domain admin account 
- 
-net rpc join -S DC1 -U Administrator 
- 
-Create a domain user account <pcpatch> 
- 
-Use for the domain user <pcpatch> the same password as for the OPSI user <pcpatch>. 
- 
-passwd pcpatch  <secret_pcpatch_password> 
-smbpasswd –U pcpatch  <secret_pcpatch_password> 
- 
-opsi-admin -d task setPcpatchPassword <secret_pcpatch_password> 
- 
-Create a global host parameter with the ConfigEd. 
- 
-clientconfig.depot.user :  MYWIN\pcpatch 
- 
-* 
-http://thejoyofstick.com/blog/2012/03/31/authenticating-linux-users-against-microsoft-active-directory/ 
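Review bot: this hunk deletes the entire page (the 2021/08/23 revision is empty) with no replacement and no pointer to where the content went, so the only documentation of the pam_ldap / smb.conf setup for the OPSI host is lost; if the page is being retired, leave a one-line note that the procedure (tested with Debian 6.0.10 and OPSI 4.0.5) is obsolete and where the current one lives. If the content is meant to survive in a revised form, the removed text has defects worth fixing rather than dropping: the `/etc/pam_ldap.conf` block sets `pam_password crypt` and later `pam_password ad`, and repeats `pam_login_attribute sAMAccountName` and `pam_password ad`, so only the last occurrence takes effect and the duplicates should go; the same file carries the AD bind password in clear text (`bindpw secretpw`), so the page should state that the file must not be world-readable and that the bind account needs read-only directory rights; `addusers --no-create-home --ingroup opsiadmin <sAMAccountName>` should read `adduser`; and `passwd pcpatch  <secret_pcpatch_password>` and `smbpasswd –U pcpatch  <secret_pcpatch_password>` do not accept the password as a positional argument (`passwd` prompts for it, `smbpasswd` adds a local user with `-a pcpatch`, and the `–U` here is an en-dash rather than the ASCII `-U` the tool parses).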
  
opsi-server_authentication_over_windows_ad_based_on_ldap.txt · Last modified: 2021/08/23 08:37 (external edit)