CentOS 7 / Active Directory authentication using nss-pam-ldapd
CentOS can authenticate users against AD accounts. There are many guides online covering samba + winbind, sssd, nss-pam-ldapd and other methods. Today we introduce how to use nss-pam-ldapd to authenticate against Active Directory accounts.
I. Experiment environment:
Two hosts: one Windows Server 2012 R2 domain controller and one CentOS 7.2 client that authenticates with AD accounts
1. Windows OS: Active Directory 2012 R2
IP: 10.10.1.1
Hostname: ad
Domain: ghost.com
2. Linux OS: CentOS 7.2 1511
IP: 10.10.1.10
Hostname: server1.ghost.com
II. Experiment steps:
AD domain controller:
Hostname: ad
IP: 10.10.1.1
1. Create the AD and DNS server: Server Manager ----> Add roles and features ----> Active Directory Domain Services + DNS Server. The detailed steps are omitted here (everyone knows them ^_^).
2. Windows Server 2012 R2 does not enable the Identity Management for UNIX component by default, so it must be enabled on the domain controller. The commands are as follows:
Dism.exe /online /enable-feature /featurename:adminui
Dism.exe /online /enable-feature /featurename:nis
Dism.exe /online /enable-feature /featurename:psync
You can also refer to the following link:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731178(v=ws.11)
After this component is enabled, a UNIX Attributes tab is added to the account properties. If Advanced Features is enabled in the Active Directory Users and Computers view, the Attribute Editor tab is displayed as well.
3. Disable the Windows firewall and add a DNS record for server1 so that server1.ghost.com resolves to 10.10.1.10.
4. Create the OU ghost and the user zhangsan; the user linux_ad is used as the bind account for lookups. If binding with linux_ad fails, try the administrator account instead, as shown in the figure.
That is all for the Windows side. Next comes the part you are interested in: the Linux settings.
1. After the system is installed, disable SELinux and firewalld.
2. Set the IP address and DNS:
[root@server1 ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
NAME=eth0
DEVICE=eth0
ONBOOT=yes
IPADDR=10.10.1.10
NETMASK=255.255.0.0
DNS1=10.10.1.1
[root@server1 ~]# cat /etc/resolv.conf
search localdomain ghost.com
nameserver 10.10.1.1
[root@server1 ~]# yum -y install nss-pam-ldapd openldap-clients telnet
The following files must be configured for nss-pam-ldapd authentication. /etc/pam.d/system-auth-ac and /etc/pam.d/password-auth-ac are modified in the same way.
[root@server1 ~]# cat /etc/nslcd.conf
uid nslcd
gid ldap
uri ldap://ad.ghost.com:389
# The OU and DC components must match the directory.
base ou=GHOST,dc=ghost,dc=com
# The bind account's DN; it can be read from the distinguishedName value in the Attribute Editor of the account in AD.
binddn cn=linux_ad,cn=users,dc=ghost,dc=com
bindpw linux_ad
scope group sub
scope hosts sub
bind_timelimit 3
timelimit 3
pagesize 1000
referrals off
filter passwd (&(objectClass=user)(!(objectClass=computer))(unixHomeDirectory=*))
map passwd homeDirectory unixHomeDirectory
filter shadow (&(objectClass=user)(!(objectClass=computer))(unixHomeDirectory=*))
map shadow shadowLastChange pwdLastSet
filter group (objectClass=group)
scope sub
ssl off
tls_reqcert never
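Two things in this file deserve a check before it goes into production: the search filters must be valid RFC 4515 syntax (a `!` wraps exactly one sub-filter, which is easy to get wrong when typing nested parentheses), and `ssl off` together with `tls_reqcert never` means the bind password in `bindpw` crosses the network in cleartext on port 389. The following Python script is an added example, not from the original post and not nss-pam-ldapd's own parser: it audits an nslcd.conf text for exactly these points and shows the weak configuration beside a hardened one that uses STARTTLS with certificate verification. Both configurations are constructed here; the hostnames, DNs, password and the CA bundle path `/etc/pki/tls/certs/ad-ca.pem` are placeholders.

```python
import re

# Constructed: the post's settings, but with the passwd filter's '!' wrapping
# two sub-filters, which RFC 4515 does not allow.
WEAK_CONF = """\
uid nslcd
gid ldap
uri ldap://ad.ghost.com:389
base ou=GHOST,dc=ghost,dc=com
binddn cn=linux_ad,cn=users,dc=ghost,dc=com
bindpw linux_ad
filter passwd (&(objectClass=user)(!(objectClass=computer)(unixHomeDirectory=*)))
filter group (objectClass=group)
ssl off
tls_reqcert never
"""

# Constructed: same directory settings, STARTTLS on port 389 with certificate
# verification against an assumed CA bundle path, and the filter corrected.
HARDENED_CONF = """\
uid nslcd
gid ldap
uri ldap://ad.ghost.com:389
base ou=GHOST,dc=ghost,dc=com
binddn cn=linux_ad,cn=users,dc=ghost,dc=com
bindpw linux_ad
filter passwd (&(objectClass=user)(!(objectClass=computer))(unixHomeDirectory=*))
filter group (objectClass=group)
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/pki/tls/certs/ad-ca.pem
"""

def parse_nslcd_conf(text):
    """Return (option, value) pairs; blank lines and '#' comment lines are skipped."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            pairs.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return pairs

# attribute, comparison operator, value (values without parentheses only)
_ITEM = re.compile(r"[A-Za-z][A-Za-z0-9.;-]*(?:=|~=|>=|<=)[^()]*")

def _parse(s, i):
    """Parse one filter starting at s[i] == '('; return the index after its ')'."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    if s[i] in "&|":                      # AND / OR: one or more sub-filters
        op, i, n = s[i], i + 1, 0
        while i < len(s) and s[i] == "(":
            i, n = _parse(s, i), n + 1
        if n == 0:
            raise ValueError(f"'{op}' needs at least one sub-filter")
    elif s[i] == "!":                     # NOT: exactly one sub-filter
        i = _parse(s, i + 1)
        if i < len(s) and s[i] == "(":
            raise ValueError("'!' takes exactly one sub-filter")
    else:                                 # plain attribute comparison
        m = _ITEM.match(s, i)
        if not m:
            raise ValueError(f"bad attribute item at offset {i}")
        i = m.end()
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1

def check_filter(flt):
    """Return (True, 'ok') or (False, reason) for an LDAP search filter string."""
    try:
        end = _parse(flt, 0)
    except ValueError as exc:
        return False, str(exc)
    if end != len(flt):
        return False, f"trailing characters at offset {end}"
    return True, "ok"

def audit(conf_text):
    """Return a list of findings for an nslcd.conf text; [] means nothing flagged."""
    opts = parse_nslcd_conf(conf_text)
    values = dict(opts)                   # last value wins for repeated options
    findings = []
    for opt, val in opts:
        if opt == "filter":
            mapname, _, flt = val.partition(" ")
            ok, reason = check_filter(flt.strip())
            if not ok:
                findings.append(f"filter {mapname}: {reason}")
    ssl = values.get("ssl", "off")
    if ssl == "off":
        findings.append("ssl off: use 'ssl start_tls' or an ldaps:// uri")
    if values.get("tls_reqcert", "demand") != "demand":
        findings.append(f"tls_reqcert {values['tls_reqcert']}: server certificate is not verified")
    if "bindpw" in values and ssl == "off" and not values.get("uri", "").startswith("ldaps://"):
        findings.append("bindpw travels in cleartext on the unencrypted uri")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(conf) or ['no findings']}")
```

Running the script reports four findings for the weak text (the malformed passwd filter, `ssl off`, `tls_reqcert never` and the cleartext bind password) and none for the hardened one. The hardened variant keeps port 389 but upgrades the connection with STARTTLS before the bind, and `tls_reqcert demand` with a CA file makes nslcd refuse a domain controller it cannot verify; the AD side must of course have a certificate issued for the name in `uri`.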
[root@server1 ~]# cat /etc/nsswitch.conf
passwd:     files ldap    # add the ldap lookup source
shadow:     files ldap
group:      files ldap
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files ldap
netgroup:   files ldap
publickey:  nisplus
automount:  files ldap
aliases:    files nisplus
[root@server1 ~]# cat /etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_ldap.so use_first_pass    # add the ldap authentication method
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so    # add the ldap authentication method
account     required      pam_permit.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok    # add the ldap authentication method
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so    # add the ldap authentication method
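The order and control flags of the auth section decide which module actually answers for a given login. To make that visible, here is an added simulator of that section; it is not Linux-PAM code and not from the original post. It applies the Linux-PAM semantics of required, requisite, sufficient and optional to stand-in modules whose behaviour is reduced to success or failure. The accounts, uids and passwords are constructed stand-ins for what NSS (files, then ldap) would return.

```python
# Constructed accounts: name -> (source, uid, password). 'files' stands for
# /etc/passwd, 'ldap' for an entry nslcd would return from AD.
USERS = {
    "root":      ("files", 0,     "rootpw"),
    "localuser": ("files", 1000,  "localpw"),
    "zhangsan":  ("ldap",  10001, "adpw"),
}

# The auth section of system-auth-ac, as (control, module, arguments).
AUTH_STACK = [
    ("required",   "pam_env.so",        ""),
    ("sufficient", "pam_unix.so",       "nullok try_first_pass"),
    ("requisite",  "pam_succeed_if.so", "uid >= 1000 quiet_success"),
    ("sufficient", "pam_ldap.so",       "use_first_pass"),
    ("required",   "pam_deny.so",       ""),
]

def run_module(module, args, user, password):
    """Stand-in behaviour of each module: True for PAM_SUCCESS, False otherwise."""
    entry = USERS.get(user)
    if module == "pam_env.so":
        return True                                    # only sets environment
    if module == "pam_unix.so":                        # local password file only
        return entry is not None and entry[0] == "files" and entry[2] == password
    if module == "pam_succeed_if.so":
        # 'uid >= N': the uid comes from NSS; an unknown user yields
        # PAM_USER_UNKNOWN, which requisite treats as a failure.
        threshold = int(args.split()[2])
        return entry is not None and entry[1] >= threshold
    if module == "pam_ldap.so":                        # bind to AD as the user
        return entry is not None and entry[0] == "ldap" and entry[2] == password
    if module == "pam_deny.so":
        return False
    raise ValueError(f"unknown module {module}")

def authenticate(user, password, stack=AUTH_STACK):
    """Walk the stack with Linux-PAM control semantics.

    Returns (granted, trace); trace lists (module, result) for every module
    that was consulted, so you can see where the stack stopped."""
    trace = []
    required_failed = False
    for control, module, args in stack:
        ok = run_module(module, args, user, password)
        trace.append((module, ok))
        if control == "required" and not ok:
            required_failed = True            # remember the failure, keep going
        elif control == "requisite" and not ok:
            return False, trace               # stop at once
        elif control == "sufficient" and ok and not required_failed:
            return True, trace                # enough; later modules are skipped
        # optional results are ignored here
    return (not required_failed), trace

if __name__ == "__main__":
    for user, pw in (("zhangsan", "adpw"), ("zhangsan", "bad"),
                     ("localuser", "localpw"), ("root", "bad"), ("ghost", "x")):
        granted, trace = authenticate(user, pw)
        print(f"{user:10} {pw:8} -> {'granted' if granted else 'denied':8} via {trace}")
```

Three things the traces show: a local user who types the right password is accepted by pam_unix.so and pam_ldap.so is never called; an AD user reaches pam_ldap.so only after pam_unix.so has failed and pam_succeed_if.so has confirmed the uid is 1000 or higher; and for root (or any uid below 1000) the requisite pam_succeed_if.so line ends the stack before pam_ldap.so, so the domain controller is never asked about system accounts. A wrong AD password falls through to pam_deny.so, which is what makes the final decision a denial rather than an empty result.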
Test whether port 389 on the AD server is reachable.
[root@server1 ~]# telnet 10.10.1.1 389
Trying 10.10.1.1...
Connected to 10.10.1.1.
Escape character is '^]'.
Start the nslcd service
[root@server1 ~]# systemctl start nslcd
[root@server1 ~]# systemctl status nslcd
● nslcd.service - Naming services LDAP client daemon.
   Loaded: loaded (/usr/lib/systemd/system/nslcd.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2012-02-07 16:29:57 CST; 13s ago
  Process: 6904 ExecStart=/usr/sbin/nslcd (code=exited, status=0/SUCCESS)
 Main PID: 6905 (nslcd)
   CGroup: /system.slice/nslcd.service
           └─6905 /usr/sbin/nslcd

Feb 07 16:29:57 server1.ghost.com systemd[1]: Starting Naming services LDAP client daemon....
Feb 07 16:29:57 server1.ghost.com systemd[1]: PID file /var/run/nslcd.pid not readable (yet?) after start.
Feb 07 16:29:57 server1.ghost.com nslcd[6905]: version 0.8.13 starting
Feb 07 16:29:57 server1.ghost.com nslcd[6905]: accepting connections
Feb 07 16:29:57 server1.ghost.com systemd[1]: Started Naming services LDAP client daemon..
Feb 07 16:30:06 server1.ghost.com systemd[1]: Started Naming services LDAP client daemon..
Use the ldapsearch command to test whether the bind account can query the directory.
[root@server1 ~]# ldapsearch -h ad.ghost.com -b dc=ghost,dc=com -D cn=linux_ad,cn=users,dc=ghost,dc=com -W -p 389
Check whether zhangsan is resolved on Linux.
[root@server1 ~]# id zhangsan
uid=10001(zhangsan) gid=10000 groups=10000
CentOS now authenticates against the AD account!!!