[rhn-users] pam_ldap authentication against AD
lin77sys
lin77sys at yahoo.it
Fri Feb 10 07:17:03 UTC 2006
Hi Tom, I tried to configure Linux authentication with
AD some weeks ago. This contains some short notes and
references about my experience with Linux and AD.
To have an idea about the problem read:
http://enterprise.linux.com/enterprise/04/12/09/2318244.shtml?tid=102&tid=101&tid=100
To install and configure either Active Directory Win
2003 or ldap client on Linux read:
http://www.microsoft.com/technet/itsolutions/cits/interopmigration/unix/usecdirw/08wsdsu.mspx#EEAA
Other useful info:
http://www.novell.com/it-it/coolsolutions/appnote/15120.html
http://www.saas.nsw.edu.au/solutions/ldap-auth1.html
This is a distillation of my experience:
For the experiment I used a physically isolated network
switch to which I connected two PCs: a domain server and
a Linux Red Hat AS v3, in order to avoid mistakes and
damage to my company's Windows domain.
Some hints:
Always have a root terminal open so that you do not get
locked out of your Linux box, especially when you
configure PAM. Make copies of the original
configuration files and read this first:
http://enterprise.linux.com/enterprise/04/12/09/2318244.shtml?tid=102&tid=101&tid=100
I inserted this line as suggested:
/lib/security/pam_localuser.so in the file system-auth.
You will always be able to connect as root even if the
LAN network didn't work.
The configuration that worked for me was the one
reported in the Microsoft document. Attribute names
hard-code the name and version of the package. Example:
msSFU30Gecos = Microsoft Services For Unix version 3.0.
Use the ldapsearch tool to verify that administrator can
make LDAP queries. If it worked, then you can do
troubleshooting on ldap.conf. If it worked from the
command line it will work with ldap.conf. It is only a
problem of parameter configuration.
Configure binddn=administrator and bindpw=
password_administrator_AD just to verify that you can
connect.
At this point, even though it worked, I decided to try
winbind:
with an anonymous AD user, in fact, in my experience it
cannot explore the LDAP tree to verify the msSFU30*
attributes, and I would have had to put a dedicated user
name in clear text in ldap.conf to do user
authentication.
In this case, however, any Linux user is able to read
ldap.conf and to do an ldapsearch listing the whole
password database (yes, only the encrypted
passwords, but for John the Ripper that is sufficient, I
think).
So I am going to try winbind. That's all. What about
the problem of the anonymous user and password security?
Did you resolve it?
I hope these notes could be useful for you.
Bye.
Donato.
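As an added example (not code from Donato's or Tom's mail, and not part of pam_ldap itself), the following POSIX shell script checks the two points raised above on constructed sample files: whether an ldap.conf that carries a bindpw line is readable by ordinary local users, and whether a PAM stack still contains the pam_localuser.so line that keeps local root able to log in when the directory is unreachable. The 192.0.2.10 host, the dc=example,dc=com base, the placeholder password and the sample PAM stack are all assumptions; nothing here touches the real /etc files.

```shell
#!/bin/sh
# Added example, not part of the original post: audit two settings from the
# thread against constructed sample files (no live AD, no real /etc files).

# Return 0 when the given ldap.conf contains a bindpw line AND the file has
# its world-readable bit set: the exposure Donato describes, where any local
# user can read the bind password and then dump the directory with ldapsearch.
ldap_conf_exposes_bindpw() {
    grep -Eq '^[[:space:]]*bindpw[[:space:]]' "$1" || return 1
    # find prints the path only if the "other read" bit (004) is set
    [ -n "$(find "$1" -perm -004 2>/dev/null)" ]
}

# Return 0 when the given PAM file has an active (non-comment) line that
# loads pam_localuser.so, the local-root safety net from the thread.
pam_has_localuser() {
    grep -Eq '^[[:space:]]*[a-z]+[[:space:]].*pam_localuser\.so' "$1"
}

# Write constructed sample files under the directory given as $1.
make_samples() {
    dir="$1"
    # ldap.conf with the bind credentials discussed in the thread, left
    # world-readable (the weak setting). Host, base and password are made up.
    cat > "$dir/ldap.conf" <<'EOF'
host 192.0.2.10
base dc=example,dc=com
binddn cn=administrator,cn=users,dc=example,dc=com
bindpw PLACEHOLDER_PASSWORD
nss_map_attribute gecos msSFU30Gecos
EOF
    chmod 644 "$dir/ldap.conf"

    # Same content restricted to the owner: ordinary users can no longer read it.
    cp "$dir/ldap.conf" "$dir/ldap.conf.restricted"
    chmod 600 "$dir/ldap.conf.restricted"

    # A constructed auth stack that includes the pam_localuser.so line.
    cat > "$dir/system-auth" <<'EOF'
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so
auth        sufficient    /lib/security/pam_localuser.so
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so
EOF
    # The same stack with the local-user line removed.
    grep -v 'pam_localuser' "$dir/system-auth" > "$dir/system-auth.nolocal"
}

# Stand-alone run: build the samples, report on each file, clean up.
demo=$(mktemp -d)
make_samples "$demo"
for f in ldap.conf ldap.conf.restricted; do
    if ldap_conf_exposes_bindpw "$demo/$f"; then
        echo "$f: bindpw present and file readable by other users"
    else
        echo "$f: bindpw not exposed to other users"
    fi
done
for f in system-auth system-auth.nolocal; do
    if pam_has_localuser "$demo/$f"; then
        echo "$f: pam_localuser.so present"
    else
        echo "$f: pam_localuser.so missing"
    fi
done
rm -rf "$demo"
```

The permission check looks only at the world-read bit, so a file readable by a group that ordinary users belong to would still pass; extend the find expression if that matters on your system. Restricting the file is also only one half of the fix: nss_ldap and pam_ldap additionally support rootbinddn, which keeps the bind password in the root-only /etc/ldap.secret instead of in ldap.conf, so that lookups done on behalf of root use the privileged bind while other users get the anonymous one.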
--- Tom Hodder <tom at ecnow.co.uk> wrote:
>
> Hi,
>
> I am using RHEL3 configured to use pam_ldap and
> Microsoft Active
> Directory LDAP as an authentication backend.
>
> It seems that if no password has been set for the AD
> user, then the user
> can login using any string as a password except a
> blank password. I
> looked at the string stored in the AD ldap for
> msSFU30password, and the
> value is "ABCD!efgh12345$67890"
>
> So the default behaviour for pam_ldap is to allow
> any password for these
> users, which is not good.
>
> Can I change this behaviour?
>
> Thanks,
>
> Tom