[rhn-users] pam_ldap authentication against AD

lin77sys lin77sys at yahoo.it
Fri Feb 10 07:17:03 UTC 2006


Hi Tom, I tried to configure Linux authentication with
AD some weeks ago. This contains some short notes and
references about my experience with Linux and AD.

To have an idea about the problem read:
http://enterprise.linux.com/enterprise/04/12/09/2318244.shtml?tid=102&tid=101&tid=100

To install and configure either Active Directory on Win
2003 or the LDAP client on Linux, read:
http://www.microsoft.com/technet/itsolutions/cits/interopmigration/unix/usecdirw/08wsdsu.mspx#EEAA

Other useful info:
http://www.novell.com/it-it/coolsolutions/appnote/15120.html
http://www.saas.nsw.edu.au/solutions/ldap-auth1.html

This is a “distilled” version of my experience:

For the experiment I used a physically isolated network
switch to which I connected two PCs: a domain server and
a Linux Red Hat AS v3, in order to avoid mistakes and
damage to my company's Windows domain.

Some hints:

Always have a root terminal open so that you do not get
locked out of your Linux box, especially when you
configure PAM. Make copies of the original
configuration files and read this first:
http://enterprise.linux.com/enterprise/04/12/09/2318244.shtml?tid=102&tid=101&tid=100

I inserted this line as suggested:
 /lib/security/pam_localuser.so in the file system-auth.
You will always be able to connect as root even if the
LAN network does not work.

The configuration that worked for me was the one
reported in the Microsoft document. The attribute names
embed the name and version of the package. Example:
msSFU30Gecos = Microsoft Services For Unix version 3.0.

Use the ldapsearch tool to verify that the administrator
can make LDAP queries. If it works, then you can do the
troubleshooting on ldap.conf. If it works from the
command line it will work with ldap.conf; it is only a
problem of parameter configuration.

Configure binddn=administrator and bindpw =
password_administrator_AD just to verify that you can
connect.

At this point, even though it worked, I decided to try
winbind:
the anonymous AD user, in fact, in my experience cannot
explore the LDAP tree to verify the msSFU30* attributes,
and I would have had to put a dedicated user name in clear
text in ldap.conf to do user authentication.
In this case, however, any Linux user is able to read
ldap.conf and to do an ldapsearch listing the whole
password database (yes, only the encrypted
password, but for “John the Ripper” that is sufficient, I
think).

So I am going to try winbind. That's all. What about
the problem of the anonymous user and password security?
Did you resolve it?

I hope these notes can be useful for you.

Bye.

Donato. 


--- Tom Hodder <tom at ecnow.co.uk> wrote:

> 
> Hi,
> 
> I am using RHEL3 configured to use pam_ldap and
> Microsoft Active Directory LDAP as an authentication
> backend.
> 
> It seems that if no password has been set for the AD
> user, then the user can login using any string as a
> password except a blank password. I looked at the
> string stored in the AD LDAP for msSFU30password, and
> the value is "ABCD!efgh12345$67890"
> 
> So the default behaviour for pam_ldap is to allow
> any password for these users, which is not good.
> 
> Can I change this behaviour?
> 
> Thanks,
> 
> Tom
> 
> 
> 
> 
> _______________________________________________
> rhn-users mailing list
> rhn-users at redhat.com
> https://www.redhat.com/mailman/listinfo/rhn-users
> 



		
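As an added example, not code from either message in this thread: a small POSIX shell audit for the exposure Donato describes at the end of his notes (a bind password sitting in a world-readable /etc/ldap.conf), shown beside the rootbinddn / /etc/ldap.secret layout that PADL nss_ldap and pam_ldap support so that the credential is only readable by root. The host, base DN, password and file names in the two sample configurations are constructed for the demo; the msSFU30Gecos mapping line follows the Services for UNIX 3.0 attribute naming the notes mention.

```shell
#!/bin/sh
# Added example (not from the thread): audit an nss_ldap/pam_ldap ldap.conf for a
# bind password that every local user can read, and show the root-only layout.
# All paths and values below are constructed for the demo.

# audit_ldap_conf FILE
#   prints one word and returns:
#     0 "clean"      -> no uncommented bindpw directive in the file
#     1 "restricted" -> bindpw present, but group/other cannot read the file
#     2 "exposed"    -> bindpw present AND group/other can read the file
#     3 "missing"    -> file does not exist
audit_ldap_conf() {
    conf="$1"
    [ -f "$conf" ] || { echo "missing"; return 3; }
    # an uncommented bindpw directive (matched case-insensitively to be conservative)
    if ! grep -Eiq '^[[:space:]]*bindpw[[:space:]]' "$conf"; then
        echo "clean"
        return 0
    fi
    # octal mode: GNU stat first, BSD stat as fallback
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
    # keep only the group and other digits; a read bit means the digit is 4..7
    go=$(printf '%s' "$mode" | tail -c 2)
    if printf '%s' "$go" | grep -q '[4-7]'; then
        echo "exposed"
        return 2
    fi
    echo "restricted"
    return 1
}

# demo: build the two constructed configurations in a temp dir and audit both
demo() {
    dir=$(mktemp -d)

    # 1) the quick "does it bind at all" setup from the thread: binddn/bindpw in
    #    a world-readable ldap.conf (host, DN and password are constructed)
    cat > "$dir/ldap.conf" <<'EOF'
host 192.0.2.10
base dc=example,dc=com
binddn cn=administrator,cn=Users,dc=example,dc=com
bindpw ExamplePassword123
scope sub
# Services for UNIX 3.0 attribute mapping, as in the Microsoft document
nss_map_attribute gecos msSFU30Gecos
EOF
    chmod 644 "$dir/ldap.conf"

    # 2) the hardened layout: rootbinddn in ldap.conf, the password alone in
    #    ldap.secret with mode 0600, so only root-run services can use it
    cat > "$dir/ldap.conf.hardened" <<'EOF'
host 192.0.2.10
base dc=example,dc=com
rootbinddn cn=administrator,cn=Users,dc=example,dc=com
scope sub
nss_map_attribute gecos msSFU30Gecos
EOF
    chmod 644 "$dir/ldap.conf.hardened"
    printf 'ExamplePassword123\n' > "$dir/ldap.secret"
    chmod 600 "$dir/ldap.secret"

    echo "world-readable bindpw:  $(audit_ldap_conf "$dir/ldap.conf")"
    echo "rootbinddn + ldap.secret: $(audit_ldap_conf "$dir/ldap.conf.hardened")"
    rm -rf "$dir"
}

# On a real box run: audit_ldap_conf /etc/ldap.conf
demo
```

The check is deliberately mode-based rather than access-based: it reports the file as exposed whenever the group or other read bit is set, even when run as root, because the question is what an ordinary local user could read, not what the auditor can.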



