LDAP + Active Directory Configuration Part 1
In this tutorial I am going to show you how to set up an LDAP directory that works together with Active Directory: Active Directory holds the usernames and passwords, while the LDAP directory holds the groups and authorizations for the Linux domain.
In this setup I am going to cover:
- Two 389 Directory Servers on CentOS 7
- Both of those servers joined as members of the Windows domain, with the PAM Pass-Through plugin enabled
- One load balancer
- Single-master replication between the two 389 Directory Servers
The goal
The environment:
First step: configure the LDAP server as a member of the Windows domain.
This is needed because our LDAP server will pass the username and password through to Active Directory, which validates both. To get there, we need to configure the sssd service.
Make sure the clocks on the LDAP server and the Active Directory server are synchronized; Kerberos will not work properly otherwise.
Configure DNS on the LDAP server to point at your Active Directory IP address. In my case the domain is sergio.lab and the AD IP is 10.0.2.6:
cat /etc/resolv.conf
search sergio.lab
nameserver 10.0.2.6
Now install the following packages:
yum install krb5-workstation samba-common-tools sssd-ad
Now set up Kerberos in /etc/krb5.conf as follows:
[logging]
default = FILE:/var/log/krb5libs.log

[libdefaults]
default_realm = SERGIO.LAB
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
rdns = false
forwardable = yes
Now configure Samba in /etc/samba/smb.conf:
[global]
workgroup = SERGIO
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
log file = /var/log/samba/%m.log
password server = AD.SERGIO.LAB
realm = SERGIO.LAB
security = ads
In case you have multiple Active Directory servers, list them as follows:
[global]
workgroup = SERGIO
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
log file = /var/log/samba/%m.log
password server = AD.SERGIO.LAB, AD2.SERGIO.LAB, *
realm = SERGIO.LAB
security = ads
Note: the trailing asterisk lets Samba locate any other domain controller on its own, so it is the safest fallback for reaching AD.
The next step is to add the Linux server to the Active Directory domain (you will need an administrative user).
First obtain Kerberos credentials for that user.
Then add the server to the domain:
net ads join -k -S ad.sergio.lab -U Administrator
This creates the /etc/krb5.keytab file.
We are almost done.
Again, if you have multiple AD servers, make sure they are all listed in the krb5.conf file as follows:
Now run the following command to enable sssd for system authentication:
authconfig --update --enablesssd --enablesssdauth --enablemkhomedir
/etc/sssd/sssd.conf:

[sssd]
domains = sergio.lab
services = nss, pam, pac
config_file_version = 2

[domain/sergio.lab]
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
ad_server = ad.sergio.lab
ad_domain = sergio.lab
cache_credentials = true
use_fully_qualified_names = false
default_shell = /bin/bash
override_homedir = /home/%d/%u
ignore_group_members = true
ldap_referrals = false
Notice ldap_referrals = false and ignore_group_members = true; these can boost performance in large environments. Also check that /etc/sssd/sssd.conf is owned by root (user and group) and has 600 file permissions.
You can add more AD servers to ad_server as comma-separated values:
ad_server = ad.sergio.lab, ad2.sergio.lab
systemctl restart sshd.service
systemctl restart sssd.service
To test your setup, run the id command followed by a username from the AD domain; it should return that user's information from the AD server.
So far, we have our Linux server joined to the Windows domain.
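As an added example (not part of the original post), here is a small sanity-check script for the configuration built up above. It verifies the security-relevant keys in sssd.conf (AD providers, credential caching, the referral and group-member tuning) and smb.conf (security = ads, SMB client signing, keytab-based Kerberos), and enforces the root-owned, mode 600 requirement on sssd.conf. The demo files written by make_demo_configs are constructed copies of the tutorial's configs; on a joined server call check_sssd and check_smb with /etc/sssd/sssd.conf and /etc/samba/smb.conf instead.

```shell
#!/bin/sh
# Added example, not from the original post: post-join sanity check for the
# sssd.conf and smb.conf settings in the tutorial. Demo files are constructed.

# Print the value of "KEY = value" from an ini-style file (first match, trimmed).
get_ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# check_key FILE KEY EXPECTED: 0 if the key holds exactly EXPECTED, else 1.
check_key() {
    val=$(get_ini_value "$1" "$2")
    if [ "$val" = "$3" ]; then
        echo "ok    $2 = $val"
        return 0
    fi
    echo "FAIL  $2 = '$val' (expected '$3') in $1" >&2
    return 1
}

# check_perms FILE: 0 if mode is 600 (and owner root:root when run as root).
check_perms() {
    perm_rc=0
    mode=$(stat -c %a "$1")
    [ "$mode" = "600" ] || { echo "FAIL  $1 has mode $mode, expected 600" >&2; perm_rc=1; }
    if [ "$(id -u)" -eq 0 ]; then
        owner=$(stat -c %U:%G "$1")
        [ "$owner" = "root:root" ] || { echo "FAIL  $1 owned by $owner, expected root:root" >&2; perm_rc=1; }
    else
        echo "skip  ownership check for $1 (not running as root)"
    fi
    return $perm_rc
}

# check_sssd FILE: the sssd.conf keys the tutorial relies on, plus permissions.
check_sssd() {
    sssd_rc=0
    for pair in "id_provider=ad" "auth_provider=ad" "access_provider=ad" \
                "cache_credentials=true" "ldap_referrals=false" \
                "ignore_group_members=true"; do
        check_key "$1" "${pair%%=*}" "${pair#*=}" || sssd_rc=1
    done
    check_perms "$1" || sssd_rc=1
    return $sssd_rc
}

# check_smb FILE REALM: the smb.conf keys that make the AD join Kerberos-only.
check_smb() {
    smb_rc=0
    for pair in "security=ads" "client signing=yes" "client use spnego=yes" \
                "kerberos method=secrets and keytab" "realm=$2"; do
        check_key "$1" "${pair%%=*}" "${pair#*=}" || smb_rc=1
    done
    return $smb_rc
}

# make_demo_configs DIR: constructed copies of the tutorial's two config files.
make_demo_configs() {
    cat > "$1/sssd.conf" <<'EOF'
[sssd]
domains = sergio.lab
services = nss, pam, pac
config_file_version = 2

[domain/sergio.lab]
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
ad_server = ad.sergio.lab
ad_domain = sergio.lab
cache_credentials = true
use_fully_qualified_names = false
default_shell = /bin/bash
override_homedir = /home/%d/%u
ignore_group_members = true
ldap_referrals = false
EOF
    chmod 600 "$1/sssd.conf"
    cat > "$1/smb.conf" <<'EOF'
[global]
workgroup = SERGIO
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
log file = /var/log/samba/%m.log
password server = AD.SERGIO.LAB
realm = SERGIO.LAB
security = ads
EOF
}

# Demo run against the constructed files.
demo_dir=$(mktemp -d)
make_demo_configs "$demo_dir"
if check_sssd "$demo_dir/sssd.conf" && check_smb "$demo_dir/smb.conf" SERGIO.LAB; then
    echo "PASS: demo configs match the tutorial's settings"
fi
rm -rf "$demo_dir"
```

A loosened sssd.conf (for example mode 644, or ldap_referrals flipped to true) makes the corresponding check return non-zero, so the script can sit in a configuration-drift job for both ds1 and ds2.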
These steps are repeated on the second Linux server, ds2.sergio.lab.
In the next part of the tutorial we will install the 389 Directory Server, create a self-signed certificate for clients and configure LDAP replication. See you on the flip side.
Your thoughts and suggestions are always welcome, please feel free to comment or ask questions if you need a hand.