Sunday, March 9, 2008

Authenticating Linux to AD using idmap_ldap.

If the Active Directory schema has not been extended to define Linux/Unix attributes, the best and most hassle-free method of authenticating a Linux system to AD is the idmap_rid backend. idmap_ldap can also be used for this purpose: the sid-to-uid/gid mapping is saved in a backend ldap server and retrieved from the ldap database whenever required. Since it was the dominant method before the idmap_rid plugin was developed, I wish to include details on how to configure it.

The problem with the idmap_ldap backend is that it requires an additional ldap server to be running, possibly more than one for redundancy, which makes administering and managing the services a bit more complex. If there is already an ldap server in the network, using that server is fine. Below are step-by-step instructions on how to configure the ldap server and samba for this purpose. OpenLDAP is used as the ldap server in this setup.

How to set up the ldap server?

1 - Install openldap-servers package.

# yum install openldap-servers

2 - Below is my slapd.conf after removing comments.

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
database bdb
suffix "dc=samba,dc=example,dc=com"
rootdn "cn=admin,dc=samba,dc=example,dc=com"
rootpw password
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

3 - Below are the details of how I created slapd.pem.

# cd /etc/pki/tls/certs
# rm -f slapd.pem
# make slapd.pem

Give details on every prompt as appropriate.

# chown ldap:ldap slapd.pem

4 - Use the simple ldif file given below to initialize the ldap database.

dn: dc=samba,dc=example,dc=com
dc: samba
objectClass: top
objectClass: domain

dn: ou=idmap,dc=samba,dc=example,dc=com
ou: idmap
objectClass: top
objectClass: organizationalUnit

Initialize the database using the command below.

# slapadd -d 3 -l ldif-file

If you already have an ldap server running in your network, just add an OU named idmap under the ldap namespace hierarchy, add a user to the ldap database and give that user write permission to the OU.

5 - Start the ldap server.

# service ldap start

How to set up the Samba server?

I only include my smb.conf and some basic details on setting this up.

[global]
workgroup =
netbios name =
realm = SAMBA.EXAMPLE.COM
server string = RHEL4 Idmap Ldap Backend
security = ads
password server =
log file = /var/log/samba/%m.log
max log size = 50
printcap name = /etc/printcap
ldap admin dn = cn=admin,dc=samba,dc=example,dc=com
ldap delete dn = yes
ldap idmap suffix = ou=idmap
ldap suffix = dc=samba,dc=example,dc=com
idmap backend = ldap:"ldaps://ip or hostname of ldap server"
idmap uid = 1500-100000
idmap gid = 1500-100000
winbind separator = +
winbind use default domain = yes
cups options = raw
template shell = /bin/bash
winbind enum users = yes
winbind enum groups = yes

[homes]
comment = Home Directories
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

Add the password for "ldap admin dn" to the samba tdb database.

# smbpasswd -w password

Here, password is the rootpw value we defined in slapd.conf in the earlier step.

Here is what happens. Suppose you have 1000 users named user1 to user1000 in AD. When user1 logs in to system1, samba checks whether a sid/uid mapping is already present in the ldap database. If it finds one, it assigns that uid to user1. If it does not, it takes the next free uid from the defined range, assigns it to user1 and saves the sid/uid mapping in the ldap database. If, some time later, user1 tries to log in from machine B, samba on machine B checks whether a sid/uid mapping exists in the ldap database. It should find one and assign the same uid to user1.

Below is an example of how a sid/uid mapping is represented in the ldap database.

dn: sambaSID=S-1-5-21-2913803998-3319354983-1616611311-1001,ou=Idmap,dc=samba,dc=example,dc=com
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
uidNumber: 1504
sambaSID: S-1-5-21-2913803998-3319354983-1616611311-1001

The above entry implies that the AD user with SID S-1-5-21-2913803998-3319354983-1616611311-1001 should be assigned the uid 1504.

Restart winbind and verify that everything works as expected.
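
Because every machine trusts whatever uid the ldap database returns for a SID, it is worth auditing the contents of ou=idmap once mappings start to accumulate. The script below is an added example, not part of the original post: it parses an LDIF dump of ou=idmap (for instance from slapcat) and reports any uidNumber/gidNumber that lies outside the idmap range from the smb.conf above or that is assigned to more than one SID. The function names and the two bad sample entries are constructed for illustration.

```python
import re

# "idmap uid" and "idmap gid" ranges from the smb.conf above
RANGES = {"uidnumber": (1500, 100000), "gidnumber": (1500, 100000)}

# Constructed sample dump: the page's entry plus two made-up bad ones.
BASE = "S-1-5-21-2913803998-3319354983-1616611311"
SAMPLE_LDIF = f"""\
dn: sambaSID={BASE}-1001,ou=idmap,dc=samba,dc=example,dc=com
objectClass: sambaIdmapEntry
uidNumber: 1504
sambaSID: {BASE}-1001

dn: sambaSID={BASE}-1002,ou=idmap,dc=samba,dc=example,dc=com
objectClass: sambaIdmapEntry
uidNumber: 1504
sambaSID: {BASE}-1002

dn: sambaSID={BASE}-1003,ou=idmap,dc=samba,dc=example,dc=com
objectClass: sambaIdmapEntry
uidNumber: 500
sambaSID: {BASE}-1003
"""

def parse_ldif(text):
    """Return one {lowercased attribute: [values]} dict per LDIF entry."""
    entries = []
    # Unfold wrapped lines (continuations start with one space), then split on blank lines.
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text).strip()):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def audit_idmap(ldif_text):
    """Return a list of findings; an empty list means the dump is clean."""
    findings, owners = [], {}
    # Only entries carrying a sambaSID are mappings; the OU itself is skipped.
    for e in (x for x in parse_ldif(ldif_text) if "sambasid" in x):
        sid = e["sambasid"][0]
        for attr, (lo, hi) in RANGES.items():
            for raw in e.get(attr, []):
                if not raw.isdigit() or not lo <= int(raw) <= hi:
                    findings.append(f"{sid}: {attr}={raw} outside {lo}-{hi}")
                elif owners.setdefault((attr, int(raw)), sid) != sid:
                    findings.append(f"{attr}={raw} shared by {owners[(attr, int(raw))]} and {sid}")
    return findings
```

Any finding is a reason to check which accounts have write permission to ou=idmap, since a wrong entry there changes file ownership on every machine that uses the mapping.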