Linux Authentication Against Active Directory on LDAP/SSL

LAAAD

SYSTEM        Linux / Windows 200X server
APPLICATION   Linux authentication against Active Directory through LDAP/SSL
ABSTRACT      Allows for integration of Linux workstations into Windows 200X (Active Directory) networks using standard protocols.
FEATURES      LDAP authentication against Active Directory:
              - user authentication from external Active Directory accounts (no local Linux user account needed)
              - SSL-secured queries
              - automatic creation of the home folder (directory) on login
              - open and close an SMB session to the user's folders on the SMB server, with automatic mount and unmount of the network volume
TECHNOLOGIES  Technologies used:
              - LDAP to query the centralized account database for authentication
              - SSL encryption of queries with either
                - OpenLDAP+OpenSSL, or
                - OpenLDAP+stunnel (which uses OpenSSL) as either an xinetd service or a standalone service, thus bypassing some nasty OpenLDAP bugs
              - NSS (Name Service Switch) to integrate Active Directory accounts
              - PAM for SMB session management and network volume mount and unmount (no need to be root)
              - PAM for automatic creation of the user home folder
              - all operations are possible over an SSH channel
AUTHOR        Bernard Bou bbou@ac-toulouse.fr
FEEDBACK      Bernard Bou bbou@ac-toulouse.fr
DATE          20/12/2004
VERSION       2.0
REVISION      2
KEY WORDS     Linux LDAP NSS SSL PAM Active Directory nss_ldap stunnel pam_mount pam_mkhomedir

Read this first

Modules

LAAAD inherits from the Unix tradition of integrating existing modules. Integration is carried out through shell or Python scripts. See the modules section and the list of installed or modified files for further details.

Things that LAAAD does

Active Directory
  • extend the Active Directory schema so that it contains Unix attributes: among other things, the posixAccount and posixGroup classes are defined
  • fill in these extra attributes (choose the user shell, point to the Unix user home directory, hash the password): this is performed by scripts, or by the optional additional DB2DIR software
  • install a certification authority if needed (necessary for next step)
  • certify domain directory servers (with Group Policies)
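The "fill in these extra attributes" step above is easiest to see as the LDIF change it produces. The script below is an added example, not LAAAD's own scripts or the DB2DIR software: it hashes the password in the {SSHA} form that OpenLDAP tools recognise and emits a changetype:modify LDIF that adds the RFC 2307 posixAccount class and its attributes to an existing AD user. The DN and user values are constructed samples, and the attribute that receives the hash (userPassword by default) is an assumption, since the real attribute name depends on the schema extension that was installed.

```python
"""
Added example (not LAAAD code): prepare the Unix attributes that the
"fill in these extra attributes" step stores on an Active Directory user.
Attribute names follow the RFC 2307 posixAccount class that the schema
extension adds; the DN and user values below are constructed samples.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an LDAP {SSHA} value: base64(sha1(password + salt) + salt).

    A fresh random salt per user defeats precomputed tables, but SHA-1 is a
    fast hash: the value must only ever cross the SSL/stunnel-protected link.
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a stored {SSHA} value (constant-time compare)."""
    if not stored.startswith(SSHA_PREFIX):
        return False
    try:
        raw = base64.b64decode(stored[len(SSHA_PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    if len(digest) != SHA1_LEN:
        return False
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_attr(name: str, value: str) -> str:
    """Render one LDIF attribute line, base64-encoding ('::') any value that
    RFC 2849 forbids as plain text: leading space/colon/'<', non-ASCII,
    or NUL/LF/CR bytes (e.g. a DN containing an accented display name)."""
    data = value.encode("utf-8")
    unsafe_start = value[:1] in (" ", ":", "<")
    unsafe_bytes = any(b > 127 or b in (0, 10, 13) for b in data)
    if not unsafe_start and not unsafe_bytes:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(data).decode('ascii')}"


def posix_modify_ldif(dn: str, uid: str, uid_number: int, gid_number: int,
                      home: str, shell: str, password_hash: str,
                      password_attr: str = "userPassword") -> str:
    """Build a changetype:modify LDIF adding posixAccount to an existing entry.

    Each attribute gets its own 'add:' block so a partially applied change is
    visible in the server log rather than silently merged. Numeric ids below
    1000 are rejected because they collide with local system accounts.
    """
    if uid_number < 1000 or gid_number < 1000:
        raise ValueError("uidNumber/gidNumber below 1000 collide with local accounts")
    if not home.startswith("/"):
        raise ValueError("homeDirectory must be an absolute path")
    attrs = [
        ("objectClass", "posixAccount"),
        ("uid", uid),
        ("uidNumber", str(uid_number)),
        ("gidNumber", str(gid_number)),
        ("homeDirectory", home),
        ("loginShell", shell),
        (password_attr, password_hash),  # attribute name is an assumption
    ]
    lines = [ldif_attr("dn", dn), "changetype: modify"]
    for name, value in attrs:
        lines += [f"add: {name}", ldif_attr(name, value), "-"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample user; feed the output to ldapmodify over the SSL link.
    h = ssha_hash("constructed-sample-password")
    print(posix_modify_ldif("CN=Jane Doe,CN=Users,DC=example,DC=local", "jdoe",
                            10001, 10000, "/home/jdoe", "/bin/bash", h))
```

The LDIF goes through ldapmodify on the SSL/stunnel channel; the {SSHA} value never needs to be readable by the workstation, only by the directory.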

Linux

  • make sure that openldap, openssl, stunnel, nss_ldap, pam_mount (and optionally python, tkinter) packages are installed
  • configure NSS, nss_ldap, LDAP and stunnel
  • configure pam_mount
  • configure pam_mkhomedir
  • do the above remotely, on an SSH channel

The whole install process on Linux workstations is automated by scripts, which keeps the workload minimal when a number of Linux workstations are installed. Moreover, remote operation is possible whenever an SSH connection is available.
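The "SSL-secure queries" property in the feature list depends on a few lines of the nss_ldap configuration on each workstation, and an automated rollout can silently leave them wrong. The audit script below is an added example, not part of LAAAD's install scripts: it parses a PADL-style /etc/ldap.conf and reports the settings that undo the design (cleartext queries to a remote host, an unverified server certificate, a bind password sitting in a world-readable file). The keys it inspects (host, uri, ssl, tls_checkpeer, tls_cacertfile, tls_cacertdir, bindpw, rootbinddn) are nss_ldap's own; the three configurations are constructed samples, including the stunnel layout in which nss_ldap speaks plaintext only to a loopback listener.

```python
"""
Added example (not LAAAD code): audit an nss_ldap/pam_ldap style
/etc/ldap.conf for settings that defeat the SSL-secured design.
The three configs are constructed samples, not files from the project.
"""
import ipaddress
from typing import Dict, List
from urllib.parse import urlsplit

WEAK_CONF = """\
# constructed sample: queries leave the box in cleartext, password exposed
host 192.168.1.10
base dc=example,dc=local
binddn cn=ldapreader,cn=Users,dc=example,dc=local
bindpw Secret123
ssl off
"""

HARDENED_CONF = """\
# constructed sample: TLS to the DC, CA pinned, peer verified
uri ldaps://dc1.example.local/
base dc=example,dc=local
ssl on
tls_cacertfile /etc/ssl/certs/example-ca.pem
tls_checkpeer yes
rootbinddn cn=ldapreader,cn=Users,dc=example,dc=local
"""

STUNNEL_CONF = """\
# constructed sample: nss_ldap talks plaintext only to a local stunnel
host 127.0.0.1
port 389
base dc=example,dc=local
ssl off
"""


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Map 'key value' lines to a dict; comments and blank lines are skipped.
    nss_ldap treats keys case-insensitively, so they are lower-cased here."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def _is_loopback(host: str) -> bool:
    """True for 127.x / ::1 / 'localhost', i.e. a local stunnel listener."""
    if not host:
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def audit_ldap_conf(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    conf = parse_ldap_conf(text)
    findings: List[str] = []
    uri = conf.get("uri", "")
    # 'host' may list several servers; the first one decides the check.
    host = conf.get("host", "").split()[0] if conf.get("host") else ""
    if uri and not host:
        host = urlsplit(uri).hostname or ""
    ssl_mode = conf.get("ssl", "off").lower()
    encrypted = ssl_mode in ("on", "start_tls") or uri.lower().startswith("ldaps://")
    if not encrypted and not _is_loopback(host):
        findings.append("cleartext: no ssl/start_tls/ldaps and the directory "
                        "host is not a local stunnel listener")
    if encrypted and conf.get("tls_checkpeer", "yes").lower() == "no":
        findings.append("tls_checkpeer no: the DC certificate is not verified, "
                        "so the TLS session can be intercepted")
    if encrypted and "tls_cacertfile" not in conf and "tls_cacertdir" not in conf:
        findings.append("no tls_cacertfile/tls_cacertdir: nothing to verify "
                        "the DC certificate against")
    if "bindpw" in conf:
        findings.append("bindpw in ldap.conf: the file is world-readable; use "
                        "rootbinddn so the password lives in /etc/ldap.secret (0600)")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF),
                        ("stunnel", STUNNEL_CONF)):
        print(label, audit_ldap_conf(conf) or ["ok"])
```

Run it against each workstation's /etc/ldap.conf after the scripted install (over the same SSH channel the install uses); the stunnel layout passes only because the loopback check assumes stunnel itself is configured to verify the server.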