Total Hit Counter

Monday, May 18, 2015

Openldap pass-through authentication with active directory @CIGNEX Datamatics


1. Install cyrus-sasl, openldap servers and clients
yum install openldap-servers openldap-client* *cyrus*sasl*

2. Edit /etc/sysconfig/saslauthd as below
[root@localhost ~]# vim /etc/sysconfig/saslauthd 
[root@localhost ~]# cat /etc/sysconfig/saslauthd
SOCKETDIR=/run/saslauthd
MECH=ldap
FLAGS='-O /etc/saslauthd.conf'

3. Create /etc/saslauthd.conf and paste below content (AD details)
[root@localhost ~]# vim /etc/saslauthd.conf
[root@localhost ~]# cat /etc/saslauthd.conf
ldap_servers: ldap://172.16.197.138
ldap_search_base: CN=Users,dc=myad,dc=com
ldap_timeout: 10
ldap_filter: sAMAccountName=%U
ldap_bind_dn: CN=Administrator,CN=Users,dc=myad,dc=com
ldap_password: Test1234
ldap_deref: never
ldap_restart: yes
ldap_scope: sub
ldap_use_sasl: no
ldap_start_tls: no
ldap_version: 3
ldap_auth_method: bind

4. Create file /usr/lib64/sasl2/slapd.conf with below content.
[root@localhost ~]# vim /usr/lib64/sasl2/slapd.conf
[root@localhost ~]# cat /usr/lib64/sasl2/slapd.conf
pwcheck_method: saslauthd
saslauthd_path: /run/saslauthd/mux

5. Edit /etc/openldap/ldap.conf and add below lines.
sasl-host localhost
sasl-secprops none
BASE dc=myad,dc=com
URI ldap://localhost
[root@localhost ~]# tail -5 /etc/openldap/ldap.conf
sasl-host localhost
sasl-secprops none
BASE dc=myad,dc=com
URI ldap://localhost

6. Restart saslauthd and slapd service and test as below
/usr/sbin/testsaslauthd -u administrator -p Test123

8. Execute commands as below: 
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG 
chown ldap. /var/lib/ldap/DB_CONFIG 
service slapd restart

9. Get encrypted password using slappasswd command
[root@localhost ~]# slappasswd 
New password: 
Re-enter new password: 
{SSHA}rSzjUq/YAVYjnybwN01AsHYs3jHTeZam


10. create chrootpw.ldif as below content. Replase {SSHA}xxxxxxxxxxxxxxxxxxxxxx with output of above command.
[root@localhost ~]# vim chrootpw.ldif
[root@localhost ~]# cat chrootpw.ldif 
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}rSzjUq/YAVYjnybwN01AsHYs3jHTeZam

[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"


13. Execute below commands and get again encrypted password for your admin account using slappasswd command
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif 
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif 
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif 

[root@localhost ~]# slappasswd 
New password: 
Re-enter new password: 
{SSHA}HBRqaFKHvhq6EFF5T+MK9/oUN7WQB7Ov


14. Create chdomain.ldif as below. Replase {SSHA}xxxxxxxxxxxxxxxxxxxxxx with output of above command.
[root@localhost ~]# vim chdomain.ldif
[root@localhost ~]# cat chdomain.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
 read by dn.base="cn=Manager,dc=myad,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=myad,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=myad,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}HBRqaFKHvhq6EFF5T+MK9/oUN7WQB7Ov

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
 dn="cn=Manager,dc=myad,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=myad,dc=com" write by * read




15. Execute below command. 

[root@localhost ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"




16. Create basedomain.ldif with below content.

[root@localhost ~]# cat basedomain.ldif 
dn: dc=myad,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Myad Com
dc: myad

dn: cn=Manager,dc=myad,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=myad,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=myad,dc=com
objectClass: organizationalUnit
ou: Group


17. Execute below command. 

[root@localhost ~]# ldapadd -x -D cn=Manager,dc=myad,dc=com -W -f basedomain.ldif 
Enter LDAP Password: 
adding new entry "dc=myad,dc=com"

adding new entry "cn=Manager,dc=myad,dc=com"

adding new entry "ou=People,dc=myad,dc=com"

adding new entry "ou=Group,dc=myad,dc=com"


18. Create new user in ldap to map with AD. Create new file as below content

[root@localhost ~]# cat user.ldif 
dn: uid=user01,ou=People,dc=myad,dc=com
uid: user01
cn: user01
loginShell: /bin/bash
uidNumber: 2055
gidNumber: 100
sn: user01
homeDirectory: /home/o/user01
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: top
userPassword: {SASL}india@myad.com

19. ldapadd -x -D cn=Manager,dc=myad,dc=com -W -f user.ldif -v


ldapsearch -H ldap://172.16.197.152:389 -x -D "uid=user01,ou=People,dc=myad,dc=com" -W -b "uid=user01,ou=People,dc=myad,dc=com" -s sub -a always -z 1000 "(objectClass=*)" "objectClass"  | grep -v ^# | grep -v ^$

No comments: