Authenticating Against Active Directory: Paul Nijjar
Paul Nijjar
Waterloo Wellington IT Professionals Group
June 27 2011
The Issue
Active Directory gives you a store of usernames, passwords and security groups. Maintaining multiple sets of usernames/passwords is a pain. Sometimes companies other than Microsoft create tools that you want to use in your organization. Wouldn't it be nice to authenticate against Active Directory?
Active Directory (AD) is a big Lightweight Directory Access Protocol (LDAP) database/directory. Domain logins are done via Kerberos (but other authentication is not...). Idea: third-party applications can authenticate via LDAP lookups.
An understanding of the Active Directory structure for your organization.
A minimally privileged user to do LDAP lookups.
LDAP support for the application you are authenticating.
Blissful ignorance of the security implications involved.
My Environment
Active Directory (forest level Windows 2003)
Clients/webapps running on Debian or Ubuntu GNU/Linux
LDAP Structure
Think of AD as a folder structure, with DCs, OUs and CNs as the folders and attributes as the files. You need the path to your users and groups, e.g.
CN=Paul Nijjar,CN=Staff,OU=TWC,DC=theworkingcentre,DC=org
The attribute for username is sAMAccountName.
Tools: adsiedit.msc, AD Users and Computers, ldp.exe
Lookup User
AD does not allow anonymous LDAP lookups, so I made a user, LDAP Lookups, and gave it access (Delegate Control) to read all attributes in AD Users and Computers.
The password for this account will often be stored in plaintext, so lock it down:
Take the user out of the Domain Users group
Restrict the computers the user can log into
Keep the user in a distinct OU from your regular users (?)
Keep track of the LDAP path for this user, e.g.
CN=LDAP Lookups,CN=Users,DC=theworkingcentre,DC=org
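The two things an application does with these paths are split a DN into its containers (to find the search base and the container a user lives in) and build a search filter on sAMAccountName from whatever the user typed into a login form. The helpers below are added example code, not part of the presentation: the DNs are the ones quoted on the slides, the function names are my own, and the escaping follows RFC 4514 (DNs) and RFC 4515 (filters) so that a login name containing `*`, `(` or `)` cannot change the meaning of the lookup the LDAP Lookups account performs.

```python
"""DN and filter helpers for the AD paths used on these slides.

Added example code, not from the original presentation. The DNs are the ones
quoted on the slides; the function names are my own.
"""
from __future__ import annotations

# RFC 4515: characters that must be hex-escaped inside a search filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it can only ever match one attribute value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(login: str) -> str:
    """Filter for the lookup account to find a user by sAMAccountName.

    The login comes from a web form, so it is escaped: without this, input
    like 'a)(objectClass=*' becomes part of the filter logic instead of the
    name being searched for.
    """
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(login)}))"


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (type, value) pairs, leaf first, honouring RFC 4514
    backslash escapes so a CN such as 'Nijjar\\, Paul' keeps its comma.
    Values are returned unescaped."""
    rdns: list[str] = []
    buf: list[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().upper(), value))
    return pairs


def base_dn(dn: str) -> str:
    """The domain part of a DN, which is the search base for lookups."""
    return ",".join(f"DC={v}" for t, v in split_dn(dn) if t == "DC")


def container_of(dn: str) -> str:
    """The container holding the object, e.g. the OU the lookup user lives in.
    Only backslash and comma are re-escaped when the RDNs are joined again."""
    def esc(v: str) -> str:
        return v.replace("\\", "\\\\").replace(",", "\\,")
    return ",".join(f"{t}={esc(v)}" for t, v in split_dn(dn)[1:])


if __name__ == "__main__":
    me = "CN=Paul Nijjar,CN=Staff,OU=TWC,DC=theworkingcentre,DC=org"
    print(base_dn(me))
    print(container_of(me))
    print(user_filter("pnijjar"))
    print(user_filter("*"))
```

Feed `user_filter` the raw form input and nothing else; the bind DN for the LDAP Lookups account and the search base come from configuration, never from the user.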
Examples
# Require groups
AuthLDAPGroupAttributeIsDN on
require ldap-group CN=it-department,OU=Groups,OU=TWC,DC=theworkingcentre,DC=org
# Prevent "Internal error: pcfg_openfile() called with NULL filename" errors
AuthUserFile /dev/null
Request Tracker is a trouble-ticket system. I needed a third-party module to do LDAP authentication for it.
More RT authentication
# Could filter more here...
$LdapFilter = "(objectclass=user)";
# Map LDAP attributes to RT3 user fields
$LdapMap = {
    Name         => $RT::LdapUidAttr,
    EmailAddress => 'mail',
    RealName     => 'cn',
};
Other Apps
Cacti graphing system
Drupal content management system
Mediawiki
Anything that has an LDAP plugin should work.
Licencing!
Your domain controllers run on Windows Server (duh)
Anything that accesses Windows Server requires a CAL (even DHCP leases!)
So LDAP lookups definitely require CALs
Security!
Is central authentication a good idea?
By default, LDAP lookups on port 389 are unencrypted! (Including passwords?)
Websites without SSL throw around passwords or their hashes in cleartext!
Any sloppy implementation jeopardizes the security of Active Directory!
More reading: The Godzilla Security Tutorial, Part 3:
http://www.cs.auckland.ac.nz/~pgut001/tutorial/
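The cleartext problems on this slide show up in the Apache configuration before anything is deployed, so they can be checked there. The script below is an added example, not from the presentation: it reads the LDAP-related directives of a mod_authnz_ldap section and flags an `ldap://` URL with no TLS, a plaintext bind password, and Basic authentication without `SSLRequireSSL`. The two configurations it audits are constructed (example.org, dc1.example.org and REPLACE_ME are placeholders); AuthLDAPURL, AuthLDAPBindDN, AuthLDAPBindPassword, LDAPTrustedMode and SSLRequireSSL are real Apache directives, while the audit rules and function names are my own.

```python
"""Audit mod_authnz_ldap settings for the cleartext problems listed on the slide.

Added example, not from the original presentation. The two configurations
below are constructed for illustration (example.org, dc1.example.org and
REPLACE_ME are placeholders); AuthLDAPURL, AuthLDAPBindDN,
AuthLDAPBindPassword, LDAPTrustedMode and SSLRequireSSL are real Apache
directives; the audit rules are my own.
"""
from __future__ import annotations
from urllib.parse import urlsplit

# Constructed sample: LDAP on port 389 without TLS, Basic auth on a plain vhost.
WEAK_CONFIG = """
<Location /tickets>
    AuthType Basic
    AuthName "Staff"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://dc1.example.org:389/DC=example,DC=org?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=LDAP Lookups,CN=Users,DC=example,DC=org"
    AuthLDAPBindPassword "REPLACE_ME"
    AuthLDAPGroupAttributeIsDN on
    require ldap-group CN=it-department,OU=Groups,DC=example,DC=org
    AuthUserFile /dev/null
</Location>
"""

# Same section with the LDAP connection and the browser side both encrypted.
HARDENED_CONFIG = WEAK_CONFIG.replace(
    "ldap://dc1.example.org:389/", "ldaps://dc1.example.org:636/"
).replace("    AuthType Basic\n", "    SSLRequireSSL\n    AuthType Basic\n")


def parse_directives(config: str) -> dict[str, str]:
    """Map directive name (lower-cased) to its unquoted value; ignores
    comments and the <Location> wrapper. The last occurrence wins."""
    found: dict[str, str] = {}
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "<")):
            continue
        name, _, value = line.partition(" ")
        found[name.lower()] = value.strip().strip('"')
    return found


def audit_ldap_auth(config: str) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    d = parse_directives(config)
    findings: list[str] = []
    url = d.get("authldapurl")
    if url is None:
        findings.append("no AuthLDAPURL: the ldap provider has nothing to query")
    else:
        parts = urlsplit(url)
        port = parts.port or (636 if parts.scheme == "ldaps" else 389)
        # ldaps:// wraps the connection in TLS; LDAPTrustedMode TLS upgrades a
        # plain ldap:// connection with STARTTLS. Anything else is cleartext.
        tls = parts.scheme == "ldaps" or d.get("ldaptrustedmode", "NONE").upper() in ("SSL", "TLS")
        if not tls:
            findings.append(
                f"AuthLDAPURL {parts.scheme}://{parts.hostname}:{port} without TLS: "
                "the bind password and every user's password cross the network in cleartext"
            )
    if "authldapbindpassword" in d:
        findings.append(
            "AuthLDAPBindPassword is stored in plaintext: keep the file unreadable "
            "to other users and keep the lookup account minimally privileged"
        )
    if d.get("authtype", "").lower() == "basic" and "sslrequiressl" not in d:
        findings.append(
            "Basic auth without SSLRequireSSL in this section: the browser sends the "
            "password base64-encoded, not encrypted, unless the site is HTTPS-only"
        )
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}:")
        for finding in audit_ldap_auth(cfg) or ["nothing flagged"]:
            print("  -", finding)
```

The hardened configuration still produces one finding: the bind password for the lookup account is always in the file, which is exactly why the earlier slide locks that account down and why the file's permissions matter.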
The End
Use winbind from the Samba suite to enumerate every user and password in Active Directory.
Store Linux user information in Active Directory directly, using PAM, Kerberos and LDAP.
Both approaches require you to configure both LDAP lookups and Kerberos authentication.
Winbind
The likewise-open package makes the Winbind method easy, but it appears to be incompatible with newer releases of Samba.
Manual instructions: https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto
Advantage: works with AD forest level 2003 without schema modifications.
Disadvantage: enumerating users for big domains is inefficient.
Direct Method
Instructions: https://help.ubuntu.com/community/ActiveDirectoryHowto
Advantage: this is the most similar to Windows client interactions.
Disadvantage: you must modify the AD schema for forest level 2003 or lower, using the Services for UNIX package. (Server 2003 R2 and higher include the schema changes natively.)