Active Directory/LDAP Password Synchronization

Asked by wgrimes

I have a windows 2003 domain, and have added an Ubuntu (edgy) based postfix mailserver to the mix. In order to centralize user administration and security, I'd like to figure out a way to have the user information kept on the Ubuntu box synchronize with our Active Directory install. I have seen a lot of articles out there with solutions that are almost right, but seem to be not quite right.

The Ubuntu mailserver has local users, and the only thing that the server does is serve mail--the users have no shell access, and access their mail via Squirrelmail. Ubuntu users can change their password with a Squirrelmail plugin. Ubuntu users do not currently have corresponding users in Active Directory, but I can easily add them.

How is the best way to accomplish this? Am I even going about it in the right manner--is my thought process correct? Or should I go about this in a different manner?

Thanks in advance for your help. I can provide any further information necessary.

Wade

Question information

Language: English
Status: Answered
For: Ubuntu
Assignee: No assignee

Massimo Forti (slackwarelife) said :
#1

If I have understood, you have this situation:

AD server for identification
Ubuntu server for mail

You want to manage all the users present on the Ubuntu server using Active Directory. Is that right?

To do this the Ubuntu server does not use the user information present in /etc/passwd, but the information present in the LDAP server.
Can you specify the configuration of your Active Directory?

wgrimes (wgrimes) said :
#2

Hey, thanks a lot for the response--

You are exactly right. We want to use AD for all identification and user management, and Ubuntu server for mail. Exactly right.

We have a windows 2003 AD domain replicating between a win2k3 dc (holds global catalog and all fsmo roles) and a win2k dc. What kind of configuration are you looking for? I'll be happy to provide any information necessary....

Wade

Massimo Forti (slackwarelife) said :
#3

You can do this in a shell:

sudo apt-get update
sudo apt-get install libnss-ldap

A blue window starts:
1) enter the address of the Active Directory server in the first answer;
2) enter the address of the Active Directory server in the second answer;
3) enter the address of the Active Directory server

There are other questions; you reply to them.
After doing this you can edit the file /etc/libnss-ldap.conf like this:

# libnss-ldap.conf

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
host "your host"

# The distinguished name of the search base.
base dc=yourdomain,dc=com

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# RFC 2307 (AD) mappings
# <to> <from>
nss_map_attribute userPassword sambaPassword
nss_map_attribute gecos name
nss_map_attribute uid unixName
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
pam_filter objectclass=User
pam_password crypt

# Disable SASL security layers. This is needed for AD.
sasl_secprops maxssf=0

Then edit the file /etc/nsswitch.conf like this:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: files ldap
group: files ldap
shadow: files ldap

hosts: files dns mdns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

The getent command will show the name service contents, so with a user configured in Active Directory and libnss-ldap configured you should be able to see the extra users and groups:

$ getent passwd

It returns something like this:

gdm:x:106:111:Gnome Display Manager:/var/lib/gdm:/bin/false
test:x:1000:1000:Test,,,:/home/test:/bin/bash
wendy:x:1002:1002:wendy:/home/wendy:/bin/bash

$ getent group

gdm:x:111:
test:x:1000:
wendy:x:1002:

A simple file test will show whether Ubuntu understands a username from AD:

$ cd /tmp
$ touch moo
$ ls -l moo
-rw-rw-r-- 1 root root 0 2006-07-20 14:27 moo
$ sudo chown wendy moo
$ ls -l moo
-rw-rw-r-- 1 wendy root 0 2006-07-20 14:27 moo

To view the users via LDAP, install the ldap-utils package:

$ sudo apt-get install ldap-utils

$ ldapsearch -x -H ldap://yourhost "(objectClass=posixAccount)" sAMAccountName

# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (objectClass=posixAccount)
# requesting: sAMAccountName
#

# wendy, Users, EXAMPLE.COM
dn: cn=wendy,cn=Users,dc=EXAMPLE,dc=COM
sAMAccountName: wendy

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Now I want to know if you use Kerberos.

wgrimes (wgrimes) said :
#4

Firstly, this is really great information, thanks a lot.

So when I do this, will I need to migrate all the users from the Ubuntu server and give them accounts in Active Directory, or will it sync the data between the systems? Also, where will I manage these users from--Active Directory or the Ubuntu server? For instance, if I change the user's password in AD, will it flow through to Ubuntu?

Thanks again.

Massimo Forti (slackwarelife) said :
#5

I need one more piece of information to finish the how-to: do you use a Kerberos server to accept the identification?
It is important to test it in a virtual machine or on a test machine (it is not so easy to do it all). Probably we will have to modify something to get a working system.

The system architecture will be like this:

1) AD server with all users and passwords
2) Ubuntu mail server without local users (we change the PAM module identification)
3) all changes applied in AD apply in Ubuntu.

Is that what you want?

wgrimes (wgrimes) said :
#6

Yes, exactly what I want. All users in AD, all changes to AD apply to Ubuntu.

Massimo Forti (slackwarelife) said :
#7

Ok, but you must answer my question about the Kerberos server.

There is probably another problem: nsswitch binds to the LDAP server to search user information, and to do this it needs to use a user that has the correct privileges, usually the LDAP administrator because it can manage the server. In my configuration I prefer to create a user with fewer privileges, in order to increase security. Can you create a user that has sufficient privileges to add, delete and change user information without having power over the server?

wgrimes (wgrimes) said :
#8

Sorry for the delay--

We are *not* using a Kerberos server.

Massimo Forti (slackwarelife) said :
#9

We must change something:

besides the packages I mentioned before, you must install the pam-ldap module:

sudo apt-get install pam-ldap

The /etc/libnss-ldap.conf and the /etc/pam_ldap.conf must be like this:

## IMPORTANT
## The /etc/ldap.conf file is used by PAM. There is another ldap.conf file in
## /etc/openldap.
## The file, /etc/openldap/ldap.conf, is used by ldap tools, such as ldapsearch.
## If you intend to use those tools you will need to add a TLS_CACERT directive to that
## file also.

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space.
uri ldap://192.168.0.2

# MODIFY
# The distinguished name of the search base.
base dc=example,dc=org

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# MODIFY
# The distinguished name to bind to the server with.
# We will use the root dn until we can create a lesser privileged user.
binddn uid=your_less_users,ou=Users,dc=example,dc=org
bindpw your_less_users_pass

# MODIFY
# Note: "ou=Users" and "ou=Groups" should match what
# you entered in smb.conf for "ldap group suffix"
# and "ldap user suffix"
nss_base_passwd ou=Users,dc=example,dc=org?one
nss_base_passwd ou=Computers,dc=example,dc=org?one
nss_base_shadow ou=Users,dc=example,dc=org?one
nss_base_group ou=Groups,dc=example,dc=org?one
nss_initgroups_ignoreusers root,ldap

ssl no
pam_password md5
# We need to tell PAM where the certificate used to authenticate the LDAP
# server (i.e. is the LDAP server the one we think it is).
#tls_cacertfile /etc/ldap/cacert.pem
#tls_cacertdir /etc/ldap

# If you experience difficulty authenticating after enabling TLS, try uncommenting
# the next line. You will know that you are having problems if you
# issue "getent group" and do not see any of the MS Windows groups
# that have been created in your LDAP database.
#tls_checkpeer no

Then you must change the PAM modules; it is dangerous because it can break the server (if you make some errors you will probably not be able to log into your machines).
The PAM modules have another problem: when you change them the dbus daemon stops working correctly (you will not be able to use automount with USB and CD devices).
I don't know how to fix it; I modified my /etc/fstab and so I mount the devices from the shell.

The files you must change are in /etc/pam.d; edit them like this:

common-account:

account sufficient pam_ldap.so
account required pam_unix.so

common-auth:

auth sufficient pam_ldap.so nullok_secure
auth required pam_unix.so use_first_pass

common-password:

password sufficient pam_ldap.so
password required pam_unix.so try_first_pass nullok obscure min=4 max=8 md5

common-session:

session sufficient pam_ldap.so
session required pam_unix.so
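An added check, not from the thread or its participants, that a practitioner would run over the libnss-ldap/pam_ldap configuration shown in posts #3 and #9 before deploying it: it flags a bindpw sent over cleartext ldap:// with "ssl no", a disabled tls_checkpeer, and a bindpw kept in a world-readable file. The sample config, the nssproxy account and its password are constructed values.

```shell
#!/bin/sh
# Added example, not from the thread: audit a libnss-ldap / pam_ldap config for
# the weak settings in the thread's samples (ssl no, world-readable bindpw, tls_checkpeer no).

# Print the value of the first uncommented DIRECTIVE ($1) in FILE ($2).
ldap_directive() {
    sed -n "s/^[[:space:]]*$1[[:space:]][[:space:]]*//p" "$2" | head -n 1
}

# audit_ldap_conf FILE: print one WARN line per finding; return the count.
audit_ldap_conf() {
    conf=$1; findings=0
    uri=$(ldap_directive uri "$conf")
    ssl=$(ldap_directive ssl "$conf")
    bindpw=$(ldap_directive bindpw "$conf")
    checkpeer=$(ldap_directive tls_checkpeer "$conf")
    # The bind is encrypted only with an ldaps:// URI or ssl start_tls/on.
    encrypted=0
    case "$uri" in ldaps://*) encrypted=1 ;; esac
    case "$ssl" in start_tls|on|yes) encrypted=1 ;; esac
    if [ -n "$bindpw" ] && [ "$encrypted" -eq 0 ]; then
        echo "WARN: bindpw is sent in cleartext (uri '$uri', ssl '${ssl:-unset}')"
        findings=$((findings + 1))
    fi
    if [ "$encrypted" -eq 1 ] && [ "$checkpeer" = "no" ]; then
        echo "WARN: tls_checkpeer no: the server certificate is never verified"
        findings=$((findings + 1))
    fi
    # Column 8 of ls -l is the 'other' read bit; a file holding bindpw must not have it.
    other_read=$(ls -l "$conf" | cut -c8)
    if [ -n "$bindpw" ] && [ "$other_read" = "r" ]; then
        echo "WARN: $conf holds bindpw but is readable by every local user"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Demo on a constructed file mirroring the thread's /etc/pam_ldap.conf (made-up account/password).
demo_dir=$(mktemp -d)
cat > "$demo_dir/pam_ldap.conf" <<'EOF'
uri ldap://192.168.0.2
binddn uid=nssproxy,ou=Users,dc=example,dc=org
bindpw s3cret
ssl no
EOF
chmod 644 "$demo_dir/pam_ldap.conf"
audit_ldap_conf "$demo_dir/pam_ldap.conf" || echo "$? finding(s)"
rm -r "$demo_dir"
```

nss_ldap can also take the bind password from a root-only secret file via rootbinddn instead of a bindpw line, which removes the world-readable finding without changing the transport.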
