Using LDAP for authentication against the CGIAR Active Directory for SSH, local and GUI logins to a Linux computer.
Properly configured user accounts in the active directory (UserPrincipalName property in the form email@example.com)
Authentication on a Linux PC’s is managed by PAM modules (Pluggable Authentication Modules). A special PAM module should be used, configured to test username an password credentials against an Active Directory domain controller. An PAM module of that sort has been implemented by CIP for authenticating users to the HPC.
Compiling the sources of the custom LDAP module:
gcc -fPIC -c pam_cgiar_ldap.c
Linking the sources
ld -x –shared -o pam_cgiar_ldap.so pam_cgiar_ldap.o –lldap
The library pam_cgiar_ldap.so must be copied where the other PAM modules are saved, that is:
on the HPC
PAM configuration files for each PAM enabled application we want to work with should be configured.
Remember than when using the pam_cgiar_ldap.so module in the PAM file it cannot be on top of the auth stack.
For example to use LDAP authentication for SSH logins we shall include into the file /etc/pam.d/sshd a call to our custom PAM module.
See document: CGIAR-HPC-COP.doc