ldap_integration
Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revisionNext revisionBoth sides next revision | ||
ldap_integration [2009/08/14 08:58] – aorth | ldap_integration [2010/10/05 19:26] – aorth | ||
---|---|---|---|
Line 1: | Line 1: | ||
===== LDAP Integration ===== | ===== LDAP Integration ===== | ||
- | ILRI uses an Active Directory server for user authentication, | + | ILRI uses an Active Directory server for user authentication, |
+ | ===== Implementation ===== | ||
+ | Active Directory integration will work if we use Likewise-Open. | ||
+ | * HPC must have the correct time (AD authenticates via Kerberos, which is heavily sensitive to time) | ||
+ | * HPC must be able to access AD on several TCP ports (kerberos, LDAP, etc) | ||
+ | |||
+ | ===== Notes ===== | ||
+ | ===== Apache Authentication ===== | ||
+ | It's possible to use Basic authentication via Active Directory in web applications. | ||
+ | |||
+ | Make sure Apache has '' | ||
+ | < | ||
+ | # a2enmod perl | ||
+ | # apache2ctl graceful</ | ||
+ | |||
+ | Install the required perl dependencies for Apache and LDAP: | ||
+ | < | ||
+ | |||
+ | Install the required AD Auth package and any dependencies it has using CPAN: | ||
+ | < | ||
+ | > install Apache2:: | ||
+ | |||
+ | Then add a stanza such as this to your Apache config: | ||
+ | < | ||
+ | | ||
+ | | ||
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | # | ||
+ | | ||
+ | |||
+ | That stanza can go in a VirtualHost, | ||
+ | |||
+ | ==== Likewise-Open ==== | ||
+ | Open source standalone implementation of Samba, OpenLDAP, Kerberos, etc for Active Directory integration: | ||
+ | |||
+ | * open ports in Firewall (Active Directory, NTP, Kerberos) | ||
+ | * make sure time is in sync with the server! | ||
+ | * Likewise-Open has their own CIFS server but can also work with existing Samba installs I think | ||
+ | |||
+ | ==== Using ldapsearch on Linux ==== | ||
+ | Try to search from a Linux machine which can talk to the AD server (HPC is behind firewall): | ||
+ | < | ||
+ | |||
+ | < | ||
+ | Enter LDAP Password: | ||
+ | ldap_bind: Invalid credentials (49) | ||
+ | additional info: 80090308: LdapErr: DSID-0C090334, | ||
+ | According to the web this error means the user does not exist. | ||
+ | < | ||
+ | DEC: 1317 – ERROR_NO_SUCH_USER (The specified account does not exist.) | ||
+ | NOTE: Returns when username is invalid.</ | ||
+ | ==== binddn ==== | ||
+ | A note of possible interest regarding binding on Linux (from the [[http:// | ||
+ | < | ||
+ | You cannot bind as a user on port 389. I don't think they support TLS on port 389, but I have no tried in a | ||
+ | long time.</ | ||
+ | ==== Domain controller vs. Global catalog ==== | ||
+ | As ILRI has many AD domains and our users could be coming from anywhere, we need to query a server running the global catalog service instead of a normal domain controller. | ||
+ | < | ||
+ | on the standard LDAP port 389. However, domain controllers (including Global Catalog Servers) respond to LDAP | ||
+ | | ||
+ | | ||
+ | requests on port 3268, Microsoft' | ||
+ | with AD information from the entire AD forest. In multi-domain AD environments, | ||
+ | ILRI Kenya has three Active Directory servers, and from what I can tell two of them run a global catalog: | ||
+ | * 172.26.0.218 <- running a global catalog (port 3268) | ||
+ | * 172.26.0.219 | ||
+ | * 172.26.0.220 <- running a global catalog (port 3268) | ||
+ | |||
+ | ===== pam_cgiar_ldap.c ===== | ||
+ | Someone hacked up a PAM module several years ago which could be dropped into a Linux server and allow AD authentication with minimal configuration. | ||
+ | <note warning> | ||
+ | |||
+ | This was working once, using a // | ||
+ | * Compile the code: '' | ||
+ | * Link the code: '' | ||
+ | |||
+ | **pam_cgiar_ldap.c**: | ||
+ | <code c> | ||
+ | #define DEFAULT_USER " | ||
+ | |||
+ | #include < | ||
+ | |||
+ | /* | ||
+ | * here, we make definitions for the externally accessible functions | ||
+ | * in this file (these definitions are required for static modules | ||
+ | * but strongly encouraged generally) they are used to instruct the | ||
+ | * modules include file to define their prototypes. | ||
+ | */ | ||
+ | |||
+ | #define PAM_SM_AUTH | ||
+ | #define PAM_SM_ACCOUNT | ||
+ | #define PAM_SM_SESSION | ||
+ | #define PAM_SM_PASSWORD | ||
+ | |||
+ | #include < | ||
+ | #include < | ||
+ | #include < | ||
+ | #include < | ||
+ | #include < | ||
+ | #include < | ||
+ | |||
+ | int testBind(char* loginDN, char* password) | ||
+ | { | ||
+ | struct timeval timeOut = {10, | ||
+ | int returnValue=0; | ||
+ | char* pass2; | ||
+ | pass2=password; | ||
+ | char tempPass[100]; | ||
+ | |||
+ | // | ||
+ | strcat(loginDN," | ||
+ | //syslog (LOG_ERR, " | ||
+ | |||
+ | LDAP *ld; | ||
+ | int version = LDAP_VERSION3; | ||
+ | ldap_set_option( NULL, LDAP_OPT_PROTOCOL_VERSION, | ||
+ | ldap_set_option( NULL, LDAP_OPT_NETWORK_TIMEOUT, | ||
+ | ld = ldap_init(" | ||
+ | if (ld==NULL) printf(" | ||
+ | int rc; | ||
+ | //if (ldap_simple_bind_s( ld, loginDN, | ||
+ | if (ldap_simple_bind_s( ld, loginDN, | ||
+ | |||
+ | |||
+ | { | ||
+ | returnValue =0; | ||
+ | syslog (LOG_ERR, " | ||
+ | | ||
+ | } | ||
+ | else | ||
+ | { | ||
+ | | ||
+ | syslog (LOG_ERR, " | ||
+ | |||
+ | } | ||
+ | /* | ||
+ | FILE* outFile; | ||
+ | outFile=fopen ("/ | ||
+ | fprintf(outFile," | ||
+ | // if (rc==PAM_SUCCESS) | ||
+ | fprintf(outFile," | ||
+ | | ||
+ | */ | ||
+ | // return(0); | ||
+ | return (returnValue); | ||
+ | |||
+ | } | ||
+ | |||
+ | /* --- authentication management functions --- */ | ||
+ | |||
+ | PAM_EXTERN | ||
+ | int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc,const char **argv) | ||
+ | { | ||
+ | int retval,rc; | ||
+ | const char *user=NULL; | ||
+ | char *p; | ||
+ | //syslog (LOG_ERR, " | ||
+ | |||
+ | /* | ||
+ | * authentication requires we know who the user wants to be | ||
+ | */ | ||
+ | retval = pam_get_user(pamh, | ||
+ | if (retval != PAM_SUCCESS) { | ||
+ | D((" | ||
+ | return retval; | ||
+ | } | ||
+ | |||
+ | // rc=pam_get_item (pamh, PAM_AUTHTOK, | ||
+ | |||
+ | | ||
+ | if (user == NULL || *user == ' | ||
+ | D((" | ||
+ | retval = pam_set_item(pamh, | ||
+ | if (retval != PAM_SUCCESS) | ||
+ | return PAM_USER_UNKNOWN; | ||
+ | } | ||
+ | // user = NULL; /* clean up */ | ||
+ | |||
+ | // return PAM_SUCCESS; | ||
+ | |||
+ | //changes introduced by lavila | ||
+ | // I still cannot put this module on top of the stack | ||
+ | // I have to put it at least on second place | ||
+ | // or my password information returns null when using get_itme | ||
+ | // | ||
+ | rc=pam_get_item (pamh, PAM_AUTHTOK, | ||
+ | // if (rc == PAM_SUCCESS) | ||
+ | |||
+ | char luser[100]; | ||
+ | | ||
+ | // if (p!=NULL) | ||
+ | /* { | ||
+ | FILE* outFile; | ||
+ | outFile=fopen ("/ | ||
+ | fprintf(outFile," | ||
+ | fprintf(outFile," | ||
+ | fclose(outFile); | ||
+ | rc = testBind(luser, | ||
+ | }*/ | ||
+ | |||
+ | |||
+ | rc = testBind(luser, | ||
+ | |||
+ | // rc=0; | ||
+ | if (rc==1) | ||
+ | return PAM_SUCCESS; | ||
+ | else return PAM_AUTH_ERR; | ||
+ | |||
+ | // return PAM_USER_UNKNOWN; | ||
+ | // | ||
+ | |||
+ | |||
+ | |||
+ | } | ||
+ | |||
+ | PAM_EXTERN | ||
+ | int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc | ||
+ | , | ||
+ | { | ||
+ | | ||
+ | // return PAM_USER_UNKNOWN; | ||
+ | |||
+ | } | ||
+ | |||
+ | /* --- account management functions --- */ | ||
+ | |||
+ | PAM_EXTERN | ||
+ | int pam_sm_acct_mgmt(pam_handle_t *pamh,int flags,int argc | ||
+ | , | ||
+ | { | ||
+ | | ||
+ | |||
+ | } | ||
+ | |||
+ | /* --- password management --- */ | ||
+ | |||
+ | PAM_EXTERN | ||
+ | int pam_sm_chauthtok(pam_handle_t *pamh,int flags,int argc | ||
+ | , | ||
+ | { | ||
+ | | ||
+ | |||
+ | |||
+ | } | ||
+ | |||
+ | /* --- session management --- */ | ||
+ | |||
+ | PAM_EXTERN | ||
+ | int pam_sm_open_session(pam_handle_t *pamh,int flags,int argc | ||
+ | ,const char **argv) | ||
+ | { | ||
+ | return PAM_SUCCESS; | ||
+ | } | ||
+ | |||
+ | PAM_EXTERN | ||
+ | int pam_sm_close_session(pam_handle_t *pamh,int flags,int argc | ||
+ | ,const char **argv) | ||
+ | { | ||
+ | | ||
+ | } | ||
+ | |||
+ | /* end of module definition */ | ||
+ | |||
+ | #ifdef PAM_STATIC | ||
+ | |||
+ | /* static module data */ | ||
+ | |||
+ | /*struct pam_module_pam_permit_modstruct = { | ||
+ | " | ||
+ | struct pam_module_pam_cgiar_ldap_modstruct = { | ||
+ | " | ||
+ | pam_sm_authenticate, | ||
+ | pam_sm_setcred, | ||
+ | pam_sm_acct_mgmt, | ||
+ | pam_sm_open_session, | ||
+ | pam_sm_close_session, | ||
+ | pam_sm_chauthtok | ||
+ | }; | ||
+ | |||
+ | #endif | ||
+ | </ |