ldap_integration [2009/08/20 09:31] 172.26.0.166 → ldap_integration [2012/02/06 08:43] (current) – [Apache Authentication] aorth

  
ILRI uses an Active Directory server for user authentication, primarily for Exchange e-mail services.  Active Directory is Microsoft's directory service: an LDAP directory with Kerberos authentication and a number of proprietary extensions on top.  Currently users have an Active Directory username and password for their Windows-centric single sign-on and e-mail, and then a separate account for use with the HPC.  Linux can be configured to authenticate users against Active Directory instead.

===== Implementation =====

Active Directory integration works if we use Likewise-Open.  It has been tested in a virtual server environment, but requires a few network changes to work on the HPC:
  * HPC must have the correct time (AD authenticates via Kerberos, which by default rejects clients whose clocks are more than 5 minutes off the domain controller's)
  * HPC must be able to reach AD on several TCP ports (Kerberos 88, LDAP 389, global catalog 3268, SMB 445, DNS 53, plus NTP on UDP 123)
  
===== Notes =====
===== Apache Authentication =====
Apache can do HTTP Basic authentication against Active Directory, so web applications can accept AD usernames and passwords instead of keeping their own.  Basic authentication sends the password base64-encoded, not encrypted, so only enable this on an HTTPS virtual host.

Make sure Apache has ''mod_perl'' installed and working first:
<code># apt-get install libapache2-mod-perl2 libapache2-mod-perl2-dev
# a2enmod perl
# apache2ctl graceful</code>

Install the required Perl dependencies for Apache and LDAP:
<code># apt-get install libauthen-simple-ldap-perl</code>

Install the required AD Auth package and any dependencies it has using CPAN:
<code>$ sudo cpan
> install Apache2::AuthenMSAD</code>

Then add a stanza such as this to your Apache config:
<file>
   # Put this in an HTTPS vhost: Basic auth exposes the AD password otherwise
   AuthName "Microsoft Active Directory Authentication"
   AuthType Basic

   PerlAuthenHandler Apache2::AuthenMSAD
   PerlSetVar MSADDomain ilri.cgiarad.org
   PerlSetVar MSADServer 172.26.0.218

   # either accept any AD account that authenticates...
   #Require valid-user
   # ...or restrict access to specific users
   Require user aorth akihara</file>

That stanza can go in a VirtualHost, a Directory, a Location, etc.  Restart Apache and you're golden.
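To see what such a handler does on the wire, here is an added Python model.  It is not the Apache2::AuthenMSAD source (that module is Perl; I assume it binds as ''user@domain'', as AD-backed handlers generally do): it decodes the Basic header, sends an LDAP simple bind for ''user@domain'' to the domain controller from the stanza above, and maps AD's answer to a reason, including the ''data 52e''-style sub-codes AD hides behind result 49.  Only the domain and the server address come from this page; the function names are mine and the AD response it is tested against is constructed.  Standard library only.

```python
"""Model of an AD-backed HTTP Basic authentication handler (added example,
not the Apache2::AuthenMSAD source).  Decodes the Basic header, does an
LDAP simple bind to the domain controller as user@domain, and turns the
BindResponse into a reason.  Wire format per RFC 4511; stdlib only."""
import base64
import re
import socket

# AD reports most logon failures as invalidCredentials (49) and hides the
# real cause in the diagnostic message as "... data <hex>, ...".
AD_SUBCODES = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "logon not permitted at this time", "531": "logon not permitted from this workstation",
    "532": "password expired", "533": "account disabled", "701": "account expired",
    "773": "user must reset password", "775": "account locked out",
}

def parse_basic_auth(header):
    """'Basic <base64(user:password)>' -> (user, password)."""
    scheme, _, blob = header.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not HTTP Basic authentication")
    user, sep, password = base64.b64decode(blob, validate=True).decode().partition(":")
    if not sep or not user:
        raise ValueError("malformed Basic credentials")
    return user, password

def _tlv(tag, payload):
    """BER tag-length-value; long-form length for payloads of 128+ bytes."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + payload

def _read_tlv(buf, pos):
    """Decode the BER element at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def bind_request(msg_id, name, password):
    """LDAPMessage{ messageID, BindRequest{ version 3, name, simple password } }."""
    op = _tlv(0x02, b"\x03") + _tlv(0x04, name.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, op))  # msg_id < 128

def bind_response(code, diag, msg_id=1):
    """Encode a BindResponse; used here only to build constructed samples."""
    op = _tlv(0x0A, bytes([code])) + _tlv(0x04, b"") + _tlv(0x04, diag.encode())
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x61, op))

def parse_bind_response(data):
    """BindResponse bytes -> (resultCode, diagnosticMessage)."""
    tag, message, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = _read_tlv(message, 0)
    tag, resp, _ = _read_tlv(message, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, pos = _read_tlv(resp, 0)
    _, _matched_dn, pos = _read_tlv(resp, pos)
    _, diag, _ = _read_tlv(resp, pos)
    return int.from_bytes(code, "big"), diag.decode(errors="replace")

def ad_failure_reason(code, diag):
    """Map the LDAP result (and AD's hidden sub-code) to a reason string."""
    if code == 0:
        return "success"
    match = re.search(r"data ([0-9a-f]+)", diag)
    if code == 49 and match:
        sub = match.group(1)
        return "%s (AD data %s)" % (AD_SUBCODES.get(sub, "unknown sub-code"), sub)
    return "LDAP result code %d: %s" % (code, diag)

def ldap_simple_bind(server, name, password, port=389, timeout=5.0):
    """Bind for real over plain LDAP -> (resultCode, diagnosticMessage).
    Plain ldap:// carries the password in clear: keep this on the trusted
    network, or switch to port 636 with an SSL-wrapped socket."""
    with socket.create_connection((server, port), timeout) as sock:
        sock.sendall(bind_request(1, name, password))
        data = sock.recv(4096)  # a BindResponse is small; one segment in practice
    return parse_bind_response(data)

def authenticate(header, domain, server, allowed_users=None):
    """Full check.  An empty password is refused before binding: a simple
    bind with a name and no password is an *unauthenticated* bind, which
    AD accepts by default, so it would log anyone in as any user."""
    user, password = parse_basic_auth(header)
    if not password:
        return False, "empty password (would be an unauthenticated bind)"
    code, diag = ldap_simple_bind(server, "%s@%s" % (user, domain), password)
    if code != 0:
        return False, ad_failure_reason(code, diag)
    if allowed_users is not None and user not in allowed_users:
        return False, "authenticated but not in the Require user list"
    return True, "ok"
```

From a host that can reach the DC, ''authenticate("Basic YW9ydGg6c2VjcmV0", "ilri.cgiarad.org", "172.26.0.218", allowed_users={"aorth", "akihara"})'' performs the same check the stanza does.  The empty-password branch is the part worth copying into any such handler: AD answers an unauthenticated bind with success, so forwarding Basic credentials to the bind without that check is an authentication bypass.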

==== Likewise-Open ====
Open source, standalone Active Directory integration stack (its own PAM and NSS modules, with Kerberos and LDAP client code bundled) rather than a Samba/winbind or OpenLDAP setup: http://www.likewise.com/

  * open ports in the firewall (Active Directory, NTP, Kerberos)
  * make sure time is in sync with the server!  NTP must be configured correctly before installing AD integration
  * Likewise-Open has its own CIFS server but can also work with existing Samba installs, I think
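A quick pre-join check for the two prerequisites (the port list under Implementation and the firewall/NTP bullets here), as an added Python example rather than anything Likewise-Open ships: it TCP-probes the standard AD ports and asks the DC's time service for its clock over SNTP, then compares the skew with the Kerberos tolerance.  The DC address is the page's; the port list and the 5-minute tolerance are standard AD/Kerberos defaults, not figures stated on this page, and the NTP reply it is tested against is constructed.

```python
"""Pre-join checks for the two prerequisites listed above: the HPC must
reach the domain controller's AD ports, and its clock must be within
Kerberos' tolerance (5 minutes by default) of the DC.  Added example, not
Likewise-Open tooling; 172.26.0.218 is the page's DC.  Stdlib only."""
import socket
import struct
import time

KRB_MAX_SKEW_SECONDS = 300    # default Kerberos clock-skew tolerance
NTP_UNIX_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)

# TCP ports an AD client (Kerberos, LDAP, SMB, domain join) needs; NTP is UDP 123.
AD_TCP_PORTS = {
    53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper (some join tools)",
    389: "LDAP", 445: "SMB/CIFS", 464: "Kerberos kpasswd",
    636: "LDAPS", 3268: "Global Catalog LDAP", 3269: "Global Catalog LDAPS",
}

def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout):
            return True
    except OSError:
        return False

def sntp_request():
    """48-byte SNTP client packet: LI=0, VN=3, mode=3 (client)."""
    return b"\x1b" + bytes(47)

def parse_sntp_time(packet):
    """Server transmit timestamp (bytes 40-47) as Unix time."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    if packet[0] & 0x07 != 4:
        raise ValueError("not a server (mode 4) reply")
    seconds, fraction = struct.unpack("!II", packet[40:48])
    return seconds - NTP_UNIX_OFFSET + fraction / 2**32

def dc_time(host, timeout=2.0):
    """Ask the DC's time service (W32Time speaks NTP on UDP 123) for its clock."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(sntp_request(), (host, 123))
        packet, _ = sock.recvfrom(512)
    return parse_sntp_time(packet)

def skew_ok(local_time, remote_time, max_skew=KRB_MAX_SKEW_SECONDS):
    """Kerberos rejects requests once |local - remote| exceeds the skew limit."""
    return abs(local_time - remote_time) <= max_skew

def check_prerequisites(dc, ports=AD_TCP_PORTS, timeout=2.0):
    """Probe every port and the clock -> {'unreachable': [...], 'skew': s|None, 'skew_ok': bool}."""
    unreachable = [port for port in ports if not tcp_reachable(dc, port, timeout)]
    try:
        skew = dc_time(dc, timeout) - time.time()
    except (OSError, ValueError):
        skew = None  # no NTP answer: the Likewise join will not work reliably either
    return {"unreachable": unreachable, "skew": skew,
            "skew_ok": skew is not None and skew_ok(0.0, skew)}

if __name__ == "__main__":
    result = check_prerequisites("172.26.0.218")
    for port in result["unreachable"]:
        print("blocked: TCP %d (%s)" % (port, AD_TCP_PORTS[port]))
    print("clock skew vs DC: %s, ok=%s" % (result["skew"], result["skew_ok"]))
```

Run it on the HPC node before the domain join; any port it reports as blocked is a firewall change to request, and a skew outside the limit means NTP has to be fixed first, exactly the two bullets above.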
  
==== Using ldapsearch on Linux ====
Try to search from a Linux machine which can talk to the AD server (HPC is behind firewall):
<code>ldapsearch -x -H ldap://172.26.0.218 -b "dc=ilri,dc=cgiarad,dc=org" -D "cn=bioinfohpc,cn=users,dc=ilri,dc=cgiarad,dc=org" -W "(sAMAccountName=bioinfohpc)"</code>

Note that ''-x'' is a simple bind, so the ''bioinfohpc'' password crosses the network in clear over ''ldap://''; outside the trusted network use ''ldaps://'' (port 636, or 3269 for the global catalog).

<code>[aorth@shamba: ~]$ ldapsearch -x -H ldap://172.26.0.218:3268 -b "dc=ilri,dc=cgiard,dc=org" -D "cn=bioinfohpc,cn=users,dc=ilri,dc=cgiard,dc=org" -W ""
Enter LDAP Password: 
[...]
long time.</file>
==== Domain controller vs. Global catalog ====
As ILRI has many AD domains and our users could be coming from any of them, we need to query a server running the global catalog service rather than a plain domain controller, which on port 389 only answers for its own domain.  This note is of help:
<file>All Windows 2000/2003 AD domain controllers (including Global Catalog Servers) listen for LDAP requests
 on the standard LDAP port 389. However, domain controllers (including Global Catalog Servers) respond to LDAP
[...]
requests on port 3268, Microsoft's AD LDAP port. Global Catalog Servers respond to LDAP queries on port 3268
 with AD information from the entire AD forest. In multi-domain AD environments, it is best to use port 3268.</file>
ILRI Kenya has three Active Directory servers, and from what I can tell two of them run a global catalog:
  * 172.26.0.218 <- running a global catalog (port 3268)
  * 172.26.0.219
  * 172.26.0.220 <- running a global catalog (port 3268)
  
===== pam_cgiar_ldap.c =====
ldap_integration.1250760714.txt.gz · Last modified: 2010/05/22 14:19 (external edit)