User Tools

Site Tools


ldap_integration

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
ldap_integration [2009/08/20 09:23]
172.26.0.166
ldap_integration [2012/02/06 08:43] (current)
aorth [Apache Authentication]
Line 2: Line 2:
  
 ILRI uses an Active Directory server for user authentication, which is primarily used for Exchange e-mail services.  Active Directory is Microsoft's proprietary version of LDAP with a little extra special sauce.  Currently users have an Active Directory username and password for their Windows-centric single sign on and e-mail, and then they have a separate account for use with the HPC.  There exists functionality in Linux to look at Active Directory for user authentication. ILRI uses an Active Directory server for user authentication, which is primarily used for Exchange e-mail services.  Active Directory is Microsoft's proprietary version of LDAP with a little extra special sauce.  Currently users have an Active Directory username and password for their Windows-centric single sign on and e-mail, and then they have a separate account for use with the HPC.  There exists functionality in Linux to look at Active Directory for user authentication.
 +
 +===== Implementation =====
 +
 +Active Directory integration will work if we use Likewise-Open.  It has been tested in a virtual server environment, but requires a few network changes to work on the HPC:
 +  * HPC must have the correct time (AD authenticates via Kerberos, which is heavily sensitive to time)
 +  * HPC must be able to access AD on several TCP ports (kerberos, LDAP, etc)
  
 ===== Notes ===== ===== Notes =====
 +===== Apache Authentication =====
 +It's possible to use Basic authentication via Active Directory in web applications.
 +
 +Make sure Apache has ''mod_perl'' installed and working first:
 +<code># apt-get install libapache2-mod-perl2 libapache2-mod-perl2-dev
 +# a2enmod perl
 +# apache2ctl graceful</code>
 +
 +Install the required perl dependencies for Apache and LDAP:
 +<code># apt-get install libauthen-simple-ldap-perl</code>
 +
 +Install the required AD Auth package and any dependencies it has using CPAN:
 +<code>$ sudo cpan
 +> install Apache2::AuthenMSAD</code>
 +
 +Then add a stanza such as this to your Apache config:
 +<file>
 +   AuthName "Microsoft Active Directory Authentication"
 +   AuthType Basic
 +
 +   PerlAuthenHandler Apache2::AuthenMSAD
 +   PerlSetVar MSADDomain ilri.cgiarad.org
 +   PerlSetVar MSADServer 172.26.0.218
 +
 +   #require valid-user
 +   require user aorth akihara</file>
 +
 +That stanza can go in a VirtualHost, a Directory, a Location, etc... restart Apache and you're golden. 
 +
 +==== Likewise-Open ====
 +Open source standalone implementation of Samba, OpenLDAP, Kerberos, etc for Active Directory integration: http://www.likewise.com/
 +
 +  * open ports in Firewall (Active Directory, NTP, Kerberos)
 +  * make sure time is in sync with the server!  NTP must be configured correctly before installing AD integration
 +  * Likewise-Open has their own CIFS server but can also work with existing Samba installs I think
 +
 +==== Using ldapsearch on Linux ====
 Try to search from a Linux machine which can talk to the AD server (HPC is behind firewall): Try to search from a Linux machine which can talk to the AD server (HPC is behind firewall):
 +<code>ldapsearch -x -H ldap://172.26.0.218 -b "dc=ilri,dc=cgiarad,dc=org" -D "cn=bioinfohpc,cn=users,dc=ilri,dc=cgiarad,dc=org" -W "(sAMAccountName=bioinfohpc)"</code>
 +
 <code>[aorth@shamba: ~]$ ldapsearch -x -H ldap://172.26.0.218:3268 -b "dc=ilri,dc=cgiard,dc=org" -D "cn=bioinfohpc,cn=users,dc=ilri,dc=cgiard,dc=org" -W "" <code>[aorth@shamba: ~]$ ldapsearch -x -H ldap://172.26.0.218:3268 -b "dc=ilri,dc=cgiard,dc=org" -D "cn=bioinfohpc,cn=users,dc=ilri,dc=cgiard,dc=org" -W ""
 Enter LDAP Password:  Enter LDAP Password: 
Line 13: Line 58:
 DEC: 1317 – ERROR_NO_SUCH_USER (The specified account does not exist.) DEC: 1317 – ERROR_NO_SUCH_USER (The specified account does not exist.)
 NOTE: Returns when username is invalid.</file> NOTE: Returns when username is invalid.</file>
 +==== binddn ====
 A note of possible interest regarding binding on Linux (from the [[http://lists.samba.org/archive/samba/2007-April/131385.html|samba mailing list]]): A note of possible interest regarding binding on Linux (from the [[http://lists.samba.org/archive/samba/2007-April/131385.html|samba mailing list]]):
-<file>AD domain controllers listen on the standard LDAPS port (636) and will  +<file>AD domain controllers listen on the standard LDAPS port (636) and will only accept binds on that port. 
-only accept binds on that port.  You cannot bind as a user on port 389.  I  +You cannot bind as a user on port 389.  I don't think they support TLS on port 389, but I have no tried in a 
-don't think they support TLS on port 389, but I have no tried in a long  + long time.</file> 
-time.</file>+==== Domain controller vs. Global catalog ==== 
 +As ILRI has many AD domains and our users could be coming from anywhere, we need to query a server running the global catalog service instead of a normal domain controller.  This note is of help: 
 +<file>All Windows 2000/2003 AD domain controllers (including Global Catalog Servers) listen for LDAP requests 
 + on the standard LDAP port 389. However, domain controllers (including Global Catalog Servers) respond to LDAP 
 + queries on port 389 with AD information from within its own AD domain only. Again, this works fine in a single 
 + domain configuration but not in a multi-domain setup. Global Catalog Servers additionally listen for LDAP  
 +requests on port 3268, Microsoft's AD LDAP port. Global Catalog Servers respond to LDAP queries on port 3268 
 + with AD information from the entire AD forest. In multi-domain AD environments, it is best to use port 3268.</file> 
 +ILRI Kenya has three Active Directory servers, and from what I can tell two of them run a global catalog: 
 +  * 172.26.0.218 <- running a global catalog (port 3268) 
 +  * 172.26.0.219 
 +  * 172.26.0.220 <- running a global catalog (port 3268)
  
 ===== pam_cgiar_ldap.c ===== ===== pam_cgiar_ldap.c =====
ldap_integration.1250760224.txt.gz · Last modified: 2010/05/22 14:19 (external edit)