Linux

How to authenticate Linux users against Active Directory

  • August 15, 2013

What is the best practice for authenticating users on Linux (Debian) machines against Active Directory?

The way I would like this to work is to add AD users to a group, e.g. "linux administrators" or "linux webserver", and based on their group membership they will or will not be granted access to a particular server. Ideally the root account would be the only one maintained in the standard way.

My goals in doing this are as follows:

  • Allow passwords to be changed in one place
  • Automatically grant certain people access to the Linux servers using their AD credentials
  • Consolidate all of our user information into one database

Things I want to avoid:

  • Anything that is difficult to manage or counterintuitive for our Active Directory administrators
  • Locking users out if the AD server cannot be reached for some reason (i.e. it needs to cache credentials somehow)
  • Anything overly complex or non-standard that will break the next time I upgrade the server.

See also: Linux clients on a Windows domain, and How practical is it to authenticate a Linux server against AD?

There is no reason to use any external software on most distributions.

For Debian/Ubuntu you can do it with libnss-ldap and libpam-krb5. There are a few tricks to getting it 100% right. This assumes you populate "unixHomeDirectory" for your Linux users, that your Linux machines use an NTP source common to the Windows systems (required by Kerberos), and that you are fine with plaintext NSS lookups (not passwords, but group membership information and the like); you can also use TLS, but it is more complicated to set up. You should not use pam_ldap as a password or authentication source in PAM unless you are set up to use TLS.

/etc/ldap.conf

# LDAP Configuration for libnss-ldap and libpam-ldap.
# Permit host to continue boot process without contacting LDAP server
bind_policy soft
# Define LDAP servers to use for queries, these must be Global Catalog servers
uri ldap://ldap.site.company.local
# Define root search location for queries
base dc=company,dc=local
#debug 1
# LDAP version, almost always going to be v3, it is quite mature
ldap_version 3
# Username used to proxy authentication. You can have this in a separate file owned by root for security OR use TLS/SSL (see man page)
# Do NOT use LDAP for authentication if you are using plain text binds, use Kerberos instead (and LDAP for authorization only). See libpam-krb5.
binddn cn=ldap-auth-svc,ou=ldap,ou=services,dc=site,dc=company,dc=local
# Password for proxy acct
bindpw SooperSekeretPazzwerd
#  TCP port to perform queries on, 3268 is a Global Catalog port which will reply for all users in *.company.local
port 3268
# Search range scope (sub = all)
scope sub
# Tell the client to close TCP connections after 30 seconds, Windows will do this on the server side anyways, this will prevent errors from showing up in the logs.
idle_timelimit 30
# Expect queries for group membership to return DN for group members instead of usernames (lets you use MSAD group membership seamlessly)
nss_schema rfc2307bis
# Filters - User accounts must have a UID >= 2000 to be recognized in this configuration and must have a unixHomeDirectory defined.
nss_base_group dc=company,dc=local?sub?&(objectClass=group)(gidNumber=*)
nss_base_user dc=company,dc=local?sub?&(objectClass=user)(!(objectClass=computer))(uidNumber>=2000)(unixHomeDirectory=*)
nss_base_shadow dc=company,dc=local?sub?&(objectClass=user)(!(objectClass=computer))(uidNumber>=2000)(unixHomeDirectory=*)
# Object Class mappings.  You may want to have the posixAccount to map to "mail" and have users login with their email addresses, i.e.  "nss_map_objectclass posixAccount mail".
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
# Attribute mappings.
nss_map_attribute uniqueMember member
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
# Attribute in LDAP to query to match the username used by PAM for authentication
pam_login_attribute sAMAccountName
# Filter for objects which are allowed to login via PAM
pam_filter objectclass=User

You do not need to edit /etc/krb5.conf, assuming your Linux machine is using an AD-aware DNS server (the _msdcs zone with the appropriate SRV records is resolvable).

/etc/nsswitch.conf should have "files ldap" for passwd, group and shadow.

For Red Hat using SSSD:

/etc/sssd/sssd.conf

[domain/AD]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

ldap_uri = ldap://ldap.company.local:3268/
ldap_search_base = dc=company,dc=com
ldap_default_bind_dn = cn=ldap-auth-svc,ou=ldap,ou=services,dc=site,dc=company,dc=local
ldap_default_authtok = SooperSekeretPazzwerd
ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
enumerate = true
ldap_tls_reqcert = never
ldap_tls_cacertdir = /etc/openldap/cacerts

ldap_id_use_start_tls = False
cache_credentials = True
krb5_realm = SITE.COMPANY.COM
case_sensitive = false
[sssd]
services = nss, pam
config_file_version = 2

domains = AD
[nss]
filter_users = root,named,avahi,nscd

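As an added check (my own example, not code from the answer or from libnss-ldap), a small Python audit of an /etc/ldap.conf in the format shown in the Debian section, flagging the pitfalls the answer warns about: a bind_policy other than soft, a port other than the Global Catalog, a user filter missing the uidNumber / unixHomeDirectory / computer clauses, and pam_ldap authenticating over a plain ldap:// bind. The config text is constructed, and the pam_ldap_does_auth flag stands in for inspecting /etc/pam.d, which the script does not read.

```python
# Hypothetical audit helper, not from the original answer; SAMPLE_LDAP_CONF is a constructed
# config that mirrors the answer's /etc/ldap.conf layout.
SAMPLE_LDAP_CONF = """\
bind_policy soft
uri ldap://ldap.site.company.local
base dc=company,dc=local
ldap_version 3
binddn cn=ldap-auth-svc,ou=ldap,ou=services,dc=site,dc=company,dc=local
bindpw SooperSekeretPazzwerd
port 3268
nss_schema rfc2307bis
nss_base_user dc=company,dc=local?sub?&(objectClass=user)(!(objectClass=computer))(uidNumber>=2000)(unixHomeDirectory=*)
"""

def parse_ldap_conf(text):
    """Parse 'key value' lines the way libnss-ldap reads them: '#' comments and
    blank lines are skipped, keys are case-insensitive, a repeated key wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf

def audit_ldap_conf(text, pam_ldap_does_auth=False):
    """Return findings for the pitfalls the answer calls out. pam_ldap_does_auth
    says whether pam_ldap.so is in the PAM auth/password stack (from /etc/pam.d)."""
    conf = parse_ldap_conf(text)
    findings = []
    # bind_policy hard (the default) makes boot and logins hang when AD is down
    if conf.get("bind_policy", "hard") != "soft":
        findings.append("bind_policy is not soft: boot and logins hang when AD is unreachable")
    uri = conf.get("uri", "")
    # forest-wide lookups need a Global Catalog server, i.e. port 3268
    if conf.get("port") != "3268" and ":3268" not in uri:
        findings.append("not querying the Global Catalog port 3268")
    # the answer's user filter excludes computer objects and accounts without a Unix UID/home
    user_filter = conf.get("nss_base_user", "")
    for needed in ("(uidNumber>=", "(unixHomeDirectory=*)", "(!(objectClass=computer))"):
        if needed not in user_filter:
            findings.append(f"nss_base_user filter lacks {needed}, which the answer's config requires")
    # plain ldap:// with no 'ssl on' / 'ssl start_tls' means binds cross the wire in clear text
    plaintext = uri.startswith("ldap://") and conf.get("ssl", "no") not in ("on", "start_tls")
    if plaintext and pam_ldap_does_auth:
        findings.append("pam_ldap authenticates over a plaintext bind: use libpam-krb5, LDAP for NSS only")
    return findings
```

Run audit_ldap_conf on the real file's contents; an empty list means the file matches what the answer recommends.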
Quoted from: https://serverfault.com/questions/23632