O&O Services - Software Development and Implementation
Portfolio
Overview
Software Development
Project Management
Strategic Consulting
Training
Service
Articles
Single-Sign-On
Windows vs. Linux
Project Request
O&O
Company
Philosophy
Jobs
Contact
  HomeArticlesSingle-Sign-On
  Deutsch
Single-Sign-On on Linux using LDAP with Active Directory
Michael Ganss (michael.ganss@oo-services.com)
Managing Director, O&O Services
March 2002

This article discusses how you can integrate Linux into a Windows-based network by making it authenticate against an Active Directory server and having it get passwd and group information from Active Directory as well.

It starts by giving a quick rundown on traditional authentication mechanisms in UNIX, then delves into the details of setting up NSS and PAM with Active Directory.

The Problem

With the increasing proliferation of heterogenous IT infrastructures many enterprises are facing the problem of how to keep user data in a unified manner that makes administration and use as efficient as possible.

User data are involved in a number of processes, especially during authentication, which we will discuss in-depth here. Other possible uses includes enterprise-wide address books or the centralized supply of data about shared resources like file systems or printers.

During the design of a centralized directory service which has to build on existing infrastructures, which in turn rely on established, traditional processes, you have to keep a number of requirements in mind:

  • Centralized Administration (User data will only be manipulated at a central site)
  • "Ease of Use"® from the user's point of view (Data should be kept consistent across platforms and in one place only, i.e. only one password for all services)
  • Security (Passwords shouldn't be visible to attackers)

In this article we assume the following scenario:
A number of machines running Linux are to be integrated into an existing network consisting exclusively of Windows 2000/XP machines. Existing user accounts should be usable on the Linux machines with as few restrictions as possible, e.g. the Windows password should also be used for login.

Furthermore, the user should not have to revert to Windows-specific processes, e.g. the password should be changeable via passwd(1).

Our scenario assumes there is already a centralized user administration via Active Directory on a Windows 2000 server.

Traditional User Administration under UNIX

In order to better understand the problems during integration, we'll first give a short rundown of classic authentication mechanisms under UNIX.

/etc/passwd

The traditional user administration under UNIX stems from the era of mainframes and terminals, i.e. from an environment where joint user accounts on different computers in a network were not integrated into the concept.

In this model, user data are held in the files /etc/passwd and /etc/group (among others, which we'll abstract from here). Both files are readable for everyone. /etc/passwd contains one line per user with the following data:

login_name
The login name of the user
password
The crypted password
UID
The numeric user id
GID
The primary numeric group id
user_name
A free-form field of additional user data, commonly used for the full user name, telephone number etc. Also called the GECOS-Field.
directory
The home directory
shell
The complete path to the login shell

For example: 

username:Npge08pfz4wuk:503:100:Full Name:/home/username:/bin/sh
Authentication of a user is carried out at the start of a login session through login(1), which gathers the entry for the user logging in through getpwent(3) or a similar function. login(1) then crypts the password string typed by the user and compares it to the entry in /etc/passwd returned by getwpwent(3).

This form of user administration and authentication is still in use today. Over time, several enhancements were introduced to the process in order to combat some of its shortcomings.

/etc/shadow

As stated earlier, /etc/passwd is readable for everyone and contains the crypted password of each user. To make it harder for attackers to carry out dictionary attacks, shadow passwords were introduced. The password no longer resides in /etc/passwd but in /etc/shadow instead. /etc/shadow (and /etc/gshadow resp) is only readable for root and the group shadow.

Programs that need to access user data have to run suid root or sgid shadow.

NIS

In order for a number of machines to have access to information in /etc/passwd and /etc/group, Sun invented NIS (Network Information System, formerly Sun Yellow Pages).

With NIS, user data are kept in the same format as in /etc/passwd and /etc/group in a central database and are collected by remote machines via RPC.

In order to use NIS, no changes have to be applied to existing applications, only the C library has to be changed.

NSS

In order to be able to configure the source for the data in /etc/passwd and /etc/group, Sun also introduced NSS (Name Service Switch). In terms of NSS, a name service refers to the data in one of the configuration files traditionally kept in /etc/ (such as /etc/passwd) and is named according to the file name the data are traditionally kept in (such as passwd).

With NSS, the source for a certain type of data such as passwd, but also including others like hosts for data from /etc/hosts, is kept in a configuration file /etc/nsswitch.conf. This file is read by the C library which decides for each name service where the data is gathered from (files, nis, etc).

This method is very flexible, allowing for the implementation of arbitrary sources through dynamic libraries. For example, data can be gathered from an LDAP directory through the use of nss_ldap.

PAM

All methods described above have one problem in common: They all rely on authentication information solely represented by the old crypt(3)-encrypted password.

To gain flexibility in this respect, PAM (Pluggable Authentication Modules) were invented. With this library it is possible to have any number of authentication mechanisms, such as smart cards, finger print scanners etc. Authentication is no longer carried out by applications themselves but rather by the library which, depending on the actual configuration, can delegate the authentication step to various means.

Unfortunately, using PAM makes it necessary to change all authenticating applications in order for them to use PAM instead of getpwent(3) and crypt(3) for authentication purposes. Luckily, nearly all commonly used applications that do authentication have PAM support already.

There is a patch for CVS as well as nserver, an alternative to pserver that supports PAM.

Integration of Linux and Active Directory

Active Directory provides the central user administration means in a Windows network. It subsumes a number of services:
  • LDAP Server
  • DNS Server
  • Kerberos Server
Here we will use the LDAP server in order to provide NSS-Information and an authentication mechanism.

The Architecture

On the Linux side we'll use the libraries nss_ldap and pam_ldap by PADL to communicate via LDAP with the Active Directory server and to serve as an interface to NSS and PAM. Both are contained in most major distributions.

There is an LDAP schema that contains the information from /etc/passwd and /etc/group: RFC 2307.

Of course this schema is not supported by a default Active Directory server, in fact the Active Directory schema collides with RFC 2307 in certain aspects, e.g. the attribute homeDirectory. Nonetheless it is possible to extend the Active Directory schema in such a way that it is possible to enter the necessary information into Active Directory and have it read correctly by nss_ldap.

Security is ensured by using SSL/TLS in the communication between Active Directory and pam_ldap/nss_ldap.

Figure 1. Single-Sign-On Architecture

Extending the Active Directory Schema

Step-by-step instructions for changing the Active Directory Schema can be found in the HOWTO by JJ Streicher-Bremer.

It describes the steps necessary to change the Active Directory Schema analogous to those of Microsoft Services for UNIX.

As soon as the changes are in place, you can fill in the additional attributes for users and groups using any LDAP browser.

Maxime Batourine has created a plugin for Active Directory, which makes it possible to change user and group data right in Active Directory Users and Computers.

For testing purposes you might use the LDAP utilities from the OpenLDAP-Suite.

Cofiguration of nss_ldap and pam_ldap

As mentioned before, many distributions contain the libraries nss_ldap and pam_ldap. Unfortunately, they are sometimes not configured properly to work with Active Directory. It is necessary to configure nss_ldap with the options --enable-rfc2307bis and --enable-schema-mapping.

Important: Systems that use bash as their /bin/sh may have problems while umounting or shutting down if NSS lookups go over LDAP. This is because the shell script /etc/init.d/umountfs (may also be found under /etc/rc.d/init.d/umountfs) which umounts all filesystems during shutdown is executed by bash which in turn calls getpwnam(3), loading LDAP shared libraries. This can result in the filesystem where the LDAP shared libraries reside not being able to umount because it is busy with the mmapped shared libraries.

A possible workaround is to change the shebang-path in /etc/init.d/rc and /etc/init.d/umountfs from /bin/sh to /bin/ash (as well as all calls to sh in these scripts). Ash doesn't have the getpwnam(3) problem.

Both pam_ldap and nss_ldap work directly over SSL/TLS only if they are compiled with Netscape's LDAP SDK. If you use a different LDAP library you can use SSL/TLS via stunnel.

The configuration file for pam_ldap and nss_ldap is usually found in /etc/ldap.conf (both use the same configuration file). Different distributions may place the configuration file at different locations such as /etc/pam_ldap.conf or /etc/libnss_ldap.conf.

In order to level the incompatibilities between the Active Directory schema (Microsoft Services for UNIX, msSFU) and RFC 2307, it is necessary to make a few changes to ldap.conf. Here's an example: 

# Your LDAP server. Must be resolvable without using LDAP.
host 192.168.100.1

# The distinguished name of the search base.
base dc=oo-services,dc=com

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=Guest,cn=Users,dc=oo-services,dc=com

# The credentials to bind with. 
# Optional: default is no credential.
bindpw secret

# The port.
port 389

# The search scope.
scope sub

nss_base_passwd CN=Users,DC=oo-services,DC=com
nss_base_shadow CN=Users,DC=oo-services,DC=com
nss_base_group CN=Group,DC=oo-services,DC=com
 
nss_map_objectclass posixAccount user
nss_map_attribute uid msSFUName
nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_objectclass posixGroup Group
nss_map_attribute cn msSFUName
nss_map_attribute userPassword msSFUPassword
nss_map_attribute uniqueMember member

pam_filter objectclass=user
pam_login_attribute sAMAccountName
pam_password ad

Configuring NSS

The configuration of NSS is done via /etc/nsswitch.conf. Changes in /etc/nsswitch.conf have immediate effect making it easy to lock yourself out unintentionally, e.g. if the connection to the ADS does not work right away.

It is recommended you keep a root shell open while testing the setup so you can always fix a faulty configuration.

The configuration of NSS in /etc/nsswitch.conf consists of one line for each name service, first the name of the service followed by the lookup methods in the order they are tried. For nss_ldap the following configuration might be used: 

passwd:         files ldap
group:          files ldap
shadow:         files ldap
Local files (/etc/passwd and so forth) are tried first, followed by LDAP, i.e. Active Directory. This way local values have higher precedence which might be useful for local root accounts etc.

Configuring PAM

PAM can be configured by two different means, either in a single file for all applications (/etc/pam.conf) or in a separate directory /etc/pam.d with one file per application.

The pam_ldap distribution contains example files for most applications. For the login service the file /etc/pam.d/login might look like this: 

#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_warn.so
auth       required     /lib/security/pam_unix_auth.so try_first_pass
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_warn.so
account    required     /lib/security/pam_unix_acct.so
password   required     /lib/security/pam_ldap.so
session    required     /lib/security/pam_unix_session.so
session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session    optional     /lib/security/pam_console.so
The module pam_mkhomedir.so makes sure that a home directory is created during the first login. This makes sense if you don't want to create a home directory when you create a new user in Active Directory.

SSL via stunnel

In order to authenticate a user, pam_ldap carries out an LDAP-bind and transmits the password typed by the user in cleartext. In order to keep attackers from abusing this with protocol sniffers, you should use SSL/TLS between nss_ldap/pam_ldap and Active Directory.

A tool that comes in handy for this purpose is stunnel, which provides a proxy (or tunnel) between unsecure and secure connections.

Since the tunnel is running on the client side only, you don't need a certificate, only an unused port. If you have an LDAP server on the client side as well, you might have to move to another port than 389, which makes it necessary to patch ldap.conf accordingly.

If that isn't the case, simply start stunnel on the Linux machine as follows: 

stunnel -c -d localhost:389 -r ads:636
where ads is the DNS name of the Windows 2000 server.

Conclusion

It is indeed possible to have an Active Directory server perform authentication and even host NSS data with users on both sides not noticing the difference. You have to watch out for some quirks though, most of which I have hopefully outlined in this article.

Resources

  • Check out these hands-on instructions on how to set up Active Directory and Linux.
  • You might want to download the Active Directory plugin to maintain UNIX-specific attributes in AD from CSS Solutions.
  • The Open-IT Project focuses on Directory Service management tools and system integration.
  • The LDAP Implementation HOWTO has an excellent section on authentication against LDAP.
  • PADL are the authors of the excellent pam_ldap and nss_ldap libraries.

About the Author

Michael Ganss is Managing Director of O&O Services, based in Berlin, Germany, where he has worked on numerous projects ranging from 3D weather visualization systems to BER-codec development for the telecommunications industry.

You can reach Michael at michael.ganss@oo-services.com.

© 2002-2003 O&O Services GmbH. All Rights Reserved.
A company of the O&O Group | Webmaster | Contact us

1