Configure Ezeelogin to authenticate using Windows_AD / OpenLDAP (Pam-Ldap) in Debian?

Integration of WINDOWS-AD&Openldap (PAM-LDAP) in Debian

Make sure that the PHP LDAP extension is installed on the server (the package is php5-ldap, php7-ldap or php-ldap depending on the PHP version):

root@jumpserver:~# apt-get install php-ldap

1. Login to Web-GUI > Settings > LDAP

   Add the details in the LDAP settings page. Check the following video to fill in and configure PAM-LDAP.

   Add the details of the LDAP configuration, check WINDOWS ACTIVE DIRECTORY if you are authenticating with Windows AD, and Save.

2. Open Settings > General > Authentication, change Web panel authentication to LDAP and check PAM Authentication.

3. Select the LDAP users and import them into Ezeelogin.

   You can confirm that the imported LDAP users are listed under Users.

   Now you can log in to the Ezeelogin GUI with an LDAP user.

Skip the 4th and 5th steps if you are configuring OpenLDAP.

4. Make sure that UNIX ATTRIBUTES is enabled on the WINDOWS (2003, 2008, 2012) SERVER.

   You do not need to install Unix attributes on Windows 10 and Windows Server 2016.

   Login to the Windows server, open a command prompt and enter the command below:

Dism.exe /online /enable-feature /featurename:nis /all

   Reboot the server to complete the installation.

5. Make sure to add the values for UID, GID, Login Shell and Home Directory.

   For a Windows 2016 AD user, set the attributes uidNumber = 10001, gidNumber = 12001, unixHomeDirectory = /home/jake, loginShell = /usr/local/bin/ezsh

NOTE: For the Unix attributes uidNumber, gidNumber and loginShell to be visible in the attribute editor, click the Filter button and select ONLY "Show Only Writable Attributes" as shown below.
 
 
Let's configure PAM_LDAP authentication for SSH

*Login to the Ezeelogin ssh server to configure pam-LDAP.

1. Install the pam-LDAP module with the following command:

root@jumpserver:~# apt install libnss-ldap libpam-ldap ldap-utils nscd

2. Enter the LDAP URI, base DN, LDAP version 3, bind password and bind DN at the prompts.

   You can reconfigure these settings later with the following command:

dpkg-reconfigure libnss-ldap
 

Skip the 3rd step if you are configuring OpenLDAP.

3. Add the Active Directory mappings to /etc/libnss-ldap.conf

   Search for the RFC 2307 (AD) mappings and add or uncomment the following lines:

nano /etc/libnss-ldap.conf

nss_map_objectclass posixAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_override_attribute_value loginShell /usr/local/bin/ezsh

 
4. Append 'ldap' to the passwd, group and shadow lines in /etc/nsswitch.conf

root@jumpserver:~# cat /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: files systemd ldap
group: files systemd ldap
shadow: files ldap
gshadow: files

hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

5. Enable automatic home directory creation on login by appending the following line to /etc/pam.d/common-session with this command:

echo "session optional pam_mkhomedir.so skel=/etc/skel umask=077" >> /etc/pam.d/common-session

6. Edit /etc/pam.d/common-password and remove the option 'use_authtok' from the password 'pam_ldap' module configuration, so that the line reads as below:

vi /etc/pam.d/common-password

password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass

7. Restart the nscd service:

service nscd restart

Ensure the login shell of the LDAP user is /usr/local/bin/ezsh.

Now run the id or finger command and check that you are able to get the AD user details:

[root@jumpserver ~]# finger franc
Login: jake           Name: jake t
Directory: /home/jake     Shell: /usr/local/bin/ezsh
Last login Wed Jun 13 05:02 (EDT) on pts/1 from 10.1.1.13
No mail.
No Plan.

[root@jumpserver ~]# id jake
uid=10001(jake) gid=120001(domain users) groups=1547600513(domain users)

Run an ldapsearch to check the values returned by your AD server, as follows. This is used for troubleshooting. Ensure that it returns the values of uidNumber, gidNumber, home directory and login shell. Note that passing the bind password with -w leaves it in the shell history and process list; -W prompts for it instead.

[root@jumpserver]# ldapsearch -x -LLL -E pr=200/noprompt -h 10.11.1.164 -D "administrator@ad2016.admod.net" -w admod_2016 -b "cn=jake,cn=users,dc=ad2016,dc=admod,dc=net"

dn: CN=jake,CN=Users,DC=ad2016,DC=admod,DC=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: jake
givenName: jake
distinguishedName: CN=jake,CN=Users,DC=ad2016,DC=admod,DC=net
instanceType: 4
whenCreated: 20180703063304.0Z
whenChanged: 20180703063554.0Z
displayName: jake
uSNCreated: 45128
uSNChanged: 45136
name: jake
objectGUID:: ldpkFlnRs0O6irphlTq1AA==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 131750731848783837
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAmhs/bgMv2mlWATm4VQQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: jake
sAMAccountType: 805306368
userPrincipalName: jake@ad2016.admod.net
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ad2016,DC=admod,DC=net
dSCorePropagationData: 16010101000000.0Z
uidNumber: 10001
gidNumber: 12000
unixHomeDirectory: /home/jake
loginShell: /usr/local/bin/ezsh
# pagedresults: cookie=
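A small troubleshooting aid added here (not part of the original article or of Ezeelogin itself): it parses the LDIF that ldapsearch prints and reports which of the RFC 2307 attributes the libnss-ldap mappings above depend on are missing or wrong, including the login shell check from step 7. The sample entry is constructed, with a placeholder domain.

```python
import base64
import re

# RFC 2307 attributes libnss-ldap/pam_ldap need for login, and the shell Ezeelogin expects.
REQUIRED = ("uidNumber", "gidNumber", "unixHomeDirectory", "loginShell")
EZSH = "/usr/local/bin/ezsh"

# Constructed sample (not a capture): a trimmed ldapsearch -LLL entry with a
# folded line, a base64 (::) value and the trailing pagedresults comment.
SAMPLE_LDIF = """dn: CN=jake,CN=Users,DC=example,DC=net
sAMAccountName: jake
objectGUID:: AAECAwQFBgc=
objectCategory: CN=Person,CN=Schema,CN=Configuration,
 DC=example,DC=net
uidNumber: 10001
gidNumber: 12000
unixHomeDirectory: /home/jake
loginShell: /usr/local/bin/ezsh
# pagedresults: cookie=
"""

def parse_ldif(text):
    """Parse one LDIF entry (as printed by ldapsearch -LLL) into {attr: [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:       # folded continuation line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):   # skip comments such as pagedresults
            lines.append(raw)
    entry = {}
    for line in lines:
        m = re.match(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$", line)
        if m:
            attr, sep, value = m.groups()
            if sep == "::":                     # base64 value (objectSid, objectGUID)
                value = base64.b64decode(value)
            entry.setdefault(attr, []).append(value)
    return entry

def check_unix_attributes(entry):
    """Return a list of problems; an empty list means the account can log in."""
    problems = [f"missing {a}" for a in REQUIRED if a not in entry]
    for attr in ("uidNumber", "gidNumber"):
        if attr in entry and not entry[attr][0].isdigit():
            problems.append(f"{attr} is not numeric: {entry[attr][0]}")
    if "unixHomeDirectory" in entry and not entry["unixHomeDirectory"][0].startswith("/"):
        problems.append("unixHomeDirectory is not an absolute path")
    if "loginShell" in entry and entry["loginShell"][0] != EZSH:
        problems.append(f"loginShell is {entry['loginShell'][0]}, expected {EZSH}")
    return problems
```

To check a real account, feed the ldapsearch output to parse_ldif and pass the result to check_unix_attributes.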
