Configure Ezeelogin to authenticate using Windows_AD(Pam-LDAP) in Ubuntu 16.x 18.x 20.x?
Integration of WINDOWS-AD (PAM-LDAP) in Ubuntu
root@jumpserver:~# apt-get install php5-ldap/php7-ldap /php-ldap
1. Login to Web-GUI > open settings > LDAP
Add the details of LDAP configurations & Check the Windows Active Directory
2. open Settings > General > Authentication > change webpanel authentication to LDAP & Check External SSH Auth
3. Select the LDAP users and import them to ezeelogin
You can confirm the imported LDAP users were listed in the Users
Now you can log in to ezeelogin with LDAP user in ezeelogin GUI
After importing the users to Ezeelogin, log in with the user and set up security code for the user under Account > Password > New Security Code.
4. Make sure that UNIX ATTRIBUTES is enabled on WINDOWS(2003,2008,2012) SERVER
You do not need to install unix attributes on windows 10 and windows 2016 server OS
Login to windows server & open command prompt
Enter the below command
Dism.exe/online/enable-feature /featurename:nis /all
Reboot the server to complete the installation
5. Make sure to add the values for UID, GID, Login Shell, Home Directory
Win 2008 Unix Attributes
For Window 2016 AD user set the attributes such as uidNumber = 10001 , gidNumber = 12001 , unixHomeDirectory = /home/jake , loginShell=/usr/local/bin/ezsh
Let's configure PAM_LDAP Authentication for SSH
Login to Ezeelogin ssh server to configure pam-LDAP
1. Install pam-LDAP module by the following command
root@jumpserver:~# apt-get install ldap-auth-client ldap-auth-config nscd
2. Enter LDAP URI, Base dn & select LDAP version 3
Enter the details when it is prompted or you can add it later as follows.
3. Add Binddn,bind password & Active Directory Mappings to /etc/ldap.conf
root@jumpserver:~# nano /etc/ldap.conf
base OU=developers,DC=adez,DC=com
uri ldap://192.168.1.15
binddn cn=admin,dc=eztest,dc=net
bindpw chaSD@#234JH56hj^7
And add binddn and bind password to the file
In Ubuntu 16.x, run the command " ln -s /etc/ldap /etc/openldap" as well.
4. Search for RF 2307 (AD) mapping & add or uncomment the following lines
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
nss_override_attribute_value loginShell /usr/local/bin/ezsh
5. Append 'ldap' to password,group & shadow in /etc/nsswitch.conf
root@jumpserver:~# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat ldap
group: compat ldap
shadow: compat ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
6. Enable autocreate home directory on login by adding the following to /etc/pam.d/common-session by the following command
root@jumpserver:~# echo "session optional pam_mkhomedir.so skel=/etc/skel umask=077" >> /etc/pam.d/common-session
7. Edit /etc/pam.d/common-password and add the entries for ldap.
root@jumpserver:~# vi /etc/pam.d/common-password
#look for the lines starting with password and add the line below to enable authentication via ldap.
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
8. Restart nscd service
root@jumpserver:~# service nscd restart
Ensure the login shell of ldap user is /usr/local/bin/ezsh
Now run the id/finger command and see whether you are able to get AD user details
[root@jumpserver ~]# finger jake
Login: jake Name: jake t
Directory: /home/jake Shell: /usr/local/bin/ezsh
Last login Wed Jun 13 05:02 (EDT) on pts/1 from 10.1.1.13
No mail.
No Plan.
[root@jumpserver ~]# id jake
uid=10001(jake) gid=120001(domain users) groups=1547600513(domain users)
Run an ldapsearch to check the values returned from your AD server as follows. This is used for troubleshooting. Ensure that it returns the values of uid,gid,home directory, and login shell.
[root@jumpserver]# ldapsearch -x -LLL -E pr=200/noprompt -h 10.11.1.164 -D "[email protected]" -w admod_2016 -b "cn=jake,cn=users,dc=ad2016,dc=admod,dc=net"
dn: CN=jake,CN=Users,DC=ad2016,DC=admod,DC=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: jake
givenName: jake
distinguishedName: CN=jake,CN=Users,DC=ad2016,DC=admod,DC=net
instanceType: 4
whenCreated: 20180703063304.0Z
whenChanged: 20180703063554.0Z
displayName: jake
uSNCreated: 45128
uSNChanged: 45136
name: jake
objectGUID:: ldpkFlnRs0O6irphlTq1AA==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 131750731848783837
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAmhs/bgMv2mlWATm4VQQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: jake
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ad2016,DC=admod,DC=net
dSCorePropagationData: 16010101000000.0Z
uidNumber: 10001
gidNumber: 12000
unixHomeDirectory: /home/jake
loginShell: /usr/local/bin/ezsh
pagedresults: cookie=
Related Articles:
1. How do I configure Ezeelogin to authenticate using Windows_AD(Pam-LDAP) in CentOS
