Configure Ezeelogin to authenticate using Windows AD (PAM-LDAP) in Ubuntu 16.x, 18.x and 20.x

 

Integration of WINDOWS-AD (PAM-LDAP) in Ubuntu

Make sure that the PHP LDAP extension is installed on the server (the package is named php5-ldap, php7-ldap or php-ldap depending on the PHP version in use):

# apt-get install php-ldap

1. Log in to the web GUI and open Settings > LDAP.

   Add the LDAP configuration details and check the WINDOWS ACTIVE DIRECTORY option.

2. Open Settings > General > Authentication, change the web panel authentication to LDAP and check PAM Authentication.

        

3. Select the LDAP users and import them into Ezeelogin.

   You can confirm that the imported LDAP users are listed under Users.

 

Now you can log in to the Ezeelogin GUI with an LDAP user.

After importing the users into Ezeelogin, log in as the user and set up a security code for the user under Account > Password > New Security Code.

 

4. Make sure that UNIX ATTRIBUTES is enabled on the Windows (2003, 2008, 2012) server

You do not need to install Unix Attributes on Windows 10 and Windows Server 2016.

Log in to the Windows server, open a command prompt and enter the command below:

Dism.exe /online /enable-feature /featurename:nis /all

Reboot the server to complete the installation.

 

5. Make sure to add values for UID, GID, Login Shell and Home Directory

[Screenshot: Windows 2008 Unix Attributes tab]

For a Windows 2016 AD user, set the attributes such as uidNumber = 10001, gidNumber = 12001, unixHomeDirectory = /home/jake, loginShell = /usr/local/bin/ezsh

NOTE: For the Unix attributes uidNumber, gidNumber and loginShell to be visible, make sure to click the Filter button and select ONLY "Show Only Writable Attributes" as shown below.

[Screenshot: Windows AD Unix Attributes]
 
 
Let's configure PAM-LDAP authentication for SSH

* Log in to the Ezeelogin SSH server to configure pam-LDAP.
 
 
1. Install the pam-LDAP module with the following command:

# apt-get install ldap-auth-client ldap-auth-config nscd

 
2. Enter the LDAP URI and base DN, and select LDAP version 3.

   Enter the details when prompted, or add them later as described in the next step.
 
3. Add the binddn, bind password and Active Directory mappings to /etc/ldap.conf

nano /etc/ldap.conf

base OU=developers,DC=adez,DC=com
uri ldap://192.168.1.15
binddn cn=admin,dc=eztest,dc=net
bindpw <bind-account-password>

Add the binddn and bind password of the account used to read the user objects (the password above is a placeholder). Because bindpw is stored in clear text here, use a bind account that has read-only rights, and prefer ldaps:// (or "ssl start_tls" in the same file) over plain ldap:// so that credentials do not cross the network unencrypted.

In Ubuntu 16.x, also run "ln -s /etc/ldap /etc/openldap".

 
4. Search for the RFC 2307 (AD) mappings and add or uncomment the following lines:
 

nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad

nss_override_attribute_value loginShell /usr/local/bin/ezsh

 
5. Append 'ldap' to the passwd, group and shadow lines in /etc/nsswitch.conf

# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat  ldap
group:          compat  ldap
shadow:         compat  ldap

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

 
 
6. Enable automatic creation of the home directory on login by appending the following line to /etc/pam.d/common-session with this command:

echo "session optional pam_mkhomedir.so skel=/etc/skel umask=077" >> /etc/pam.d/common-session

 
7. Edit /etc/pam.d/common-password and add the entry for LDAP.

vi /etc/pam.d/common-password

# Look for the lines starting with "password" and add the line below to enable authentication via LDAP.

password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass

 
8. Restart the nscd service

service nscd restart

Ensure that the login shell of the LDAP user is /usr/local/bin/ezsh.

Now run the id/finger command and check whether you are able to get the AD user's details:

# finger jake
Login: jake           Name: jake t
Directory: /home/jake     Shell: /usr/local/bin/ezsh
Last login Wed Jun 13 05:02 (EDT) on pts/1 from 10.1.1.13
No mail.
No Plan.

# id jake
uid=10001(jake) gid=120001(domain users) groups=1547600513(domain users)

 

Run an ldapsearch to check the values returned by your AD server, as follows. This is useful for troubleshooting: ensure that it returns the uidNumber, gidNumber, unixHomeDirectory and loginShell attributes. (The bind account below is a placeholder; use -W instead of -w to be prompted for the bind password rather than leaving it in the shell history.)

# ldapsearch -x -LLL -E pr=200/noprompt -h 10.11.1.164 -D "<bind-user>@ad2016.admod.net" -w admod_2016 -b "cn=jake,cn=users,dc=ad2016,dc=admod,dc=net"

dn: CN=jake,CN=Users,DC=ad2016,DC=admod,DC=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: jake
givenName: jake
distinguishedName: CN=jake,CN=Users,DC=ad2016,DC=admod,DC=net
instanceType: 4
whenCreated: 20180703063304.0Z
whenChanged: 20180703063554.0Z
displayName: jake
uSNCreated: 45128
uSNChanged: 45136
name: jake
objectGUID:: ldpkFlnRs0O6irphlTq1AA==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 131750731848783837
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAmhs/bgMv2mlWATm4VQQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: jake
sAMAccountType: 805306368
userPrincipalName: jake@ad2016.admod.net
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ad2016,DC=admod,DC=net
dSCorePropagationData: 16010101000000.0Z
uidNumber: 10001
gidNumber: 12000
unixHomeDirectory: /home/jake
loginShell: /usr/local/bin/ezsh
# pagedresults: cookie=
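The following helper script is an added example, not part of Ezeelogin or this article, for verifying the setup described in steps 3 to 8 and the ldapsearch check above: it flags a world-readable /etc/ldap.conf that holds the bindpw, validates a getent passwd entry for an AD user (numeric uid/gid, home directory, ezsh shell), and confirms that an LDIF dump carries the four RFC 2307 attributes. It assumes Ubuntu (GNU stat), the /usr/local/bin/ezsh shell used throughout, and nscd handling lookups so the config file can be tightened to mode 600.

```shell
#!/bin/sh
# Added post-setup checks for the pam_ldap/nss_ldap + Active Directory setup
# described above; not part of Ezeelogin. Assumes Ubuntu (GNU coreutils stat)
# and the /usr/local/bin/ezsh login shell used throughout the article.
EZSH=/usr/local/bin/ezsh

# /etc/ldap.conf stores the AD bind password (bindpw) in clear text. With nscd
# answering lookups (step 8) it can be mode 600; warn when it is wider than that.
check_ldap_conf_perms() {
  grep -q '^[[:space:]]*bindpw' "$1" || return 0   # no secret in file: nothing to do
  mode=$(stat -c '%a' "$1")
  case "$mode" in
    400|600|640) return 0 ;;
    *) echo "WARN: $1 contains bindpw but is mode $mode (expected 600)" >&2; return 1 ;;
  esac
}

# Validate one line as returned by `getent passwd <aduser>`: seven colon-separated
# fields, numeric non-zero uid/gid, a home directory and the ezsh login shell.
check_passwd_entry() {
  nf=$(printf '%s\n' "$1" | awk -F: '{print NF}')
  [ "$nf" -eq 7 ] || { echo "WARN: expected 7 passwd fields, got $nf" >&2; return 1; }
  uid=$(printf '%s\n' "$1" | cut -d: -f3)
  gid=$(printf '%s\n' "$1" | cut -d: -f4)
  home=$(printf '%s\n' "$1" | cut -d: -f6)
  shell=$(printf '%s\n' "$1" | cut -d: -f7)
  for n in "$uid" "$gid"; do
    case "$n" in ''|*[!0-9]*) echo "WARN: non-numeric uid/gid '$n'" >&2; return 1 ;; esac
  done
  [ "$uid" -gt 0 ] && [ "$gid" -gt 0 ] || { echo "WARN: uid/gid must be > 0" >&2; return 1; }
  [ -n "$home" ] || { echo "WARN: empty home directory" >&2; return 1; }
  [ "$shell" = "$EZSH" ] || { echo "WARN: shell is '$shell', not $EZSH" >&2; return 1; }
  return 0
}

# Check that an ldapsearch LDIF dump (passed as one string) carries the four
# RFC 2307 attributes the nss_map_attribute lines above rely on.
check_ldif_posix_attrs() {
  missing=""
  for attr in uidNumber gidNumber unixHomeDirectory loginShell; do
    printf '%s\n' "$1" | grep -q "^$attr: ." || missing="$missing $attr"
  done
  [ -z "$missing" ] || { echo "WARN: AD entry lacks:$missing" >&2; return 1; }
  return 0
}
```

On the server, source the file and run, for example, `check_ldap_conf_perms /etc/ldap.conf`, `check_passwd_entry "$(getent passwd jake)"` and `check_ldif_posix_attrs "$(ldapsearch ...)"`; each prints a WARN line and returns non-zero when the check fails.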