Home » Categories » Getting Started » Tweaks & Configuration

How do i configure Ezeelogin to authenticate using Windows_AD(Pam-Ldap) in centos?

Article ID: 186 | Rating: 5/5 from 1 votes | Last Updated: Mon, Jan 18, 2021 at 8:59 AM

 Integration of WINDOWS-AD (PAM-LDAP) in centos 7/6

Make sure that PHP-LDAP extension is installed on the server 

root@jumpserver:~# yum install php-ldap openldap openldap-clients; apachectl restart

 

  1.  Login to Web-GUI > open settings > Ldap 

      Add the details in LDAP setting page.Check the following video to fill and configure Pam-LDAP

 

        Add the details of LDAP configurations & Check the WINDOWS ACTIVE DIRECTORY 


2.  Under Settings > General Settings > Authentication > Change Webpanel authentication to ldap & Check PAM Authetication

3. Select the LDAP users and import to ezeelogin
ldap-user-import

 
    you can confirm the imported LDAP users were listed in Users 

 

  Now you can log in to ezeelogin with LDAP user in ezeelogin GUI

 

4. Make sure that UNIX ATTRIBUTES is enabled on WINDOWS(2003,2008,2012) SERVER 

you do not need to install unix attributes on windows 10 and windows 2016 server OS

 Login to windows server & open command prompt

 Enter the below command

Dism.exe/online/enable-feature /featurename:nis /all

  Reboot the server to complete installation

Win 2008 Unix Attributes

win-2012-ad

Window 2016 AD for a user. Note that the attributes such as uidNumber = 10001 , gidNumber = 12001 , unixHomeDirectory = /home/jake , loginShell=/usr/local/bin/ezsh are set.
 
windows 2016 AD
 
 
NOTE:  For the  Unix  Attributes  uidNumber, gidNumber, loginShell  to be visible, make sure to click on the Filter button and select  ONLY " Show Only Writable Attributes" as shown below.
windows AD Unix Attributes
 
Let's configure PAM_LDAP Authentication for SSH  
 
 
*Login to ezeelogin ssh server to configure pam-LDAP
 
 
1. Install pam-LDAP module by the following command

 #yum install nss-pam-ldapd nscd  

 
2. Enter the command to auto-configure  

#authconfig-tui  

   
 Select use LDAP & use LDAP authentication 
 
 
 
  Enter the details in LDAP setting. you can use the above video to fetch details  
 
  Add Binddn,bind password & Active Directory Mappings to /etc/nslcd.conf  
 

vi /etc/nslcd.conf

 

 

uri ldap://10.11.1.231

ldap_version 3

base cn=users,dc=admod,dc=net

binddn cn=Administrator,cn=Users,dc=admod,dc=net

bindpw admod_2012 

filter passwd (objectClass=User)
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory

ssl no
tls_cacertdir /etc/openldap/cacerts

 

If you are using LDAPS, then change SSL to YES

 
 Enable autocreate home directory on login by the following command  

authconfig --enablemkhomedir --update

 
Restart nslcd & nscd service

service nslcd restart && service nscd restart  

Ensure the login shell of ldap user is /usr/local/bin/ezsh  

     
Now run the id / finger /  command and see whether you are able get AD user details
 

[root@cen75 home]# finger jake

 

Login: jake           Name: jake

 

Directory: /home/jake               Shell: /usr/local/bin/ezsh

 

Last login Tue Jul  3 12:23 (IST) on pts/2 from 10.11.1.189

 

No mail.

 

No Plan.

 

 

[root@cen75 home]# id jake

uid=10001(jake) gid=12000 groups=12000

  

Run an ldapsearch to check the values returned from your AD server as follows. This is used for troubleshooting.

[root@cen75 home]# ldapsearch -x -LLL -E pr=200/noprompt -h 10.11.1.164 -D "administrator@ad2016.admod.net" -w admod_2016 -b "cn=jake,cn=users,dc=ad2016,dc=admod,dc=net"

 

dn: CN=jake,CN=Users,DC=ad2016,DC=admod,DC=net

 

objectClass: top

 

objectClass: person

 

objectClass: organizationalPerson

 

objectClass: user

 

cn: jake

 

givenName: jake

 

distinguishedName: CN=jake,CN=Users,DC=ad2016,DC=admod,DC=net

 

instanceType: 4

 

whenCreated: 20180703063304.0Z

 

whenChanged: 20180703063554.0Z

 

displayName: jake

 

uSNCreated: 45128

 

uSNChanged: 45136

 

name: jake

 

objectGUID:: ldpkFlnRs0O6irphlTq1AA==

 

userAccountControl: 512

 

badPwdCount: 0

 

codePage: 0

 

countryCode: 0

 

badPasswordTime: 0

 

lastLogoff: 0

 

lastLogon: 0

 

pwdLastSet: 131750731848783837

 

primaryGroupID: 513

 

objectSid:: AQUAAAAAAAUVAAAAmhs/bgMv2mlWATm4VQQAAA==

 

accountExpires: 9223372036854775807

 

logonCount: 0

 

sAMAccountName: jake

 

sAMAccountType: 805306368

 

userPrincipalName: jake@ad2016.admod.net

 

objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ad2016,DC=admod,DC=net

 

dSCorePropagationData: 16010101000000.0Z

 

uidNumber: 10001

 

gidNumber: 12000

 

unixHomeDirectory: /home/jake

 

loginShell: /usr/local/bin/ezsh

# pagedresults: cookie= 
Posted by: - Wed, Feb 7, 2018 at 2:20 AM. This article has been viewed 4786 times.
Filed Under: Tweaks & Configuration
5 (1)
Article Rating (1 Votes)
Rate this article
    Attached Files
    There are no attachments for this article.
    Related Articles RSS Feed
    Add a server using ssh key pair in ezeelogin
    Viewed 1722 times since Fri, Mar 22, 2019
    How to add ssh public key for passwordless authentication in ssh
    Viewed 3711 times since Fri, Sep 1, 2017
    add amazon ec2 in jump server or aws jumpbox
    Viewed 4375 times since Tue, May 8, 2018
    How can i reset the default global key ?
    Viewed 1310 times since Fri, Jun 8, 2018
    Will Ezeelogin work behind a firewall or NAT or behind a Proxy?
    Viewed 6627 times since Sat, Jul 8, 2017
    Setting session time out for the webinterface
    Viewed 3697 times since Wed, Jun 14, 2017
    What setting to be changed in jump server configuration file if mysql is listening on a different port?
    Viewed 2381 times since Wed, Jun 14, 2017
    Can we map existing user group in ldap to ezeelogin as ezeelogin user group ?
    Viewed 4785 times since Mon, Sep 25, 2017
    configure jump server to use SSL for MySQL server 5.7 version
    Viewed 27483 times since Thu, Apr 12, 2018
    How to configure Yubikey two factor authentication in ssh ?
    Viewed 7172 times since Thu, Jun 15, 2017