
How to configure Ezeelogin to authenticate using OpenLDAP (PAM-LDAP) in Ubuntu?

Integration of OpenLDAP (PAM-LDAP) in Ubuntu

Make sure the PHP LDAP extension is installed on the server; the Ezeelogin web panel uses it to bind to the directory. Replace x.x in the command below with the PHP version in use, then restart Apache so the module is loaded.

root@jumpserver:~# apt-get install phpx.x-ldap

e.g.    root@jumpserver:~# apt-get install php8.2-ldap

root@jumpserver:~# systemctl restart apache2

1. Log in to the Ezeelogin web GUI, open Settings > LDAP and enter the LDAP connection details (server, base DN, bind account).

2. Under Settings > General > Authentication, change Web panel authentication to LDAP and tick External SSH Auth.

3. Select the LDAP users and import them into Ezeelogin.

The imported LDAP users are now listed under Users, and you can log in to the Ezeelogin GUI with an LDAP user.

After importing the users, log in as each user and set up the security code under Account > Password > New Security Code.

Next, configure PAM-LDAP authentication for SSH.

Log in to the Ezeelogin SSH (jump) server as root to configure PAM-LDAP.

1. Install the PAM-LDAP client packages (ldap-auth-client pulls in libpam-ldap and libnss-ldap):

root@jumpserver:~# apt-get install ldap-auth-client ldap-auth-config nscd

 
2. The package configuration (debconf) prompts for the LDAP server URI, the search base DN and the LDAP protocol version. Enter your server's values and select LDAP version 3; the answers are written to /etc/ldap.conf. To change them later, run dpkg-reconfigure ldap-auth-config.

3. Add the bind DN and bind password to /etc/ldap.conf:

root@jumpserver:~# nano /etc/ldap.conf

binddn cn=admin,dc=eztest,dc=net

bindpw chaSD@#234JH56hj^7

Note that /etc/ldap.conf is world-readable by default, so a bindpw stored there is visible to every local account on the jump server. Use a read-only bind account, and if the account has any more privilege than that, prefer the rootbinddn directive with the password kept in /etc/ldap.secret (owned by root, mode 0600), which pam_ldap and nss_ldap read only as root.

 
On Ubuntu 16.x, create /etc/openldap as a symlink to /etc/ldap:

root@jumpserver:~# ln -s /etc/ldap /etc/openldap

4. Append 'ldap' to the passwd, group and shadow lines in /etc/nsswitch.conf:

root@jumpserver:~# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat  ldap
group:          compat  ldap
shadow:         compat  ldap

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

 
5. Enable automatic creation of the home directory at first login by appending pam_mkhomedir to /etc/pam.d/common-session. Run this once only; every run appends another copy of the line.

root@jumpserver:~# echo "session optional pam_mkhomedir.so skel=/etc/skel umask=077" >> /etc/pam.d/common-session

  
6. Restart the nscd service so cached lookups pick up the new configuration:

root@jumpserver:~# service nscd restart

Ensure the loginShell attribute of each LDAP user is /usr/local/bin/ezsh, so that SSH logins land in the Ezeelogin shell rather than a regular shell on the jump server.
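The following script is an added example, not Ezeelogin's own tooling. It performs steps 4 and 5 idempotently (the page's echo >> appends a duplicate pam_mkhomedir line on every run), checks that /etc/ldap.conf is not leaking the bind password to every local user, and verifies through NSS that a given LDAP user resolves with the Ezeelogin shell. File paths default to the real system files; every function also accepts a path argument so it can be tried against copies first. The user name jake and the passwd line in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Ezeelogin's own tooling: idempotent helpers for the
# PAM/NSS steps above plus a post-install check for one LDAP user.
# Each function takes a file path (or a passwd line) so it can be run
# against copies; with no argument it uses the real system file.

# Step 4: append "ldap" to the passwd, group and shadow lines exactly once.
ensure_nss_ldap() {
    f="${1:-/etc/nsswitch.conf}"
    for db in passwd group shadow; do
        if grep -Eq "^${db}:.*[[:space:]]ldap([[:space:]]|\$)" "$f"; then
            continue                          # already present, nothing to do
        fi
        if grep -Eq "^${db}:" "$f"; then
            awk -v db="$db" '$0 ~ "^" db ":" { $0 = $0 " ldap" } { print }' "$f" > "$f.tmp" \
                && cat "$f.tmp" > "$f" && rm -f "$f.tmp"   # cat keeps owner and mode
        else
            printf '%s:\tcompat ldap\n' "$db" >> "$f"
        fi
    done
    return 0
}

# Verification counterpart: succeeds only if all three databases consult ldap.
nss_has_ldap() {
    f="${1:-/etc/nsswitch.conf}"
    for db in passwd group shadow; do
        grep -Eq "^${db}:.*[[:space:]]ldap([[:space:]]|\$)" "$f" || return 1
    done
    return 0
}

# Step 5 done safely: append pam_mkhomedir only if it is not already there.
ensure_pam_mkhomedir() {
    f="${1:-/etc/pam.d/common-session}"
    grep -q 'pam_mkhomedir\.so' "$f" 2>/dev/null && return 0
    printf 'session optional pam_mkhomedir.so skel=/etc/skel umask=077\n' >> "$f"
}

# Step 3 caveat: /etc/ldap.conf is world-readable by default, so a plaintext
# bindpw in it is readable by every local account. Returns 1 in that case
# (fix: chmod 600, or move the secret to rootbinddn + /etc/ldap.secret).
ldap_conf_secret_ok() {
    f="${1:-/etc/ldap.conf}"
    [ -f "$f" ] || return 0
    grep -Eq '^[[:space:]]*bindpw[[:space:]]' "$f" || return 0   # no password stored here
    perms=$(ls -ld "$f" | cut -c5-10)        # group and other permission bits, e.g. "r--r--"
    case "$perms" in
        *r*) echo "WARNING: $f contains bindpw but is readable by group/other ($perms)"
             return 1 ;;
    esac
    return 0
}

# The shell NSS hands back for the user must be Ezeelogin's shell, otherwise
# SSH logins get an ordinary shell on the jump host. Takes one passwd(5)
# line, i.e. the output of "getent passwd <user>".
passwd_line_shell_is_ezsh() {
    [ "$(printf '%s\n' "$1" | cut -d: -f7)" = "/usr/local/bin/ezsh" ]
}

# Live check for one user (assumed example user: jake): ./check.sh jake
main() {
    user="${1:?usage: $0 <ldap-user>}"
    rc=0
    nss_has_ldap || { echo "nsswitch.conf: passwd/group/shadow do not all list ldap"; rc=1; }
    grep -q 'pam_mkhomedir\.so' /etc/pam.d/common-session \
        || { echo "common-session: pam_mkhomedir is missing"; rc=1; }
    ldap_conf_secret_ok || rc=1
    line=$(getent passwd "$user") \
        || { echo "NSS cannot resolve $user: check /etc/ldap.conf, nsswitch.conf and nscd"; return 1; }
    passwd_line_shell_is_ezsh "$line" \
        || { echo "$user: loginShell is not /usr/local/bin/ezsh"; rc=1; }
    return $rc
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as root with the LDAP user name as the only argument after completing the steps; a non-zero exit with the printed reason tells you which step to revisit. The ensure_* functions can be sourced and pointed at a scratch copy of each file before touching the live ones.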

 
Now run finger and id to confirm that NSS resolves the LDAP user:

[root@jumpserver ~]# finger jake
Login: jake           Name: franc t
Directory: /home/jake     Shell: /usr/local/bin/ezsh
Last login Wed Jun 13 05:02 (EDT) on pts/1 from 10.1.1.13
No mail.
No Plan.

[root@jumpserver ~]# id jake
uid=1547601108(franc) gid=1547600513(domain users) groups=1547600513(domain users)

 

For troubleshooting, run an ldapsearch against the directory server and check the values it returns for the user; the example below queries an Active Directory domain whose user objects carry the Unix attributes (uidNumber, gidNumber, unixHomeDirectory, loginShell). Two caveats: passing the password with -w puts it in the process list and shell history, so prefer -W to be prompted, and current OpenLDAP clients deprecate -h in favour of -H ldap://host.

[root@75 home]# ldapsearch -x -LLL -E pr=200/noprompt -h 10.11.1.164 -D "[email protected]" -w admod_2016 -b "cn=jake,cn=users,dc=ad2016,dc=admod,dc=net"

 

dn: CN=jake,CN=Users,DC=ad2016,DC=admod,DC=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: jake
givenName: jake
distinguishedName: CN=jake,CN=Users,DC=ad2016,DC=admod,DC=net
instanceType: 4
whenCreated: 20180703063304.0Z
whenChanged: 20180703063554.0Z
displayName: jake
uSNCreated: 45128
uSNChanged: 45136
name: jake
objectGUID:: ldpkFlnRs0O6irphlTq1AA==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 131750731848783837
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAmhs/bgMv2mlWATm4VQQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: jake
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ad2016,DC=admod,DC=net
dSCorePropagationData: 16010101000000.0Z
uidNumber: 10001
gidNumber: 12000
unixHomeDirectory: /home/jake
loginShell: /usr/local/bin/ezsh

# pagedresults: cookie=

 