Posts tagged ‘Active Directory’

Connecting to Active Directory with Kerberos on FreeBSD

So, I am trying to get Active Directory integration with FreeBSD and I have been researching this for a while as I have stated.
http://rhyous.com/2010/01/13/researching-the-process-for-integrating-freebsd-with-active-directory

I don’t have it all integrated yet. I keep running into road blocks.

First, I want to be able to do integration with Kerberos alone.

One part that is really easy is connecting to Active Directory with Kerberos: getting the FreeBSD host to obtain a ticket from the domain controller.

Step 1 – Collect Active Directory information.

Active Directory Domain LD.LAB
AD Domain Controller vmdc.ld.lab
Domain Admin user name administrator
Domain Admin password pw

Step 2 – Create the /etc/krb5.conf

Here is mine. The file is case-sensitive in the places that matter: the realm name is conventionally the AD DNS domain in upper case (LD.LAB), while the DNS host and domain names (kdc, default_domain, and the keys under [domain_realm]) are lower case. Match the case exactly.

[libdefaults]
  # Largest clock difference (in seconds) tolerated between this host and the DC.
  # Kerberos refuses tickets beyond this, so keep the host synced with NTP.
  clockskew = 300
  # Realm name: the AD DNS domain in upper case.
  default_realm = LD.LAB

[realms]
  LD.LAB = {
    kdc = vmdc.ld.lab
    # DNS domain (lower case) used when building host principal names.
    default_domain = ld.lab
    kpasswd_server = vmdc.ld.lab
  }

[domain_realm]
  # DNS domain -> realm. Keys are DNS names (lower case, leading dot means
  # "any host under this domain"); values are realm names.
  .ld.lab = LD.LAB
  ld.lab = LD.LAB

Step 3 – Acquiring a ticket

  1. Use kinit with a domain user name and password to acquire a ticket (a Kerberos ticket-granting ticket, not a certificate). Any domain account will do; it does not have to be a domain admin. With default_realm set, the bare user name is taken as a principal in LD.LAB:
       # kinit administrator
     Enter the password when prompted.
  2. Use klist to list the Kerberos tickets you now hold.
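As an added example (not part of the original post, and not Heimdal or MIT code), here is a small Python checker for the points above: it parses a krb5.conf, flags the case and completeness problems that bite when you first run kinit, and maps a host name to a realm the way the [domain_realm] lookup works (exact host entry, then the longest matching DNS suffix, then default_realm). The configuration it checks is a constructed copy of a krb5.conf in the shape of the one above, deliberately carrying an upper-case [domain_realm] key so the check has something to flag; comparing [domain_realm] keys exactly against the lower-cased host name is this example's own assumption, used to make the case problem visible.

```python
import re

# Constructed sample: a krb5.conf in the shape of the one above, with an
# upper-case [domain_realm] key left in on purpose so the lint has something to flag.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  clockskew = 300
  default_realm = LD.LAB

[realms]
  LD.LAB = {
    kdc = vmdc.ld.lab
    default_domain = ld.lab
    kpasswd_server = vmdc.ld.lab
  }

[domain_realm]
  .LD.LAB = LD.LAB
"""


def parse_krb5_conf(text):
    """Parse the profile-style krb5.conf format into nested dicts.

    Sections are '[name]', settings are 'key = value', and 'key = {' opens a
    nested block closed by '}'. '#' starts a comment. Good enough for lint;
    not a replacement for the libraries' own parsers."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[([\w.-]+)\]$", line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return conf


def lint_krb5_conf(conf):
    """Return the problems a practitioner wants to know about before running kinit."""
    problems = []
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})

    default_realm = libdefaults.get("default_realm")
    if not default_realm:
        problems.append("libdefaults: default_realm is missing")
    else:
        if default_realm != default_realm.upper():
            problems.append(f"libdefaults: default_realm {default_realm!r} is not upper case")
        if default_realm not in realms:
            problems.append(f"realms: no [realms] entry for {default_realm}")

    skew = libdefaults.get("clockskew")
    if skew is not None and not skew.isdigit():
        problems.append(f"libdefaults: clockskew {skew!r} is not a number of seconds")

    for name, settings in realms.items():
        if not isinstance(settings, dict) or "kdc" not in settings:
            problems.append(f"realms: {name} does not name a kdc")

    for domain, target in conf.get("domain_realm", {}).items():
        if domain != domain.lower():
            problems.append(f"domain_realm: key {domain!r} should be a lower-case DNS name")
        if target not in realms:
            problems.append(f"domain_realm: {domain} maps to undefined realm {target!r}")
    return problems


def host_realm(conf, hostname):
    """Resolve a host to a realm: exact host entry first, then the longest
    matching '.domain' suffix, then default_realm. Keys are compared exactly
    against the lower-cased host name (this example's assumption), which is
    why an upper-case key never matches."""
    host = hostname.lower()
    labels = host.split(".")
    candidates = [host] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    mapping = conf.get("domain_realm", {})
    for candidate in candidates:
        if candidate in mapping:
            return mapping[candidate]
    return conf.get("libdefaults", {}).get("default_realm")


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for problem in lint_krb5_conf(conf):
        print("WARN:", problem)
    print("vmdc.ld.lab ->", host_realm(conf, "vmdc.ld.lab"))
```

Run it against your own /etc/krb5.conf before the first kinit; an empty problem list and the expected realm for your DC's host name are what you want to see. When the [domain_realm] key is wrong, host_realm still falls back to default_realm, which is why a single-realm setup can appear to work until a second realm or a host outside the default domain shows up.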

However, once I have this working, I don’t know how to change authentication using nsswitch.conf and /etc/pam.d/sshd or system to make it work.

I assumed I wouldn’t need to change nsswitch.conf and that for Step 4 I would just have to uncomment the pam_krb5.so lines in /etc/pam.d/sshd and /etc/pam.d/system, but unfortunately that isn’t enough. Authentication is not working.

I can’t seem to find much documentation on PAM and Kerberos in FreeBSD. I have tried adding “debug” to the lines in /etc/pam.d/sshd and /etc/pam.d/system, but if that adds more logging, I am not seeing it.

How to configure dotProject 2.1.2 to authenticate using Active Directory's LDAP?

So previously I released the following post:
How to install dotProject 2.1.2 on FreeBSD 7.2 with Apache 2.2, PHP5, and MySQL 5.1 Server?

Now I am following up, as promised, with how to integrate it with Active Directory over LDAP. You need to know your Active Directory LDAP details: the domain controller, the base DN your users sit under, and an account that can search the directory. If you don’t have them, get them from whoever runs the domain; or, if your domain follows the defaults, the examples below may be enough to get you there.

  1. Log in to dotProject.
  2. Click on System Admin | Default User Preferences.

    We will make changes to the following sections:

    • User Authentication Settings
    • LDAP Settings

    Both sections are shown in the screenshot; the instructions for configuring them follow it.

  3. Scroll to the section called User Authentication Settings.
  4. Change the User Authentication Method setting to LDAP.
  5. Configure the LDAP Settings section.
    1. For LDAP Host, enter the host name or IP address of your Active Directory domain controller.
    2. Do not change the LDAP Port or LDAP Version settings. Keep in mind that the defaults give you plain LDAP on port 389, so any password sent in an LDAP simple bind over that connection (the search user’s, and each user’s at login) crosses the network unencrypted; place the dotProject server accordingly.
    3. On a default Active Directory installation, set the LDAP Base DN to the following:
      CN=Users,DC=YourDomain,DC=tld

      For example, the lab I am demoing this with is LD.Lab so it would be this:

      CN=Users,DC=ld,DC=lab

      This base only covers accounts in the built-in Users container. If your users live in other OUs, use a base higher up the tree (for example the domain root, DC=ld,DC=lab) so the search finds them.
    4. For LDAP User Filter enter the following:
      (sAMAccountName=%USERNAME%)

      %USERNAME% is replaced with the name typed at the login prompt, so the filter matches on the account’s pre-Windows 2000 logon name (the sAMAccountName attribute).
    5. For the LDAP Search User, enter the distinguished name of a domain user:
      CN=John Doe,CN=Users,DC=ld,DC=lab

      SUGGESTION: Create a dedicated service account on the domain with a long, random password and no rights beyond those of an ordinary domain user; being able to read user objects is all the LDAP Search User needs.

    6. For the LDAP Search User Password, enter that account’s password.

      IMPORTANT! This stored password must be updated here whenever the account’s password changes in Active Directory (sorry for the “No duh” moment, but it had to be said).

  6. Scroll down and on the bottom right of the Default User Preferences page, click Save.

Go ahead and try to login as a Domain User.
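The filter from step 5.4 is a template that the login name is pasted into, which makes it the one place in this setup where user input reaches an LDAP query. The following added example (it is not dotProject’s code, and does not describe how dotProject itself fills the template) shows the same template filled naively and with the value escaped per RFC 4515, plus a small structural check on the result; the user names it feeds in are constructed inputs.

```python
"""Filling the dotProject-style filter (sAMAccountName=%USERNAME%) safely.

Added example, not dotProject's own code. The escaping follows RFC 4515 section 3.
"""

TEMPLATE = "(sAMAccountName=%USERNAME%)"

# RFC 4515 section 3: characters that are special inside a filter assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def naive_filter(username):
    """What a plain template substitution produces: the unsafe form."""
    return TEMPLATE.replace("%USERNAME%", username)


def safe_filter(username):
    """The same template, with the user-controlled value escaped first."""
    return TEMPLATE.replace("%USERNAME%", escape_filter_value(username))


def filter_is_single_term(flt):
    """Cheap sanity check on a filter built from this template: exactly one
    pair of parentheses and no wildcard. A filter that fails this has been
    turned into something else by the value that went into it."""
    return (flt.startswith("(") and flt.endswith(")")
            and flt.count("(") == 1 and flt.count(")") == 1
            and "*" not in flt)


if __name__ == "__main__":
    # Constructed inputs: a normal logon name, a bare wildcard that would match
    # every account, and a value that tries to close the term and open another.
    for name in ("jdoe", "*", "a)(b=c"):
        print(f"{name!r:12} naive: {naive_filter(name):32} ok={filter_is_single_term(naive_filter(name))}")
        print(f"{'':12} safe:  {safe_filter(name):32} ok={filter_is_single_term(safe_filter(name))}")
```

The naive form turns a login name of `*` into `(sAMAccountName=*)`, which matches every account under the base DN; the escaped form matches only an account literally named `*`. Whatever tool sits between the login form and the directory, this escaping (or a library that performs it) is what you want in front of any filter template of this kind.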

Note On Changing Permissions
Domain Users may appear to get the Administrator role, but this is not really the case. They only get the Anonymous role when they first log in. See my forum post here:
How to make an LDAP user an administrator?

Also, it appears that if you want all users who log in to get more permissions, then you have to edit the Anonymous role or modify every user individually. (Yeah, so the project needs some features in this area…maybe you want to become a contributor and develop it yourself?)


Copyright © Rhyous.com – Linking to this article is allowed without permission and as many as ten lines of this article can be used along with this link. Any other use of this article is allowed only by permission of Rhyous.com.

How to configure Bugzilla to Authenticate to Active Directory?

So I already have an article on installing Bugzilla. See it here:
How to install Bugzilla on a FreeBSD 7.2 with Apache + SSL and MySQL?

So I am not going to cover installing Bugzilla, just how to get it to authenticate against Active Directory. Mostly the documentation was there, but there was not really a good example of an actual implementation. If the documentation doesn’t provide an example (preferably multiple real-world examples), then it is poor documentation. Yes, Bugzilla, you are free to take my documentation and put it in your manual, or link to this page.

  1. Gather the information from your production environment, especially the LDAP details for your Active Directory configuration:
    • Bugzilla server name:
      http://myserver/bugzilla

    • The LDAP servers (Active Directory domain controllers):
      dc1.corp.mydomain.tld, dc2.corp.mydomain.tld

    • The LDAP Bind DN of a user that can read Active Directory, in the DN:password form Bugzilla’s LDAPbinddn parameter expects. (This can be any Active Directory user, as long as it can read Active Directory’s user objects, which pretty much any user, no matter how locked down, can do. Prefer a dedicated low-privilege service account over a personal account, though: the password is stored in Bugzilla’s parameters.) So my username on the domain is JBarneck, but that is not what to use here. The LDAP Bind DN of my account looks like this (with company secret information changed). This is exactly what I pasted into my configuration, backslash and all. The backslash is required: a bare comma separates the components of a DN, so the comma inside the CN value has to be escaped.
      CN=Barneck\, Jared,OU=MyDepartment,OU=MyCity,DC=corp,DC=MyDomain,DC=tld:MyPasswd!

    • The LDAP Base DN, which is the LDAP information for the OU that your users are in.
      My LDAP Base DN for the OU I am in is this (again with company secret information changed).

      OU=MyDepartment,OU=MyCity,DC=corp,DC=MyDomain,DC=tld
    • The LDAPuidattribute, which for Active Directory is sAMAccountName (I don’t know if you can change it in Active Directory).
      sAMAccountName

    Note: I’ll be honest. I didn’t have access to a domain controller or Active Directory, so I used a tool called LDAPWhoAmI.exe (with an accompanying ldapinfo.dll) that is included in LANDesk’s Management Suite software. I can’t give you these files. But if you wanted to do a trial of LANDesk Management Suite, you could download a Management Suite trial (which is a gig or so), extract it, and get these files. You don’t have to install it; just extract it and search for the two files. Copy them to a Windows workstation on your domain, then open a command prompt, change to the directory where LDAPWhoAmI.exe and ldapinfo.dll were copied, and run LDAPWhoAmI.exe.

  2. Log into Bugzilla as an administrator. There is no default administrative user for Bugzilla; you should have created one as part of the install.
  3. Enable the LDAP module.
    1. Click on Administration from the top menu bar.
    2. Click on Parameters.
    3. Click on User Authentication on the left menu bar.
    4. Scroll down to the user_verify_class setting.
    5. Highlight LDAP and click the up arrow so that it is first in the list. I left DB enabled. I left Radius disabled. With DB still in the list, Bugzilla falls back to its own user table when the LDAP check fails, so local Bugzilla accounts (including the administrator created at install time) keep working; that is convenient, but it is also a second set of credentials to keep track of.
    6. At the bottom of the web page (yes you have to scroll all the way to the bottom) click the Save Changes button.
  4. Configure LDAP to connect to Active Directory.
    1. Click on LDAP on the left menu bar.
    2. Under LDAPserver put your Active Directory servers:
      dc1.corp.mydomain.tld, dc2.corp.mydomain.tld

    3. Under LDAPbinddn put your bind user’s DN and password, separated by a colon:
      CN=Barneck\, Jared,OU=MyDepartment,OU=MyCity,DC=corp,DC=MyDomain,DC=tld:MyPasswd!

    4. Under LDAPBaseDN put the DN of the OU that holds your users (the Base DN gathered in step 1, not the bind DN):
      OU=MyDepartment,OU=MyCity,DC=corp,DC=MyDomain,DC=tld

    5. Under LDAPuidattribute put sAMAccountName.
      sAMAccountName

    6. At the bottom of the web page click the Save Changes button.
  5. Test authentication.
    1. Either log out, or use a different browser or a different machine, and connect to your Bugzilla URL:
      http://myserver/bugzilla

    2. Log in using an Active Directory account. I was unsure if I was supposed to use an email address or my username, and it worked using my domain user name, JBarneck, and my domain password.

    I hope this helps all of you get Bugzilla to authenticate using Active Directory much faster than if you had to scour the web for problems.
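The two DNs above are easy to get wrong by hand once a value contains a comma, as Barneck\, Jared does. The following added example (not Bugzilla’s code; the names are the post’s placeholders) builds the LDAPbinddn and LDAPBaseDN values from raw components with RFC 4514 escaping applied, and composes the dn:password string that the LDAPbinddn parameter expects. Refusing a bind password that contains a colon is this example’s own conservative choice, since the colon is the separator in that field.

```python
"""Composing Bugzilla's LDAPbinddn and LDAPBaseDN values with RFC 4514 escaping.

Added example, not Bugzilla's own code. Values are the post's placeholders.
"""

# RFC 4514 section 2.4: characters that must be escaped anywhere in an attribute value.
_DN_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value):
    """Escape one attribute value for use in a DN (RFC 4514 section 2.4):
    the special characters above, a leading '#', a leading or trailing space,
    and NUL (which is written as \\00)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append(r"\00")
        elif ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(*rdns):
    """Join (attribute, raw value) pairs, most specific first, into a DN string."""
    return ",".join(f"{attr}={escape_rdn_value(val)}" for attr, val in rdns)


def domain_components(dns_domain):
    """corp.MyDomain.tld -> [('DC', 'corp'), ('DC', 'MyDomain'), ('DC', 'tld')]"""
    return [("DC", label) for label in dns_domain.split(".")]


def bugzilla_binddn(dn, password):
    """LDAPbinddn takes 'dn:password'. Assumption made here: because the colon
    is the separator, a password containing one is refused rather than risk it
    being split in the wrong place."""
    if ":" in password:
        raise ValueError("choose a bind password without ':' for this field")
    return f"{dn}:{password}"


if __name__ == "__main__":
    domain = domain_components("corp.MyDomain.tld")
    bind_dn = build_dn(("CN", "Barneck, Jared"), ("OU", "MyDepartment"), ("OU", "MyCity"), *domain)
    base_dn = build_dn(("OU", "MyDepartment"), ("OU", "MyCity"), *domain)
    print("LDAPbinddn:", bugzilla_binddn(bind_dn, "MyPasswd!"))
    print("LDAPBaseDN:", base_dn)
```

Feed it the CN exactly as Active Directory displays it (comma, spaces and all) and paste the output into the two parameter fields; the same routine produces the dotProject Search User DN if you are setting that up as well.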

