
How do I configure Ezeelogin to authenticate using Windows_AD(Pam-LDAP) in CentOS?

Integration of WINDOWS-AD (PAM-LDAP) in CentOS 7/6


Overview: This article covers integrating Windows Active Directory with Ezeelogin on CentOS 7/6 through PAM-LDAP: installing the PHP LDAP extension, configuring LDAP in the web GUI and importing users, making the Unix attributes (uidNumber, gidNumber, unixHomeDirectory, loginShell) available in AD, and setting up nslcd (NSS and PAM LDAP) on the gateway so that imported users can log in over SSH, with checks to verify each stage.

Note: Make sure the PHP LDAP extension (php-ldap) is installed on the Ezeelogin server. The openldap-clients package provides the ldapsearch command used for troubleshooting further down.

root@gateway:~# yum install php-ldap openldap openldap-clients; apachectl restart

Step 1: Log in to the Ezeelogin web GUI and open Settings -> LDAP.

Step 2: Enter the LDAP server details and enable the Windows Active Directory option.

Step 3: Under Settings -> General Settings -> Authentication, change Web Panel Authentication to LDAP and enable External SSH Auth.

Step 4: Select the LDAP users and import them into Ezeelogin.

Step 5: Confirm that the imported LDAP users are listed in the Users tab. After a successful import you can log in to the web GUI as the LDAP user.

Note: An imported LDAP user is placed in the default user group or in the mapped user group. If you later move the user to a different user group, Ezeelogin shows a "Group Mismatch" note; this is informational, not an error.

Note: After importing the users into Ezeelogin, log in as each user and set a security code under Account > Password > New Security Code.

Step 6: Make sure the Unix attributes (uidNumber, gidNumber, unixHomeDirectory, loginShell) can be set on the Windows Server (2003, 2008, 2012) domain controller.

Note: On Windows Server 2012, 2012 R2 and 2016 (and when managing from Windows 10) nothing needs to be installed: the Unix attributes are already part of the AD schema and can be set through the Attribute Editor tab in Active Directory Users and Computers, as shown for Windows Server 2016 below. Step 7 only applies if you want the UNIX Attributes tab (Identity Management for UNIX), which is no longer available from Windows Server 2016 on.

Step 7: To add the UNIX Attributes tab on Windows Server 2012 / 2012 R2, log in to the Windows server, open an elevated Command Prompt and enable the Identity Management for UNIX components (adminui is the Administration Tools feature that provides the tab, nis the Server for NIS component):

Dism.exe /online /enable-feature /featurename:adminui /all
Dism.exe /online /enable-feature /featurename:nis /all

Reboot the server to complete the installation.

Screenshot: UNIX Attributes tab on Windows Server 2008.

Screenshot: Windows Server 2012 AD.

Windows Server 2016 AD, Attribute Editor for a user. Note that the attributes uidNumber = 10001, gidNumber = 12000, unixHomeDirectory = /home/jake and loginShell = /usr/local/bin/ezsh are set.

Screenshot: Windows Server 2016 AD.

Note: For the Unix attributes uidNumber, gidNumber, unixHomeDirectory and loginShell to be visible in the Attribute Editor, click the Filter button and select only "Show only writable attributes", as shown below.

Screenshot: Windows AD Unix attributes in the Attribute Editor.

Let's configure PAM-LDAP authentication for SSH

Log in to the Ezeelogin SSH gateway server to configure PAM-LDAP.

Step 1: Install the nss-pam-ldapd package (nslcd, which provides the NSS and PAM LDAP modules) and nscd:

root@gateway:~# yum install nss-pam-ldapd nscd

Step 2: Run authconfig-tui to generate the base configuration:

root@gateway:~# authconfig-tui

Step 3: Select Use LDAP and Use LDAP Authentication.

Step 4: Add the bind DN, bind password and the Active Directory attribute mappings to /etc/nslcd.conf:

root@gateway:~# vi /etc/nslcd.conf

uri ldap://10.11.1.231
ldap_version 3
base cn=users,dc=admod,dc=net
binddn cn=Administrator,cn=Users,dc=admod,dc=net
bindpw admod_2012
filter passwd (objectClass=User)
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd loginShell "/usr/local/bin/ezsh"
map passwd gidNumber "100"
ssl no
tls_cacertdir /etc/openldap/cacerts

The map lines translate AD attribute names into the passwd fields nslcd expects: sAMAccountName becomes the Unix user name and unixHomeDirectory the home directory. A quoted value such as "/usr/local/bin/ezsh" or "100" is a constant that nslcd applies to every user instead of reading the attribute from AD. Keep the loginShell line so that every AD user gets the Ezeelogin shell; drop the gidNumber line if you want the gidNumber stored in AD (the id output in Step 7 below shows gid 12000, the value stored in AD, which is what you get without that override).

/etc/nslcd.conf holds the bind password in clear text, so keep it owned by root with mode 600 (the package installs it that way). nslcd only needs to read user attributes, so prefer a dedicated read-only bind account over the domain Administrator.

Note: If you are using LDAPS, change ssl to on and use an ldaps:// URI (port 636); for StartTLS on port 389 use ssl start_tls. In both cases add tls_reqcert demand and point tls_cacertfile (or tls_cacertdir) at the certificate of the CA that issued the domain controller's certificate; otherwise the session is encrypted but the server is not verified.
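The configuration above stores the bind password in clear text and, with ssl no, also sends it to the domain controller in clear text. The following script is an added example and not part of the Ezeelogin article or of nslcd: it audits an nslcd.conf for those points (file mode, plain-text simple bind, the built-in Administrator as bind account, certificate verification) and runs the audit against the configuration shown above and against a hardened variant. The hardened variant assumes a hypothetical read-only bind account cn=ezeelogin-bind, a hypothetical domain controller name dc1.admod.net and a CA certificate at /etc/openldap/cacerts/admod-ca.pem; none of these appear on the original page.

```shell
# Added example, not part of the Ezeelogin article or of nslcd: audit an
# nslcd.conf for the settings that matter once a bind password lives in it.
# The weak sample holds the relevant lines of the configuration shown above;
# the hardened sample assumes a hypothetical read-only bind account
# cn=ezeelogin-bind, a hypothetical DC name dc1.admod.net and a CA file
# /etc/openldap/cacerts/admod-ca.pem.

# conf_value FILE KEY: value of the first "KEY value" line (comments ignored).
conf_value() {
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# audit_nslcd_conf FILE: prints one FINDING line per problem; returns 0 only if clean.
audit_nslcd_conf() {
    local f="$1" n=0 tls=no mode uri ssl binddn bindpw reqcert cacert
    mode=$(stat -c '%a' "$f")
    uri=$(lower "$(conf_value "$f" uri)")
    ssl=$(lower "$(conf_value "$f" ssl)")
    binddn=$(lower "$(conf_value "$f" binddn)")
    bindpw=$(conf_value "$f" bindpw)
    reqcert=$(lower "$(conf_value "$f" tls_reqcert)")
    cacert="$(conf_value "$f" tls_cacertfile)$(conf_value "$f" tls_cacertdir)"
    case "$ssl" in on|yes|true|1|start_tls) tls=yes ;; esac
    case "$uri" in ldaps://*) tls=yes ;; esac

    # The bind password is stored in clear text: nobody but root may read the file.
    if [ -n "$bindpw" ] && [ "${mode#?}" != "00" ]; then
        echo "FINDING: bindpw present but mode is $mode; chmod 600 and chown root:root $f"
        n=$((n + 1))
    fi
    # Simple bind sends that password in clear text unless TLS protects the session.
    if [ -n "$bindpw" ] && [ "$tls" = no ]; then
        echo "FINDING: simple bind over plain ldap:// (ssl=${ssl:-unset}); use ldaps:// or ssl start_tls"
        n=$((n + 1))
    fi
    # nslcd only reads user attributes; the domain Administrator is far more than it needs.
    case "$binddn" in
        cn=administrator,*|administrator@*)
            echo "FINDING: binddn is the built-in Administrator; use a dedicated read-only bind account"
            n=$((n + 1)) ;;
    esac
    # TLS without certificate verification still accepts an impersonating DC.
    if [ "$tls" = yes ]; then
        case "$reqcert" in
            demand|hard) ;;
            *) echo "FINDING: tls_reqcert is '${reqcert:-unset}'; set tls_reqcert demand"
               n=$((n + 1)) ;;
        esac
        if [ -z "$cacert" ]; then
            echo "FINDING: no tls_cacertfile/tls_cacertdir, so the DC certificate chain cannot be verified"
            n=$((n + 1))
        fi
    fi
    [ "$n" -eq 0 ]
}
# write_weak_sample FILE: the bind, mapping and TLS lines from the article's nslcd.conf.
write_weak_sample() {
    cat > "$1" <<'EOF'
uri ldap://10.11.1.231
binddn cn=Administrator,cn=Users,dc=admod,dc=net
bindpw admod_2012
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd loginShell "/usr/local/bin/ezsh"
map passwd gidNumber "100"
ssl no
tls_cacertdir /etc/openldap/cacerts
EOF
}
# write_hardened_sample FILE: LDAPS with verification, least-privilege bind, no gidNumber override.
write_hardened_sample() {
    cat > "$1" <<'EOF'
uri ldaps://dc1.admod.net
binddn cn=ezeelogin-bind,cn=Users,dc=admod,dc=net
bindpw REPLACE_WITH_BIND_ACCOUNT_PASSWORD
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd loginShell "/usr/local/bin/ezsh"
ssl on
tls_reqcert demand
tls_cacertfile /etc/openldap/cacerts/admod-ca.pem
EOF
}
# Run the audit against both samples in a scratch directory.
demo() {
    local d; d=$(mktemp -d)
    write_weak_sample "$d/weak.conf";     chmod 644 "$d/weak.conf"
    write_hardened_sample "$d/hard.conf"; chmod 600 "$d/hard.conf"
    audit_nslcd_conf "$d/weak.conf" || echo "weak.conf: fix the findings above"
    audit_nslcd_conf "$d/hard.conf" && echo "hard.conf: clean"
    rm -rf "$d"
}
demo
```

Use the domain controller's DNS name rather than its IP address in the ldaps:// URI: with tls_reqcert demand the name in the URI must match the certificate, and domain controller certificates are issued for the host name. The bind account needs nothing beyond the default read access to user attributes in the domain.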

Step 5: Enable automatic creation of the home directory at first login (pam_mkhomedir):

root@gateway:~# authconfig --enablemkhomedir --update

Step 6: Restart the nslcd and nscd services (on CentOS 7, systemctl restart nslcd nscd does the same):

root@gateway:~# service nslcd restart && service nscd restart

Note: Ensure the login shell returned for the LDAP user is /usr/local/bin/ezsh, the Ezeelogin shell. With the map passwd loginShell line above it is forced for every user; without that line the loginShell attribute must be set in AD.

Step 7: Run id or finger (or getent passwd) and check that the AD user's details come back through NSS:

root@gateway:~# finger jake
Login: jake                     Name: jake
Directory: /home/jake           Shell: /usr/local/bin/ezsh
Last login Tue Jul 3 12:23 (IST) on pts/2 from 10.11.1.189
No mail.
No Plan.

root@gateway:~# id jake
uid=10001(jake) gid=12000 groups=12000

gid 12000 is printed without a name because the configuration above only maps the passwd map, so no group with that gidNumber resolves through NSS.

Note: Run an ldapsearch to check the values your AD server returns for the user; this is the first thing to look at when id or finger return nothing. The -w option puts the bind password on the command line, where it shows up in the process list and the shell history; use -W to be prompted for it instead.

root@gateway:~# ldapsearch -x -LLL -E pr=200/noprompt -h 10.11.1.164 -D "[email protected]" -w admod_2016 -b "cn=jake,cn=users,dc=ad2016,dc=admod,dc=net"
dn: CN=jake,CN=Users,DC=ad2016,DC=admod,DC=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: jake
givenName: jake
distinguishedName: CN=jake,CN=Users,DC=ad2016,DC=admod,DC=net
instanceType: 4
whenCreated: 20180703063304.0Z
whenChanged: 20180703063554.0Z
displayName: jake
uSNCreated: 45128
uSNChanged: 45136
name: jake
objectGUID:: ldpkFlnRs0O6irphlTq1AA==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 131750731848783837
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAmhs/bgMv2mlWATm4VQQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: jake
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ad2016,DC=admod,DC=net
dSCorePropagationData: 16010101000000.0Z
uidNumber: 10001
gidNumber: 12000
unixHomeDirectory: /home/jake
loginShell: /usr/local/bin/ezsh
# pagedresults: cookie=

The four attributes at the end (uidNumber, gidNumber, unixHomeDirectory, loginShell) are the ones the nslcd mappings in Step 4 rely on; if any of them is absent, set it in AD as described in the Windows AD section above.
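When the ldapsearch above shows the four Unix attributes but id or finger still returns something different, the difference is usually one of the map passwd lines in /etc/nslcd.conf. The script below is an added example, not part of the Ezeelogin article: it parses an ldapsearch LDIF (including folded continuation lines), extracts uidNumber, gidNumber, unixHomeDirectory and loginShell, and compares them field by field with a passwd line as getent passwd prints it, so it serves both the Step 7 check and the ldapsearch troubleshooting note. The LDIF is constructed from the values on this page; the passwd line is constructed to show what the map passwd gidNumber "100" override from Step 4 produces (gid 100 instead of the 12000 stored in AD).

```shell
# Added example, not part of the Ezeelogin article: compare the RFC 2307
# attributes Active Directory returns for a user (ldapsearch LDIF, as in the
# troubleshooting note above) with what NSS returns through nslcd, i.e. the
# line "getent passwd USER" prints.  A MISMATCH points at a "map passwd"
# override in /etc/nslcd.conf, a MISSING at an attribute not set in AD.
# The LDIF below is constructed from the values on this page; the passwd
# line is constructed to show the effect of the map passwd gidNumber "100".

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# ldif_unfold FILE: join LDIF continuation lines (leading space) back onto their line.
ldif_unfold() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (have) print buf; buf = $0; have = 1 }
         END { if (have) print buf }' "$1"
}

# ldif_attr FILE NAME: first plain (non-base64) value of attribute NAME, or empty.
ldif_attr() {
    ldif_unfold "$1" | awk -F': ' -v name="$(lower "$2")" '
        tolower($1) == name { print substr($0, length($1) + 3); exit }'
}

# passwd_field LINE N: field N of a passwd(5) line (3 uid, 4 gid, 6 home, 7 shell).
passwd_field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# compare_ad_nss LDIF PASSWD_LINE: one OK / MISMATCH / MISSING line per attribute.
compare_ad_nss() {
    local ldif="$1" line="$2" pair attr field ad nss
    for pair in uidNumber:3 gidNumber:4 unixHomeDirectory:6 loginShell:7; do
        attr=${pair%%:*}; field=${pair##*:}
        ad=$(ldif_attr "$ldif" "$attr")
        nss=$(passwd_field "$line" "$field")
        if [ -z "$ad" ]; then
            echo "MISSING  $attr is not set in AD"
        elif [ "$ad" != "$nss" ]; then
            echo "MISMATCH $attr AD=$ad NSS=$nss (check the map passwd lines in /etc/nslcd.conf)"
        else
            echo "OK       $attr=$ad"
        fi
    done
}

# ad_nss_mismatches LDIF PASSWD_LINE: number of MISMATCH/MISSING lines (0 = consistent).
ad_nss_mismatches() {
    compare_ad_nss "$1" "$2" | grep -c -E '^(MISMATCH|MISSING)' || true
}

# Constructed sample: the entry from the ldapsearch output above, with one value
# folded onto a continuation line the way ldapsearch wraps long lines.
write_sample_ldif() {
    cat > "$1" <<'EOF'
dn: CN=jake,CN=Users,DC=ad2016,DC=admod,DC=net
objectClass: user
sAMAccountName: jake
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ad2016,DC=admod,
 DC=net
objectGUID:: ldpkFlnRs0O6irphlTq1AA==
uidNumber: 10001
gidNumber: 12000
unixHomeDirectory: /home/jake
loginShell: /usr/local/bin/ezsh
EOF
}

# Constructed: what "getent passwd jake" prints while the article's
# map passwd gidNumber "100" line is active (gid 100 instead of AD's 12000).
SAMPLE_PASSWD_LINE='jake:*:10001:100:jake:/home/jake:/usr/local/bin/ezsh'

demo() {
    local d; d=$(mktemp -d)
    write_sample_ldif "$d/jake.ldif"
    compare_ad_nss "$d/jake.ldif" "$SAMPLE_PASSWD_LINE"
    # On the gateway, use the live values instead:
    #   ldapsearch -x -LLL -h 10.11.1.164 -D "<bind account>" -W \
    #       -b "cn=jake,cn=users,dc=ad2016,dc=admod,dc=net" > jake.ldif
    #   compare_ad_nss jake.ldif "$(getent passwd jake)"
    rm -rf "$d"
}
demo
```

On the gateway, replace the constructed inputs with the real ones: save the ldapsearch output to a file and pass "$(getent passwd jake)" as the second argument. getent goes through nscd and nslcd exactly as sshd does, which is why it is a better check than querying AD alone; remember that nscd caches answers, so restart it after changing nslcd.conf before comparing.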


Related Articles:

Configure Ezeelogin to authenticate using Windows_AD(Pam-Ldap) in Ubuntu.

How do I configure Ezeelogin to authenticate using OpenLdap(Pam-Ldap) in CentOS?