
 a1101 2012-05-17

Secure Linux / Windows AD Authentication

This method wasn't our first attempt to get our Linux farm authenticating against Windows AD. Our first attempt was to use the Microsoft Identity Management for UNIX component, a role service of Windows Server 2008 R2. We attempted to do just a one-way sync from AD to the Linux farm. This did work, but we later found out that it's very insecure. Perhaps I set it up wrong, but I followed the instructions given, or what I could find online, as best I could.

Their method is to have a Linux agent (the ssod binary) running on every Linux box. By default (changeable via /etc/sso.conf) that agent listens on port 6677. It seemed the only purpose of this agent was to encrypt and decrypt the passwords so they were not being sent over the wire in plain text. Why I even thought that was a good idea without just enforcing LDAP over SSL or TLS from the get-go, I have no idea. Anyhow, we chose to use that method. Things were fine right up to the point of noticing that our network engineering team had accidentally started blocking port 6677 to the AD hosts. Had they not done that, we might still be using that insecure method. With that port blocked, lo and behold, I started noticing plain text being sent over the wire. Turns out that if the ssod binary isn't running, or is being blocked on the network, the passwords start going over in plain text. That is a fail-open design: the protection silently disappears the moment the agent is unavailable, and it wouldn't take much effort to kill that ssod binary on any host and fire up a sniffer. Shit snowball in full effect.

At that point I needed to figure out how the hell to get either LDAPS (LDAP over SSL, port 636) or STARTTLS on the standard LDAP port 389 working in AD. That is of course the secure method, and, it being Microsoft, it isn't the default: a domain controller only offers LDAPS/STARTTLS once a suitable server certificate has been installed in its certificate store.

Long story short…here’s how.

First you need a CA: either install Active Directory Certificate Services in AD or use a third-party CA. We have a CA at work, so I used the OpenSSL request configuration below to generate the certificate request for the domain controller. You will of course need to replace the values with your own.

user@computer:~$ vi fqdn.example.com.cnf
#
# SSL request configuration file for fqdn.example.com
#

RANDFILE = /usr/local/certs/.rnd

####################################################################
[ req ]
default_bits = 2048
default_keyfile = keySS.pem
distinguished_name = req_distinguished_name
# no = the private key is written unencrypted; keep the file at mode 0600
encrypt_rsa_key = no
# md5 is no longer accepted for certificate signatures; use sha256
default_md = sha256
# extensions the domain controller needs (see v3_req below)
req_extensions = v3_req

# the *_value entries preset each field so openssl req does not prompt
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_value = US

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_value = Washington

localityName = Locality Name (eg, city)
localityName_value = Seattle

organizationName = Organization Name (eg, company)
organizationName_value = YourCompany

organizationalUnitName = Organization Unit
organizationalUnitName_value = UNIXSE

# must be the domain controller's FQDN (also placed in the SAN below)
commonName = Common Name (eg, YOUR name)
commonName_value = fqdn.example.com

# 'WebmasterName' and 'PhoneName' are not X.509 attribute names, so
# openssl req silently skips them; emailAddress is the recognized field
emailAddress = WebMaster email address
emailAddress_value = youremail@example.com

[ v3_req ]
# AD only offers LDAPS with a certificate that carries the Server
# Authentication EKU and the DC's FQDN in the subject or SAN
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:fqdn.example.com

Save this as a plain-text file named something like 'fqdn.example.com.cnf', use it with 'openssl req' to generate the key and certificate request, then have your CA sign the request. I'll write up more on this if someone requests it, but there are a billion how-tos on creating certificate requests and self-signed certs and on getting Windows set up with them. Two things to check before you submit the request: use sha256 rather than md5 as the signature digest, and make sure the domain controller's FQDN and the Server Authentication EKU end up in the signed certificate, otherwise the DC won't serve LDAPS with it.

Make sure you save yourself a copy of the CA certificate (the public cert, not the CA's private key), as you will need it on every Linux host you plan on authenticating from so that the host can verify the domain controllers' certificates.
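Putting the procedure together, here is an added shell example (not from the original post) that generates the key and CSR from a request config like the one above, signs it with a throwaway test CA that stands in for your AD CS or third-party CA, and then checks that the resulting certificate has what AD needs for LDAPS and verifies against the CA certificate you will copy to the Linux hosts. The hostname dc01.example.com, the scratch directory and the test CA are assumptions; it only needs the openssl command line. It uses prompt = no instead of the _value entries so it runs unattended.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a DC key + CSR from an
# OpenSSL request config, signs it with a throwaway test CA (assumption: stands
# in for AD CS / a third-party CA) and checks the result for what AD needs.
set -eu

WORK="${WORK:-$(mktemp -d)}"           # scratch dir (assumption)
DC_FQDN="${DC_FQDN:-dc01.example.com}" # domain controller FQDN (assumption)

# Request config: sha256 digest, prompt-free DN, and a v3_req section with the
# DC's FQDN in the SAN plus the Server Authentication EKU. v3_ca is used only
# for the throwaway test CA below.
write_cnf() {
  cat > "$WORK/$DC_FQDN.cnf" <<EOF
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = req_distinguished_name
req_extensions     = v3_req

[ req_distinguished_name ]
C  = US
ST = Washington
L  = Seattle
O  = YourCompany
OU = UNIXSE
CN = $DC_FQDN

[ v3_req ]
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$DC_FQDN

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Unencrypted key (like encrypt_rsa_key = no) plus the CSR to submit to the CA.
make_csr() {
  write_cnf
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/$DC_FQDN.cnf" \
    -keyout "$WORK/$DC_FQDN.key" -out "$WORK/$DC_FQDN.csr" >/dev/null 2>&1
  chmod 600 "$WORK/$DC_FQDN.key"
}

# Throwaway root CA. In production this is your AD CS or third-party CA and
# you only ever receive its public cert (ca.pem), never ca.key.
make_test_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -config "$WORK/$DC_FQDN.cnf" -extensions v3_ca \
    -subj "/O=YourCompany/CN=Test Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Sign the CSR with the test CA. $1 is the output cert; any further arguments
# go to openssl x509, so passing -extfile ... -extensions v3_req copies the
# requested extensions into the cert. Without them the CA drops SAN and EKU,
# which is exactly what some CAs do and what AD then refuses to use.
sign_csr() {
  out=$1; shift
  openssl x509 -req -in "$WORK/$DC_FQDN.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 30 -sha256 ${1+"$@"} \
    -out "$out" >/dev/null 2>&1
}

# What AD and the Linux hosts need from the DC cert. Returns a distinct code
# per failure: 1 weak digest, 2 FQDN missing from the SAN, 3 no serverAuth
# EKU, 4 chain does not verify against the CA cert shipped to the hosts.
check_cert() {
  cert=$1
  txt=$(openssl x509 -in "$cert" -noout -text)
  echo "$txt" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || return 1
  echo "$txt" | grep -q "DNS:$DC_FQDN" || return 2
  echo "$txt" | grep -q 'TLS Web Server Authentication' || return 3
  openssl verify -CAfile "$WORK/ca.pem" "$cert" >/dev/null 2>&1 || return 4
  return 0
}

# Full run: returns 0 when the properly signed cert passes every check.
run_all() {
  make_csr && make_test_ca \
    && sign_csr "$WORK/$DC_FQDN.crt" -extfile "$WORK/$DC_FQDN.cnf" -extensions v3_req \
    && check_cert "$WORK/$DC_FQDN.crt"
}
```

Run it with `run_all && echo "DC cert OK"`; against a real CA you would skip make_test_ca and sign_csr, submit `$WORK/$DC_FQDN.csr`, drop the signed cert and the CA's public cert into `$WORK`, and run only check_cert. The per-failure return codes make it easy to see which of the AD requirements a CA silently dropped.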

Continue to Page 2
