Oracle Enterprise Linux 5 LDAP authentication against Windows 2008 Active Directory


When I was asked to set up an authentication mechanism for our Oracle Enterprise Linux 5.5 servers so they authenticate against a Windows 2008 Active Directory, I could not find a complete how-to for it. Here are the steps I took to make this work.

Prepare your Windows Active Directory
The Windows 2008 R2 Active Directory needs to contain the Identity Management for Unix role.

Now set up a user with, for example, these settings:

Also link the group “yenlo_sudo_beheer” to a group ID (GID).

Setup Oracle Enterprise Linux 5.5

Install missing packages


[root@ysgw03 ~]# yum install nss_ldap krb5-libs openldap-clients openldap ntp
Loaded plugins: security
Setting up Install Process
Package nss_ldap-253-25.el5.x86_64 already installed and latest version
Package nss_ldap-253-25.el5.i386 already installed and latest version
Package krb5-libs-1.6.1-36.el5_4.1.x86_64 already installed and latest version
Package krb5-libs-1.6.1-36.el5_4.1.i386 already installed and latest version
Package openldap-clients-2.3.43-12.el5.x86_64 already installed and latest version
Package openldap-2.3.43-12.el5.x86_64 already installed and latest version
Package openldap-2.3.43-12.el5.i386 already installed and latest version
Package ntp-4.2.2p1-9.el5_4.1.x86_64 already installed and latest version
Nothing to do
[root@ysgw03 ~]#

/etc/ldap.conf


host ad01.hosting.yenlo.nl
base dc=hosting,dc=yenlo,dc=nl
binddn ldapbind@hosting.yenlo.nl
bindpw password
scope sub
ssl no
timelimit 10
bind_timelimit 10
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
nss_base_passwd dc=hosting,dc=yenlo,dc=nl?sub
nss_base_shadow dc=hosting,dc=yenlo,dc=nl?sub
nss_base_group dc=hosting,dc=yenlo,dc=nl?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member

/etc/openldap/ldap.conf


uri ldap://ad01.hosting.yenlo.nl/
base dc=hosting,dc=yenlo,dc=nl

/etc/pam.d/system-auth


#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

account required pam_access.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
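
To see how the control flags in the auth section above combine, here is an added Python dry-run (example code, not from the original post) that walks the stack with constructed module outcomes. It shows that an AD user only reaches pam_ldap after pam_unix fails and the uid >= 500 check passes, and that a directory account with a low uid is refused by the requisite line before its password is ever offered to LDAP.

```python
# Added example, not from the original post: module outcomes are constructed,
# no real PAM call is made. Control-flag rules follow pam.conf(5).
AUTH_STACK = """\
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
"""
# User-independent modules: pam_env always succeeds, pam_deny always fails.
FIXED = {"pam_env.so": "success", "pam_deny.so": "fail"}

def parse_stack(text):
    """Return [(control, module), ...]; the simple-keyword control syntax only."""
    return [tuple(line.split()[1:3]) for line in text.splitlines() if line.strip()]

def run_stack(rules, outcomes):
    """Evaluate the stack with outcomes (module -> 'success' | 'fail').
    Returns (verdict, consulted): the decision and the modules that ran."""
    required_failed = False
    consulted = []
    for control, module in rules:
        result = FIXED.get(module) or outcomes[module]
        consulted.append(module)
        if control == "required" and result != "success":
            required_failed = True       # remember the failure, keep going
        elif control == "requisite" and result != "success":
            return "denied", consulted   # stop at once
        elif control == "sufficient" and result == "success" and not required_failed:
            return "granted", consulted  # stop at once; later modules never run
    return ("denied" if required_failed else "granted"), consulted

# Constructed scenarios. pam_unix fails for AD users (no local /etc/shadow
# entry); pam_succeed_if tests the uid that NSS returned from the directory.
SCENARIOS = {
    "local root, good password": {"pam_unix.so": "success"},
    "AD user uid 10000, good password":
        {"pam_unix.so": "fail", "pam_succeed_if.so": "success", "pam_ldap.so": "success"},
    "AD user uid 10000, bad password":
        {"pam_unix.so": "fail", "pam_succeed_if.so": "success", "pam_ldap.so": "fail"},
    "directory account uid 450": {"pam_unix.so": "fail", "pam_succeed_if.so": "fail"},
}

def evaluate_all():
    rules = parse_stack(AUTH_STACK)
    return {name: run_stack(rules, o) for name, o in SCENARIOS.items()}

if __name__ == "__main__":
    for name, (verdict, consulted) in evaluate_all().items():
        print(f"{name:36s} -> {verdict:8s} via {', '.join(consulted)}")
```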

Now login and test


Division:~ jhelvoort$ ssh -l jhelvoort 10.1.2.22
jhelvoort@10.1.2.22's password:
Last login: Wed Mar 2 19:30:17 2011 from 10.1.5.132
[jhelvoort@ysgw03 ~]$ id
uid=10000(jhelvoort) gid=10001(yenlo_sudo_beheer) groups=10001(yenlo_sudo_beheer)
[jhelvoort@ysgw03 ~]$

Now, if you want to grant sudo privileges:

[jhelvoort@ysgw03 ~]$ sudo su -
[sudo] password for jhelvoort:
jhelvoort is not in the sudoers file. This incident will be reported.

Add the following line to your sudoers file.

/etc/sudoers


%yenlo_sudo_beheer ALL=(ALL) ALL

And try again:


[jhelvoort@ysgw03 ~]$ sudo su -
[sudo] password for jhelvoort:
[root@ysgw03 ~]#