
Authenticating Against Active Directory

Paul Nijjar
Waterloo Wellington IT Professionals Group

June 27 2011

The Issue

Active Directory gives you a store of usernames, passwords and security groups.
Maintaining multiple sets of usernames/passwords is a pain.
Sometimes companies other than Microsoft create tools that you want to use in your organization.
Wouldn't it be nice to authenticate against Active Directory?

The tools: LDAP and Kerberos

Active Directory (AD) is a big Lightweight Directory Access Protocol (LDAP) database/directory.
Domain logins are done via Kerberos (but other authentication is not...)
Idea: third-party applications can authenticate users via LDAP lookups (search for the account by username, then bind as that account with the password the user supplied).

Things you need

An understanding of the Active Directory structure for your organization.
A minimally privileged user to do LDAP lookups.
LDAP support for the application you are authenticating.
Blissful ignorance of the security implications involved.

My Environment

Active Directory (forest level Windows 2003)
Clients/webapps running on Debian or Ubuntu GNU/Linux

LDAP Structure

Think of AD as a folder structure, with DCs, OUs and CNs as the folders and attributes as the files.
You need the path (the distinguished name) to your users and groups, e.g.
CN=Paul Nijjar,CN=Staff,OU=TWC,DC=theworkingcentre,DC=org

The attribute for username is sAMAccountName.
Tools: adsiedit.msc, AD Users and Computers, ldp.exe

Lookup User

By default AD does not allow anonymous LDAP lookups, so I made a user, LDAP Lookups, and gave it access (Delegate Control) to read all attributes in AD Users and Computers.
The password for this account will often be stored in plaintext in application config files, so lock it down:
Take the user out of the Domain Users group (it is the account's primary group, so set another primary group first)
Restrict the computers the user can log into
Keep the user in a distinct OU from your regular users (?)
Keep track of the LDAP path for this user, e.g.
CN=LDAP Lookups,CN=Users,DC=theworkingcentre,DC=org

Examples

Example: Apache .htaccess


This requires the mod_authnz_ldap Apache module.

AuthType Basic
AuthName "Staff only"
AuthBasicProvider ldap
# URL of an Active Directory domain controller:
#   ldap://host/base-DN?username-attribute?scope?filter
# Plain ldap:// on port 389 sends the bind password in cleartext;
# ldaps:// on port 636 encrypts it.
AuthLDAPUrl "ldap://dc1.theworkingcentre.org/DC=theworkingcentre,DC=org?sAMAccountName?sub?(objectClass=*)"
# Account used for the lookup; its password sits here in cleartext
AuthLDAPBindDN "cn=LDAP Lookups,cn=Users,dc=theworkingcentre,dc=org"
AuthLDAPBindPassword XXX

Apache config, part 2

# Require group membership (AD stores member values as DNs)
AuthLDAPGroupAttributeIsDN on
require ldap-group CN=it-department,OU=Groups,OU=TWC,DC=theworkingcentre,DC=org
# Prevent "Internal error: pcfg_openfile() called with NULL filename" errors
AuthUserFile /dev/null

Example: Request Tracker

Request Tracker is a trouble-ticket system. I needed a third-party module to do LDAP authentication for it.

Request Tracker, part 2

# RT site configuration (RT_SiteConfig.pm); the variables live in
# package RT, hence the $RT::LdapUidAttr reference below
$LdapServer  = "dc1.theworkingcentre.org";
$LdapUser    = "cn=LDAP Lookups,cn=Users,dc=theworkingcentre,dc=org";
$LdapPass    = "XXX";   # cleartext on disk, as with Apache
$LdapBase    = "ou=Staff,ou=TWC,dc=theworkingcentre,dc=org";
$LdapUidAttr = "sAMAccountName";

More RT authentication

# Could filter more here (e.g. restrict to a group)...
$LdapFilter = "(objectclass=user)";
# Map LDAP attributes to RT3 user fields
$LdapMap = {
    Name         => $RT::LdapUidAttr,
    EmailAddress => 'mail',
    RealName     => 'cn',
};

Other Apps

Cacti graphing system
Drupal content management system
Mediawiki
Anything that has an LDAP plugin should work.

Now, the Bad News

Licencing!

Your domain controllers run on Windows Server (duh).
Anything that accesses Windows Server requires a CAL (even DHCP leases!)
So LDAP lookups definitely require CALs.

Security!

Is central authentication a good idea?
By default, LDAP lookups on port 389 are unencrypted! That includes passwords: a simple bind sends the bind password in cleartext unless you use LDAPS (port 636) or StartTLS.
Websites without SSL throw around passwords (HTTP Basic auth is only base64-encoded) or their hashes in cleartext!
Any sloppy implementation jeopardizes the security of Active Directory!
More reading: The Godzilla Security Tutorial, Part 3:
http://www.cs.auckland.ac.nz/~pgut001/tutorial/
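The Request Tracker slide leaves room to "filter more", and the slide above warns that a sloppy implementation jeopardizes AD. The following is an added example of mine, not code from the slides, from Apache or from Request Tracker, showing the two checks a third-party application should run before it talks to a domain controller: escape the username before interpolating it into the search filter (so a login name of "*)(objectClass=*" cannot rewrite the query), and refuse an empty password outright, because an LDAP simple bind with a DN and no password is an unauthenticated bind that AD accepts by default. It reuses the group DN from the Apache slide; the username allowlist is an assumed local policy, and the usernames in the demo are constructed inputs.

```python
"""Composing the LDAP lookup a third-party app makes against Active Directory.

Added example, not code from the slides. The base and group DNs come from
the slides; the username policy is an assumption; demo inputs are constructed.
"""
import re
from typing import Optional

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Assumed local policy: stricter than what AD itself allows in sAMAccountName
# (AD permits spaces and a few more characters; sAMAccountName is at most 20 chars).
_USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,20}$")

# AD's "member of, following nested groups" matching rule (LDAP_MATCHING_RULE_IN_CHAIN).
_IN_CHAIN = "1.2.840.113556.1.4.1941"

GROUP_DN = "CN=it-department,OU=Groups,OU=TWC,DC=theworkingcentre,DC=org"


def escape_filter_value(value: str) -> str:
    """Escape an untrusted value so it cannot alter the structure of a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str, group_dn: Optional[str] = None,
                      nested: bool = False) -> str:
    """Return the filter that locates one user account, optionally inside a group.

    (objectClass=user) alone also matches computer accounts in AD, so the
    usual idiom adds (objectCategory=person).  memberOf only lists groups the
    account is a direct member of; nested=True uses the in-chain rule, which
    the DC evaluates across nested groups.
    """
    clauses = [
        "(objectCategory=person)",
        "(objectClass=user)",
        "(sAMAccountName=%s)" % escape_filter_value(username),
    ]
    if group_dn is not None:
        attr = "memberOf:%s:" % _IN_CHAIN if nested else "memberOf"
        clauses.append("(%s=%s)" % (attr, escape_filter_value(group_dn)))
    return "(&" + "".join(clauses) + ")"


def reject_before_bind(username: str, password: str) -> Optional[str]:
    """Return a reason to refuse the login without contacting AD, or None.

    An LDAP simple bind with a non-empty DN and an empty password is an
    "unauthenticated" bind (RFC 4513 section 5.1.2).  AD answers it with
    success by default, so an application that simply forwards what the user
    typed would log anyone in as any account.  Catch it here.
    """
    if not _USERNAME_RE.match(username):
        return "username outside local policy"
    if password == "":
        return "empty password would become an unauthenticated bind"
    return None


if __name__ == "__main__":
    # Constructed inputs: a normal login and an injection attempt.
    for user, pw in (("pnijjar", "correct horse"), ("*)(objectClass=*", "x"), ("pnijjar", "")):
        reason = reject_before_bind(user, pw)
        if reason:
            print("refused %r: %s" % (user, reason))
        else:
            print("search filter for %r: %s" % (user, build_user_filter(user, GROUP_DN)))
```

The flow the application then runs is the one mod_authnz_ldap performs: bind as the LDAP Lookups account, search the base DN with the filter above, and, only if exactly one entry comes back, bind again as that entry's DN with the user's password. Do the second bind over LDAPS or StartTLS, for the same reason the Security slide gives.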

The End

Bonus: Joining Linux Clients to Domains

There are two general approaches:

1. Use winbind from the Samba suite to map every Active Directory user and group onto a local Unix identity (passwords are checked against the domain controller, not copied).
2. Store Linux user information in Active Directory directly, using PAM, Kerberos and LDAP.

Both approaches require you to configure both LDAP lookups and Kerberos authentication.

Winbind

The likewise-open package makes the Winbind method easy, but it appears to be incompatible with newer releases of Samba.
Manual instructions: https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto

Advantage: works with AD forest level 2003 without schema modifications.
Disadvantage: enumerating users for big domains is inefficient.

Direct Method

Instructions: https://help.ubuntu.com/community/ActiveDirectoryHowto

Advantage: This is the most similar to Windows client interactions.
Disadvantage: You must modify the AD schema for forest level 2003 or lower, using the Services for UNIX package. (Server 2003 R2 and higher include the schema changes natively.)

The End (Really)
