PAM: Authenticate Linux / Unix Users against ActiveDirectory (without installing Unix Extensions)
If you’re going to deal with authentication of *x Systems against ActiveDirectory, you will need to install the Unix Extensions to your ActiveDirectory scheme to provide your accounts with proper UID-, GID- and SHELL variables. Unfortunately it is sometimes not applicable to install those extensions to your AD, especially when the companies core IT department is refusing to do so ( of course they might have their reasons ).
To resolve this issue, we decided to create a hybrid authentication scenario, featuring a local LDAP which stores the account information while checking the passphrase directly against the central AD infrastructure.
Read more after the break
Convert the user accounts of your AD into your local LDAP
- Crawl through all user accounts available within your AD (or a needed organizational unit) and rewrite / add fields you need in addition to the provided ones. As UID, you can use the field “uSNCreated” you will find within your AD scheme.
- If the data within your AD is subject to change, you have to provide some sort of synchronization mechanism to keep your site up to date, especially when it comes to users that are moving to another department etc.
Instruct your pam to check the passphrase from AD
- Use the pam_exec.so module within the common-auth section/file to hand over authentication to a third-party script or application.
- Let your third-party script/app bind against your AD using the credentials provided by the user. Let it return the result of the bind operation where exit codes are defined as usual (0: success, >0: fail).