Howto authenticate with eToken against Active Directory
- date: 15.09.2008
- author: CorneliusKoelbel <cornelius.koelbel AT lsexperts DOT de>
- used eToken: eTokenPro 64K 4.2B
- used RTE: 4.55 deb
- used software: Windows 2003 Server, Microsoft Tools for Unix 3.5
Wanted Scenario
On a Windows domain controller a new user is created. An eToken is enrolled for this newly created user. Without any additional actions the user can log on to a Linux system with this eToken.
Preparations on the windows side
On the Windows 2003 server you need to install Microsoft Tools for Unix 3.5. This is a schema extension that adds Unix attributes to the AD users.
Create a new user account
Now you can create a new user. When you create the user, you also need to fill in the necessary attributes on the "Unix" tab of the user's properties.
Configure Linux to authenticate against AD
adapt nsswitch.conf
Adapt /etc/nsswitch.conf as follows:
passwd: files ldap
shadow: files ldap
group: files ldap
adapt ldap.conf
The file /etc/ldap.conf holds the configuration of your LDAP client. Here you need to add the host name of your LDAP server, in this case the domain controller. Note that with ssl no the bind password and every directory lookup cross the network in cleartext (tls_cacertdir below only matters once SSL/TLS is enabled):
host 10.100.42.2
base ou=systems,dc=lse-systems,dc=de
ssl no # less hassle ;)
binddn cn=Administrator,ou=SC-Users,ou=systems,dc=lse-systems,dc=de
bindpw PASSWORT
scope sub
# where to find your users
nss_base_passwd ou=systems,dc=lse-systems,dc=de?sub
nss_base_shadow ou=systems,dc=lse-systems,dc=de?sub
nss_base_group ou=systems,dc=lse-systems,dc=de?sub
# Services for UNIX 3.5 mappings
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_objectclass posixGroup Group
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute cn cn
pam_login_attribute sAMAccountName
pam_filter objectclass=user
pam_member_attribute msSFU30PosixMember
pam_password md5
sasl_secprops maxssf=0
krb5_ccname FILE:/etc/.ldapcache
tls_cacertdir /etc/openldap/cacerts
PAM
Now PAM needs to be configured so that the account checks are done against the LDAP/AD server. This might look as follows:
auth sufficient /lib/security/pam_pkcs11.so
auth required /lib/security/pam_unix.so use_first_pass
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_unix.so
password sufficient /lib/security/pam_ldap.so use_first_pass
password sufficient /lib/security/pam_unix.so
session sufficient /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required /lib/security/pam_unix_session.so
session optional /lib/security/pam_console.so
The authentication is done with the pam_pkcs11 module, which is explained later.
The account checks and the password change are handled by pam_ldap, so that user accounts that exist in Active Directory are able to log in to this machine.
The module pam_mkhomedir creates a new home directory for a user who logs in for the first time. The home directories can of course also be exported by an NFS server or a Samba share.
We also keep the pam_unix module as sufficient so that it is still possible to log in with a local account such as the local root.
Configure Linux to authenticate with eToken
(also see HowTos/eToken_and_PAM)
Here we configure the already mentioned PAM module pam_pkcs11. The files of interest might be
/etc/pam_pkcs11/pam_pkcs11.conf
/etc/pam_pkcs11/cacerts/*
or they are at another location according to your distribution.
Drop your CA certificate into the directory /etc/pam_pkcs11/cacerts/. pam_pkcs11 needs hash links pointing to all CA files, so run make_hash_link.sh after dropping in the CA certificate.
pam_pkcs11.conf would look like this:
pam_pkcs11 {
nullok = true;
debug = false;
use_first_pass = false;
try_first_pass = false;
use_authtok = false;
use_pkcs11_module = aladdin;
pkcs11_module aladdin {
module = /usr/lib/libeTPkcs11.so;
description = "Aladdin pkcs#11 module";
slot_num = 0;
ca_dir = /etc/pam_pkcs11/cacerts;
crl_dir = /etc/pam_pkcs11/crls;
crl_policy = none;
}
use_mappers = subject, ads, ms, null;
mapper_search_path = /usr/lib/pam_pkcs11;
mapper subject {
debug = false;
# module = /usr/lib/pam_pkcs11/subject_mapper.so;
module = internal;
ignorecase = false;
mapfile = file:///etc/pam_pkcs11/subject_mapping;
}
mapper null {
debug = false;
# module = /usr/lib/pam_pkcs11/null_mapper.so;
module = internal ;
# select behavior: always match, or always fail
default_match = false;
# on match, select returned user
default_user = nobody ;
}
mapper ads {
debug = false;
module = /usr/lib/pam_pkcs11/ldap_mapper.so;
# where base directory resides
basedir = /etc/pam_pkcs11/mapdir;
# hostname of ldap server
ldaphost = "10.100.42.2";
# Port on ldap server to connect
ldapport = 389;
# Scope of search: 0 = x, 1 = y, 2 = z
scope = 0;
# DN to bind with. Must have read-access for user entries under "base"
binddn = "cn=Administrator,ou=SC-User,ou=systems,dc=lse-systems,dc=de";
passwd = Passwort;
# Searchbase for user entries
base = "ou=systems,dc=lse-systems,dc=de";
# Attribute of user entry which contains the certificate
attribute = "userCertificate:";
# Searchfilter for user entry. Must only let pass user entry for the login user.
#filter = "(&(cn=%s) (objectClass=inetOrgPerson))";
#filter = "(&(objectClass=posixAccount)(uid=%s))"
filter = "(msSFU30Name=%s)";
}
mapper ms {
debug = false;
module = internal;
# module = /usr/lib/pam_pkcs11/ms_mapper.so;
ignorecase = false;
ignoredomain = false;
domain = "lse-systems.de";
}
}
use_pkcs11_module = aladdin points to the definition of the Aladdin PKCS#11 library, which is needed to find the certificates on the eToken. Note that crl_policy = none in that block disables revocation checking: a revoked certificate on a token is still accepted until the policy is changed and CRLs are placed in crl_dir.
use_mappers = subject, ads, ms, null defines the mapping of certificates to user names. We were already using the subject mapping in HowTos/eToken_and_PAM, so additional users that are not held in Active Directory can also get access to the system.
The mapper ads is a modified LDAP mapper definition. It defines the connection to the domain controller; the attribute msSFU30Name needs to match the username entered at the login prompt, and the certificate on the token is compared with the userCertificate attribute of the entry found.
The mapper ms maps the user part of the Windows logon name contained in the certificate to the name entered at the logon dialog. With this mapper you do not need to publish certificates in Active Directory.
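How the use_mappers chain decides whether the certificate on the token belongs to the entered login, as an added Python example that is not part of this HOWTO and not pam_pkcs11's own code. It reimplements the mapper semantics described above with constructed certificate fields, a constructed subject_mapping file and a dictionary standing in for the LDAP query the ads mapper performs; the rule that the ms mapper requires the UPN domain to equal the configured domain unless ignoredomain is set is an assumption.

```python
from functools import partial
# Constructed samples standing in for what pam_pkcs11 extracts from the token
# certificate: subject DN, UPN(s) from subjectAltName, and a fingerprint.
LOCAL_CERT = {"subject": "/C=DE/O=LSE/CN=Local Admin", "upn": [], "fp": "aa:11"}
AD_CERT = {"subject": "/CN=Hans Mueller", "upn": ["hmueller@lse-systems.de"], "fp": "bb:22"}
UNPUBLISHED_CERT = {"subject": "/CN=Petra Schmidt", "upn": ["pschmidt@lse-systems.de"], "fp": "dd:44"}
FOREIGN_CERT = {"subject": "/CN=Eve", "upn": ["hmueller@other.example"], "fp": "cc:33"}
# Constructed subject_mapping file ("<subject DN> -> <login>" per line) and a
# stand-in for the AD query the ads mapper makes with filter (msSFU30Name=%s):
# login -> fingerprint of the userCertificate published for that user.
SUBJECT_MAPPING = "# users not held in AD\n/C=DE/O=LSE/CN=Local Admin -> ladmin\n"
AD_PUBLISHED = {"hmueller": "bb:22"}

def parse_subject_mapfile(text):
    """Parse 'subject -> login' lines; blank lines and # comments are skipped."""
    rows = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return {s.strip(): u.strip() for s, _, u in (r.partition("->") for r in rows)}

def subject_mapper(cert, login, mapfile):
    """Match if the mapfile maps the certificate subject to the entered login."""
    return mapfile.get(cert["subject"]) == login

def ads_mapper(cert, login, published):
    """Stand-in for the AD search (msSFU30Name=login) plus userCertificate compare."""
    return published.get(login) == cert["fp"]

def ms_mapper(cert, login, domain, ignorecase=False, ignoredomain=False):
    """Compare the user part of the certificate UPN (user@domain) with the login.
    Assumption: unless ignoredomain is set, the UPN domain must equal `domain`."""
    for upn in cert["upn"]:
        user, _, upn_domain = upn.partition("@")
        if not ignoredomain and upn_domain.lower() != domain.lower():
            continue
        if user == login or (ignorecase and user.lower() == login.lower()):
            return True
    return False

# use_mappers = subject, ads, ms, null (page order); null with default_match=false rejects.
MAPPERS = [
    ("subject", partial(subject_mapper, mapfile=parse_subject_mapfile(SUBJECT_MAPPING))),
    ("ads", partial(ads_mapper, published=AD_PUBLISHED)),
    ("ms", partial(ms_mapper, domain="lse-systems.de", ignorecase=False, ignoredomain=False)),
    ("null", lambda cert, login, default_match=False: default_match),
]

def map_login(cert, login, mappers=MAPPERS):
    """Name of the first mapper accepting (cert, login), or None: pam_pkcs11 fails."""
    for name, mapper in mappers:
        if mapper(cert, login):
            return name
    return None
```

Mapper order matters: a login the subject mapfile accepts never reaches the AD lookup, and a certificate whose UPN belongs to a foreign domain ends at the null mapper and is rejected unless ignoredomain is set.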
