Configure Authentication Method for Active Directory Integration

This topic describes how to integrate the authentication method of the API Gateway and Microsoft Active Directory. You will learn how to retrieve and validate User ID/Group ID information from the Active Directory for authentication.
This topic assumes that you are familiar with Microsoft Active Directory.
Instructions on configuring the Microsoft Active Directory are provided "as is" and are accurate at the time of writing. The Microsoft Active Directory interface may change at any time without notice. Consult the Active Directory documentation from Microsoft for the most current information.

Prerequisites:
  • Ensure that the Windows Domain has Services for UNIX or a similar extension to the schema incorporated.
  • Create an LDAP browser user through the Active Directory Users and Computers MMC. Select "User cannot change password" and "Password never expires". After the user is created, set the UNIX attributes for the user to UID and GID 499, with the home directory set to /dev/null and the shell set to /bin/false.
  • Secure TLS connections should have a certificate that is imported into the Domain Controller. This certificate should be available as a standalone PEM file or through a URL.
Step 1: Preparation
Configure the user and group objects for the Windows accounts to ensure POSIX compliance.
  1. Connect to the Active Directory Server and open the Active Directory Users and Computers management tool.
  2. Modify a group object to function as a POSIX group:
    1. Right-click the group object and select Properties.
    2. Select the Unix Attributes tab.
    3. Complete the NIS Domain and GID number as appropriate.
  3. Modify a user object to function as a POSIX user:
    1. Right-click the user object and select Properties.
    2. Select the Unix Attributes tab.
    3. Complete the fields on the tab.
      Tip: The "Home Directory" is the same as "/home/" on the Linux file system.
  4. Add the user as a UNIX member of the group:
    1. Right-click the group object and select Properties.
    2. Select the Unix Attributes tab.
    3. Ensure that the NIS Domain is correct.
    4. Click Add.
    5. Select your user and then click OK.
Step 2: Configure Authentication Method on the Gateway
  1. Access the Gateway main menu.
  2. Select 1 (Configure system settings) and then 4 (Configure authentication method).
  3. Select 2 (LDAP) as the authentication method.
  4. Complete the authentication wizard as follows:
    1. Is the directory service to be used an Active Directory? Enter y.
    2. Do you want to use LDAPS (secure)? Enter y or n as appropriate.
    3. Enter the address of the LDAP server: Enter the address of the LDAP server (for example, "machine.mycompany.com").
    4. Enter the LDAP server port: The default port should suffice. Enter a custom port number if you know it has changed.
    5. Enter the LDAP base DN: Enter the Base DN that defines where the LDAP query begins looking for objects in the Active Directory (for example, "dc=example,dc=com").
      The scope attribute confines the search to the base, to one level below it, or to all lower levels. Specify the scope by entering base, one, or sub, respectively.
    6. Do you want to enable LDAP Anonymous Bind? Enter y or n as appropriate for the needs of your organization. Anonymous binding is a bind request that uses simple authentication with no (that is, zero-length) bind DN or password.
      If you enable LDAP Anonymous Bind, the next two prompts are not displayed.
    7. (If Anonymous Bind disabled) Enter the LDAP bind DN: Optionally specify the Bind DN (for example, cn=browse,cn=users,dc=example,dc=com).
      Without a secure communication, a bind user is required to query the LDAP contents. This account is a domain user with read access. The password for this user should be written to the /etc/ldap.secret file and should not be visible as plain text.
    8. (If Anonymous Bind disabled) Enter the LDAP bind password: Enter the password for the LDAP browser user.
    9. Which object in the LDAP will be used to find the password for users: Specify the appropriate object. This is usually "CN=Users".
    10. Enter the object class that contains the attributes for creating the local user account: Specify the appropriate class. The default is often sufficient ("posixAccount, Default ActiveDirectory=user").
    11. Do you want to change the current setting: Enter y.
    12. Select the filter for account access: pam_filter
      • pam_filter filters by account attributes. Example: "gidNumber=4000" grants access to accounts that have the attribute "gidNumber" with the value "4000".
      • groupdn filters by the full domain name of the target group that contains the list of memberUid.
    13. Enter the pam_filter to limit account access: Enter a gidNumber (for example, "gidNumber=501").
    14. Specify the PAM login attribute name: Enter uid.
  5. You should now see a summary of your configuration (example below). Review your settings carefully before applying the configuration.
    Authentication Configuration Summary
    -------------------------------------------------------
    Label | Value
    ------------------------------------------------------------------------------
    Secure | false
    ActiveDirectory | false
    Server | ad.example.com
    BaseDn | dc=example,dc=com
    Port | 389
    AnonymousBind | false
    BindDn | CN=test,CN=Users,dc=l7net,dc=local
    BindPassword | <Hidden>
    Object for finding the password for users | CN=Users
    Certificate Action | NEVER
    Filter for account access | gidNumber=501
    PAM login attribute | uid
Step 3: Map Attributes
Certain nss attributes on the local UNIX LDAP differ from how they are referenced on the Windows server. You resolve these differences by mapping the attributes.
Before you proceed, ensure that you have:
  • A printout of your test users' attributes
  • Access to one of the domain controllers (preferably one that has permissions to modify the attribute values).
The UNIX attribute names vary slightly depending on the version of the SFU packages. Use the suggestions shown here for reference purposes only.
Map the following attributes to suit your environment:
  • nss_base_passwd
  • nss_base_shadow
  • nss_base_group
In general, you can use the value of the base variable. If your Active Directory authenticates for a sub-domain, you must adjust accordingly.
The userPassword line is not necessary when pam_password is set to 'ad'. In this case, the pam_ldap module controls the management of password functions, using the Active Directory password stored in the unicodePwd attribute.
Step 4: Update LDAP Configuration File
  1. Open /etc/pam_ldap.conf in a text editor.
  2. Uncomment the following lines in the file:
    # RFC 2307 (AD) mappings
    nss_map_objectclass posixAccount user
    nss_map_objectclass shadowAccount user
    nss_map_attribute uid sAMAccountName
    nss_map_attribute homeDirectory unixHomeDirectory
    nss_map_attribute shadowLastChange pwdLastSet
    nss_map_objectclass posixGroup group
    nss_map_attribute uniqueMember member
    nss_override_attribute_value loginShell /bin/bash
    nss_map_attribute uidNumber uidNumber
    pam_login_attribute sAMAccountName
    pam_filter objectclass=User
    pam_password ad
    About the PAM attributes:
    • pam_login_attribute defines the username that the user logs in with. To ensure consistency with Active Directory and Services for UNIX, use the sAMAccountName attribute.
    • pam_filter filters user accounts. This helps prevent you from authenticating users against other Active Directory objects.
    • pam_password defines the password for Active Directory. Set this to ad to prevent issues from occurring when you change your password from the Linux workstation.
  3. Save and exit.
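A small audit of the edited file, added here as an example and not part of the Gateway or its documentation: it checks that the Step 4 directives are really uncommented, that pam_filter is set, that no bind password sits in plain text (Step 2 says it belongs in /etc/ldap.secret), and that a bind DN is not used over unencrypted LDAP. The sample_conf input, the host/base/binddn values and the "hunter2" password are constructed for the example.

```python
# Constructed example for this page (not Gateway tooling): audit a pam_ldap.conf
# against the Step 4 mappings and flag settings a reviewer would not want to see.
REQUIRED = {  # directives the page tells you to uncomment
    ("nss_map_objectclass", "posixAccount", "user"),
    ("nss_map_objectclass", "shadowAccount", "user"),
    ("nss_map_attribute", "uid", "sAMAccountName"),
    ("nss_map_attribute", "homeDirectory", "unixHomeDirectory"),
    ("nss_map_attribute", "shadowLastChange", "pwdLastSet"),
    ("nss_map_objectclass", "posixGroup", "group"),
    ("nss_map_attribute", "uniqueMember", "member"),
    ("nss_override_attribute_value", "loginShell", "/bin/bash"),
    ("pam_login_attribute", "sAMAccountName"),
    ("pam_password", "ad"),
}

def active_directives(text):
    """Return the uncommented directives as token tuples, in file order."""
    return [tuple(line.split()) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]

def audit(text):
    """Return sorted findings; an empty list means the file matches Step 4."""
    active = active_directives(text)
    findings = ["missing or commented out: " + " ".join(d)
                for d in REQUIRED - set(active)]
    keys = {d[0]: d[1:] for d in active}  # last occurrence wins; used for single-valued keys only
    if "pam_filter" not in keys:
        findings.append("pam_filter unset: PAM would match any AD object")
    if "bindpw" in keys:
        findings.append("bindpw stored in plain text: use /etc/ldap.secret instead")
    uri = " ".join(keys.get("uri", ()))
    encrypted = keys.get("ssl") in (("on",), ("start_tls",)) or uri.startswith("ldaps://")
    if "binddn" in keys and not encrypted:
        findings.append("binddn set without ssl/ldaps: the bind password crosses the network in clear")
    return sorted(findings)

def sample_conf(comment_out=None, plain_bindpw=True, ssl=False):
    """Build a constructed pam_ldap.conf in the shape of Step 4 (sample input, not a real file)."""
    head = ["host ad.example.com", "base dc=example,dc=com",
            "binddn CN=browse,CN=Users,dc=example,dc=com",
            "pam_filter objectclass=User", "nss_map_attribute uidNumber uidNumber"]
    head += ["ssl on"] if ssl else []
    head += ["bindpw hunter2"] if plain_bindpw else []  # constructed password
    body = ["# RFC 2307 (AD) mappings"]
    for d in sorted(REQUIRED):
        line = " ".join(d)
        body.append("#" + line if d == comment_out else line)  # leave one line commented to simulate a missed edit
    return "\n".join(head + body) + "\n"
```

To audit the real file, pass the contents of /etc/pam_ldap.conf to audit() instead of sample_conf().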
Step 5: Updates for CentOS and RHEL
Update the following files when configuring LDAP authentication for CentOS and RHEL:
  • /etc/pam.d/sshd
  • /etc/pam.d/login
Add account sufficient pam_localuser.so before account required pam_ldap.so ignore_authinfo_unavail ignore_unknown_user, as shown below:
  account sufficient pam_localuser.so
  account required pam_ldap.so ignore_authinfo_unavail ignore_unknown_user
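A check of the resulting account stack, added as an example and not part of the Gateway or its documentation: it parses the account lines of a PAM file and reports when pam_localuser.so is absent, placed after pam_ldap.so, or not marked sufficient, and when the pam_ldap.so line lacks the two ignore_ arguments from Step 5. The BEFORE and AFTER strings are constructed sample files.

```python
# Constructed example for this page (not Gateway tooling): verify the 'account'
# stack order that Step 5 requires in /etc/pam.d/sshd and /etc/pam.d/login.
def account_stack(pam_text):
    """Return (control, module, args) for each 'account' line, in file order."""
    stack = []
    for line in pam_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "account":
            stack.append((parts[1], parts[2], set(parts[3:])))
    return stack

def check_account_stack(pam_text):
    """Return findings; an empty list means the stack matches what Step 5 shows."""
    stack = account_stack(pam_text)
    modules = [m for _, m, _ in stack]
    if "pam_ldap.so" not in modules:
        return ["no 'account ... pam_ldap.so' line: LDAP accounts are not authorized"]
    ldap_at = modules.index("pam_ldap.so")
    findings = []
    if "pam_localuser.so" not in modules[:ldap_at]:
        findings.append("pam_localuser.so is not before pam_ldap.so: local accounts are "
                        "not short-circuited before the LDAP lookup")
    elif stack[modules.index("pam_localuser.so")][0] != "sufficient":
        findings.append("pam_localuser.so must be 'sufficient' so local users skip the LDAP check")
    _, _, ldap_args = stack[ldap_at]
    for needed in ("ignore_authinfo_unavail", "ignore_unknown_user"):
        if needed not in ldap_args:
            findings.append("pam_ldap.so lacks %s (Step 5 sets it)" % needed)
    return findings

# Constructed sample stacks: BEFORE lacks the pam_localuser.so line, AFTER has it in place.
BEFORE = ("account required pam_unix.so\n"
          "account required pam_ldap.so ignore_authinfo_unavail ignore_unknown_user\n")
AFTER = BEFORE.replace("account required pam_ldap.so",
                       "account sufficient pam_localuser.so\naccount required pam_ldap.so")
```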
Step 6: Restart the Gateway
Restart the Gateway for the configuration changes to take effect:
  1. Select X (Exit menu).
  2. Select R (Reboot the Gateway appliance).