Integrating Linux PAM Authentication with Active Directory LDAP (Without Winbind)


When you need Linux workstations to authenticate against Active Directory but can't use winbind (due to policy restrictions or technical constraints), LDAP becomes the logical alternative. Windows Server 2008 R2's AD does expose LDAP services, but requires specific configuration for seamless Linux integration.

First, ensure your AD is LDAP-ready:

# LDAPS (port 636) needs a server-authentication certificate in the DC's machine store;
# this lists such certificates (it does not by itself prove that 636 is listening)
Get-ChildItem -Path cert:\LocalMachine\My | Where-Object {$_.Subject -like "*CN=AD-Server*"}

Create a dedicated service account with minimal privileges:

New-ADUser -Name "svc_ldap_linux" -AccountPassword (ConvertTo-SecureString "P@ssw0rd123" -AsPlainText -Force) -Enabled $true
Set-ADAccountControl -Identity "svc_ldap_linux" -PasswordNeverExpires $true

Install required packages on CentOS/RHEL:

yum install -y openldap-clients nss-pam-ldapd authconfig

For Ubuntu/Debian:

apt-get install -y libpam-ldapd libnss-ldapd nslcd

Edit /etc/nslcd.conf with these AD-specific parameters (the file holds bindpw, so keep it root-owned with mode 0600):

uri ldaps://your-ad-server.example.com
base dc=example,dc=com
binddn cn=svc_ldap_linux,cn=Users,dc=example,dc=com
bindpw P@ssw0rd123
# ldaps:// is already TLS; "ssl start_tls" is only for ldap:// URIs
ssl on
tls_reqcert demand
# AD users are objectClass=user and carry sAMAccountName rather than uid;
# nslcd also needs uidNumber/gidNumber on each account (on 2008 R2 these come
# from the Identity Management for UNIX role service)
filter passwd (objectClass=user)
map passwd uid sAMAccountName
map passwd homeDirectory "/home/$sAMAccountName"
map passwd loginShell "/bin/bash"

Modify /etc/pam.d/system-auth:

auth        sufficient    pam_ldap.so
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
password    sufficient    pam_ldap.so
session     optional      pam_ldap.so

To troubleshoot:

  • Use ldapsearch -x -H ldaps://ad-server -b "dc=example,dc=com" to test connectivity
  • Check /var/log/messages and /var/log/secure for auth errors
  • Verify time synchronization between Linux clients and AD servers

Add this to /etc/pam.d/system-auth-ac so home directories are created at first login (on RHEL/CentOS, system-auth is a symlink to system-auth-ac, and authconfig regenerates that file, so re-running authconfig discards manual edits):

session required pam_mkhomedir.so skel=/etc/skel umask=0022

When setting up Linux workstations in a Windows-dominated enterprise environment, authenticating users against Active Directory (AD) becomes crucial. The traditional winbind approach isn't always viable due to various constraints. Here's how to implement a reliable PAM-LDAP authentication solution against Windows Server 2008 R2's LDAP service.

Before proceeding, ensure you have:

  • Windows Server 2008 R2 with Active Directory Domain Services installed
  • Linux clients running a modern distribution (Ubuntu 20.04/CentOS 7+ used in examples)
  • Network connectivity between Linux clients and AD servers
  • Domain admin privileges for configuration

First, we need to enable LDAP access on the Windows Server:

# Open Active Directory Users and Computers
1. Right-click the domain → Properties → Security
2. Add "Authenticated Users" with "Read" permissions
3. Enable "Advanced Features" to modify permissions on specific attributes

# For secure LDAP (recommended)
1. Install Certificate Services if not present
2. Create a certificate template for LDAPS
3. Issue certificate to domain controller
4. Bind certificate to LDAP service using ldp.exe

Install required packages on Linux clients:

# Ubuntu/Debian
sudo apt-get install libpam-ldapd libnss-ldapd ldap-utils

# RHEL/CentOS
sudo yum install nss-pam-ldapd authconfig

Modify these essential files:

/etc/nslcd.conf (contains bindpw, so keep it root-owned with mode 0600):

uri ldaps://your.ad.server/
base dc=domain,dc=com
ssl on
# "allow" accepts any server certificate; switch to "demand" (with tls_cacertfile) once the DC's CA is trusted
tls_reqcert allow
binddn cn=ldapbind,cn=users,dc=domain,dc=com
bindpw password
filter passwd (objectClass=user)
map    passwd uid              sAMAccountName
map    passwd homeDirectory    "/home/$sAMAccountName"

/etc/pam.d/common-auth:

# Debian/Ubuntu regenerate this file with pam-auth-update (installing libpam-ldapd already runs it);
# manual edits here are lost on its next run
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass

/etc/nsswitch.conf:

passwd: files ldap
shadow: files ldap
group:  files ldap
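Both nslcd.conf listings on this page (the one earlier under "Edit /etc/nslcd.conf" and the one just above) combine settings that are easy to get subtly wrong: ldaps:// together with ssl start_tls, tls_reqcert allow, a world-readable file holding bindpw, or a missing uid/filter mapping for AD. The script below is an added example, not code from the original article: an offline audit of an nslcd.conf and an nsswitch.conf that flags those combinations. Directive names are those of nslcd.conf(5); the two sample configs it writes (a weak one and a hardened one) are constructed for the example, with made-up host names and password.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): offline audit of nslcd.conf
# and nsswitch.conf for the mistakes that break or weaken an AD/LDAP setup.
# Directive names follow nslcd.conf(5); the sample files written at the bottom
# are constructed for this example (made-up hosts and password).

# Print the first value of directive $2 in nslcd.conf $1 (empty if absent).
nslcd_get() { awk -v key="$2" '$1 == key { print $2; exit }' "$1"; }

# Record one finding; n is the caller's counter (shell functions share scope).
finding() { echo "$1"; n=$((n + 1)); }

# Audit one nslcd.conf: one finding per line on stdout, return value = number
# of findings, so "audit_nslcd_conf /etc/nslcd.conf || echo broken" works.
audit_nslcd_conf() {
  local f="$1" n=0 uri ssl reqcert mode
  uri=$(nslcd_get "$f" uri); ssl=$(nslcd_get "$f" ssl); reqcert=$(nslcd_get "$f" tls_reqcert)

  # Transport: ldaps:// is TLS already; start_tls only applies to ldap://.
  case "$uri" in
    ldaps://*) [ "$ssl" = start_tls ] &&
      finding "ERROR: ldaps:// URI combined with 'ssl start_tls'; use 'ssl on'" ;;
    ldap://*)  [ "$ssl" = start_tls ] ||
      finding "ERROR: ldap:// without 'ssl start_tls'; bindpw and user passwords cross the wire in clear" ;;
    "")        finding "ERROR: no uri directive" ;;
  esac

  # Certificate checking: anything but demand/hard accepts a forged DC cert.
  case "$reqcert" in
    demand|hard|"") ;;
    *) finding "WARN: 'tls_reqcert $reqcert' does not verify the server certificate; use 'demand'" ;;
  esac

  # bindpw in a world-readable file is readable by every local account.
  if grep -q '^bindpw' "$f"; then
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
      *00) ;;
      *) finding "WARN: $f has mode $mode but contains bindpw; chmod 600 it" ;;
    esac
  fi

  # AD specifics: users are objectClass=user with sAMAccountName, not
  # posixAccount with uid (nslcd's defaults), so both need remapping.
  grep -Eq '^map[[:space:]]+passwd[[:space:]]+uid[[:space:]]' "$f" ||
    finding "WARN: no 'map passwd uid sAMAccountName'; AD logins will not resolve"
  grep -Eq '^filter[[:space:]]+passwd[[:space:]]' "$f" ||
    finding "WARN: no 'filter passwd'; the default (objectClass=posixAccount) matches no AD user"
  return "$n"
}

# Audit nsswitch.conf $1: passwd, shadow and group must each list ldap.
audit_nsswitch() {
  local f="$1" n=0 db
  for db in passwd shadow group; do
    awk -v db="$db:" '$1 == db' "$f" | grep -qw ldap ||
      finding "ERROR: nsswitch.conf '$db' line does not include ldap"
  done
  return "$n"
}

# Constructed samples: the weak one repeats the mistakes above, the hardened
# one is the article's settings combined correctly (mktemp files, mode set).
write_weak_conf() {
  local f; f=$(mktemp)
  cat >"$f" <<'EOF'
uri ldaps://ad.example.test
binddn cn=svc_ldap_linux,cn=Users,dc=example,dc=test
bindpw made-up-password
ssl start_tls
tls_reqcert allow
EOF
  chmod 644 "$f"; echo "$f"
}
write_hardened_conf() {
  local f; f=$(mktemp)
  cat >"$f" <<'EOF'
uri ldaps://ad1.example.test
uri ldaps://ad2.example.test
base dc=example,dc=test
binddn cn=svc_ldap_linux,cn=Users,dc=example,dc=test
bindpw made-up-password
ssl on
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/example-root-ca.pem
filter passwd (&(objectClass=user)(!(objectClass=computer)))
map passwd uid sAMAccountName
map passwd homeDirectory "/home/$sAMAccountName"
EOF
  chmod 600 "$f"; echo "$f"
}

weak=$(write_weak_conf); good=$(write_hardened_conf)
echo "== weak sample =="; audit_nslcd_conf "$weak" || echo "-> $? finding(s)"
echo "== hardened sample =="; audit_nslcd_conf "$good" && echo "-> clean"
rm -f "$weak" "$good"
```

Run it as-is to see both samples audited, or call audit_nslcd_conf /etc/nslcd.conf and audit_nsswitch /etc/nsswitch.conf from a configuration-management check before restarting nslcd; a non-zero return value means at least one finding.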

Verify your configuration with these commands:

# Test LDAP connectivity (ldaps:// so the password prompted by -W is not sent in clear; AD accepts a UPN as the bind identity)
ldapsearch -x -H ldaps://your.ad.server -b "dc=domain,dc=com" -D "binduser@domain.com" -W

# Check name resolution
getent passwd domainuser

# Test authentication (from another terminal)
su - domainuser

Common issues to check:

  • Firewall rules blocking 389/636 ports
  • Time synchronization between clients and AD
  • DN syntax differences between Linux and AD
  • SSL certificate trust chain

For enterprise deployments, consider:

# Tune worker threads and idle connection handling in /etc/nslcd.conf
threads 5
idle_timelimit 60

# Configure failover with multiple servers (one uri line per server; nslcd tries them in order)
uri ldaps://ad1.domain.com
uri ldaps://ad2.domain.com

For Kerberos integration (recommended for better security):

# Install kerberos packages
sudo apt-get install krb5-user

# Configure /etc/krb5.conf
[libdefaults]
default_realm = DOMAIN.COM
rdns = false

[realms]
DOMAIN.COM = {
    kdc = ad.domain.com
    admin_server = ad.domain.com
}

Always implement these security measures:

  1. Use LDAPS (636) instead of LDAP (389) whenever possible
  2. Create dedicated service accounts with minimal privileges
  3. Implement proper certificate management
  4. Monitor authentication logs on both Linux and Windows sides
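Item 4 above, like the earlier troubleshooting tip to check /var/log/messages and /var/log/secure, leaves open what to look for. The script below is an added example, not code from the original article: a small triage of the Linux-side auth log that separates repeated wrong-password failures per user from an nslcd/AD connectivity outage, two conditions that look identical to the user ("login failed") but call for different responses. With the common-auth stack above, a wrong AD password falls through to pam_unix, so the failure shows up as a pam_unix line; the sample lines are constructed in the shape of pam_unix and nslcd syslog output, with made-up hosts, PIDs and addresses.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): triage of the Linux-side
# auth log (/var/log/secure on RHEL, /var/log/auth.log on Debian/Ubuntu).
# It separates repeated wrong-password failures per user from an nslcd/AD
# connectivity outage. Sample lines are constructed in the shape of pam_unix
# and nslcd syslog output; hosts, PIDs and addresses are made up.

# "user count" per failed authentication, most frequent first.
failed_auth_by_user() {
  grep 'authentication failure;' "$1" \
    | sed -n 's/.* user=\([^ ]*\).*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $2, $1 }'
}

# Users whose failure count is at or above threshold $2.
users_over_threshold() {
  failed_auth_by_user "$1" | awk -v t="$2" '$2 >= t { print $1 }'
}

# Number of nslcd lines saying the LDAP server could not be reached
# (grep -c prints 0 with exit status 1 when nothing matches, hence || true).
ldap_outage_count() {
  grep -c 'nslcd\[[0-9]*\]: .*Can.t contact LDAP server' "$1" || true
}

# One-line verdict for whoever is on call (threshold defaults to 3).
triage_verdict() {
  local outages users
  outages=$(ldap_outage_count "$1")
  users=$(users_over_threshold "$1" "${2:-3}" | tr '\n' ' '); users=${users% }
  if [ "$outages" -gt 0 ]; then
    echo "LDAP-OUTAGE: $outages nslcd failures to reach the DC; check reachability, LDAPS certificate and bind account first"
  elif [ -n "$users" ]; then
    echo "REPEATED-FAILURES: $users"
  else
    echo "OK: no repeated failures, no LDAP errors"
  fi
}

# Constructed sample logs: $1 = failures (one user failing repeatedly) or
# outage (nslcd cannot reach the DC, so a correct password still fails).
write_sample_log() {
  local f; f=$(mktemp)
  if [ "$1" = outage ]; then
    cat >"$f" <<'EOF'
Mar  3 10:02:10 ws01 nslcd[812]: [3c9869] <authc="carol"> failed to bind to LDAP server ldaps://ad1.example.test: Can't contact LDAP server
Mar  3 10:02:10 ws01 nslcd[812]: [3c9869] <authc="carol"> no available LDAP server found: Can't contact LDAP server
Mar  3 10:02:10 ws01 sshd[2310]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.31 user=carol
EOF
  else
    cat >"$f" <<'EOF'
Mar  3 09:12:01 ws01 sshd[2101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.25 user=alice
Mar  3 09:12:09 ws01 sshd[2101]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  3 09:15:40 ws01 sshd[2188]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.77 user=bob
Mar  3 09:15:44 ws01 sshd[2188]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.77 user=bob
Mar  3 09:15:49 ws01 sshd[2188]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.77 user=bob
Mar  3 09:15:53 ws01 sshd[2188]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.77 user=bob
EOF
  fi
  echo "$f"
}

for kind in failures outage; do
  f=$(write_sample_log "$kind")
  echo "== $kind =="; failed_auth_by_user "$f"; triage_verdict "$f"
  rm -f "$f"
done
```

On a real host, point triage_verdict at /var/log/secure (or auth.log) from cron; the outage branch matters because the same symptom would otherwise be misread as users mistyping passwords, while the per-user branch is the signal to compare against the AD-side logon audit on the domain controller.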