Child pages
  • Configuring NMIS to use Secure Active Directory Authentication (ms-ldaps)

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. Make sure Net::LDAP is up to date ( min version 0.64 )
    1. cpan Net::LDAP
  2. Make sure IO::Socket::SSL is new enough (must be 1.998 or newer)
    1. cpan -f IO::Socket::SSL ( -f is because some tests don't pass on some VMs )
  3. Copy CA cert onto server, in this example it goes into /tmp/YOUR_CACERT.pem, only pem files have been tested, others may work.

  4. Add CA cert into DB (line requires a nickname, as well as the path to the cert copied onto the server)

    Code Block
    certutil -d /etc/openldap/certs/ -A -n YOUR_CERT_NICKNAME -i /tmp/YOUR_CACERT.pem -t "TCu,TCu,TCu"
  5. Verify the cert is in the DB 

    Code Block
    [root@opmantek certs]# certutil -d /etc/openldap/certs/ -L
     
    Certificate Nickname                                         Trust Attributes
                                                                 SSL,S/MIME,JAR/XPI
    YOUR_CERT_NICKNAME                                           CT,C,C
  6. Verify LDAP connectivity using ldapsearch, you will have to set -H, -b and -D, they can come from your current NMIS ms-ldap config if you have one:  -b is auth_ms_ldap_base, -D is auth_ms_ldap_dn_acc:

    Code Block
    # note, you will have to set -H, -b and -D
    ldapsearch -H ldap://ad-server.name.or.ip:389 -x -b "cn=eg,dc=egg,dc=com" -D "cn=OK,cn=EG,dc=egg,dc=com" -w 'password' -ZZ -d 9
    # this will have a long string of stuff or end in an error, most likely about finding certificates
  7. Change NMIS Auth code to use certificate directory, note it's using LDAP instead of LDAPS and adds a new line with a new config item.

    Code Block
    # /usr/local/nmis8/lib/Auth.pm (line 716 approx)
    # change 
    $ldap = new Net::LDAPS($C->{'auth_ms_ldaps_server'});
    # to
    $ldap = new Net::LDAP($C->{'auth_ms_ldaps_server'}, version => 3);
    my $mesg = $ldap->start_tls( capath => $C->{'auth_openldap_certs'} );
  8. Modify configuration to use ms-ldaps and set new auth_openldap_certs path 

    Code Block
    'auth_method_1' => 'ms-ldaps',
    'auth_ms_ldaps_server' => 'ad-server.name.or.ip',
    'auth_openldap_certs' => '/etc/openldap/certs/', # this line is new
    'auth_ms_ldap_attr' => 'sAMAccountName',
    'auth_ms_ldap_base' => 'DC=corp,DC=shurely,DC=com,DC=nz'
    'auth_ms_ldap_dn_acc' => 'LDAPRead',
    'auth_ms_ldap_dn_psw' => 'SecurePassword123',
  9. Test login, check /var/log/httpd/error_log and /usr/local/nmis8/loglogs/auth.log for issues.

Users.nmis will need to have an entry for each user who can authenticate or the default settings for a user will need to be set.

...