Windows 2012 AD

Question

Windows 2012 AD

TheRo0T opened this issue 5 years ago · 6 comments

Hi!
Does authorization work in MS LDAP (Windows 2012 AD)?
The second day I try to install authorization in AD.
In the log: AUTH-PAM: BACKGROUND: user 'testuser' could not authenticate: user is not known to the basic authentication module.

Answer 1 · 2019-08-01T15:59:06.000Z

Hi.
I'm afraid that this is untested with MS LDAP (which I've never heard of). It's certainly not designed to work with Active Directory, though I can't see why PAM could be modified to do so.
This was primarily designed to work with OpenLDAP and I don't have any resources to test against AD, so that's not something I'm going to work on. However if you're interested in doing that then I'm always happy to accept PRs.

Answer 2 · 2019-12-27T10:07:05.000Z

Hi,
This is my small contribution :) i have the same issue than TheRo0T to use the project with an Active Directory. I run a debug off nslcd and i found the problem. By default nslcd add a filter when he read the bind dn user, this filter have an objectclass=posixaccount but this attribut doesn't exist in an Active directory environnement. So to resolve you need to had a line "filter passwd (objectClass=user)" in the /etc/nslcd.conf.

Enjoy :)

Answer 3 · 2020-01-02T10:17:13.000Z

Cheers. I've created an active_directory branch and a container: wheelybird/openvpn-ldap-otp:ad.
If you set the env variable ACTIVE_DIRECTORY_COMPAT_MODE to true when launching the container then it'll add the line you mentioned to nscld.conf.
Please give it a try and let me know if it works.

Answer 4 · 2020-01-02T15:31:02.000Z

hi, Thanks for your answer.
I make test but it doesn't add the line to nslcd.conf
This is my Docker run:

docker run
--name openvpn
--volume /openvpn:/etc/openvpn
--detach=true
-p 1194:1194/udp
-e "OVPN_SERVER_CN=vpn.xxx.fr"
-e "OVPN_ENABLE_COMPRESSION=false"
-e "OVPN_DNS_SERVERS=192.168.1.210"
-e "LDAP_LOGIN_ATTRIBUTE=sAMAccountName"
-e "LDAP_URI=ldap://192.168.1.210"
-e "LDAP_BASE_DN=dc=csi,dc=local"
-e "LDAP_BIND_USER_DN=CN=user,CN=Users,DC=CSI,DC=local"
-e "LDAP_BIND_USER_PASS=password"
-e "ACTIVE_DIRECTORY_COMPAT_MODE=true"
--cap-add=NET_ADMIN
wheelybird/openvpn-ldap-otp:ad

Thanks for help

Answer 5 · 2020-01-02T15:57:45.000Z

Oops. There was a bug in that. I've pushed a new version. I've changed it so that you don't need to set LDAP_LOGIN_ATTRIBUTE either when you use ACTIVE_DIRECTORY_COMPAT_MODE.
Incidentally you didn't need to manually update nslcd.conf - you could have set LDAP_FILTER=(objectClass=user). But I think having this as a single option makes it easier for people.

Answer 6 · 2020-01-02T20:25:21.000Z

Very nice it's works fine :) Great job.
Thanks.