In this tutorial, we will configure EdgeRouter Active Directory Authentication. This will allow you to login to your EdgeRouter using your Active Directory accounts.

There are a few different methods to go about this; we will use sssd because it is the method recommended by Red Hat.

  1. Add Debian Repos
  2. Escalate to root
    sudo su -
  3. Install sssd
    apt-get install sssd libnss-sss libpam-sss
  4. Configure /etc/sssd/sssd.conf so that it looks similar to the example below (note: ldap_default_bind_dn and ldap_default_authtok must match your bind user's credentials)
    [sssd]
    config_file_version = 2
    reconnection_retries = 3
    sbus_timeout = 30
    services = nss, pam
    domains = DOMAIN.DOMAIN.NET
    
    [nss]
    reconnection_retries = 3
    
    [pam]
    reconnection_retries = 3
    
    # Local LAN AD
    [domain/DOMAIN.DOMAIN.NET]
    description =  AD DC
    enumerate = true
    min_id = 1000
    id_provider = ldap
    auth_provider = krb5
    chpass_provider = krb5
    
    ldap_uri = ldap://192.168.69.100
    
    # Uncomment below if you are using TLS
    #ldap_id_use_start_tls = true
    #ldap_tls_cacert = /etc/ssl/certs/addc.pem
    
    ldap_schema = rfc2307bis
    ldap_default_bind_dn = CN=Bind User,CN=Users,DC=domain,DC=domain,DC=net
    ldap_default_authtok_type = password
    ldap_default_authtok = SuperSecretPassword
    ldap_user_search_base = CN=Users,DC=domain,DC=domain,DC=net
    ldap_group_search_base = CN=Users,DC=domain,DC=domain,DC=net
    ldap_user_object_class = user
    ldap_user_name = sAMAccountName
    ldap_user_uid_number = uidNumber
    ldap_user_gid_number = gidNumber
    ldap_user_home_directory = unixHomeDirectory
    ldap_user_shell = loginShell
    ldap_user_principal = userPrincipalName
    ldap_group_object_class = group
    ldap_group_gid_number = gidNumber
    ldap_force_upper_case_realm = True
    
    krb5_server = DOMAIN.DOMAIN.NET
    krb5_realm = DOMAIN.DOMAIN.NET
  5. Set the permissions for sssd.conf
    sudo chmod 0600 /etc/sssd/sssd.conf
    sudo chown root:root /etc/sssd/sssd.conf
  6. Now we need to modify /etc/nsswitch.conf so that it searches sss for passwd, shadow, and group information. Find the appropriate lines and modify them to include sss:
    passwd:         compat sss
    group:          compat sss
    shadow:         compat sss
  7. Add the AD DC as the primary nameserver in /etc/resolv.conf. You can leave the other nameservers in place; just make sure that the following is the first nameserver line:
    nameserver 192.168.69.100
  8. Add the AD admin group to the sudoers file (/etc/sudoers):
    # Members of the LinuxAdmins group may gain root privileges
    %LinuxAdmins ALL=(ALL) ALL
  9. Start sssd
    service sssd restart
  10. Verify that the machine can see AD accounts
    getent passwd $ACTIVE_DIRECTORY_USER
    # Should see something similar to
    dlasley:*:2000:3000::/home/dlasley:/bin/bash
    id $ACTIVE_DIRECTORY_USER
    # Should output something similar to
    uid=2000(dlasley) gid=3000(LinuxAdmins) groups=3000(LinuxAdmins)
  11. To allow the user into the WebUI, we need to create a node for them in the system configuration (replace $NEW_USER_NAME with your username)
    mkdir -p /opt/vyatta/config/active/system/login/user/$NEW_USER_NAME/level/
  12. Now we need to set a permission level for this user. Valid permissions are admin and operator. This should be the only text in the following file:
    /opt/vyatta/config/active/system/login/user/dlasley/level/node.val
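The steps above edit four files by hand and then restart sssd. The following pre-flight check, added here as an example and not part of the original tutorial, verifies the security-relevant outcomes before the restart: that the LDAP session is TLS-protected (with the ldap_id_use_start_tls lines from step 4 left commented out and a plain ldap:// URI, the bind password in ldap_default_authtok crosses the network in cleartext on every simple bind), that sssd.conf is mode 0600 as step 5 sets it, that nsswitch.conf lists sss for all three databases, that the %LinuxAdmins sudoers entry is present, and that the WebUI level node.val contains exactly admin or operator. The user name dlasley, the group LinuxAdmins and the file paths come from the tutorial; the function names and the optional filesystem-prefix argument (so the checks can run against a staging copy instead of the live files) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: pre-flight checks for the
# files edited in the steps above. Every check takes a file path, and
# preflight() takes an optional prefix (assumed for this example) so the same
# checks can run against a staging tree such as a temporary directory.

# 0 if the sssd.conf at $1 encrypts the LDAP session: either ldap_uri is
# ldaps:// or ldap_id_use_start_tls is set to true and not commented out.
# Otherwise the ldap_default_authtok bind password is sent in cleartext.
sssd_uses_tls() {
    grep -Eq '^[[:space:]]*ldap_uri[[:space:]]*=[[:space:]]*ldaps://' "$1" ||
        grep -Eq '^[[:space:]]*ldap_id_use_start_tls[[:space:]]*=[[:space:]]*[Tt]rue' "$1"
}

# 0 if the file at $1 has mode 0600, as step 5 sets for a file that stores a
# password (sssd checks this itself and will not start otherwise).
# GNU stat is tried first, then the BSD spelling for portability.
mode_is_0600() {
    mode="$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)"
    [ "$mode" = "600" ]
}

# 0 if passwd, group and shadow in the nsswitch.conf at $1 all list sss.
nsswitch_has_sss() {
    for db in passwd group shadow; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]sss([[:space:]]|\$)" "$1" || return 1
    done
    return 0
}

# 0 if the sudoers file at $1 has an uncommented %GROUP entry for group $2.
sudoers_grants_group() {
    grep -Eq "^[[:space:]]*%$2[[:space:]]" "$1"
}

# 0 if the WebUI level node.val at $1 holds exactly "admin" or "operator",
# the only two valid levels named in step 12.
level_is_valid() {
    [ -r "$1" ] || return 1
    lvl="$(tr -d '[:space:]' < "$1")"
    [ "$lvl" = "admin" ] || [ "$lvl" = "operator" ]
}

# check MESSAGE COMMAND [ARGS...]: print ok/FAIL and record any failure in rc.
check() {
    msg="$1"; shift
    if "$@"; then echo "ok   $msg"; else echo "FAIL $msg"; rc=1; fi
}

# preflight USER [PREFIX]: run every check for USER under PREFIX ("" = the
# live system). Prints one line per check; returns 1 if any check failed.
preflight() {
    user="$1"; root="${2:-}"; rc=0
    check "sssd.conf: LDAP session is TLS protected (bind password not sent in cleartext)" \
        sssd_uses_tls "$root/etc/sssd/sssd.conf"
    check "sssd.conf: mode is 0600" mode_is_0600 "$root/etc/sssd/sssd.conf"
    check "nsswitch.conf: passwd, group and shadow consult sss" \
        nsswitch_has_sss "$root/etc/nsswitch.conf"
    check "sudoers: %LinuxAdmins entry present" \
        sudoers_grants_group "$root/etc/sudoers" LinuxAdmins
    check "WebUI level for $user is admin or operator" level_is_valid \
        "$root/opt/vyatta/config/active/system/login/user/$user/level/node.val"
    return $rc
}

# Usage on the router: sh ad-preflight.sh check dlasley
if [ "${1:-}" = "check" ]; then
    preflight "${2:?user name required}" "${3:-}"
fi
```

Run it after step 9 and before the getent/id checks of step 10; a FAIL on the TLS line means uncommenting ldap_id_use_start_tls and ldap_tls_cacert in step 4 (or switching ldap_uri to ldaps://) before trusting the setup. One caveat for step 8: edit /etc/sudoers through visudo rather than directly, since a syntax error in that file locks every admin out of sudo at once.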