In this tutorial, we will configure EdgeRouter Active Directory authentication. This will allow you to log in to your EdgeRouter using your Active Directory accounts.
There are a few different methods to go about this; we will use `sssd` because it is recommended by [[https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Introduction.html|Red Hat]].
# [[http://community.ubnt.com/t5/EdgeMAX-CLI-Basics-Knowledge/Add-Other-Debian-Packages-to-EdgeOS/ta-p/413071|Add Debian Repos]]
# Escalate to root
{{{
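# Become root with a login shell; the argument is an ASCII hyphen, not an en dash
sudo su -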
}}}
# Install `sssd`
{{{
# The sssd daemon plus its NSS and PAM client modules
apt-get install libnss-sss libpam-sss sssd
}}}
# Configure `/etc/sssd/sssd.conf` so that it looks similar to the example below (note that `ldap_default_bind_dn` and `ldap_default_authtok` must match the credentials of your bind user, which should be a dedicated account with read-only directory access)
{{{
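# sssd.conf — read by sssd; sssd requires this file to be owned by root with mode 0600
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
# Responders to start: name service (nss) and authentication (pam)
services = nss, pam
domains = DOMAIN.DOMAIN.NET

[nss]
reconnection_retries = 3

[pam]
reconnection_retries = 3

# Local LAN AD
[domain/DOMAIN.DOMAIN.NET]
description = AD DC
# enumerate = true lets "getent passwd" list every AD user/group; this downloads
# the whole directory on each refresh, so consider false on a large domain
enumerate = true
# Ignore directory entries with uid/gid below this value (reserved for local system accounts)
min_id = 1000
# Identities come from LDAP, passwords are verified via Kerberos
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
# Plain ldap:// sends the bind credential below in clear text unless
# ldap_id_use_start_tls is enabled; use ldaps:// or enable the TLS lines
ldap_uri = ldap://192.168.69.100
# Uncomment below if you are using TLS
#ldap_id_use_start_tls = true
#ldap_tls_cacert = /etc/ssl/certs/addc.pem
ldap_schema = rfc2307bis
ldap_default_bind_dn = CN=Bind User,CN=Users,DC=domain,DC=domain,DC=net
# The bind secret is stored here in clear text: keep this file root-owned and 0600,
# give the bind account read-only rights only, and rotate the secret if the file leaks
# (sss_obfuscate can store it as obfuscated_password, which hides but does not encrypt it)
ldap_default_authtok_type = password
ldap_default_authtok = SuperSecretPassword
# Only objects under CN=Users are found; accounts in other OUs need a wider base
ldap_user_search_base = CN=Users,DC=domain,DC=domain,DC=net
ldap_group_search_base = CN=Users,DC=domain,DC=domain,DC=net
# AD attribute mapping (rfc2307bis names on the left, AD attributes on the right)
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_gid_number = gidNumber
# Booleans are written lowercase throughout this file for consistency
ldap_force_upper_case_realm = true
krb5_server = DOMAIN.DOMAIN.NET
krb5_realm = DOMAIN.DOMAIN.NET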
}}}
# Set the permissions for `sssd.conf`
{{{
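# Root-own the file and make it unreadable to everyone else: it holds the bind password
# (root:root is the portable owner:group form; root.root is a legacy GNU-only spelling)
sudo chown root:root /etc/sssd/sssd.conf
sudo chmod 0600 /etc/sssd/sssd.conf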
}}}
# Now we need to modify `/etc/nsswitch.conf` to tell it to search `sss` for passwd, shadow, and group info. Find the appropriate lines and modify them to include `sss`
{{{
# Lookup order: local files first (compat), then sssd (sss) for AD accounts
passwd: compat sss
group: compat sss
shadow: compat sss
}}}
# Add the AD DC as the primary nameserver into `/etc/resolv.conf`. You can leave other nameservers, just make sure that the following is the first line:
{{{
# AD domain controller; must be the first nameserver so AD name lookups are answered by it
nameserver 192.168.69.100
}}}
# Add the AD admin group to the sudoers file (`/etc/sudoers`; edit it with `visudo` so a syntax error cannot lock you out)
{{{
# Members of the LinuxAdmins group may gain root privileges
# (the group is resolved through NSS, so an AD group such as the one shown by `id` above works)
%LinuxAdmins ALL=(ALL) ALL
}}}
# Start `sssd`
{{{
# (Re)start sssd so the configuration above takes effect
service sssd restart
}}}
# Verify that the machine can see AD accounts
{{{
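# Look up the AD account through NSS; the variable is quoted so the name is passed intact
getent passwd "$ACTIVE_DIRECTORY_USER"
# Should see something similar to
dlasley:*:2000:3000::/home/dlasley:/bin/bash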
}}}
{{{
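# Show uid, primary gid and group memberships as resolved through sssd; variable quoted
id "$ACTIVE_DIRECTORY_USER"
# Should output something similar to
uid=2000(dlasley) gid=3000(LinuxAdmins) groups=3000(LinuxAdmins)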
}}}
# To allow the user into the WebUI, we need to create a node for them in the system configuration (replace $NEW_USER_NAME with your username)
{{{
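# Create the user's config node; quoted so the expanded path is passed as a single argument
mkdir -p "/opt/vyatta/config/active/system/login/user/$NEW_USER_NAME/level/"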
}}}
# Now set a permission level for this user. Valid permissions are `admin` and `operator`; write the chosen word, and nothing else, into the following file (the `dlasley` path component is the example username):
{{{
/opt/vyatta/config/active/system/login/user/dlasley/level/node.val
}}}