Active Directory Auth – Ubiquiti EdgeRouter
In this tutorial, we will configure Active Directory authentication on an EdgeRouter. This will allow you to log in to your EdgeRouter (SSH and the WebUI) using your Active Directory accounts.
There are a few different ways to go about this; we will use sssd because it is the approach recommended by Red Hat.
- Add the Debian package repositories (EdgeOS is Debian-based) so that apt-get can find the sssd packages
- Escalate to root:

    sudo su -

- Install sssd together with its NSS and PAM modules:

    apt-get install sssd libnss-sss libpam-sss
- Configure /etc/sssd/sssd.conf, making it look similar to the following. ldap_default_bind_dn and ldap_default_authtok must match your bind user's credentials, so the file holds that password in cleartext; that is why its permissions are tightened in the next step. Note also that with ldap_uri = ldap://... and the two TLS lines commented out, the simple bind sends that password over the network unencrypted; if at all possible, uncomment them and point ldap_tls_cacert at your domain CA certificate. With this schema mapping, only AD accounts that have uidNumber, gidNumber, unixHomeDirectory and loginShell populated will be returned as users, and enumerate = true pulls the whole user and group list into the cache, which is fine for a small domain but slow on a large one.

    [sssd]
    config_file_version = 2
    reconnection_retries = 3
    sbus_timeout = 30
    services = nss, pam
    domains = DOMAIN.DOMAIN.NET

    [nss]
    reconnection_retries = 3

    [pam]
    reconnection_retries = 3

    # Local LAN AD
    [domain/DOMAIN.DOMAIN.NET]
    description = AD DC
    enumerate = true
    min_id = 1000
    id_provider = ldap
    auth_provider = krb5
    chpass_provider = krb5
    ldap_uri = ldap://192.168.69.100
    # Uncomment below if you are using TLS
    #ldap_id_use_start_tls = true
    #ldap_tls_cacert = /etc/ssl/certs/addc.pem
    ldap_schema = rfc2307bis
    ldap_default_bind_dn = CN=Bind User,CN=Users,DC=domain,DC=domain,DC=net
    ldap_default_authtok_type = password
    ldap_default_authtok = SuperSecretPassword
    ldap_user_search_base = CN=Users,DC=domain,DC=domain,DC=net
    ldap_group_search_base = CN=Users,DC=domain,DC=domain,DC=net
    ldap_user_object_class = user
    ldap_user_name = sAMAccountName
    ldap_user_uid_number = uidNumber
    ldap_user_gid_number = gidNumber
    ldap_user_home_directory = unixHomeDirectory
    ldap_user_shell = loginShell
    ldap_user_principal = userPrincipalName
    ldap_group_object_class = group
    ldap_group_gid_number = gidNumber
    ldap_force_upper_case_realm = True
    krb5_server = DOMAIN.DOMAIN.NET
    krb5_realm = DOMAIN.DOMAIN.NET
- Set the permissions on sssd.conf so that only root can read the bind password it contains:

    sudo chmod 0600 /etc/sssd/sssd.conf
    sudo chown root:root /etc/sssd/sssd.conf
- Now we need to modify /etc/nsswitch.conf to tell it to search sss for passwd, shadow, and group information. Find the appropriate lines and append sss to them:

    passwd: compat sss
    group:  compat sss
    shadow: compat sss
- Add the AD DC as the primary nameserver in /etc/resolv.conf; the krb5_server name configured above has to resolve through AD's DNS. You can leave other nameservers in place, just make sure that the following is the first line:

    nameserver 192.168.69.100
- Add the AD admin group to the sudoers file (/etc/sudoers; edit it with visudo so that a syntax error cannot lock you out of sudo):

    # Members of the LinuxAdmins group may gain root privileges
    %LinuxAdmins ALL=(ALL) ALL
- Start (or restart) sssd:

    service sssd restart

- Verify that the machine can see AD accounts:

    getent passwd $ACTIVE_DIRECTORY_USER
    # Should print something similar to:
    # dlasley:*:2000:3000::/home/dlasley:/bin/bash

    id $ACTIVE_DIRECTORY_USER
    # Should print something similar to:
    # uid=2000(dlasley) gid=3000(LinuxAdmins) groups=3000(LinuxAdmins)
- To allow the user into the WebUI, we need to create a node for them in the system configuration (replace $NEW_USER_NAME with your username):

    mkdir -p /opt/vyatta/config/active/system/login/user/$NEW_USER_NAME/level/

- Now we need to set a permission level for this user. Valid levels are admin and operator. The chosen level should be the only text in the following file (shown here for the dlasley account used above):

    /opt/vyatta/config/active/system/login/user/dlasley/level/node.val
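The file-level steps above (the nsswitch.conf edit, the sssd.conf permissions and TLS setting, and the EdgeOS user node) are easy to get subtly wrong by hand, so here they are as shell functions. This is an added example, not code from the original article: the functions take a root directory as their first argument so the procedure can be rehearsed on a scratch tree before being run with `/` on the router, and the ROOT argument, the function names, and the scratch-tree usage are this example's own assumptions. The TLS check encodes the caveat from the configuration step: the article's sample sssd.conf fails it until the two TLS lines are uncommented.

```bash
#!/bin/bash
# Added example (not code from the original article): helper functions for the
# file-level steps of the EdgeRouter/sssd setup, applied beneath a root
# directory given as the first argument (use / on the router, as root).
# The ROOT argument and the function names are this example's own assumptions.

# Append "sss" to the passwd, group and shadow lines of ROOT/etc/nsswitch.conf.
# Idempotent: a line that already lists sss is left alone, and other databases
# (hosts, networks, ...) are never modified.
nsswitch_add_sss() {
    local f="$1/etc/nsswitch.conf" db
    for db in passwd group shadow; do
        if grep -Eq "^${db}:" "$f" &&
           ! grep -Eq "^${db}:.*[[:space:]]sss([[:space:]]|$)" "$f"; then
            sed -e "s/^\(${db}:.*\)$/\1 sss/" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
        fi
    done
}

# sssd.conf stores the bind user's password, so it must be readable by root
# only. Returns 0 when the mode is exactly 0600.
sssd_conf_is_private() {
    local f="$1/etc/sssd/sssd.conf"
    [ -f "$f" ] && [ -n "$(find "$f" -perm 600 -print)" ]
}

# Apply the article's chmod/chown to sssd.conf (chown only when running as
# root) and verify the result.
secure_sssd_conf() {
    local f="$1/etc/sssd/sssd.conf"
    chmod 0600 "$f"
    if [ "$(id -u)" -eq 0 ]; then chown root:root "$f"; fi
    sssd_conf_is_private "$1"
}

# Return 0 if the LDAP bind credential is protected on the wire: every ldap_uri
# is ldaps://, or ldap_id_use_start_tls = true is set (uncommented). With a
# plain ldap:// URI and no StartTLS the simple bind sends the password in clear.
sssd_conf_bind_is_encrypted() {
    local f="$1/etc/sssd/sssd.conf" uri
    uri=$(sed -n 's/^[[:space:]]*ldap_uri[[:space:]]*=[[:space:]]*//p' "$f")
    [ -n "$uri" ] || return 1
    case "$uri" in
        *ldap://*)
            grep -Eq '^[[:space:]]*ldap_id_use_start_tls[[:space:]]*=[[:space:]]*[Tt]rue' "$f" ;;
        *) return 0 ;;
    esac
}

# Create the EdgeOS login node that lets an AD user into the WebUI/CLI.
# EdgeOS defines only the levels admin and operator, so anything else is
# refused, and the username is limited to characters that cannot escape the
# node path (no "/", no leading ".").
edgeos_add_user_node() {
    local root=$1 user=$2 level=$3 dir
    case "$level" in
        admin|operator) ;;
        *) echo "edgeos_add_user_node: level must be admin or operator, got '$level'" >&2
           return 1 ;;
    esac
    case "$user" in
        ""|*[!A-Za-z0-9._-]*|.*)
            echo "edgeos_add_user_node: refusing username '$user'" >&2
            return 1 ;;
    esac
    dir="$root/opt/vyatta/config/active/system/login/user/$user/level"
    mkdir -p "$dir"
    printf '%s\n' "$level" > "$dir/node.val"
}

# Read back the level stored for a user (empty if the node does not exist).
edgeos_user_level() {
    cat "$1/opt/vyatta/config/active/system/login/user/$2/level/node.val" 2>/dev/null
}

# Usage on the router, as root, after sssd.conf has been written:
#   nsswitch_add_sss /
#   secure_sssd_conf /
#   sssd_conf_bind_is_encrypted / || echo "bind password crosses the wire in cleartext" >&2
#   edgeos_add_user_node / dlasley admin
```

Running `sssd_conf_bind_is_encrypted` before starting sssd is the cheap way to catch the cleartext-bind configuration; the other three functions simply make the hand edits repeatable and refuse a level value EdgeOS would not understand.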
Will this persist through firmware upgrades? If I setup an OpenVPN server can I have it authenticate against this Active Directory integration?
Unfortunately, the changes will not persist past an upgrade. During an upgrade, basically everything other than the contents of `/config/*` is wiped.
In regard to OpenVPN, I haven't gone that in-depth with its configuration yet. I would say that if you are able to get it to authenticate against system users, then this would work. If you do try this, please let me know the results, and feel free to send me an email if I can be of assistance.
Very interesting. What is actually being authenticated: the administration, or traffic flowing through the router?
Thanks
Jack
This will allow you to sign in to your Edge Router (SSH/WebUI) using your AD accounts. Apologies if I was unclear, I have updated the article to point this out.
Thanks very much, great tutorial!
Is there / will there be an update to this entry?
This solution doesn’t cleanly work with the 1.9.0 firmware
Hey Zach,
We haven’t had a chance to play with the 1.9.0 firmware just yet. Could you let me know what issue you ran into when trying to set this up on the EdgeRouter?
Thanks!
-Ted
Hey, Thanks for the great article
I set this up and have it working fine, but I have some small issues that seem to be related, and I thought you might have encountered them as well and maybe have an idea how to fix them? :)
1. After a successful login with LDAP, I am no longer able to use "?" to get the next available command options. It seems like it has disabled a lot of the EdgeOS features.
2. To enter configuration mode I have to go into "root" (sudo su) and from there enter configuration mode, with the limitations mentioned above.
Please let me know if you have any ideas :)
Thanks