Active Directory Auth – Ubiquiti EdgeRouter

In this tutorial, we will configure Active Directory authentication on a Ubiquiti EdgeRouter. This will allow you to log in to your EdgeRouter (SSH and WebUI) using your Active Directory accounts.

There are a few different methods to go about this; we will use `sssd` because it is recommended by [[https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Introduction.html|Red Hat]].

# [[http://community.ubnt.com/t5/EdgeMAX-CLI-Basics-Knowledge/Add-Other-Debian-Packages-to-EdgeOS/ta-p/413071|Add Debian Repos]]
# Escalate to root
{{{
sudo su -
}}}
# Install `sssd`
{{{
apt-get install sssd libnss-sss libpam-sss
}}}
# Configure `/etc/sssd/sssd.conf` to look similar to the below. `ldap_default_bind_dn` and `ldap_default_authtok` should match your bind user's credentials; because this file stores that password, keep the `0600` permissions set in a later step, and uncomment the StartTLS lines unless the router and the DC share a network you trust, since a simple bind over plain `ldap://` sends the password across the wire in the clear.
{{{
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = DOMAIN.DOMAIN.NET

[nss]
reconnection_retries = 3

[pam]
reconnection_retries = 3

# Local LAN AD
[domain/DOMAIN.DOMAIN.NET]
description = AD DC
enumerate = true
min_id = 1000
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5

ldap_uri = ldap://192.168.69.100

# Uncomment below if you are using TLS
#ldap_id_use_start_tls = true
#ldap_tls_cacert = /etc/ssl/certs/addc.pem

ldap_schema = rfc2307bis
ldap_default_bind_dn = CN=Bind User,CN=Users,DC=domain,DC=domain,DC=net
ldap_default_authtok_type = password
ldap_default_authtok = SuperSecretPassword
ldap_user_search_base = CN=Users,DC=domain,DC=domain,DC=net
ldap_group_search_base = CN=Users,DC=domain,DC=domain,DC=net
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_gid_number = gidNumber
ldap_force_upper_case_realm = True

krb5_server = DOMAIN.DOMAIN.NET
krb5_realm = DOMAIN.DOMAIN.NET
}}}
# Set the permissions for `sssd.conf`
{{{
sudo chmod 0600 /etc/sssd/sssd.conf
sudo chown root:root /etc/sssd/sssd.conf
}}}
# Now we need to modify `/etc/nsswitch.conf` so that passwd, shadow, and group lookups also consult `sss`. Find the appropriate lines and modify them to include `sss`:
{{{
passwd: compat sss
group: compat sss
shadow: compat sss
}}}
# Add the AD DC as the primary nameserver in `/etc/resolv.conf`. You can leave the other nameservers in place; just make sure that the following is the first `nameserver` line:
{{{
nameserver 192.168.69.100
}}}
# Add the AD admin group to the sudoers file (`/etc/sudoers`, edited with `visudo` so a syntax error cannot lock you out):
{{{
# Members of the LinuxAdmins group may gain root privileges
%LinuxAdmins ALL=(ALL) ALL
}}}
# Start `sssd`
{{{
service sssd restart
}}}
# Verify that the machine can see AD accounts
{{{
getent passwd $ACTIVE_DIRECTORY_USER
# Should see something similar to
dlasley:*:2000:3000::/home/dlasley:/bin/bash
}}}
{{{
id $ACTIVE_DIRECTORY_USER
# Should output something similar to
uid=2000(dlasley) gid=3000(LinuxAdmins) groups=3000(LinuxAdmins)
}}}
# To allow the user into the WebUI, we need to create a node for them in the system configuration (replace $NEW_USER_NAME with your username)
{{{
mkdir -p /opt/vyatta/config/active/system/login/user/$NEW_USER_NAME/level/
}}}
# Now we need to set a permission level for this user. Valid levels are `admin` and `operator`; the chosen level should be the only text in the following file (shown here for the user `dlasley`):
{{{
/opt/vyatta/config/active/system/login/user/dlasley/level/node.val
}}}
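Once the steps above are done, the script below (an added example, not part of the original article) checks the pieces that most often break this setup: the permissions and TLS setting of `sssd.conf`, the `sss` entries in `nsswitch.conf`, the first nameserver in `resolv.conf`, and writing the EdgeOS level node with a validated value. It assumes the file paths and the DC address used in the article, and a `stat` that supports `-c` (GNU or BusyBox); the config root is a parameter so the helper can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original article): sanity checks for the sssd
# setup described above, plus a helper that writes the EdgeOS login level node.
# Assumed: GNU/BusyBox stat, and the file paths and DC address from the article.

# sssd.conf carries the bind password, so it must be mode 0600, and a plain
# ldap:// URI needs StartTLS or that password crosses the network in the clear.
check_sssd_conf() {
    conf="$1"
    [ -f "$conf" ] || { echo "missing $conf"; return 1; }
    mode=$(stat -c '%a' "$conf")
    [ "$mode" = "600" ] || { echo "$conf: mode $mode, want 600"; return 1; }
    if grep -Eq '^ldap_uri *= *ldap://' "$conf" &&
       ! grep -Eq '^ldap_id_use_start_tls *= *[Tt]rue' "$conf"; then
        echo "$conf: plain ldap:// without ldap_id_use_start_tls = true"
        return 1
    fi
}

# passwd, group and shadow must all consult sss, or AD users stay invisible.
check_nsswitch() {
    for db in passwd group shadow; do
        grep -Eq "^$db:.*[[:space:]]sss([[:space:]]|$)" "$1" ||
            { echo "$1: $db line does not list sss"; return 1; }
    done
}

# The DC must be the first nameserver so the KDC and LDAP server resolve.
check_resolv() {
    first=$(grep -E '^nameserver' "$1" | head -n 1 | awk '{print $2}')
    [ "$first" = "$2" ] || { echo "$1: first nameserver is '$first', want $2"; return 1; }
}

# Write <root>/system/login/user/<user>/level/node.val; level is admin or operator.
# On the router <root> is /opt/vyatta/config/active; tests may pass a scratch dir.
set_login_level() {
    case "$3" in admin|operator) ;; *) echo "level must be admin or operator"; return 1 ;; esac
    case "$2" in ''|*/*|*..*) echo "refusing user name '$2'"; return 1 ;; esac
    d="$1/system/login/user/$2/level"
    mkdir -p "$d" && printf '%s\n' "$3" > "$d/node.val"
}

# Run all checks against the live files: sh thisscript.sh --check
if [ "${1:-}" = "--check" ]; then
    check_sssd_conf /etc/sssd/sssd.conf &&
    check_nsswitch /etc/nsswitch.conf &&
    check_resolv /etc/resolv.conf 192.168.69.100 && echo "all checks passed"
fi
```

Run it as root on the router with `--check` after completing the steps; a failing check prints which file and which setting to revisit.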

8 responses to “Active Directory Auth – Ubiquiti EdgeRouter”

  1. Lucas Jans

    Will this persist through firmware upgrades? If I set up an OpenVPN server can I have it authenticate against this Active Directory integration?

    1. Dave Lasley

      Unfortunately, the changes will not persist past an upgrade. During an upgrade, basically everything other than the contents of `/config/*` are wiped.

      In regards to OpenVPN, I haven’t gone that in depth with its configuration yet. I would say that if you are able to get it to authenticate against system users, then this would work. If you do try this – please let me know the results, and feel free to send me an email if I can be of assistance.

  2. Jack

    Very interesting, what is actually being authenticated: the administration, or traffic flowing through the router?

    Thanks
    Jack

    1. Dave Lasley

      This will allow you to sign in to your Edge Router (SSH/WebUI) using your AD accounts. Apologies if I was unclear, I have updated the article to point this out.

  3. Jack

    Thanks very much, great tutorial!

  4. Zach

    Is there / will there be an update to this entry?

    This solution doesn’t cleanly work with the 1.9.0 firmware.

    1. Ted Salmon

      Hey Zach,

      We haven’t had a chance to play with the 1.9.0 firmware just yet. Could you let me know what issue you ran into when trying to set this up on the EdgeRouter?

      Thanks!
      -Ted

  5. Troels Foss

    Hey, thanks for the great article.

    I set this up and have it working fine, but have some small issues that seem to be related, and I thought you might have encountered them as well and maybe have an idea how to fix them? :)

    1. After successful login with LDAP, I am no longer able to use “?” to get the next available command options. It seems like it has disabled a lot of the EdgeOS features.

    2. To enter configuration mode I have to go into “root” (sudo su) and from there enter configuration mode, with the limitations mentioned above.

    Please let me know if you have any ideas :)

    Thanks
