Authentication to AD thru PAM (sssd, krb5, and samba) on Ubuntu

borange 2018-10-10 21:35:28 UTC #1

Good afternoon fellows, it been a while.

I have been pondering on the idea of using Active Directory with PostgreSQL and xTuple.

I have reviewed the article found here:
Authenticating through LDAP

This describes loading users and groups into xtuple using psycopg and python-ldap and setting the pg_hba to send authentication requests to ldap. While this seems like a fine approach, I was thinking about sending my authentication request to PAM to be handled by sssd, krb5, and samba and thus AD.

I have had a lot of luck with the sssd, krb5, and samba stack as I plan to use this backend for some aspcore web applications elsewhere in the environment.

Does this sound like something that can work?

When does that ldap python script get used?

jim.wirt 2019-05-08 17:04:31 UTC #2

Just now noticed this post so even if it is a bit old I thought I'd respond.

I've been using ldap to AD authentication for several years now. I've had no issues and didn't have to install a lot of Samba or Pam stuff. All I had to do add some lines to my pg_hba.conf file. This environment allows both local and ldap authentication as appropriate. Here is a snippet of the related config file:

host all admin 172.20.0.0/16 md5
host all admin 172.16.0.0/23 md5
host @memsb_dbs memsb-rw 172.16.1.27/32 md5
host @memsb_dbs memsb-rw 172.16.1.99/32 md5
host all domo_ro 172.16.0.0/23 md5
host all @fpp_local 172.16.0.0/23 md5
host all @fpp_local 172.20.0.0/16 md5
host all @fpp_local 172.16.3.0/24 md5
host all all 172.16.0.0/23 ldap ldapserver=fpp-dc01.ad.osufpp.org ldapprefix="" ldapsuffix="@ad.osufpp.org"
host all all 172.20.0.0/16 ldap ldapserver=fpp-dc01.ad.osufpp.org ldapprefix="" ldapsuffix="@ad.osu

szuke 2019-05-08 17:27:10 UTC #3

This looks like a great post to bookmark for later. Thanks for sharing.

Scott

borange 2019-05-09 16:01:00 UTC #4

Thanks Jim, this looks like a great way to hook in ldap. I haven't explored this completely but I will be happy to turn back with some results when I do.