Linux – How to enable group enumeration on a Linux server that is using LDAP to connect to an AD server

active-directorygroupsldaplinux

I've got a set of servers that I need to authenticate against a central Active Directory forest. The AD admins have kindly installed the UNIX AD extensions and the NIS ones as well, so I've got a lot of LDAP attributes to work from.

Authenticated binds are working, as are user logins. The one piece I'm missing is the magic sauce to make group enumerations work correctly.

Does anyone have any particular /etc/ldap.conf or perhaps PAM magic that I could employ to make groups work correctly?

To wit:

[root@hostname ~]# groups username
id: cannot find name for group ID 1768498755
[root@hostname ~]#

(The ID is the default group specified via gidNumber.)

Thanks!

Best Answer

Add to /etc/nsswitch.conf:

(if needed:

passwd: files sss
group:  files sss

)

Have sssd installed and configure it to search the appropriate space (/etc/sssd/sssd.conf):

[sssd]
domains = LDAP

[domains/LDAP]
ldap_schema = rfc2307bis
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://localhost
ldap_search_base = ou=users,o=company
ldap_user_search_base = ou=users,o=company
ldap_group_search_base = ou=groups,o=company
ldap_tls_reqcert = allow
cache_credentials = true
enumerate = true
min_id = 1

Related Solutions

Linux – LDAP query on linux against AD returns groups with no members

It might be the same case I've run onto not a long time ago. If your AD group has too many members, it caused such error in Linux (somewhere on getent level or just before it - ldapsearch worked fine).

More precisely the error is not about a specific number of members, but rather about the number of characters per "group line" (think line from /etc/group) being greater than 1023 characters. I didn't look into why this limit is there and why 1024. I've just created a second group and moved excessive members there.

Linux – How to run a server on port 80 as a normal user on Linux

Short answer: you can't. Ports below 1024 can be opened only by root. As per comment - well, you can, using CAP_NET_BIND_SERVICE, but that approach, applied to java bin will make any java program to be run with this setting, which is undesirable, if not a security risk.

The long answer: you can redirect connections on port 80 to some other port you can open as normal user.

Run as root:

# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

As loopback devices (like localhost) do not use the prerouting rules, if you need to use localhost, etc., add this rule as well (thanks @Francesco):

# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080

NOTE: The above solution is not well suited for multi-user systems, as any user can open port 8080 (or any other high port you decide to use), thus intercepting the traffic. (Credits to CesarB).

EDIT: as per comment question - to delete the above rule:

# iptables -t nat --line-numbers -n -L

This will output something like:

Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 redir ports 8088
2    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 8080

The rule you are interested in is nr. 2, so to delete it:

# iptables -t nat -D PREROUTING 2

Best Answer

Related Solutions

Linux – LDAP query on linux against AD returns groups with no members

Linux – How to run a server on port 80 as a normal user on Linux

Related Topic