OpenLdap Pass-thru Auth for Linux VDI in Horizon View 7 Enviroment.

OpenLdap Pass-thru Auth to AD

 

Last year I rolled out Centos 6.7 VDI  in my lab environment. To use AD credentials in the Linux environment, Openldap has to be configured to authenticate windows users through client VMs. Once, the parent image is joined to the Openldap domain, every clone that is provisioned will need no configuration. It just works. This is the method that VMware recommends (VMware Horizon 7). The only problem is that VMware does not provide the configuration.

The Linux distro I used for this document is Debian (jesse) based ‘Turnkey’ which is already Openldap reconfigured so it saves a lot of steps and time.

  1.  SSH into your openldap server
  2. apt-get update
  3. apt-get install  libsasl2-2  sasl2-bin  libsasl2-modules
  4. vi  /etc/default/saslauthd and change START=yes, MECHANISMS=”ldap”
  5. Save and quit (ctrl+x)
  6. mkdir /var/run/saslauthd/mux
  7. Change permission for /var/run/saslauthd and /var/run/saslauthd/mux to 755  
  8. if saslauthd.conf does not exist – touch it (/etc/saslauthd.conf) and add 755 permissions.

9. Configure the file (/etc/saslauthd.conf) as follows

ldap_servers: ldap://ad1.oslab.com:389

ldap_search_base: DC=oslab,DC=com

ldap_filter: (sAMAccountName=%U)

ldap_bind_dn: CN=openldap,CN=Users,DC=oslab,DC=com  < do not use a domain admin account

ldap_password: Password1

ldap_auth_method: bind

ldap_version: 3

ldap_use_sasl: no

ldap_restart: yes

ldap_deref: no

ldap_start_tls: no

 

  1. To determine the account under which SLAPD is running check SLAPD_USER parameter in /etc/default/slapd.

slapd

  1. # adduser openldap sasl

 

  1. Edit the following file “/etc/ldap/sasl2/slapd.conf” and if it does not exist, create it.

slapd

  1. Testing pass-through authentication

I will use an AD user account to test and make sure that we can authenticate through openldap.

aduser

root@openldap ~# testsaslauthd -u user1 -p Password1

test

 

 

Leave a Reply

Close Menu