Active Directory

If you do not want to use SSSD or similar software, you can use the “activedirectory” plugin.

Note: you may need to adjust the paths slightly, but most of the directories will have the same names.

Warning: The “efnobody” user must be a local user only. If efnobody comes from AD, you will have login issues.

First, we need to enable the plugin as the default authority. Edit the file /opt/nisp/enginframe/conf/enginframe/server.conf and configure:

EF_DEFAULT_AUTHORITY = activedirectory
EF_ADMIN=your_ad_user_that_will_be_admin

Then edit the file /opt/nisp/enginframe/2021.0-r1667/enginframe/plugins/activedirectory/conf/ef.auth.conf and fill in all of your AD credentials, like this:

AD_SERVER="myserver"
AD_PORT="myport"
AD_BASE="OU=myOU,DC=myDC,DC=my_dc"
AD_LDAPSEARCH="/usr/bin/ldapsearch"
AD_BINDAS="readonly reader,OU=SpecialAccounts,OU=Users"
AD_BINDPWD="mypassword"
AD_TSL="false"
EFAUTH_USERMAPPING="true"

Important: Never repeat the AD_BASE value in another variable, such as AD_BINDAS. EF will do that for you. If the AD base is duplicated, you will get a wrong login credentials error.

Now we need to create the ef.user.mapping script. This script is responsible for creating local users for remote users, allowing ACL translation between AD and EF. For your information, Windows does exactly the same.

Please create the file /opt/nisp/enginframe/2021.0-r1667/enginframe/plugins/activedirectory/bin/ef.user.mapping with +x permission and with this content:

#!/bin/bash

# Check if a username was provided
if [ $# -eq 0 ]; then
    exit 1
fi

username="$1"

# Create the local user if it does not exist yet
if ! id "$username" > /dev/null 2>&1; then
    sudo useradd -m "$username" > /dev/null 2>&1
fi

# Generate a random password
password=$(openssl rand -base64 12)

# Set the password for the user
echo "$username:$password" | sudo chpasswd > /dev/null 2>&1

# Set password expiration to 1 month (30 days)
sudo chage -M 30 "$username" > /dev/null 2>&1

# Map the user to EF: this must be the only text written to stdout
echo "$username"

You need to give the “efnobody” user sudo capability without a password. Edit the /etc/sudoers file and add:

efnobody ALL=(ALL) NOPASSWD: ALL
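
A narrower alternative to the blanket rule above, as an added example that is not part of the original page or of EnginFrame: a root-owned helper validates the name and does the account work, and sudoers lets efnobody run only that helper. The helper path, the UID threshold of 1000 and the accepted name pattern are assumptions.

```sh
#!/bin/sh
# Added example: hypothetical root-owned helper (assumed path
# /usr/local/sbin/ef-provision-user, mode 0755), paired with a sudoers rule
# that allows efnobody to run this one command and nothing else:
#   efnobody ALL=(root) NOPASSWD: /usr/local/sbin/ef-provision-user
# ef.user.mapping would then run: sudo /usr/local/sbin/ef-provision-user "$1"
LC_ALL=C; export LC_ALL   # make the character ranges below plain ASCII

# Accept only plain account names: first character a letter or underscore,
# then letters, digits, dot, underscore or hyphen, 32 characters at most.
valid_username() {
    case "$1" in
        ''|[!A-Za-z_]*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# True for existing accounts with a UID below 1000 (assumed system range),
# so the helper never resets the password of root or a service account.
is_system_account() {
    _uid=$(id -u "$1" 2>/dev/null) || return 1   # unknown user: not a system account
    [ "$_uid" -lt 1000 ]
}

# Same steps as the mapping script, run as root behind the two checks.
provision_user() {
    valid_username "$1" || return 2
    if is_system_account "$1"; then return 3; fi
    if ! id "$1" >/dev/null 2>&1; then
        useradd -m "$1" >/dev/null 2>&1 || return 4
    fi
    _pw=$(openssl rand -base64 12) || return 4
    printf '%s:%s\n' "$1" "$_pw" | chpasswd >/dev/null 2>&1 || return 4
    chage -M 30 "$1" >/dev/null 2>&1 || return 4
    printf '%s\n' "$1"   # stdout carries the username and nothing else
}

# Provision only when called with an argument, so the file can also be sourced.
if [ $# -gt 0 ]; then
    provision_user "$1"
fi
```

With this in place, ef.user.mapping needs no sudo calls of its own apart from the one to the helper, and it should pass the helper's output through unchanged.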

Now stop and start the EF service:

systemctl stop enginframe.service
systemctl start enginframe.service

Now you can try to log in using an AD user.

If you get invalid credentials or user not authorized, there are two items to check:

  • Invalid AD configuration
  • The ef.user.mapping script is not returning just the username, as expected (the last echo). It is probably returning something more. This can happen if your system is customized to show text when you use sudo.

For both cases you can add a debug line in the script /opt/nisp/enginframe/2021.0-r1667/enginframe/plugins/activedirectory/bin/ef.auth (before any code execution) like this:

exec 2>"/tmp/ef.auth.debug.log.$$";set -x

Then log in once more (remember to open a new page instead of reusing the page that returned the error). After that, open the most recently created /tmp/ef.auth.debug.log.* file and look at the ldapsearch command that was executed. You can check whether it ran correctly (check the _result variable), and do the same for ef.user.mapping (check the _mapping variable).

EF is very flexible software that uses bash scripts for most operations, so you can easily customize, change or add features. This is one of our best advantages. You can check what is happening, then change it to what you want.