pGina LDAP logon Windows

Using FreeIPA LDAP to log on to Windows servers

Intro

Sometimes you'll need a Windows server. Or, more likely, sometimes a client really really wants a Windows server, but you can't get Windows to speak directly to FreeIPA. So instead you install pGina (inherently funny name) and have it handle logons and talk to FreeIPA over LDAP on your behalf. Assuming you've configured your FreeIPA server as shown in previous posts and have created a bind user, the following will work.

The default behavior is that pGina creates local machine users matching the ones on FreeIPA. You can add group-based rules to assign Windows group memberships. You can configure pGina to allow offline logon (provided the user has logged on before, so a local account exists), or you can explicitly deny it. You can also allow or deny logon based on LDAP group membership.

Install pGina

I've used 3.1.8.0 stable (it's from 2013 :| ). There is a slightly newer unstable version, and there also seems to be a fork that is being actively developed (called pGina Fork). Install the pGina 3.1.8.0 exe as admin.

Configure pGina LDAP settings

Open the pGina configuration and tick the LDAP and Local Machine checkboxes for each of the three stages: Authentication, Authorization and Gateway.

Go to Plugin Order and move LDAP above Local Machine in all three stages, so the LDAP plugin is consulted first.

Go to LDAP Plugin Configuration and set the FreeIPA connection and authentication settings as follows (replace the host, base DN, bind user and password with your own):

LDAP Host: freeipa.example.com 
LDAP Port: 389 
Timeout: 10 
Search DN: uid=binduser,cn=users,cn=accounts,dc=example,dc=com 
Search Password: bindpassword 
Group DN Pattern: cn=%g,cn=groups,cn=accounts,dc=example,dc=com 
Member Attribute: member 
User DN Pattern: uid=%u,cn=users,cn=accounts,dc=example,dc=com 

%u is replaced by the username typed at the logon screen and %g by the group name from an authorization rule, so both patterns must match where FreeIPA actually stores users and groups (cn=users and cn=groups under cn=accounts). Note that plain LDAP on port 389 sends the bind password and every user's logon password across the network in clear text; the plugin also has an SSL option, so on anything but a lab network use port 636 with SSL enabled and the FreeIPA CA certificate trusted by the Windows host.

In the LDAP Plugin Configuration, open the Authorization tab and set:

Default: Deny 
Deny when LDAP authentication fails: Checked 
Allow when server is unavailable: Unchecked 
Create rule: If member of LDAP group (the hostname of the Windows host, or a windows-users group): Allow 

This presumes you only want specific users to log on to specific hosts: create a group in FreeIPA named after the Windows server's hostname and add the users who should be able to access that server. Alternatively, create a single "windows-users" group in FreeIPA and add every user who should be able to log on to all Windows servers. With Default set to Deny, anyone outside the group in the rule is refused even if their password is correct.

In the LDAP Plugin Configuration, open the Gateway tab and set:

Create rule: Always add to local group Remote Desktop Users 

Validation of configuration

Go to the Simulation tab, enter a user's credentials and test. Check that each stage reports what you expect: a user in the allowed group authenticates and is authorized, a valid user outside the group is denied, and a wrong password is denied.
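The Simulation tab only tells you pass or fail. The script below, an added example rather than pGina's own code or anything from the original post, reproduces the three checks the LDAP plugin performs (service bind with the Search DN, user bind with the User DN Pattern, group lookup via the Group DN Pattern and member attribute) from a PowerShell session on the Windows host, using the .NET System.DirectoryServices.Protocols classes that ship with Windows. The hostname, bind DN, password, group names and test user are assumptions taken from the settings above; substitute your own. It also refuses empty passwords, because an LDAP simple bind with an empty password is an anonymous bind that "succeeds" for any user.

```powershell
# Added example, not part of pGina or of the original post. Mirrors the pGina LDAP
# plugin's authentication and authorization steps so the settings can be checked
# before relying on them at the logon screen. All values below are assumptions.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$LdapHost       = 'freeipa.example.com'
$LdapPort       = 389                                   # 636 when -UseSsl is given
$SearchDn       = 'uid=binduser,cn=users,cn=accounts,dc=example,dc=com'
$SearchPassword = 'bindpassword'
$UserDnPattern  = 'uid=%u,cn=users,cn=accounts,dc=example,dc=com'
$GroupDnPattern = 'cn=%g,cn=groups,cn=accounts,dc=example,dc=com'
$MemberAttr     = 'member'
# Groups from the "If member of LDAP group ... Allow" rule: this host's name, or windows-users.
$AllowGroups    = @($env:COMPUTERNAME.ToLower(), 'windows-users')

function New-LdapConnection {
    param([string]$BindDn, [string]$Password, [switch]$UseSsl)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($LdapHost, $LdapPort)
    $cred = New-Object System.Net.NetworkCredential($BindDn, $Password)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection(
        $id, $cred, [System.DirectoryServices.Protocols.AuthType]::Basic)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = [bool]$UseSsl
    $conn.Timeout = New-TimeSpan -Seconds 10           # same as the plugin's Timeout setting
    $conn.Bind()                                       # throws on bad credentials or unreachable server
    return $conn
}

function Test-PginaLogon {
    param([string]$User, [string]$Password, [switch]$UseSsl)

    # Simple bind with an empty password is an anonymous bind (RFC 4513), which
    # would look like a successful logon. Never let that reach the server.
    if ([string]::IsNullOrEmpty($Password)) { Write-Host 'DENY: empty password'; return $false }

    $userDn = $UserDnPattern.Replace('%u', $User)

    # Step 1: service bind, what the plugin does with Search DN / Search Password.
    # Failing here is the "Allow when server is unavailable: Unchecked" case.
    try   { $svc = New-LdapConnection -BindDn $SearchDn -Password $SearchPassword -UseSsl:$UseSsl }
    catch { Write-Host "DENY: cannot bind as $SearchDn ($($_.Exception.Message))"; return $false }

    # Step 2: authentication, a bind as the resolved user DN with the user's password.
    # Failing here is the "Deny when LDAP authentication fails: Checked" case.
    try   { (New-LdapConnection -BindDn $userDn -Password $Password -UseSsl:$UseSsl).Dispose() }
    catch { Write-Host "DENY: user bind failed for $userDn"; $svc.Dispose(); return $false }

    # Step 3: authorization, read each candidate group and look for the user DN
    # in its member attribute. No match means the Default: Deny applies.
    foreach ($g in $AllowGroups) {
        $groupDn = $GroupDnPattern.Replace('%g', $g)
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $groupDn, '(objectClass=*)', [System.DirectoryServices.Protocols.SearchScope]::Base, $MemberAttr)
        try   { $resp = [System.DirectoryServices.Protocols.SearchResponse]$svc.SendRequest($req) }
        catch { continue }                              # group does not exist: not a member
        foreach ($entry in $resp.Entries) {
            $attr = $entry.Attributes[$MemberAttr]
            if ($null -eq $attr) { continue }           # empty group
            $members = @($attr.GetValues([string]))
            if ($members -contains $userDn) {           # -contains is case-insensitive, as DNs are
                Write-Host "ALLOW: $userDn is a member of $groupDn"
                $svc.Dispose(); return $true
            }
        }
    }
    Write-Host "DENY: $userDn is not in any of: $($AllowGroups -join ', ')"
    $svc.Dispose()
    return $false
}

# Prompt for the test user's password instead of putting it on the command line.
$cred = Get-Credential -Message 'FreeIPA user to test' -UserName 'alice'
Test-PginaLogon -User $cred.UserName -Password $cred.GetNetworkCredential().Password
```

Run it twice: once with a user you added to the host group (expect ALLOW) and once with a valid FreeIPA user who is not in it (expect the final DENY line, not a bind failure). If step 1 fails, fix the bind DN or network path before touching anything in pGina; if step 2 fails for a known-good password, the User DN Pattern does not match where FreeIPA keeps the account.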