Earlier I told about how it is possible to use Microsoft Azure AD for authorization of users of Ununtu 14.04. That is, as in Ubuntu to make SSO with Microsoft Azure AD/Office 365. Now I will tell as it is possible to make the same in CentOS 7.
1. Preliminary requirements
- Account Microsoft Azure AD / Office 365 (business)
- CentOS the server with connection to the Internet
- In CentOS the server has to be turned off by "Enforcing" the SElinux mode
2. Microsoft Azure AD setup
For a start it is necessary to create the stand-alone program in Microsoft Azure AD in order that the system permitted authorization request processing. As to make it — I completely described in the item 2 habrahabr.ru/post/274249
3. CentOS 7 setup
We come on the server on SSH (in this case, the user of user123 to whom execution of the sudo commands is authorized), we pass to root and we set epel-release
sudo su - yum install epel-release
We set git, npm, nodejs
yum install git npm nodejs
We clone git-repozitariya of github.com/bureado/aad-login
git clone https://github.com/bureado/aad-login
We enter the sklonirovanny directory, we create directory/opt/aad-login, we copy aad-login.js package.json in / opt/aad-login/, we copy aad-login in / usr/local/bin/
cd aad-login/ mkdir -p /opt/aad-login cp aad-login.js package.json /opt/aad-login/ cp aad-login /usr/local/bin/
We enter directory/opt/aad-login/, we install the required npm components
cd /opt/aad-login/ npm install
We edit the./aad-login.js file
We fill variable value of directory with your domain name which is used in Microsoft Azure AD/Office 365, and clientid — Client ID value ("The client's code"), earlier received on the Microsoft Azure AD portal
We edit file/etc/pam.d/sshd (and/or / etc/pam.d/system-auth if it is necessary)
We add pam_exec challenge that it was the first in the list
auth sufficient pam_exec.so expose_authtok /usr/local/bin/aad-login
We create users to whom the input is resolved (the password does not need to be set). Login of such users has to match email Alias. For example, we create the user of support whose email email@example.com.
Everything is ready!
We try to enter under the created user and the password set in Microsoft Azure AD/Office 365.
This article is a translation of the original post at habrahabr.ru/post/274255/
If you have any questions regarding the material covered in the article above, please, contact the original author of the post.
If you have any complaints about this article or you want this article to be deleted, please, drop an email here: firstname.lastname@example.org.
We believe that the knowledge, which is available at the most popular Russian IT blog habrahabr.ru, should be accessed by everyone, even though it is poorly translated.
Shared knowledge makes the world better.