LEDE Authentication using Active Directory or LDAP

Hi all,

I have a LINKSYS WRT3200ACM with LEDE 17.x. I'd like to be able to log in using domain users from an Active Directory or generic LDAP.

Is this even possible, or is it only possible to log in using the 'hardcoded' root user?

Many thanks!

You certainly can add users and credentials to an OpenWRT system, though the "standard" Linux utilities for user management generally aren't present. I SSH in with a non-root user.

There is a libpam package available and it looks like at least OpenSSH can take advantage of it. I don't know how extensive its implementation is, or what pluggable modules you might need for your application.

https://openwrt.org/packages/table/start?dataflt[Name_pkg-dependencies*~]=pam

Great! Many thanks. So everything passes through replacing Dropbear with OpenSSH, right? At least I couldn't find much info related to Dropbear PAM support.

I've seen that LEDE / OpenWRT gets along well with Kerberos, and then on a server with Kerberos / LDAP things should be easier.

What is not very clear is how to connect with OpenSSH and libpam to a generic LDAP without Kerberos.

Just remember to make sure that you can still log in! By default, the sshd_config prevents root login and password-less login. If you're clean-flashing, you'll either need to have a different sshd_config in your build (and then update it), or a preconfigured user in passwd, shadow, and group as well as the user's home directory. Edit: As I just found out, remember sudoers too!

If you're flashing over a configured router, sysupgrade.conf should be modified to include the user's home directory.
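
The lockout items listed in the post above (passwd, shadow, group, home directory, sudoers, sysupgrade.conf) can be checked before flashing. This is an added example, not code from the thread or from OpenWrt; the function names, the user `admin` and the sample file contents are assumptions, and sshd_config is not inspected.

```shell
#!/bin/sh
# Added example, not from the thread. "admin" and all file contents are constructed.

# check_login_survives ROOT USER
# ROOT is "" for the live system or the path of an unpacked image tree.
# Prints one line per missing item; the return value is the number of problems.
check_login_survives() {
    root=$1; user=$2; problems=0
    miss() { echo "MISSING: $1"; problems=$((problems + 1)); }

    entry=$(grep "^$user:" "$root/etc/passwd" 2>/dev/null | head -n 1)
    [ -n "$entry" ] || { miss "$user in /etc/passwd"; return "$problems"; }
    gid=$(echo "$entry" | cut -d: -f4)
    home=$(echo "$entry" | cut -d: -f6)

    grep -q "^$user:" "$root/etc/shadow" 2>/dev/null || miss "$user in /etc/shadow"
    awk -F: -v g="$gid" '$3 == g { f = 1 } END { exit !f }' \
        "$root/etc/group" 2>/dev/null || miss "gid $gid in /etc/group"
    [ -d "$root$home" ] || miss "home directory $home"
    # Heuristic: only a rule that names the user directly is recognised.
    grep -qs "^$user[[:space:]]" "$root/etc/sudoers" "$root"/etc/sudoers.d/* ||
        miss "sudoers rule for $user"
    # A sysupgrade.conf line keeps $home if it is $home itself or a parent directory.
    awk -v h="$home" '!/^#/ && NF { p = $0; sub(/\/+$/, "", p)
            if (p != "" && (h == p || index(h, p "/") == 1)) f = 1 }
        END { exit !f }' "$root/etc/sysupgrade.conf" 2>/dev/null ||
        miss "$home in /etc/sysupgrade.conf"
    return "$problems"
}

# Constructed sample tree: a complete setup for the hypothetical user "admin".
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc" "$t/home/admin"
    echo 'admin:x:1000:1000:admin:/home/admin:/bin/ash' > "$t/etc/passwd"
    echo 'admin:$1$constructed$hash:17000:0:99999:7:::' > "$t/etc/shadow"
    echo 'admin:x:1000:' > "$t/etc/group"
    echo 'admin ALL=(ALL) ALL' > "$t/etc/sudoers"
    echo '/home/admin/' > "$t/etc/sysupgrade.conf"
    echo "$t"
}
```

On a router, `check_login_survives "" admin` checks the running system; pass the path of an unpacked build tree to check an image before a clean flash.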