This is a draft document that was built and uploaded automatically. It may document beta software and be incomplete or even incorrect. Use this document at your own risk.

Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
ContentsContents
Security and Hardening Guide
  1. Preface
  2. 1 Security and confidentiality
  3. I Authentication
    1. 2 Authentication with PAM
    2. 3 Using NIS
    3. 4 Setting up authentication clients using YaST
    4. 5 LDAP with 389 Directory Server
    5. 6 Network authentication with Kerberos
    6. 7 Authenticating with Microsoft Entra ID using Himmelblau
    7. 8 Active Directory support
    8. 9 Setting up a freeRADIUS server
  4. II Local security
    1. 10 Physical security
    2. 11 Software management
    3. 12 File management
    4. 13 Encrypting partitions and files
    5. 14 Storage encryption for hosted applications with cryptctl
    6. 15 User management
    7. 16 Restricting cron and at
    8. 17 Spectre/Meltdown checker
    9. 18 Configuring security settings with YaST
    10. 19 The Polkit authentication framework
    11. 20 Access control lists in Linux
    12. 21 Intrusion detection with AIDE
  5. III Network security
    1. 22 X Window System and X authentication
    2. 23 Securing network operations with OpenSSH
    3. 24 Masquerading and firewalls
    4. 25 Configuring a VPN server
    5. 26 Managing a PKI with XCA, X certificate and key manager
    6. 27 Improving network security with sysctl variables
  6. IV Confining privileges with AppArmor
    1. 28 Introducing AppArmor
    2. 29 Getting started
    3. 30 Immunizing programs
    4. 31 Profile components and syntax
    5. 32 AppArmor profile repositories
    6. 33 Building and managing profiles with YaST
    7. 34 Building profiles from the command line
    8. 35 Profiling your Web applications using ChangeHat
    9. 36 Confining users with pam_apparmor
    10. 37 Managing profiled applications
    11. 38 Support
    12. 39 AppArmor glossary
  7. V SELinux
    1. 40 Configuring SELinux
  8. VI The Linux Audit Framework
    1. 41 Understanding Linux audit
    2. 42 Setting up the Linux audit framework
    3. 43 Introducing an audit rule set
    4. 44 Useful resources
  9. A GNU licenses
Navigation
Applies to openSUSE Leap 15.7

7 Authenticating with Microsoft Entra ID using Himmelblau Edit source

  • File Name: security_himmelblau.xml
  • ID: cha-security-himmelblau
Revision History
2026-06-23
Abstract

Himmelblau integrates Microsoft Entra ID authentication with Linux authentication services. This chapter describes the system configuration needed on openSUSE Leap: installing the required packages, enabling the PAM module, enabling NSS lookups, configuring the Entra ID domain and starting the Himmelblau services.

7.1 Installing Himmelblau Edit source

  • File Name: security_himmelblau.xml
  • ID: sec-security-himmelblau-install

Install the Himmelblau daemon, PAM module and NSS module:

> sudo zypper install himmelblau pam-himmelblau libnss_himmelblau2

To allow Entra ID users to sign in over SSH, also install the SSH configuration package:

> sudo zypper install himmelblau-sshd-config

7.2 Configuring Himmelblau authentication Edit source

  • File Name: security_himmelblau.xml
  • ID: sec-security-himmelblau-config

The following procedure configures openSUSE Leap to resolve and authenticate Entra ID users through Himmelblau.

  1. Edit /etc/himmelblau/himmelblau.conf and set the primary Entra ID domain in the [global] section:

    [global]
    domain = example.com
  2. Add Himmelblau to the system PAM configuration:

    > sudo pam-config --add --himmelblau
  3. Edit /etc/nsswitch.conf and add himmelblau to the passwd, group and shadow databases. Keep the existing sources for your system and append himmelblau. For example:

    passwd: files systemd himmelblau
    group:  files systemd himmelblau
    shadow: files systemd himmelblau
  4. Enable and start the Himmelblau services:

    > sudo systemctl enable --now himmelblaud himmelblaud-tasks
  5. If you installed himmelblau-sshd-config, restart the SSH daemon:

    > sudo systemctl restart sshd.service

After the system is configured, an Entra ID user can sign in locally or, when SSH support is installed, over SSH. The first successful sign-in may register the device with Entra ID and prompt for the authentication factors required by your tenant policy.

7.3 Verifying the configuration Edit source

  • File Name: security_himmelblau.xml
  • ID: sec-security-himmelblau-verify

Check that the daemons are running:

> sudo systemctl status himmelblaud himmelblaud-tasks

Check that the Himmelblau daemon is reachable:

> sudo aad-tool status

Verify that NSS can resolve an Entra ID user:

> getent passwd USER
> id USER

For troubleshooting, inspect the system journal:

> sudo journalctl -u himmelblaud -u himmelblaud-tasks

7.4 Restricting who can sign in Edit source

  • File Name: security_himmelblau.xml
  • ID: sec-security-himmelblau-access

If pam_allow_groups is not configured, all users from the configured Entra ID domain can authenticate. To restrict access, add a comma-separated list of allowed user principal names and Entra ID group object IDs to /etc/himmelblau/himmelblau.conf:

[global]
pam_allow_groups = user@example.com,00000000-1111-2222-3333-444444444444

Restart both Himmelblau services after changing the configuration:

> sudo systemctl restart himmelblaud himmelblaud-tasks

7.5 Enabling Intune policy enforcement Edit source

  • File Name: security_himmelblau.xml
  • ID: sec-security-himmelblau-intune

To allow Himmelblau to evaluate Intune compliance policy locally, enable policy processing in /etc/himmelblau/himmelblau.conf:

[global]
apply_policy = true

Restart both Himmelblau services after changing the configuration:

> sudo systemctl restart himmelblaud himmelblaud-tasks
Print this page