What configuration steps are needed to fetch authorization data from Active Directory via LDAP?
asked Dec 22 '10 at 20:17
SSH KB ♦
Following are the configuration steps needed in order to fetch authorization data from Active Directory (AD) via LDAP. Note that this is just an example and this information cannot be used as is in your environment. In the example, AD has been configured to allow user "anonymous" to access DN cn=Users,dc=company,dc=com.
Preparing the Active Directory

Active Directory needs several preparations before it is suitable for storing the usernames, passwords, uid, gid, shell and home directory of Unix users. First, the directory schema must be modified to include the object classes and attributes. To control the schema, install the Active Directory Schema MMC Snap-in and extend the schema by installing Microsoft Services for UNIX (SFU) 3.5. Once the schema has been extended, it is possible to set values for the UNIX-specific attributes via Active Directory Users and Computers as with regular AD users. Additional attributes created by the schema extension are named msSFU30XXX, where XXX represents the descriptive name of the attribute. Values for these attributes are stored when modifying the fields in the UNIX Attributes tab in the user's properties. Please consult the Microsoft Solution Guide for Windows Security and Directory Services for UNIX document for technical instructions on how to prepare the directory: http://technet.microsoft.com/en-us/library/bb463150.aspx
    passwd:     files ldap
    shadow:     files ldap
    group:      files ldap
    bootparams: nisplus [NOTFOUND=return] files
    ethers:     files
    netmasks:   files
    networks:   files
    protocols:  files
    rpc:        files
    services:   files
    netgroup:   files
    publickey:  nisplus
    automount:  files
    aliases:    files nisplus
    host ad.company.com
    base cn=Users,dc=company,dc=com
    ldap_version 3
    binddn anonymous
    rootbinddn cn=Administrator,cn=Users,dc=company,dc=com
    scope sub
    nss_map_objectclass posixAccount user
    nss_map_objectclass shadowAccount user
    nss_map_attribute uid msSFU30Name
    nss_map_attribute uidNumber msSFU30UidNumber
    nss_map_attribute gidNumber msSFU30GidNumber
    nss_map_attribute cn sAMAccountName
    nss_map_attribute uniqueMember member
    nss_map_attribute userPassword msSFU30Password
    nss_map_attribute homeDirectory msSFU30HomeDirectory
    nss_map_attribute loginShell msSFU30LoginShell
    nss_map_attribute gecos name
    nss_map_objectclass posixGroup Group
    nss_base_passwd cn=Users,dc=company,dc=com?sub
    nss_base_shadow cn=Users,dc=company,dc=com?sub
    pam_login_attribute msSFU30Name
    pam_password ad
    pam_filter objectClass=user
Ensure you get the authorization data from Active Directory

    # getent passwd testuser
    testuser:x:30004:1700:testuser:/home/testuser:/bin/bash

Note that if this doesn't work there is something wrong in the Active Directory configuration or in /etc/ldap.conf and you cannot proceed.
Add a Group for the Active Directory users

Add for example the following line to /etc/group
That's it

That should be everything you need and you can now test the configuration. Note that it is not necessary to touch any PAM configuration. The important step is to get getent returning the user authorization information when doing "getent passwd testuser"; when that works, it also fetches the authorization data correctly when you use GSSAPI authentication.
answered Dec 22 '10 at 20:22
Alan - Tectia Support ♦
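The answer hinges on two things: the name-service switch consulting local files before LDAP, and "getent passwd testuser" returning a sane entry. The following POSIX shell helpers check both; they are an added example, not part of the original answer or of the Tectia product. The nsswitch snippet and the passwd line they are tested against are constructed to match the answer, and verify_ad_user is a hypothetical wrapper that runs the same getent call the answer uses.

```shell
#!/bin/sh
# Added verification helpers (not from the original answer). They check that
# nsswitch lists "files" before "ldap" for passwd/shadow/group, and that a
# passwd entry resolved from AD has the shape the answer shows.

# Constructed sample inputs matching the answer's example values.
SAMPLE_NSSWITCH='passwd: files ldap
shadow: files ldap
group: files ldap'
SAMPLE_ENTRY='testuser:x:30004:1700:testuser:/home/testuser:/bin/bash'

# check_nsswitch_order <nsswitch-text>
# Returns 0 when every passwd/shadow/group line that mentions "ldap" lists
# "files" first, so local accounts (root included) resolve even if AD is down
# and are never shadowed by a directory entry.
check_nsswitch_order() {
    printf '%s\n' "$1" | awk '
        $1 == "passwd:" || $1 == "shadow:" || $1 == "group:" {
            files = 0; ldap = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "files" && files == 0) files = i
                if ($i == "ldap"  && ldap  == 0) ldap  = i
            }
            # ldap without files, or files after ldap, is a failure
            if (ldap > 0 && (files == 0 || files > ldap)) bad = 1
        }
        END { if (bad) exit 1; exit 0 }'
}

# check_passwd_entry <passwd-line>
# Returns 0 when the line has 7 fields, a numeric non-zero UID, a numeric
# GID, an absolute home directory and an absolute login shell.
check_passwd_entry() {
    entry=$1
    set -f                      # no globbing while splitting on ':'
    old_ifs=$IFS; IFS=:
    set -- $entry
    IFS=$old_ifs
    set +f
    [ $# -eq 7 ] || return 1
    case $3 in ''|*[!0-9]*) return 1 ;; esac   # uid must be numeric
    case $4 in ''|*[!0-9]*) return 1 ;; esac   # gid must be numeric
    [ "$3" -ne 0 ] || return 1                  # an AD user must never map to uid 0
    case $6 in /*) ;; *) return 1 ;; esac       # absolute home directory
    case $7 in /*) ;; *) return 1 ;; esac       # absolute login shell
    return 0
}

# verify_ad_user <username> (hypothetical wrapper): runs the same getent
# lookup the answer uses and validates what comes back.
verify_ad_user() {
    line=$(getent passwd "$1") || return 1
    check_passwd_entry "$line"
}

# Usage: sh verify.sh testuser
if [ $# -gt 0 ]; then
    if verify_ad_user "$1"; then
        echo "$1: passwd entry from NSS looks sane"
    else
        echo "$1: not resolvable or malformed; check AD or /etc/ldap.conf"
    fi
fi
```

Run it on the host where /etc/ldap.conf was configured; a failure in check_nsswitch_order or an entry rejected by check_passwd_entry is exactly the "cannot proceed" condition the answer describes, surfaced before any SSH login is attempted.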