
What configuration steps are needed to fetch authorization data from Active Directory via LDAP?

asked Dec 22 '10 at 20:17



Following are the configuration steps needed in order to fetch authorization data from Active Directory (AD) via LDAP. Note that this is just an example and this information cannot be used as is in your environment. In the example, AD has been configured to allow user "anonymous" to access DN cn=Users,dc=company,dc=com.

Preparing the Active Directory

Active Directory needs several preparations before it is suitable for storing the usernames, passwords, uid, gid, shell and home directory of Unix users. First, the directory schema must be modified to include the object classes and attributes. To control the schema, install Active Directory Schema MMC Snap-in and extend the schema by installing Microsoft Services for UNIX (SFU) 3.5. Once the schema has been extended, it is possible to set values for the UNIX-specific attributes via Active Directory Users and Computers as with regular AD users. Additional attributes created by the schema extension are named msSFU30XXX where XXX represents the descriptive name of the attribute. Values to these attributes are stored when modifying the fields in the UNIX Attributes tab in the user's properties. Please consult the Microsoft Solution Guide for Windows Security and Directory Services for UNIX document for technical instructions on how to prepare the directory: http://technet.microsoft.com/en-us/library/bb463150.aspx

Configure /etc/nsswitch.conf

passwd:     files ldap
shadow:     files ldap
group:      files ldap
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files
publickey:  nisplus
automount:  files
aliases:    files nisplus

Configure /etc/ldap.conf

host ad.company.com
base cn=Users,dc=company,dc=com
ldap_version 3
binddn anonymous
rootbinddn cn=Administrator,cn=Users,dc=company,dc=com
scope sub
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid msSFU30Name
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute cn sAMAccountName
nss_map_attribute uniqueMember member
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_objectclass posixGroup Group
nss_base_passwd cn=Users,dc=company,dc=com?sub
nss_base_shadow cn=Users,dc=company,dc=com?sub
pam_login_attribute msSFU30Name
pam_password ad
pam_filter objectClass=user

Ensure you get the authorization data from Active Directory

# getent passwd testuser
testuser:x:30004:1700:testuser:/home/testuser:/bin/bash

Note that if this doesn't work, there is something wrong in the Active Directory configuration or in /etc/ldap.conf and you cannot proceed.

Add a Group for the Active Directory users

Add, for example, the following line to /etc/group

That's it

That should be everything you need and you can now test the configuration. Note that it is not necessary to touch any PAM configuration. The important step is to get getent returning the user authorization information when doing "getent passwd testuser"; when that works, it also fetches the authorization data correctly when you use GSSAPI authentication.

answered Dec 22 '10 at 20:22


Alan - Tectia Support ♦
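To make the attribute mapping in the answer concrete, here is an added example (not code from the original answer or from Tectia) that simulates how nss_ldap applies the nss_map_attribute directives to an AD user entry and produces the getent passwd line, and what happens when an SFU attribute is absent from the entry. The ldap.conf excerpt and the LDIF entry are constructed from the values shown on this page.

```python
# Added example: simulates nss_ldap's nss_map_attribute handling on a constructed AD entry.
LDAP_CONF = """
nss_map_attribute uid msSFU30Name
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
"""  # constructed excerpt of the answer's /etc/ldap.conf

AD_ENTRY_LDIF = """
objectClass: user
name: testuser
msSFU30Name: testuser
msSFU30UidNumber: 30004
msSFU30GidNumber: 1700
msSFU30HomeDirectory: /home/testuser
msSFU30LoginShell: /bin/bash
"""  # constructed AD user, as ldapsearch prints it (SFU 3.5 schema)

# passwd(5) fields nss_ldap needs, by their RFC 2307 posixAccount names
POSIX_FIELDS = ("uid", "uidNumber", "gidNumber", "gecos", "homeDirectory", "loginShell")

def parse_attribute_map(conf):
    """Return {posix_attr: ad_attr}; unmapped attributes keep their own name."""
    mapping = {field: field for field in POSIX_FIELDS}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "nss_map_attribute":
            mapping[parts[1]] = parts[2]
    return mapping

def parse_ldif(ldif):
    """Parse 'attribute: value' lines into {attribute: [values]}."""
    entry = {}
    for line in ldif.splitlines():
        if ":" in line and not line.startswith("#"):
            attr, value = line.split(":", 1)
            entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def to_passwd_line(entry, mapping):
    """Return the 'getent passwd' line, or None when a mapped attribute is missing/non-numeric."""
    values = {}
    for posix in POSIX_FIELDS:
        if mapping[posix] not in entry:
            return None  # the answer's "something wrong in AD or /etc/ldap.conf" case
        values[posix] = entry[mapping[posix]][0]
    if not (values["uidNumber"].isdigit() and values["gidNumber"].isdigit()):
        return None
    # password field is "x": the hash is served by the shadow map, not this lookup
    return "{uid}:x:{uidNumber}:{gidNumber}:{gecos}:{homeDirectory}:{loginShell}".format(**values)
```

Removing one msSFU30 attribute from the entry makes to_passwd_line return None, which is the same symptom as getent printing nothing for the user.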



Last updated: Mar 03 '11 at 00:22