Linux client to authenticate against ADS via pam & LDAP
Written by Paul Matthews
This setup allows users to log into a Linux client with their Microsoft Active Directory username and password.
Written How-To

1. Edit the ldap.conf file:

    nano /etc/ldap.conf

ldap.conf:
    host senior-server.example.com
    # The distinguished name of the search base.
    base DC=senior-server,DC=example,DC=com
    # The LDAP version to use (defaults to 3
    # if supported by client library)
    ldap_version 3
    # The distinguished name to bind to the server with.
    # Optional: default is to bind anonymously.
    binddn cn=Administrator,cn=Users,DC=senior-server,DC=example,DC=com
    # The credentials to bind with.
    # Optional: default is no credential.
    bindpw yourpassword
    # The port.
    port 389
    # The search scope.
    scope sub
    nss_base_passwd DC=senior-server,DC=example,DC=com
    nss_base_shadow DC=senior-server,DC=example,DC=com
    nss_base_group DC=senior-server,DC=example,DC=com
    nss_map_objectclass posixAccount user
    nss_map_attribute uid msSFUName
    nss_map_attribute homeDirectory msSFUHomeDirectory
    nss_map_objectclass posixGroup Group
    nss_map_attribute cn msSFUName
    nss_map_attribute userPassword msSFUPassword
    nss_map_attribute uniqueMember member
    pam_filter objectclass=user
    pam_login_attribute sAMAccountName
    pam_password crypt
    ssl no
    tls_cacertdir /etc/openldap/cacerts
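The settings in that file decide how much a compromised client or a network eavesdropper gets. The following Python script is an added example for this how-to, not code from the page, nss_ldap or pam_ldap: it parses the ldap.conf format shown above (one key, whitespace, value per line, `#` comment lines) and flags the three settings a reviewer would question in the page's file. `ssl no` sends the bind password and every user's login password in cleartext on port 389; binding as `cn=Administrator` puts a domain admin password into a file that every name-resolving process, and therefore every local user, must be able to read; and `pam_password crypt` cannot change an AD password. The hardened variant uses an assumed read-only service account `cn=ldap-lookup` and `ssl start_tls` with certificate checking; `PAGE_LDAP_CONF` is a constructed subset of the page's file.

```python
"""Parse an nss_ldap/pam_ldap ldap.conf and flag the settings a reviewer would raise.

Added example for this how-to; not code from the page, nss_ldap or pam_ldap.
PAGE_LDAP_CONF is a constructed subset of the page's file; the service-account
DN in the hardened variant is an assumption.
"""
from typing import Dict, List, Tuple

PAGE_LDAP_CONF = """\
host senior-server.example.com
# The distinguished name of the search base.
base DC=senior-server,DC=example,DC=com
ldap_version 3
binddn cn=Administrator,cn=Users,DC=senior-server,DC=example,DC=com
bindpw yourpassword
port 389
scope sub
nss_base_passwd DC=senior-server,DC=example,DC=com
nss_map_objectclass posixAccount user
nss_map_attribute uid msSFUName
nss_map_attribute homeDirectory msSFUHomeDirectory
pam_filter objectclass=user
pam_login_attribute sAMAccountName
pam_password crypt
ssl no
tls_cacertdir /etc/openldap/cacerts
"""

# Same file with the weak settings replaced; cn=ldap-lookup is an assumed
# read-only service account, not something from the page.
HARDENED_LDAP_CONF = (
    PAGE_LDAP_CONF
    .replace("binddn cn=Administrator,cn=Users,", "binddn cn=ldap-lookup,ou=Service Accounts,")
    .replace("ssl no", "ssl start_tls\ntls_checkpeer yes")
    .replace("pam_password crypt", "pam_password ad")
)


def parse_ldap_conf(text: str) -> Dict[str, List[str]]:
    """key -> values in file order (nss_map_* keys legitimately repeat).

    Lines are 'key<whitespace>value'; a line whose first non-blank
    character is '#' is a comment.
    """
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf


def last(conf: Dict[str, List[str]], key: str, default: str = "") -> str:
    """Treat the last occurrence of a single-valued key as the effective one."""
    return conf.get(key, [default])[-1]


def audit(conf: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (severity, message) pairs for the settings worth changing."""
    findings: List[Tuple[str, str]] = []
    ssl = last(conf, "ssl", "no").lower()
    if ssl not in ("on", "yes", "start_tls"):
        findings.append(("high", f"ssl {ssl}: the bindpw and every user's login password cross "
                         f"the network in cleartext on port {last(conf, 'port', '389')}; "
                         "use 'ssl start_tls' (or 'ssl on' with port 636)"))
    elif last(conf, "tls_checkpeer", "no").lower() != "yes":
        findings.append(("medium", "tls_checkpeer is not 'yes': the server certificate is not "
                         "checked against tls_cacertdir, so TLS does not stop a spoofed server"))
    if last(conf, "binddn").lower().startswith("cn=administrator,"):
        findings.append(("high", "binddn is the domain Administrator: ldap.conf is read by every "
                         "process that resolves user names, so it must be readable by all local "
                         "users and bindpw hands them an admin password; bind with a dedicated "
                         "read-only lookup account"))
    pw_method = last(conf, "pam_password")
    if pw_method and pw_method.lower() != "ad":
        findings.append(("medium", f"pam_password {pw_method}: Active Directory does not accept a "
                         "crypt-hashed userPassword; password changes through pam_ldap need "
                         "'pam_password ad', which AD only allows over an encrypted connection"))
    return findings


if __name__ == "__main__":
    for label, text in (("page", PAGE_LDAP_CONF), ("hardened", HARDENED_LDAP_CONF)):
        print(f"{label}:")
        for severity, message in audit(parse_ldap_conf(text)) or [("ok", "no findings")]:
            print(f"  [{severity}] {message}")
```

Run it against your own `/etc/ldap.conf` by passing the file contents to `parse_ldap_conf`; the checks are deliberately narrow and read the last occurrence of a key, which is the convention assumed here for repeated single-valued keys.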
2. Edit the PAM service file for the login method you want to cover; in this case we will edit the sshd file:

    nano /etc/pam.d/sshd

sshd:

    auth required /lib/security/$ISA/pam_env.so
    auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
    auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
    auth required /lib/security/$ISA/pam_deny.so
    account required /lib/security/$ISA/pam_unix.so broken_shadow
    account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
    account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
    account required /lib/security/$ISA/pam_permit.so
    password requisite /lib/security/$ISA/pam_cracklib.so retry=3
    password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
    password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
    password required /lib/security/$ISA/pam_deny.so
    session required /lib/security/$ISA/pam_limits.so
    session required /lib/security/$ISA/pam_unix.so
    session optional /lib/security/$ISA/pam_ldap.so
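The order and control flags in that file are what make local and AD logins coexist: `sufficient` stops the stack on the first success, `required` records a failure but keeps walking, and the bracketed `[default=bad success=ok user_unknown=ignore]` line lets a user that AD has never heard of pass the account check while an expired AD account is still refused. The Python simulator below is an added example for this how-to, not code from the page or from Linux-PAM; it applies Linux-PAM's documented dispatch rules to the auth and account stacks above. The return code each module produces in a scenario (for instance pam_env returning `ignore` for auth, or pam_ldap returning `acct_expired`) is an assumption chosen to show how the flags interact, not the result of a real PAM run.

```python
"""Simulate Linux-PAM's control-flag dispatch over the auth and account stacks
of the sshd file above.

Added example for this how-to; not code from the page or from Linux-PAM. The
dispatch follows Linux-PAM's documented rules for required, requisite,
sufficient, optional and the [value=action] form. The return code each module
produces in a scenario is an assumption chosen to show how the flags interact.
"""
from typing import Dict, List, Tuple

# Linux-PAM's documented equivalents of the keyword control flags.
KEYWORD_CONTROLS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# The stacks from the sshd file, with module paths shortened to the module name.
AUTH_STACK = [
    ("required", "pam_env"), ("sufficient", "pam_unix"),
    ("sufficient", "pam_ldap"), ("required", "pam_deny"),
]
ACCOUNT_STACK = [
    ("required", "pam_unix"), ("sufficient", "pam_succeed_if"),
    ("[default=bad success=ok user_unknown=ignore]", "pam_ldap"),
    ("required", "pam_permit"),
]


def parse_control(control: str) -> Dict[str, str]:
    """Turn a control field into a return-code -> action map."""
    if control.startswith("["):
        return dict(item.split("=", 1) for item in control.strip("[]").split())
    return KEYWORD_CONTROLS[control]


def dispatch(stack: List[Tuple[str, str]], results: Dict[str, str]) -> Tuple[str, List[str]]:
    """Walk a stack the way Linux-PAM does; return (final status, trace).

    results maps module name -> return code for this scenario; a module not
    listed is assumed to return 'ignore' (pam_env does nothing for auth).
    """
    impression, status, trace = "undef", "perm_denied", []
    for control, module in stack:
        rc = results.get(module, "ignore")
        actions = parse_control(control)
        action = actions.get(rc, actions.get("default", "bad"))
        trace.append(f"{module}: {rc} -> {action}")
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            # a success only counts while nothing has failed yet
            if impression == "undef" or (impression == "positive" and status == "success"):
                impression, status = "positive", rc
            if action == "done" and impression == "positive":
                trace.append("done: stop, remaining modules not consulted")
                break
        elif action == "bad":
            if impression != "negative":
                impression, status = "negative", rc   # keep walking, result is fixed
        else:  # die
            impression, status = "negative", rc
            trace.append("die: stop immediately")
            break
    if impression == "undef":
        status = "perm_denied"          # nothing succeeded: PAM refuses by default
    return status, trace


SCENARIOS = {
    # local account, right password: pam_unix is sufficient, pam_ldap never runs
    "auth local user": (AUTH_STACK, {"pam_unix": "success", "pam_deny": "auth_err"}),
    # AD-only account: no local entry, pam_ldap reuses the password (use_first_pass)
    "auth AD user": (AUTH_STACK, {"pam_unix": "auth_err", "pam_ldap": "success", "pam_deny": "auth_err"}),
    # wrong password in both places: falls through to pam_deny
    "auth bad password": (AUTH_STACK, {"pam_unix": "auth_err", "pam_ldap": "auth_err", "pam_deny": "auth_err"}),
    # uid < 100 system account: pam_succeed_if stops the stack before pam_ldap
    "account system uid": (ACCOUNT_STACK, {"pam_unix": "success", "pam_succeed_if": "success", "pam_permit": "success"}),
    # local-only user that AD does not know: user_unknown=ignore keeps them from being locked out
    "account local only": (ACCOUNT_STACK, {"pam_unix": "success", "pam_succeed_if": "auth_err", "pam_ldap": "user_unknown", "pam_permit": "success"}),
    # AD account that has expired: default=bad sticks despite the trailing pam_permit
    "account AD expired": (ACCOUNT_STACK, {"pam_unix": "success", "pam_succeed_if": "auth_err", "pam_ldap": "acct_expired", "pam_permit": "success"}),
}


def run_scenarios() -> Dict[str, str]:
    """Final PAM status for every scenario above."""
    return {name: dispatch(stack, results)[0] for name, (stack, results) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (stack, results) in SCENARIOS.items():
        status, trace = dispatch(stack, results)
        print(f"{name}: {status}")
        for line in trace:
            print("   ", line)
```

The trace for each scenario shows which modules were consulted, which is the quickest way to reason about a proposed change to the stack before editing the live file: moving pam_ldap above pam_unix, for example, would make every local login contact the directory first.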
3. Now change the nsswitch.conf:

    nano /etc/nsswitch.conf

from nsswitch.conf:

    passwd: files
    shadow: files
    group: files

to nsswitch.conf:

    passwd: files ldap
    shadow: files ldap
    group: files ldap
External Links:
http://lists.samba.org/archive/linux/2003-August/007902.html
http://www.linuxquestions.org/questions/showthread.php?t=403160
Last Updated ( Sunday, 03 June 2007 )