====== Ubuntu AD Backend ======

====== ldap to AD/nss ======

nss gets the user lists from ldap (not passwords though).

===== install stuff =====

<code bash>
sudo apt-get update
sudo apt-get install nslcd
</code>

===== configuring =====

Answers for the configuration prompts:

  * LDAP Server Host Address: ''ldaps://ad1.acm.cs ldaps://ad2.acm.cs ldaps://ad3.acm.cs''
  * Distinguished name of the search base: ''DC=acm,DC=cs''
  * LDAP version: 3
  * Get root LDAP access: no
  * Does LDAP require login: yes
  * Unprivileged database user: ''apacheacm@acm.cs''
  * Password for database login account: (get this from a sysadmin) (sysadmin hint: look in ''/etc/apache2/sites-enabled/acm.cs.uic.edu-secure'' on acm)

===== getting the settings =====

The defaults for any values not listed here should be fine; anything listed here needs to be uncommented or changed. Note that these are libnss-ldap/libpam-ldap style directives (''/etc/ldap.conf''); nslcd's own ''/etc/nslcd.conf'' expresses the same mappings as ''map passwd uid sAMAccountName'' and so on.

<code>
# RFC 2307 (AD) mappings
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad

# Disable SASL security layers. This is needed for AD.
# (transport confidentiality still comes from the ldaps:// URIs configured above)
sasl_secprops maxssf=0
</code>

===== nsswitch =====

Add "ldap" after ''files'' on the passwd, group and shadow lines of ''/etc/nsswitch.conf'':

<code>
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files ldap
group:          files ldap
shadow:         files ldap

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
</code>

===== restart service =====

<code bash>
sudo service nslcd restart
</code>

===== first test =====

If everything works correctly up until this point:

<code bash>
getent passwd
</code>

should list all the AD users as well as the system users.

====== kerberos ======

Kerberos handles authentication of users (passwords).

===== install stuff =====

<code bash>
apt-get install krb5-user
apt-get install krb5-config
apt-get install libpam-krb5
</code>

===== krb5.conf =====

Make changes to the following 2 sections of ''/etc/krb5.conf'':

<code>
[libdefaults]
        default_realm = ACM.CS
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]

[domain_realm]
        acm.cs = ACM.CS
        .acm.cs = ACM.CS

[logging]
#       kdc = CONSOLE
</code>
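Checks for the ''getent passwd'' first-test step in the nss section above, as an added example that is not part of the original page: it confirms nsswitch.conf consults ldap for all three databases, lists the accounts the AD source adds on top of ''/etc/passwd'', and flags entries with empty fields or a uidNumber that collides with a local account. The sample files and account names are constructed.

```sh
#!/bin/sh
# Checks for the "first test" step: added example, not part of the original page.
# Paths are arguments, so the functions run against /etc/passwd, /etc/nsswitch.conf and a
# saved "getent passwd" dump on a live host, or against the constructed samples below.
LC_ALL=C; export LC_ALL

# nss_has_ldap NSSWITCH_FILE: succeed only if passwd, group and shadow all list ldap
nss_has_ldap() {
    for db in passwd group shadow; do
        grep -Eq "^${db}:.*[[:space:]]ldap([[:space:]]|\$)" "$1" || return 1
    done
}

# ad_only_users LOCAL_PASSWD GETENT_OUT: names that only the LDAP source contributes
ad_only_users() {
    tmp=$(mktemp -d)
    cut -d: -f1 "$1" | sort > "$tmp/local"
    cut -d: -f1 "$2" | sort > "$tmp/all"
    comm -13 "$tmp/local" "$tmp/all"
    rm -rf "$tmp"
}

# incomplete_entries GETENT_OUT: entries with an empty uid, gid or home field, e.g. an
# AD account lacking the unixHomeDirectory attribute that is mapped to homeDirectory above
incomplete_entries() {
    awk -F: '$3 == "" || $4 == "" || $6 == "" { print $1 }' "$1"
}

# uid_collisions LOCAL_PASSWD GETENT_OUT: LDAP-only accounts whose uidNumber equals a
# local account's uid (uid 0 would make that AD account root on this box)
uid_collisions() {
    awk -F: 'NR == FNR { local_uid[$3] = $1; is_local[$1] = 1; next }
             !($1 in is_local) && ($3 in local_uid) {
                 print $1 " shares uid " $3 " with local user " local_uid[$3] }' "$1" "$2"
}

# Constructed samples (not real accounts): a correct and a broken nsswitch.conf, a local
# passwd file, and a getent dump with one entry missing its home and one colliding uid.
SAMPLES=$(mktemp -d)
printf 'passwd: files ldap\ngroup: files ldap\nshadow: files ldap\nhosts: files dns\n' > "$SAMPLES/nsswitch.good"
printf 'passwd: files\ngroup: files ldap\nshadow: files ldap\n' > "$SAMPLES/nsswitch.bad"
printf 'root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\njdoe:x:1000:1000:Local Jane:/home/jdoe:/bin/bash\n' > "$SAMPLES/passwd.local"
{ cat "$SAMPLES/passwd.local"
  printf 'alice:*:10001:10000:Alice:/home/alice:/bin/bash\n'
  printf 'bob:*:10002:10000:Bob::/bin/bash\n'
  printf 'svcadm:*:0:10000:Service Admin:/home/svcadm:/bin/bash\n'; } > "$SAMPLES/getent.passwd"
nss_has_ldap "$SAMPLES/nsswitch.good" && echo "nsswitch ok"
echo "AD-only users:";      ad_only_users "$SAMPLES/passwd.local" "$SAMPLES/getent.passwd"
echo "incomplete entries:"; incomplete_entries "$SAMPLES/getent.passwd"
echo "uid collisions:";     uid_collisions "$SAMPLES/passwd.local" "$SAMPLES/getent.passwd"
```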