Ubuntu AD Backend

ldap to AD/nss

nss gets the user lists from ldap (not passwords though)

install stuff

sudo apt-get update
sudo apt-get install nslcd


LDAP Server Host Address:


distinguished name of the search base: DC=acm,DC=cs

Ldap Version: 3

get root ldap access: no

Does Ldap require login: yes

Unprivileged database user: apacheacm@acm.cs

Password for database login account: (get this from a sysadmin) (sysadmin hint: look in /etc/apache2/sites-enabled/ on acm)

getting the settings

The defaults for any values not listed here should be fine

anything listed here needs to be uncommented or changed


# RFC 2307 (AD) mappings
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad

# Disable SASL security layers. This is needed for AD.
sasl_secprops maxssf=0


add “ldap” after passwd, group and shadow


# /etc/nsswitch.conf
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files ldap
group:          files ldap
shadow:         files ldap

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

restart service

sudo service nslcd restart

first test

If everything works correctly up until this point:

getent passwd 

should list all the AD users as well as the system users
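
To check the nsswitch.conf edit and the first test without eyeballing the output, here is an added example script (not part of the original wiki page). The function names are made up for this example, and it assumes each database's sources sit on one whitespace-separated line.

```shell
#!/bin/sh
# Added example: verify the nsswitch.conf edit and the "first test".
# File paths are parameters so the checks can also run on sample files.

# db_has_ldap_after_files FILE DB
# Succeeds only if DB's source list contains "files" and, later, "ldap".
# Comments are stripped first, so "files  # ldap" does not count.
db_has_ldap_after_files() {
    sed 's/#.*//' "$1" | awk -v db="$2:" '
        $1 == db {
            for (i = 2; i <= NF; i++) {
                if ($i == "files") f = i
                if ($i == "ldap")  l = i
            }
        }
        END { exit !(f && l > f) }'
}

# check_nsswitch FILE
# Prints one status line per database; returns 1 if any of them fails.
check_nsswitch() {
    rc=0
    for db in passwd group shadow; do
        if db_has_ldap_after_files "$1" "$db"; then
            echo "ok   $db"
        else
            echo "FAIL $db: \"ldap\" missing or not after \"files\""
            rc=1
        fi
    done
    return "$rc"
}

# ldap_only_users GETENT_OUTPUT LOCAL_PASSWD
# Prints account names found in `getent passwd` output but not in the local
# passwd file, i.e. the accounts that came from the directory.
ldap_only_users() {
    awk -F: 'NR == FNR { local_name[$1] = 1; next }
             !($1 in local_name) { print $1 }' "$2" "$1"
}

# Run against the live system when called as: sh thisscript.sh live
if [ "${1:-}" = "live" ]; then
    check_nsswitch /etc/nsswitch.conf
    getent passwd | ldap_only_users - /etc/passwd
fi
```

If the second command prints nothing, nslcd is not returning any AD accounts, even though getent still shows the system users.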


kerberos handles authentication of users. (passwords)

install stuff

sudo apt-get install krb5-user
sudo apt-get install krb5-config
sudo apt-get install libpam-krb5


make changes to the following 2 sections of /etc/krb5.conf


[libdefaults]
        default_realm = ACM.CS
        dns_lookup_realm = false
        dns_lookup_kdc = true

[domain_realm]
        acm.cs = ACM.CS
        .acm.cs = ACM.CS

#       kdc = CONSOLE

linux/ad_backend.txt · Last modified: 2021/05/02 21:36 (external edit)