This shows you the differences between two versions of the page.
Old revision: linux:ad_backend [2010/04/20 17:41] hef, edit summary: changing from amadaeus to dvorak
New revision: linux:ad_backend [2021/05/02 21:36]
Line 1: | Line 1: | ||
- | ====== ldap to AD/nss ====== | ||
- | nss gets the user lists from ldap (not passwords though) | ||
- | ===== install stuff ===== | ||
- | |||
- | sudo apt-get update | ||
- | sudo apt-get install libnss-ldap | ||
- | |||
- | ===== configuring ===== | ||
- | |||
- | |||
- | LDAP Server Host Address: | ||
- | ldap://dvorak.acm.cs | ||
- | |||
- | distinguished name of the search base: | ||
- | DC=acm,DC=cs | ||
- | |||
- | Ldap Version: | ||
- | 3 | ||
- | |||
- | get root ldap access: no | ||
- | |||
- | Does Ldap require login: yes | ||
- | |||
- | Unprivileged database user: apacheacm@acm.cs | ||
- | |||
- | Password for database login account: (get this from a sysadmin) (syadmin hint: look in /etc/apache2/sites-enabled/acm.cs.uic.edu-secure on acm) | ||
- | |||
- | ===== getting the settings ===== | ||
- | The defaults for any values not listed here should be fine | ||
- | |||
- | anything listed here needs to be uncommented or changed | ||
- | |||
- | <file|/etc/ldap.conf> | ||
- | # RFC 2307 (AD) mappings | ||
- | nss_map_objectclass posixAccount user | ||
- | nss_map_objectclass shadowAccount user | ||
- | nss_map_attribute uid sAMAccountName | ||
- | nss_map_attribute homeDirectory unixHomeDirectory | ||
- | nss_map_attribute shadowLastChange pwdLastSet | ||
- | nss_map_objectclass posixGroup group | ||
- | nss_map_attribute uniqueMember member | ||
- | pam_login_attribute sAMAccountName | ||
- | pam_filter objectclass=User | ||
- | pam_password ad | ||
- | |||
- | |||
- | # Disable SASL security layers. This is needed for AD. | ||
- | sasl_secprops maxssf=0 | ||
- | </file> | ||
- | ===== nssswitch ===== | ||
- | add "ldap" after passwd, group and shadow | ||
- | <file|/etc/nssswitch.conf> | ||
- | # /etc/nsswitch.conf | ||
- | # | ||
- | # Example configuration of GNU Name Service Switch functionality. | ||
- | # If you have the `glibc-doc-reference' and `info' packages installed, try: | ||
- | # `info libc "Name Service Switch"' for information about this file. | ||
- | |||
- | passwd: compat ldap | ||
- | group: compat ldap | ||
- | shadow: compat ldap | ||
- | |||
- | hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 | ||
- | networks: files | ||
- | |||
- | protocols: db files | ||
- | services: db files | ||
- | ethers: db files | ||
- | rpc: db files | ||
- | |||
- | netgroup: nis | ||
- | |||
- | </file> | ||
- | |||
- | ===== first test ===== | ||
- | |||
- | If you everything works correctly up until this point: | ||
- | |||
- | getent passwd | ||
- | should list all the AD users as well as the system users | ||
- | ====== kerberos ====== | ||
- | kerberos handles authentication of users. (passwords) | ||
- | ===== install stuff ===== | ||
- | apt-get install krb5-user | ||
- | apt-get install krb5-config | ||
- | |||
- | ===== krb5.conf ===== | ||
- | make changes to the following 2 sections of /etc/krb5.conf | ||
- | <file|/etc/krb5.conf> | ||
- | [libdefaults] | ||
- | default_realm = ACM.CS | ||
- | </file> | ||
- | <file|/etc/krb5.conf> | ||
- | [realms] | ||
- | ACM.CS = { | ||
- | kdc = dvorak.acm.cs | ||
- | kdc = acm-linux.cs-icl.uic.edu | ||
- | admin_server = dvorak.acm.cs | ||
- | } | ||
- | |||
- | </file> |
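Review bot: the LDAP configuration in this hunk moves the bind credentials and the directory data over the network in the clear: `ldap://dvorak.acm.cs` is a plain-text URL and `sasl_secprops maxssf=0` explicitly disables SASL security layers, while the password entered at "Password for database login account" is written to /etc/ldap.conf, a file that every process doing NSS lookups must read and which is therefore normally world-readable. Suggest an `ldaps://` URL (or `ssl start_tls` plus a `tls_cacertfile` line) so that the session is protected regardless of the SASL setting, and a note that the bind account should be a read-only directory user and its password not the same one pulled out of the Apache site config on acm. Two smaller points: the second file block is labelled `/etc/nssswitch.conf` (and the heading reads "nssswitch") while its own first comment line says `/etc/nsswitch.conf`, so the label and heading should be corrected; and the Kerberos section stops after krb5.conf with neither the PAM step that makes logins actually use Kerberos nor a `kinit` check to mirror the `getent passwd` test in the first section, so as written it installs the client but never authenticates anyone with it.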