linux:ad_backend
Differences
This shows you the differences between two versions of the page.
|
linux:ad_backend [2016/02/02 04:57] walter ↷ Page moved from ad_backend to linux:ad_backend |
linux:ad_backend [2021/05/02 21:36] |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== ldap to AD/nss ====== | ||
| - | nss gets the user lists from ldap (not passwords though) | ||
| - | ===== install stuff ===== | ||
| - | |||
| - | sudo apt-get update | ||
| - | sudo apt-get install nslcd | ||
| - | |||
| - | ===== configuring ===== | ||
| - | |||
| - | |||
| - | LDAP Server Host Address: | ||
| - | <code> | ||
| - | ldaps://ad1.acm.cs | ||
| - | ldaps://ad2.acm.cs | ||
| - | ldaps://ad3.acm.cs | ||
| - | </code> | ||
| - | distinguished name of the search base: | ||
| - | DC=acm,DC=cs | ||
| - | |||
| - | Ldap Version: | ||
| - | 3 | ||
| - | |||
| - | get root ldap access: no | ||
| - | |||
| - | Does Ldap require login: yes | ||
| - | |||
| - | Unprivileged database user: apacheacm@acm.cs | ||
| - | |||
| - | Password for database login account: (get this from a sysadmin) (syadmin hint: look in /etc/apache2/sites-enabled/acm.cs.uic.edu-secure on acm) | ||
| - | |||
| - | ===== getting the settings ===== | ||
| - | The defaults for any values not listed here should be fine | ||
| - | |||
| - | anything listed here needs to be uncommented or changed | ||
| - | |||
| - | <file|/etc/ldap.conf> | ||
| - | # RFC 2307 (AD) mappings | ||
| - | nss_map_objectclass posixAccount user | ||
| - | nss_map_objectclass shadowAccount user | ||
| - | nss_map_attribute uid sAMAccountName | ||
| - | nss_map_attribute homeDirectory unixHomeDirectory | ||
| - | nss_map_attribute shadowLastChange pwdLastSet | ||
| - | nss_map_objectclass posixGroup group | ||
| - | nss_map_attribute uniqueMember member | ||
| - | pam_login_attribute sAMAccountName | ||
| - | pam_filter objectclass=User | ||
| - | pam_password ad | ||
| - | |||
| - | |||
| - | # Disable SASL security layers. This is needed for AD. | ||
| - | sasl_secprops maxssf=0 | ||
| - | </file> | ||
| - | ===== nssswitch ===== | ||
| - | add "ldap" after passwd, group and shadow | ||
| - | <file|/etc/nssswitch.conf> | ||
| - | # /etc/nsswitch.conf | ||
| - | # | ||
| - | # Example configuration of GNU Name Service Switch functionality. | ||
| - | # If you have the `glibc-doc-reference' and `info' packages installed, try: | ||
| - | # `info libc "Name Service Switch"' for information about this file. | ||
| - | |||
| - | passwd: files ldap | ||
| - | group: files ldap | ||
| - | shadow: files ldap | ||
| - | |||
| - | hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 | ||
| - | networks: files | ||
| - | |||
| - | protocols: db files | ||
| - | services: db files | ||
| - | ethers: db files | ||
| - | rpc: db files | ||
| - | |||
| - | netgroup: nis | ||
| - | |||
| - | </file> | ||
| - | |||
| - | ===== first test ===== | ||
| - | |||
| - | If you everything works correctly up until this point: | ||
| - | |||
| - | getent passwd | ||
| - | should list all the AD users as well as the system users | ||
| - | ====== kerberos ====== | ||
| - | kerberos handles authentication of users. (passwords) | ||
| - | ===== install stuff ===== | ||
| - | apt-get install krb5-user | ||
| - | apt-get install krb5-config | ||
| - | apt-get install libpam-krb5 | ||
| - | |||
| - | ===== krb5.conf ===== | ||
| - | make changes to the following 2 sections of /etc/krb5.conf | ||
| - | <file|/etc/krb5.conf> | ||
| - | [libdefaults] | ||
| - | default_realm = ACM.CS | ||
| - | dns_lookup_realm = false | ||
| - | dns_lookup_kdc = true | ||
| - | |||
| - | [realms] | ||
| - | |||
| - | [domain_realm] | ||
| - | acm.cs = ACM.CS | ||
| - | .acm.cs = ACM.CS | ||
| - | |||
| - | [logging] | ||
| - | # kdc = CONSOLE | ||
| - | |||
| - | </file> | ||
linux/ad_backend.txt · Last modified: 2021/05/02 21:36 (external edit)
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 4.0 International
