User Tools

Site Tools


Action disabled: resendpwd
linux:ad_backend

Ubuntu AD Backend

ldap to AD/nss

nss gets the user lists from ldap (not passwords though)

install stuff

sudo apt-get update
sudo apt-get install nslcd

configuring

LDAP Server Host Address:

ldaps://ad1.acm.cs
ldaps://ad2.acm.cs
ldaps://ad3.acm.cs

distinguished name of the search base: DC=acm,DC=cs

Ldap Version: 3

get root ldap access: no

Does Ldap require login: yes

Unprivileged database user: apacheacm@acm.cs

Password for database login account: (get this from a sysadmin) (syadmin hint: look in /etc/apache2/sites-enabled/acm.cs.uic.edu-secure on acm)

getting the settings

The defaults for any values not listed here should be fine

anything listed here needs to be uncommented or changed

/etc/ldap.conf

# RFC 2307 (AD) mappings
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad


# Disable SASL security layers. This is needed for AD.
sasl_secprops maxssf=0

nssswitch

add “ldap” after passwd, group and shadow

/etc/nssswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files ldap
group:          files ldap
shadow:         files ldap

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

restart service

sudo service nslcd restart

first test

If you everything works correctly up until this point:

getent passwd 

should list all the AD users as well as the system users

kerberos

kerberos handles authentication of users. (passwords)

install stuff

apt-get install krb5-user
apt-get install krb5-config
apt-get install libpam-krb5

krb5.conf

make changes to the following 2 sections of /etc/krb5.conf

/etc/krb5.conf

[libdefaults]
        default_realm = ACM.CS
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]

[domain_realm]
        acm.cs = ACM.CS
        .acm.cs = ACM.CS

[logging]
#       kdc = CONSOLE

linux/ad_backend.txt · Last modified: 2021/05/02 21:36 (external edit)