NSS gets the user list from LDAP (not passwords, though).
sudo apt-get update
sudo apt-get install libnss-ldap
LDAP Server Host Address: ldap://amadeus.acm.cs
distinguished name of the search base: DC=acm,DC=cs
Ldap Version: 3
get root ldap access: no
Does LDAP require login: yes
Unprivileged database user: apacheacm@acm.cs
Password for database login account: (get this from a sysadmin)
The defaults for any values not listed here should be fine.
Anything listed here needs to be uncommented or changed.
/etc/ldap.conf
# RFC 2307 (AD) mappings
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
# Disable SASL security layers. This is needed for AD.
sasl_secprops maxssf=0
Add “ldap” after the existing sources on the passwd, group and shadow lines.
/etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat ldap
group: compat ldap
shadow: compat ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
If everything works correctly up to this point:
getent passwd
should list all the AD users as well as the system users
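If getent passwd does not list the AD users, checking the two files edited above narrows the problem down. The script below is an added example, not part of the original wiki page; the function names and the sample files it builds are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a copy of nsswitch.conf and ldap.conf against this page.

# Succeeds only if passwd, group and shadow each list "ldap" as a source on
# an uncommented line (text after a '#' is ignored).
check_nsswitch() {
    rc=0
    for db in passwd group shadow; do
        grep -Eq "^[[:space:]]*${db}:[^#]*[[:space:]]ldap([[:space:]]|\$)" "$1" || {
            echo "nsswitch: $db does not list ldap"; rc=1; }
    done
    return $rc
}

# Succeeds only if every directive from the page's /etc/ldap.conf snippet is
# present and uncommented; the amount of whitespace between fields may vary.
check_ldap_conf() {
    rc=0
    while read -r key rest; do
        want=$(printf '%s' "$rest" | sed 's/ /[[:space:]]+/g')
        grep -Eq "^[[:space:]]*${key}[[:space:]]+${want}[[:space:]]*\$" "$1" || {
            echo "ldap.conf: missing or commented: $key $rest"; rc=1; }
    done <<'EOF'
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
sasl_secprops maxssf=0
EOF
    return $rc
}

# Constructed sample: shadow was left without ldap, one mapping still commented.
tmp=$(mktemp -d)
printf 'passwd: compat ldap\ngroup: compat ldap\nshadow: compat\n' > "$tmp/nsswitch.conf"
printf '#nss_map_attribute uid sAMAccountName\npam_password ad\n' > "$tmp/ldap.conf"
check_nsswitch "$tmp/nsswitch.conf" || echo "-> fix nsswitch.conf"
check_ldap_conf "$tmp/ldap.conf" || echo "-> fix ldap.conf"
rm -rf "$tmp"
```

To check the live system, call the two functions with /etc/nsswitch.conf and /etc/ldap.conf instead of the sample files.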
Kerberos handles authentication of users (passwords).
apt-get install krb5-user
apt-get install krb5-config
/etc/krb5.conf
[libdefaults]
default_realm = ACM.CS
/etc/krb5.conf
[realms]
ACM.CS = {
    kdc = amadeus.acm.cs
    kdc = acm-linux.cs-icl.uic.edu
    admin_server = amadeus.acm.cs
}