Arch AD Auth


pacman -S nss-pam-ldapd krb5 pam-krb5



In /etc/krb5.conf:

[libdefaults]
        default_realm = ACM.CS
        dns_lookup_realm = false
        dns_lookup_kdc = true

[domain_realm]
        acm.cs = ACM.CS
        .acm.cs = ACM.CS

#       kdc = CONSOLE

To test, run:

kinit username


LDAP lookups and auth use nslcd as opposed to the old nss-ldap/pam-ldap packages. Nslcd is faster and more reliable than the old libs.

Make sure /etc/nslcd.conf can only be read by root, since it holds the bind passwords in clear text.

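As an added example (not part of the wiki page), a small check that a file like /etc/nslcd.conf is owned by root and carries no group/other permission bits, and that reports which clear-text secret keys (bindpw, rootpwmodpw) it contains. The path and the expected owner are parameters; the defaults assume root (uid 0) as on the page.

```python
"""Added example, not from the wiki page: verify that an nslcd.conf-style
file is readable only by its owner and list the secret keys it carries."""
import os
import stat

# Keys in nslcd.conf whose values are clear-text passwords (from the page).
SECRET_KEYS = {"bindpw", "rootpwmodpw"}


def secret_keys_present(path):
    """Return the set of clear-text secret keys found in the file."""
    found = set()
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key = line.split(None, 1)[0]
            if key in SECRET_KEYS:
                found.add(key)
    return found


def permission_problems(path, expected_uid=0):
    """Return a list of problems; an empty list means the file is acceptable.

    expected_uid defaults to 0 (root), matching the page's requirement that
    only root can read nslcd.conf.
    """
    problems = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path} does not exist"]
    if stat.S_ISLNK(st.st_mode):
        problems.append("is a symbolic link; check the target instead")
        return problems
    if st.st_uid != expected_uid:
        problems.append(f"owned by uid {st.st_uid}, expected uid {expected_uid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {mode:04o} grants group/other access; want 0600")
    if not mode & stat.S_IRUSR:
        problems.append(f"mode {mode:04o} does not let the owner read the file")
    return problems


def check_nslcd_conf(path, expected_uid=0):
    """Combine both checks into one report: list of human-readable problems."""
    problems = permission_problems(path, expected_uid)
    if problems and os.path.exists(path) and not os.path.islink(path):
        secrets = secret_keys_present(path)
        if secrets:
            problems.append("file holds clear-text secrets: " + ", ".join(sorted(secrets)))
    return problems


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/nslcd.conf"
    report = check_nslcd_conf(target)
    print("OK" if not report else "\n".join(report))
    sys.exit(1 if report else 0)
```

Run it with the path of the config to check; a non-zero exit means something needs fixing (typically `chown root:root` and `chmod 600`).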

uid nslcd
gid nslcd

uri ldaps://ad1.acm.cs/
uri ldaps://ad2.acm.cs/

ldap_version 3

base dc=acm,dc=cs

binddn apacheacm@acm.cs
bindpw <ask admin>

rootpwmoddn acmpwadmin@acm.cs
rootpwmodpw <ask admin>

base group ou=ACMGroups,dc=acm,dc=cs
base passwd ou=ACMUsers,dc=acm,dc=cs
base shadow ou=ACMUsers,dc=acm,dc=cs

bind_timelimit 30
timelimit 30

ssl on
# 'allow' accepts the AD servers' certificates without verifying them; once the
# domain CA certificate is installed, point tls_cacertfile at it and use 'demand'
tls_reqcert allow

**Uncomment the 'Mappings for Active Directory' section**
pagesize 1000
referrals off
idle_timelimit 800
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet
filter group (objectClass=group)
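As an added example (not from the wiki page), the script below applies the conditions of the passwd filter above to constructed AD entries and builds the passwd lines that the `map passwd` lines produce (uid from sAMAccountName, home directory from unixHomeDirectory, gecos from displayName). Its point is the `UserAccountControl:1.2.840.113556.1.4.803:=2` clause: that OID is AD's bitwise-AND matching rule and bit 2 is ACCOUNTDISABLE, so disabled accounts never resolve to Unix users. The sample entries, and the assumption that loginShell is taken directly from the entry, are constructed for the example.

```python
"""Added example, not from the wiki page: evaluate the nslcd passwd filter and
attribute mappings against constructed AD entries."""

# Bit 2 of userAccountControl is ACCOUNTDISABLE; the filter clause
# "UserAccountControl:1.2.840.113556.1.4.803:=2" tests it with AD's
# bitwise-AND matching rule.
ACCOUNTDISABLE = 0x0002

# Constructed sample entries (attribute -> list of values), not real data.
SAMPLE_ENTRIES = [
    {   # enabled user with POSIX attributes: should be included
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["alice"], "displayName": ["Alice Example"],
        "uidNumber": ["10001"], "gidNumber": ["10000"],
        "unixHomeDirectory": ["/home/alice"], "loginShell": ["/bin/bash"],
        "userAccountControl": ["512"],   # NORMAL_ACCOUNT
    },
    {   # disabled user: 512 + 2 (ACCOUNTDISABLE)
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["bob"], "displayName": ["Bob Example"],
        "uidNumber": ["10002"], "gidNumber": ["10000"],
        "unixHomeDirectory": ["/home/bob"], "loginShell": ["/bin/bash"],
        "userAccountControl": ["514"],
    },
    {   # enabled user without POSIX attributes
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["carol"], "displayName": ["Carol Example"],
        "userAccountControl": ["512"],
    },
    {   # computer account: objectClass includes both user and computer
        "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
        "sAMAccountName": ["ws01$"], "displayName": ["WS01"],
        "uidNumber": ["10003"], "gidNumber": ["10000"],
        "unixHomeDirectory": ["/home/ws01"], "loginShell": ["/bin/bash"],
        "userAccountControl": ["4096"],  # WORKSTATION_TRUST_ACCOUNT
    },
]


def bit_and_rule(values, mask):
    """Semantics of the 1.2.840.113556.1.4.803 rule: true iff every bit of
    mask is set in some value of the attribute."""
    return any(int(v) & mask == mask for v in values)


def exclusion_reasons(entry):
    """Reasons the passwd filter rejects the entry (empty list means match)."""
    reasons = []
    classes = set(entry.get("objectClass", []))
    if "user" not in classes:
        reasons.append("not objectClass=user")
    if "computer" in classes:
        reasons.append("is a computer object")
    if not entry.get("uidNumber"):
        reasons.append("no uidNumber")
    if not entry.get("unixHomeDirectory"):
        reasons.append("no unixHomeDirectory")
    if bit_and_rule(entry.get("userAccountControl", []), ACCOUNTDISABLE):
        reasons.append("account disabled (ACCOUNTDISABLE bit set)")
    return reasons


def passwd_filter_matches(entry):
    return not exclusion_reasons(entry)


def to_passwd_line(entry):
    """passwd line per the page's map lines: uid<-sAMAccountName,
    homeDirectory<-unixHomeDirectory, gecos<-displayName."""
    def first(attr):
        return entry[attr][0]
    return ":".join([first("sAMAccountName"), "x", first("uidNumber"),
                     first("gidNumber"), first("displayName"),
                     first("unixHomeDirectory"), first("loginShell")])


def resolve_passwd(entries):
    """What `getent passwd` would list for the entries that pass the filter."""
    return [to_passwd_line(e) for e in entries if passwd_filter_matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        why = exclusion_reasons(e)
        print(f"{e['sAMAccountName'][0]}: " + ("included" if not why else "excluded: " + ", ".join(why)))
    for line in resolve_passwd(SAMPLE_ENTRIES):
        print(line)
```

Only alice survives: bob is disabled, carol lacks POSIX attributes, and the workstation account is a computer object. The same test is repeated in the shadow filter, so a disabled account also gets no shadow entry.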


In /etc/nsswitch.conf, edit the passwd, shadow, and group lines to read:


passwd: files ldap [NOTFOUND=return]
shadow: files ldap [NOTFOUND=return]
group: files ldap [NOTFOUND=return]


getent passwd

The LDAP user list should show up

getent group

The LDAP group list should show up


To give admins sudo, add this line to /etc/sudoers:


%AcmLanAdmins ALL=(ALL) ALL


auth      sufficient
auth      required     try_first_pass nullok
auth      optional
auth      required

account   sufficient
account   required
account   optional
account   required

password  sufficient
password  required     try_first_pass nullok sha512 shadow
password  optional

session   required
session   required
session   optional
session   optional

