krb5.conf
  [libdefaults]
      default_realm = ACM.CS
      dns_lookup_realm = false
      dns_lookup_kdc = true

  [realms]

  [domain_realm]
      acm.cs = ACM.CS
      .acm.cs = ACM.CS

  [logging]
  #    kdc = CONSOLE
To test, run
  kinit username
and enter the domain password. A successful kinit prints nothing; klist should then list a ticket-granting ticket for username@ACM.CS.
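The [domain_realm] section above is what maps a hostname such as ad1.acm.cs to the realm ACM.CS, and with dns_lookup_realm = false the default_realm is the only fallback for hosts that match nothing. The script below is an added example, not part of the wiki page: it writes this page's krb5.conf to a temporary file and resolves realms for hostnames the way libkrb5 walks the mapping (exact host, then each parent domain in its dotted and undotted form, then default_realm). The extra .lab.test mapping and the hostnames in the checks are constructed for the example.

```shell
#!/bin/sh
# Added example; not from the wiki page. Resolves the Kerberos realm for a
# hostname the way libkrb5 walks [domain_realm]: exact host first, then each
# parent domain in its dotted (".acm.cs") and undotted ("acm.cs") form, then
# default_realm, which is what dns_lookup_realm = false leaves as the fallback.
# Uses the krb5.conf from this page; the ".lab.test" mapping and the hostnames
# at the bottom are constructed for the example.

KRB5_CONF="$(mktemp)"
trap 'rm -f "$KRB5_CONF"' EXIT
cat > "$KRB5_CONF" <<'EOF'
[libdefaults]
    default_realm = ACM.CS
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]

[domain_realm]
    acm.cs = ACM.CS
    .acm.cs = ACM.CS
    .lab.test = LAB.TEST

[logging]
#    kdc = CONSOLE
EOF

# Print "key<TAB>value" for every setting in section $2 of file $1.
krb5_section() {
    awk -v want="[$2]" '
        /^[ \t]*\[/ { insec = ($1 == want); next }
        insec && $1 !~ /^#/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            print k "\t" v
        }' "$1"
}

# Value of key $3 in section $2 of file $1, or nothing if unset.
krb5_get() {
    krb5_section "$1" "$2" | awk -F '\t' -v k="$3" '$1 == k { print $2; exit }'
}

# Realm for host $2 according to file $1.
krb5_realm_for_host() {
    candidate="$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
    while :; do
        realm="$(krb5_get "$1" domain_realm "$candidate")"
        if [ -n "$realm" ]; then printf '%s\n' "$realm"; return 0; fi
        case "$candidate" in
            .*)  candidate="${candidate#.}" ;;      # ".acm.cs" -> "acm.cs"
            *.*) candidate=".${candidate#*.}" ;;    # "ad1.acm.cs" -> ".acm.cs"
            *)   break ;;                           # labels exhausted
        esac
    done
    krb5_get "$1" libdefaults default_realm         # fallback
}

krb5_realm_for_host "$KRB5_CONF" ad1.acm.cs        # ACM.CS, via .acm.cs
krb5_realm_for_host "$KRB5_CONF" box.lab.test      # LAB.TEST
krb5_realm_for_host "$KRB5_CONF" host.example.org  # ACM.CS, via default_realm
```

The third lookup is the one to keep in mind when adding hosts outside acm.cs: with dns_lookup_realm off, anything unmapped silently lands in ACM.CS rather than failing.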
LDAP lookups and authentication use nslcd rather than the old nss-ldap/pam-ldap packages; nslcd is faster and more reliable than the old libraries.
nslcd.conf holds the bind password and the password-change admin password (bindpw, rootpwmodpw) in cleartext, so make sure it can only be read by root: chown root:root and chmod 600. nslcd reads the file as root before dropping to the nslcd user, so the daemon still works with that mode.
nslcd.conf
  uid nslcd
  gid nslcd
  uri ldaps://ad1.acm.cs/
  uri ldaps://ad2.acm.cs/
  ldap_version 3
  base dc=acm,dc=cs
  binddn apacheacm@acm.cs
  bindpw <ask admin>
  rootpwmoddn acmpwadmin@acm.cs
  rootpwmodpw <ask admin>
  base group ou=ACMGroups,dc=acm,dc=cs
  base passwd ou=ACMUsers,dc=acm,dc=cs
  base shadow ou=ACMUsers,dc=acm,dc=cs
  bind_timelimit 30
  timelimit 30
  ssl on
  tls_reqcert allow
  pagesize 1000
  referrals off
  idle_timelimit 800
Uncomment the 'Mappings for Active Directory' section of the stock file so that it reads:
  filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
  map passwd uid sAMAccountName
  map passwd homeDirectory unixHomeDirectory
  map passwd gecos displayName
  filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
  map shadow uid sAMAccountName
  map shadow shadowLastChange pwdLastSet
  filter group (objectClass=group)
The (!(UserAccountControl:1.2.840.113556.1.4.803:=2)) clause is an LDAP bitwise AND match that drops accounts with the ACCOUNTDISABLE bit set, so disabled AD users never appear in passwd or shadow. Note that tls_reqcert allow makes nslcd accept any server certificate, so ldaps:// on its own does not protect the bind password against a spoofed DC; once the AD CA certificate is installed on the host, change it to tls_reqcert demand and point tls_cacertfile at that CA.
Edit the passwd, shadow, and group lines to this
nsswitch.conf
  passwd: files ldap [NOTFOUND=return]
  shadow: files ldap [NOTFOUND=return]
  group: files ldap [NOTFOUND=return]
Test
  getent passwd
The LDAP users should appear after the local entries from /etc/passwd.
  getent group
The LDAP groups should appear likewise, and id username should list that user's AD group memberships. If only local entries show up, check that nslcd is running and that nslcd.conf is readable by root.
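The two things worth checking mechanically on every host that gets this nslcd.conf are the file permissions (the page asks for root-only access because the bind passwords are cleartext) and the tls_reqcert setting (allow means the AD server certificate is never verified). The script below is an added example, not part of the wiki page: it audits an nslcd.conf for both, plus cleartext ldap:// URIs, and runs against two constructed files, one with the page's settings left world-readable and one corrected variant. Function names, the sample files and the CA path are assumptions for the example.

```shell
#!/bin/sh
# Added example; not from the wiki page. Audits an nslcd.conf for the check the
# page asks you to do by hand (root-only permissions, because bindpw and
# rootpwmodpw sit in it in cleartext) and for a caveat the page's config needs:
# "tls_reqcert allow" accepts any server certificate, so ldaps:// on its own
# does not protect the bind password against a spoofed DC. Function names, the
# two sample files and the CA path are constructed for the example.

# Value of the last occurrence of keyword $1 in file $2 (nslcd keeps the last).
conf_value() {
    awk -v k="$1" '$1 == k { v = $2 } END { print v }' "$2"
}

# Print one line per finding. Returns 0 if the file passes, 1 if it must be fixed.
audit_nslcd_conf() {
    f="$1"; rc=0

    mode="$(stat -c '%a' "$f")"
    case "$mode" in
        600|400) ;;
        *) echo "FAIL: mode $mode on $f; it holds bindpw, use chmod 600 and chown root:root"; rc=1 ;;
    esac

    # Every URI must be ldaps:// (or a local ldapi:// socket) unless STARTTLS
    # is turned on; otherwise the bind and all lookups travel in cleartext.
    if [ "$(conf_value ssl "$f")" != start_tls ]; then
        plain="$(awk '$1 == "uri" && $2 !~ /^ldap[si]:\/\// { print $2 }' "$f")"
        if [ -n "$plain" ]; then
            echo "FAIL: cleartext uri without ssl start_tls: $plain"; rc=1
        fi
    fi

    reqcert="$(conf_value tls_reqcert "$f")"
    case "$reqcert" in
        demand|hard)
            if [ -z "$(conf_value tls_cacertfile "$f")$(conf_value tls_cacertdir "$f")" ]; then
                echo "WARN: tls_reqcert $reqcert without tls_cacertfile/tls_cacertdir; the library default CA store is used"
            fi ;;
        "") echo "WARN: tls_reqcert unset; whatever the LDAP library defaults to applies" ;;
        *)  echo "FAIL: tls_reqcert $reqcert skips server certificate verification; set demand"; rc=1 ;;
    esac
    return "$rc"
}

WEAK="$(mktemp)"; HARD="$(mktemp)"
trap 'rm -f "$WEAK" "$HARD"' EXIT

# Constructed from the page's settings, secrets replaced with placeholders.
cat > "$WEAK" <<'EOF'
uid nslcd
gid nslcd
uri ldaps://ad1.acm.cs/
uri ldaps://ad2.acm.cs/
ldap_version 3
base dc=acm,dc=cs
binddn apacheacm@acm.cs
bindpw PLACEHOLDER
ssl on
tls_reqcert allow
EOF
chmod 644 "$WEAK"   # world-readable: the first finding

# Corrected variant: certificate verified against the AD CA (assumed path),
# file readable by root only.
cat > "$HARD" <<'EOF'
uid nslcd
gid nslcd
uri ldaps://ad1.acm.cs/
uri ldaps://ad2.acm.cs/
ldap_version 3
base dc=acm,dc=cs
binddn apacheacm@acm.cs
bindpw PLACEHOLDER
ssl on
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/acm-ad-ca.pem
EOF
chmod 600 "$HARD"

audit_nslcd_conf "$WEAK" || echo "$WEAK: needs fixing"
audit_nslcd_conf "$HARD" && echo "$HARD: ok"
```

Run it as audit_nslcd_conf /etc/nslcd.conf on a configured host; the weak sample produces two FAIL lines (mode 644, tls_reqcert allow) and the corrected one passes silently.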
To give admins sudo, add the following with visudo. The group is resolved through nslcd, so getent group AcmLanAdmins must return the AD group before this line has any effect.
sudoers
%AcmLanAdmins ALL=(ALL) ALL
The PAM configuration lives in /etc/pam.d. Rather than editing those files by hand, force install acm-pam:
  pacman -S --force acm-pam
This installs a working PAM stack for authentication against the ACM AD domain. Newer pacman releases dropped --force in favour of --overwrite, so adjust the command if pacman rejects the flag.