From: Ariz Jacinto acjacinto@freetxt.com.ph
To: plug@lists.q-linux.com
X-Mailer: SquirrelMail (version 1.0.6)
Subject: Re: [plug] BIND/DNS & DHCP Assistance
Date: Fri, 24 Oct 2003 11:17:59 +0800 (PHT)
...
> Now our client PCs are all running win2k pro and some win98. How do I
> implement and integrate or use Active Directory for our network? I
> want ADS to make use of the BIND/DNS & DHCP service provided by the
> RHL9, Is this possible?
>
> Actually I tried to join a client using its Network Wizard. But there's
> a problem. ADS cannot recognize and update the domain?
>
> Another one. Is ADS and LDAP/OpenLDAP compatible or can they work
> together as peer domain controller?
This document is intended to assist you in integrating authentication
between LINUX and Microsoft Active Directory. Using the pam_ldap and
nss_ldap modules from padl.com one can use Active Directory as a central
authentication source for both Windows and LINUX systems.
http://jaxen.ratisle.net/~jj/nss_ldap-AD_Integration_how-to.html
--
Ariz C. Jacinto, ECE
Systems Operations
SPI Technologies-PS
Linux-AD Integration
[Mirrored from http://jaxen.ratisle.net/~jj/nss_ldap-AD_Integration_how-to.html.]
Updated 2/26/2002
Written and maintained by JJ Streicher-Bremer
Introduction
This document is intended to assist you in integrating authentication between LINUX and Microsoft Active Directory. Using the pam_ldap and nss_ldap modules from padl.com one can use Active Directory as a central authentication source for both Windows and LINUX systems.
What you need:
Win2K Domain controller. This can be virtually any DC on your network. You will need enterprise administrator rights (or at least schema admin rights). You will need to install the resource kit from the server CD; several utilities used here come from it. You will also need the schema file to add the appropriate attributes to your AD schema. Download the latest nss_ldap source from padl.com. As of this writing the latest version is 163.
Set up Win2K
1) Install the high-encryption pack. I got bit by this one: the high-encryption pack is needed to enable SSL over LDAP (more on that later).
2) Allow schema updates on your DC. You will need to use schema management MMC snapin to do this. The snapin DLL is copied to the system when the Admin Pack is installed on a workstation. I believe the files are also installed when you upgrade a member server to a DC.
If this is the first time you are running this tool, you will need to register the schema management DLL with windows. I guess the folks at Microsoft don't want one to "accidentally" modify the schema ;-) To register the dll run this command "regsvr32 c:\winnt\system32\schmmgmt.dll"
Create a Schema Management MSC
start...run...mmc
console...add/remove snapin...add
Select Active Directory Schema and click add
click close
click OK
Choose the domain controller you want to update the schema on
Right click on "Active Directory Schema" and select "Change Domain Controller"
Select "Specify name" and type in the DNS name or address of your Domain controller
Allow updates on the domain controller
Right click on "Active Directory Schema" and select "Operations Master"
Click the checkbox "The Schema may be modified on this Domain Controller"
Click OK
Update the schema
1) Modify the schema file to reflect your domain
Do a global search and replace on the file replacing "{targetdomain}" with ",dc=yourdomain,dc=[com,net,org....]"
2) Import the schema - "ldifde -i -k -f your_modified_schema_file.ldif" This is one of the utilities installed with the resource kit.
3) Set up for SSL - install cert services and assign a cert to the server
4) Add your users
Use ldp.exe to add the attributes for gecos, uidNumber, gidNumber, loginShell, msSFUHomeDirectory, msSFUName
Note, I no longer use ldp.exe to edit AD directly. Maxim Batourine has written a wonderful utility called AD4UNIX that is a snapin for the Active Directory Users and Computers MMC. It allows one to modify the UNIX related attributes for users directly from the same utility used to modify the NT attributes. It will even update your AD schema if you have not done so yet. It is available here.
Set up LINUX
Download the latest version of the nss_ldap source from ftp.padl.com. As of this writing it is version 184. This HOW-TO has been written for this version. Newer versions will probably work, but I have not tested newer versions. You will need to re-compile nss_ldap with the --enable-schema-mapping and the --enable-rfc2307bis switches.
So what you type is:
./configure --enable-rfc2307bis --enable-schema-mapping && make && make install
This will configure the source correctly, build, and install the new library.
Then edit your ldap.conf file.
I've put mine at the end of the message. I would recommend initially using
administrator to bind to your tree, and just put the password in the
ldap.conf file. Once you know that works, you can create an anonymous user
to bind as and move your admin password to the /etc/ldap.secret file.
I made a couple of changes to the MSSFU schema mapping section. I used
nss_map_attribute uid sAMAccountName
instead of
#nss_map_attribute uid msSFUName
--- and ---
nss_map_attribute uniqueMember Member
instead of
#nss_map_attribute uniqueMember posixMember
These changes make nss_ldap use the native AD userid and group membership attributes respectively.
Also I have two IP addresses in the host line. This allows one to provide redundancy.
Here is my /etc/ldap.conf file
# @(#)$Id: ldap.conf,v 1.8 2002/02/26 08:50:37 root Exp $
host 172.19.1.4 172.19.1.3
base dc=ratisle,dc=net
ldap_version 3
binddn anonymous@ratisle.net
scope sub
ssl yes
pam_filter objectclass=user
pam_login_attribute sAMAccountName
pam_password ad
nss_base_passwd ou=users,ou=sb consulting,dc=ratisle,dc=net?one
nss_base_shadow ou=users,ou=sb consulting,dc=ratisle,dc=net?one
nss_base_group ou=group,ou=sb consulting,dc=ratisle,dc=net?one
nss_map_objectclass posixAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute uniqueMember Member
nss_map_attribute userPassword msSFUPassword
nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_objectclass posixGroup Group
nss_map_attribute cn sAMAccountName
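As an added example (not the how-to's own code, and a simplified model rather than nss_ldap's actual implementation), this Python script parses the mapping lines of an ldap.conf like the one above, shows the AD filter a passwd lookup is translated into under --enable-schema-mapping, maps an AD entry back to a passwd(5) line, and flags the two settings the how-to warns about (SSL off, bind password left in ldap.conf). The sample config and the AD entry in the test are constructed.

```python
import re

# Constructed sample: the mapping-relevant lines of this how-to's ldap.conf.
SAMPLE_CONF = """\
base dc=ratisle,dc=net
ssl yes
nss_base_passwd ou=users,ou=sb consulting,dc=ratisle,dc=net?one
nss_map_objectclass posixAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory msSFUHomeDirectory
"""

def parse_conf(text):
    """Split nss_ldap-style ldap.conf text into settings, objectclass and attribute maps."""
    settings, oc_map, attr_map = {}, {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        if key in ("nss_map_objectclass", "nss_map_attribute"):
            rfc_name, ad_name = rest.split()
            (oc_map if key == "nss_map_objectclass" else attr_map)[rfc_name] = ad_name
        else:
            settings[key] = rest.strip()
    return settings, oc_map, attr_map

def escape_filter(value):
    """RFC 4515 escaping so a login name cannot change the shape of the filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def passwd_filter(oc_map, attr_map, login):
    """The AD search filter a getpwnam(login) lookup turns into after schema mapping."""
    objectclass = oc_map.get("posixAccount", "posixAccount")
    uid_attr = attr_map.get("uid", "uid")
    return "(&(objectClass=%s)(%s=%s))" % (objectclass, uid_attr, escape_filter(login))

def passwd_line(attr_map, entry):
    """Map an AD entry (dict of attribute -> [values]) back to a passwd(5) line."""
    def get(rfc_name):  # read the AD attribute that the RFC 2307 name is mapped to
        return entry.get(attr_map.get(rfc_name, rfc_name), [""])[0]
    return ":".join([get("uid"), "x", get("uidNumber"), get("gidNumber"),
                     get("gecos"), get("homeDirectory"), get("loginShell")])

def conf_warnings(settings):
    """Flag the two pitfalls the how-to mentions: no SSL, bind password left in ldap.conf."""
    checks = [(settings.get("ssl") != "yes", "ssl is not 'yes': binds cross the wire in clear"),
              ("bindpw" in settings, "bindpw in ldap.conf: move it to /etc/ldap.secret")]
    return [msg for bad, msg in checks if bad]
```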