From: Ariz Jacinto
X-Mailer: SquirrelMail (version 1.0.6)
Subject: Re: [plug] BIND/DNS & DHCP Assistance
Date: Fri, 24 Oct 2003 11:17:59 +0800 (PHT)

> Now our client PCs are all running win2k pro and some win98. How do I
> implement and integrate or use Active Directory for our network? I
> want ADS to make use of the BIND/DNS & DHCP service provided by the
> RHL9. Is this possible?
> Actually I tried to join a client using its Network Wizard. But there's
> a problem. ADS cannot recognize and update the domain?
> Another one. Are ADS and LDAP/OpenLDAP compatible, or can they work
> together as peer domain controllers?

This document is intended to assist you in integrating authentication
between LINUX and Microsoft Active Directory. Using the pam_ldap and
nss_ldap modules from one can use Active Directory as a central
authentication source for both Windows and LINUX systems.

Ariz C. Jacinto, ECE
Systems Operations
SPI Technologies-PS

Linux-AD Integration

[Mirrored from]

Updated 2/26/2002

Written and maintained by JJ Streicher-Bremer



What you need:

Win2K Domain controller. This can be virtually any DC on your network. You will need enterprise administrator rights (or at least schema admin rights). You will need to install the resource kit from the server CD; several utilities used here come from it. You will also need the schema file to add the appropriate attributes to your AD schema. Download the latest nss_ldap source from  As of this writing the latest version is 163.


Set up Win2K

1) Install the high-encryption pack. I got bit by this one: the high-encryption pack is needed to enable SSL over LDAP (more on that later).


2) Allow schema updates on your DC. You will need to use the Schema Management MMC snap-in to do this. The snap-in DLL is copied to the system when the Admin Pack is installed on a workstation. I believe the files are also installed when you upgrade a member server to a DC.


If this is the first time you are running this tool, you will need to register the schema management DLL with Windows. I guess the folks at Microsoft don't want one to "accidentally" modify the schema ;-) To register the DLL run this command: "regsvr32 c:\winnt\system32\schmmgmt.dll"


Create a Schema Management MSC

Console... Add/Remove Snap-in... Add

Select Active Directory Schema and click add

click close

click OK


Choose the domain controller you want to update the schema on:

Right click on "Active Directory Schema" and select "Change Domain Controller"

Select "Specify name" and type in the DNS name or address of your domain controller


Allow updates on the domain controller:

Right click on "Active Directory Schema" and select "Operations Master"

Click the checkbox "The Schema may be modified on this Domain Controller"

Click OK


Update the schema

1) Modify the schema file to reflect your domain

Do a global search and replace on the file, replacing "{targetdomain}" with ",dc=yourdomain,dc=[com,net,org,...]"

2) Import the schema: "ldifde -i -k -f your_modified_schema_file.ldif". This is one of the utilities installed with the resource kit.

3) Set up for SSL: install Certificate Services and assign a cert to the server

4) Add your users

Use ldp.exe to add the attributes for gecos, uidNumber, gidNumber, loginShell, msSFUHomeDirectory, msSFUName


Note: I no longer use ldp.exe to edit AD directly. Maxim Batourine has written a wonderful utility called AD4UNIX that is a snap-in for the Active Directory Users and Computers MMC. It allows one to modify the UNIX-related attributes for users directly from the same utility used to modify the NT attributes. It will even update your AD schema if you have not done so yet. It is available here.

Set up LINUX

Download the latest version of the nss_ldap source from  As of this writing it is version 184. This HOW-TO has been written for this version. Newer versions will probably work, but I have not tested them. You will need to re-compile nss_ldap with the --enable-schema-mapping and --enable-rfc2307bis switches.


So what you type is:

./configure --enable-rfc2307bis --enable-schema-mapping  && make && make install

This will configure the source correctly, build, and install the new library.


Then edit your ldap.conf file.

I've put mine at the end of the message. I would recommend initially using administrator to bind to your tree, and just put the password in the ldap.conf file. Once you know that works, you can create an anonymous user to bind as and move your admin password to the /etc/ldap.secret file.


I made a couple of changes to the MSSFU schema mapping section. I used

nss_map_attribute uid sAMAccountName

     instead of

#nss_map_attribute uid msSFUName

--- and ---

nss_map_attribute uniqueMember Member

     instead of

#nss_map_attribute uniqueMember posixMember


These changes make nss_ldap use the native AD user ID and group membership attributes, respectively.


Also, I have two IP addresses in the host line. This allows one to provide redundancy.


Here is my /etc/ldap.conf file

# @(#)$Id: ldap.conf,v 1.8 2002/02/26 08:50:37 root Exp $
# Search base for the whole directory
base dc=ratisle,dc=net
ldap_version 3

# Default search scope, used when an nss_base_* line has no "?scope" suffix
scope sub
# LDAP over SSL (port 636); needs a server cert on the DC (see "Set up for SSL")
ssl yes

# pam_ldap: only AD "user" objects may log in, matched on sAMAccountName
pam_filter objectclass=user
pam_login_attribute sAMAccountName
# Use the Active Directory password-change method
pam_password ad

# Where nss_ldap looks for users and groups; "?one" = one-level scope
nss_base_passwd ou=users,ou=sb consulting,dc=ratisle,dc=net?one
nss_base_shadow ou=users,ou=sb consulting,dc=ratisle,dc=net?one
nss_base_group ou=group,ou=sb consulting,dc=ratisle,dc=net?one

# Schema mapping (needs --enable-schema-mapping): RFC 2307 name -> AD/MSSFU name
nss_map_objectclass posixAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute uniqueMember Member
nss_map_attribute userPassword msSFUPassword
nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_objectclass posixGroup Group
nss_map_attribute cn sAMAccountName
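The following is an added example, not part of the HOW-TO or the message above: a small Python script that parses an ldap.conf in the format shown, applies the nss_map_* schema mapping the way nss_ldap would when resolving getpwnam()/getgrnam(), and prints the resulting search base, scope and filter. It also flags the two settings the message warns about (a cleartext bindpw left in the world-readable ldap.conf, and ssl not enabled). The embedded config is constructed for the example: it copies the mapping lines from the post and adds a hypothetical host line, binddn and bindpw so that the checker has something to catch. The filters it builds are this script's reading of the mapping, not the literal wire format nss_ldap emits.

```python
"""Parse an nss_ldap-style ldap.conf, show how the schema mapping turns a
POSIX lookup into an AD search, and audit the security-relevant settings."""

from typing import Dict, List, Tuple

# Constructed sample: mapping lines as in the post, plus a hypothetical
# host/binddn/bindpw so the audit below has something to flag.
SAMPLE_LDAP_CONF = """\
# @(#)$Id: ldap.conf,v 1.8 2002/02/26 08:50:37 root Exp $
host 192.0.2.10 192.0.2.11
base dc=ratisle,dc=net
ldap_version 3
binddn cn=Administrator,cn=users,dc=ratisle,dc=net
bindpw Secret123
scope sub
ssl yes

pam_filter objectclass=user
pam_login_attribute sAMAccountName
pam_password ad

nss_base_passwd ou=users,ou=sb consulting,dc=ratisle,dc=net?one
nss_base_shadow ou=users,ou=sb consulting,dc=ratisle,dc=net?one
nss_base_group ou=group,ou=sb consulting,dc=ratisle,dc=net?one

nss_map_objectclass posixAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute uniqueMember Member
nss_map_attribute userPassword msSFUPassword
nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_objectclass posixGroup Group
nss_map_attribute cn sAMAccountName
"""


def parse_ldap_conf(text: str) -> Dict[str, List[str]]:
    """Return {option: [value, ...]}. Repeated options (nss_map_*) keep every
    value; only the first whitespace splits, so DNs with spaces survive."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf


def _pair_map(conf: Dict[str, List[str]], option: str) -> Dict[str, str]:
    """Turn 'nss_map_attribute posixName adName' lines into a dict."""
    mapping = {}
    for value in conf.get(option, []):
        posix_name, ad_name = value.split()
        mapping[posix_name] = ad_name
    return mapping


def search_base(conf: Dict[str, List[str]], option: str) -> Tuple[str, str]:
    """Split 'dn?scope'; fall back to the global scope (default sub)."""
    raw = conf[option][0]
    if "?" in raw:
        dn, scope = raw.rsplit("?", 1)
        return dn, scope
    return raw, conf.get("scope", ["sub"])[0]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a login name comes from the user, so '*' or ')'
    in it must not be able to widen the filter (LDAP filter injection)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def passwd_lookup(conf: Dict[str, List[str]], login: str) -> Tuple[str, str, str]:
    """Base, scope and filter for getpwnam(login) under the schema mapping."""
    attrs = _pair_map(conf, "nss_map_attribute")
    classes = _pair_map(conf, "nss_map_objectclass")
    dn, scope = search_base(conf, "nss_base_passwd")
    filt = "(&(objectClass=%s)(%s=%s))" % (
        classes.get("posixAccount", "posixAccount"),
        attrs.get("uid", "uid"),
        escape_filter_value(login),
    )
    return dn, scope, filt


def group_lookup(conf: Dict[str, List[str]], name: str) -> Tuple[str, str, str, str]:
    """Base, scope, filter and membership attribute for getgrnam(name)."""
    attrs = _pair_map(conf, "nss_map_attribute")
    classes = _pair_map(conf, "nss_map_objectclass")
    dn, scope = search_base(conf, "nss_base_group")
    filt = "(&(objectClass=%s)(%s=%s))" % (
        classes.get("posixGroup", "posixGroup"),
        attrs.get("cn", "cn"),
        escape_filter_value(name),
    )
    return dn, scope, filt, attrs.get("uniqueMember", "uniqueMember")


def audit(conf: Dict[str, List[str]]) -> List[str]:
    """Findings on the settings the message itself warns about."""
    findings = []
    if conf.get("ssl", ["no"])[0].lower() not in ("yes", "on", "start_tls"):
        findings.append("ssl is off: binds and attribute data cross the network in cleartext")
    if "bindpw" in conf:
        findings.append("bindpw in ldap.conf: the file must be world-readable for nss_ldap, "
                        "so move the credential to rootbinddn + /etc/ldap.secret (mode 0600)")
    return findings


if __name__ == "__main__":
    cfg = parse_ldap_conf(SAMPLE_LDAP_CONF)
    print("getpwnam('jdoe') ->", passwd_lookup(cfg, "jdoe"))
    print("getgrnam('staff') ->", group_lookup(cfg, "staff"))
    for f in audit(cfg):
        print("WARNING:", f)
```

Run it and compare the printed filter with what shows up in the DC's LDAP logs or in a packet capture on port 636 (you will only see the filter if SSL is off, which is one reason to keep ssl yes). Once the bind works, the audit's bindpw warning is the cue to follow the message's advice and move the admin credential into /etc/ldap.secret.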