Re: [nssldap] some questions regarding Active Directory <--> NSS Ldap

Thank you, that was what I was looking for! I can map all users to
uid=1000, gid=1000, thanks a lot.
Also, how do you manage pam-ldap in the case of Active Directory?

I used to work with OpenLDAP and figured out two ways pam-ldap works:

1) it can bind using a "proxy user", find the required user and compare the
userPassword field; in such a case it doesn't matter where the user resides,
but the userPassword field must be readable by the proxy user

2) it can bind to a certain context, say ou=Users,blah-blah-blah, using the
supplied password; in such a case userPassword must not be readable, but
all users should reside within a certain container (OU).

Neither will work with AD. In the case of AD, a two-step scheme would work:

a) bind to AD using some proxy-like user and find where the user actually resides

b) bind as the found user using the supplied password

Is it possible to implement such an algorithm using pam-ldap? In my case
users are split across many sites and I cannot move them to a single OU.

2010/2/23 Jeffrey Watts <jeffrey.w.watts@gmail.com>:
> There are five attributes that need adding (or otherwise dealt with) to a
> standard AD user to make them work with nss_ldap:
> gecos
> gidNumber
> loginShell
> uidNumber
> unixHomeDirectory
>
> Note that AD groups need the gidNumber set as well.
>
> I map gecos to displayName, and the other four get set for our AD users that
> need access to Unix systems.  Since we use the same shell and gidNumber for
> all AD users, technically only two attributes need to be set (I believe there is
> an option, nss_default_attribute_value, that will work to set defaults for
> attributes not set).
>
> Here are my mappings:
>
> nss_map_objectclass posixAccount user
> nss_map_objectclass shadowAccount user
> nss_map_objectclass posixGroup group
> nss_map_attribute gecos displayName
> nss_map_attribute homeDirectory unixHomeDirectory
> nss_map_attribute shadowExpire accountExpires
> nss_map_attribute shadowLastChange pwdLastSet
> nss_map_attribute uid sAMAccountName
> nss_map_attribute uniqueMember member
>
> Don't forget to set the PAM attributes as well.  I'm using a Windows2008R2
> schema on Win2008R2 and Win2003 servers.  Clients are RHEL3,4,5 and HP-UX
> 11.11,23,31.  Make sure that your users and groups are in a container that
> falls within the nss_base_* variables.
>
> Jeffrey.
>
>
> On Tue, Feb 23, 2010 at 8:53 AM, Илья Шипицин <chipitsine@gmail.com> wrote:
>>
>> Hello!
>>
>> first, I found that readme.sfu is outdated; how should I request that it be
>> excluded? Via BugZilla?
>>
>> secondly, I uncommented the following section in libnss_ldap.conf (on
>> Debian)
>>
>> # RFC 2307 (AD) mappings
>> nss_map_objectclass posixAccount user
>> nss_map_objectclass shadowAccount user
>> nss_map_attribute uid sAMAccountName
>> nss_map_attribute homeDirectory unixHomeDirectory
>> nss_map_attribute shadowLastChange pwdLastSet
>> nss_map_objectclass posixGroup group
>> nss_map_attribute uniqueMember member
>>
>> on the wire (by using wireshark) I see the following attributes being
>> requested: sAMAccountname, userPassword, uidNumber, gidNumber, cn,
>> unixHomeDirectory, loginShell, gecos, description, objectClass (10 attributes)
>>
>> however, AD only provides 4 attributes:
>> sAMAccountname,cn,objectClass,description
>>
>> thus, the id command (id 'someuser') doesn't show anything. Yes, the query is
>> made and 4 attributes are returned, but the user is not found, probably because
>> nss_ldap expects more than 4 attributes. Where can I read about it? What
>> attributes are mandatory and what are optional?
>>
>> is there a good article on Active Directory <--> NSS (all the articles on
>> the site are related to win2000 or the links are just broken)? I mean some
>> article on win2008
>>
>>
>> Cheers,
>> Ilya Shipitsin
>>
>
>
> --
>
> "He that would make his own liberty secure must guard even his enemy from
> oppression; for if he violates this duty he establishes a precedent that
> will reach to himself." -- Thomas Paine
>
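The two-step scheme asked about above (search the whole tree as a proxy user, then bind as the located entry), as an added example that is not part of the thread: a minimal Python routine written against a search/bind interface, with FakeDirectory standing in for the AD server so it runs offline. All DNs, account names and passwords are constructed; the routine also shows the two checks a defender wants here, refusing an empty password (which LDAP treats as an anonymous bind) and refusing an ambiguous login name.

```python
from dataclasses import dataclass, field


@dataclass
class FakeDirectory:
    """Constructed in-memory stand-in for the AD server: entries keyed by DN.
    Each entry holds its attributes plus a "_pw" secret used by bind()."""
    entries: dict = field(default_factory=dict)

    def search(self, base, attr, value):
        """Subtree search: DNs under `base` whose `attr` equals `value`."""
        base = base.lower()
        return [dn for dn, e in self.entries.items()
                if dn.lower().endswith(base)
                and e.get(attr, "").lower() == value.lower()]

    def bind(self, dn, password):
        """Simple bind. As on a real LDAP server, an empty password is an
        anonymous bind that 'succeeds' without proving who the caller is."""
        if password == "":
            return True
        return self.entries.get(dn, {}).get("_pw") == password


def authenticate(directory, proxy_dn, proxy_pw, base, login_attr, login, password):
    """Step a) bind as the proxy user and locate the account anywhere under
    `base` (subtree scope, so users spread over many site OUs are found).
    Step b) bind as the located DN with the password the user supplied."""
    if not password:
        return False  # an empty password must never turn into an anonymous bind
    if not directory.bind(proxy_dn, proxy_pw):
        raise RuntimeError("proxy bind failed")
    matches = directory.search(base, login_attr, login)
    if len(matches) != 1:
        return False  # unknown login name, or ambiguous: refuse rather than guess
    return directory.bind(matches[0], password)


# Constructed sample forest: a proxy account and one user in each of two sites.
PROXY_DN = "CN=svc-nss,OU=Service,DC=example,DC=local"
AD = FakeDirectory({
    PROXY_DN: {"sAMAccountName": "svc-nss", "_pw": "proxy-secret"},
    "CN=Alice,OU=Users,OU=SiteA,DC=example,DC=local": {"sAMAccountName": "alice", "_pw": "hunter2"},
    "CN=Bob,OU=Users,OU=SiteB,DC=example,DC=local": {"sAMAccountName": "bob", "_pw": "s3cret"},
})


def login(user, pw):
    """Authenticate `user` against the sample forest with the mail's two-step scheme."""
    return authenticate(AD, PROXY_DN, "proxy-secret", "DC=example,DC=local",
                        "sAMAccountName", user, pw)
```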