Quick Configuration for OpenLDAP and Kerberos and Steps for Authenticating Linux to Active Directory
Overview
This work consists of three sections:
Section 1: OpenLDAP Configuration
Section 2: Kerberos Configuration
Section 3: Authenticating Linux Machine to Active Directory
Here is the part of my report about authenticating a Linux machine to Active Directory (section 3).
Section 3: Authenticating Linux Machine to Active Directory
1. This work is done with the help of an important article on the net about Active Directory and Linux integration.
2. I downloaded the AD4Unix plugin.
3. Using the "Configure Your Server" wizard, I set up Active Directory. In this case, since it was a new installation in an isolated environment, I created a new domain, new tree, new forest of trees, and a new DNS zone. My domain is allah.msft and my server name is hedaya1.allah.msft. I also created a secondary (slave) zone, localdomain.msft, the same as the domain name of my Linux machine.
4. Allow schema updates on the domain controller.
5. Now it is possible to install the ADS4Unix plugin. To do this, find the location where the .MSI installer file was downloaded to, and double-click it in the file manager. Say Yes to the questions about schema updates.
6. On the Start menu under "Programs" there should now be an extra menu titled "AD4Unix". This contains the AD4Unix configuration program (MKSADPluginSettings). Run this configuration program and set up an NIS name (linux1.localdomain.msft, my Linux machine name).
7. To add a new user, run the program "Active Directory Users and Computers" from the "Administrative Tools" menu. Note that you need to run this program from the same computer on which the ADS4Unix plugins were installed.
8. After creating a new user, the user editor window (obtained by double-clicking a user in the user list) will contain an extra tab, titled "Unix settings". This contains the following extra fields
9. On the Linux side, the most important components are nss_ldap and pam_ldap. If you want to obtain the modules from source code, then you will need to download them from the "Software" page at the PADL web site, above. You will need both pam_ldap (available as pam_ldap.tgz) and nss_ldap (nss_ldap.tgz).
10. If you recompile from source, get the latest version of nss_ldap (183 or thereabouts as of this writing), and make sure you use the following two options on the ./configure line when compiling:
    # ./configure --enable-schema-mapping --enable-rfc2307bis
The --enable-rfc2307bis flag is required for any nss_ldap version after 172 (Red Hat 7.2 uses 172, so this flag is not needed there).
11. The configuration file for nss_ldap is the file /etc/ldap.conf. Once you have installed nss_ldap and pam_ldap, you will need to edit the /etc/ldap.conf file, as follows.
On the first screen, select "Use LDAP". Enter the IP address of the LDAP server (which is your Windows 2000 Active Directory) and the base DN that you entered when you set up Active Directory (e.g. dc=allah,dc=msft). Also make sure that "Use LDAP Authentication" is checked.
12. The authentication graphical tool is intended to set up a system to authenticate to an OpenLDAP server, and therefore doesn't perform all of the functions needed to set up your system to authenticate against Active Directory. To complete the configuration, you will need to edit your /etc/ldap.conf file, which is the primary configuration file for OpenLDAP.
13. At this stage, everything should nearly be working. You should be able to log in as a user in your Active Directory domain, using the Active Directory password, and mostly get logged in. You will see some error messages, however, including:
id: cannot find name for user ID 1001
id: cannot find name for group ID 1000
This is because your Active Directory cannot be searched anonymously. There are two solutions for this problem:
Enable anonymous searches on your Active Directory
Insert an administrator DN and password into /etc/ldap.conf
To enable anonymous searches on your Active Directory, follow these steps:
On your Windows 2000 Active Directory server, run the Active Directory Users and Groups administration tool.
Select the top level of the directory from the tree view in the left hand panel, and right click. A menu will appear. Select the first item, which should be "Delegate Control..."
Click "Next"
In the next window, titled "Users or Groups", click "Add ..."
In the next list, select "ANONYMOUS LOGON" and click "Add". You may also need to select "Everyone" and the "Guests" group, depending on how you have Active Directory configured. Click OK when this is done.
Click "Next"
Select "Create a custom task to delegate" and click "Next".
Click "Next"
In the next list, select "Read". "Read All Properties" will be selected at the same time. Click "Next" when this is done.
Click "Finish".
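Steps 11 to 13 come down to the contents of /etc/ldap.conf: the "host" and "base" lines the graphical tool writes, plus, if you choose the second solution, a "binddn" and "bindpw" pair so that nss_ldap does not have to search the directory anonymously. The script below is an added example and is not part of the original report or of the nss_ldap or AD4Unix projects. It generates such a file from the values in the text and then checks it. The check matters because /etc/ldap.conf has to stay readable by every local user for NSS lookups to work, so a password placed in it is visible to all of them; the server address, the bind account name and the password string are constructed placeholders, and the keyword names (host, base, binddn, bindpw, bind_timelimit, timelimit) are the ones nss_ldap documents.

```shell
#!/bin/sh
# Added example, not from the original report: write a minimal nss_ldap
# /etc/ldap.conf for the Active Directory described above and sanity-check it.
# Server address, bind DN and password below are constructed placeholders.

# Generate a config. Usage: write_ldap_conf OUTFILE SERVER BASE_DN [BIND_DN BIND_PW]
write_ldap_conf() {
    out=$1; server=$2; base=$3; binddn=$4; bindpw=$5
    {
        echo "# nss_ldap / pam_ldap configuration (constructed example)"
        echo "host $server"
        echo "base $base"
        if [ -n "$binddn" ]; then
            # Solution 2 from the text: bind with a directory account instead
            # of relying on anonymous searches.
            echo "binddn $binddn"
            echo "bindpw $bindpw"
        fi
        # Timeouts keep logins from hanging if the domain controller is down.
        echo "bind_timelimit 5"
        echo "timelimit 10"
    } > "$out"
}

# Check a config file. Prints findings and returns:
#   0 clean, 1 a required key is missing, 2 a bindpw sits in a world-readable file.
check_ldap_conf() {
    f=$1
    rc=0
    for key in host base; do
        if ! grep -q "^$key[[:space:]]" "$f"; then
            echo "missing required key: $key"
            rc=1
        fi
    done
    if grep -q '^bindpw[[:space:]]' "$f"; then
        # Character 8 of the ls -l mode string is the "others can read" bit.
        others_read=$(ls -l "$f" | cut -c8)
        if [ "$others_read" = "r" ]; then
            echo "bindpw stored in world-readable file $f"
            [ "$rc" -eq 0 ] && rc=2
        fi
    fi
    return $rc
}

# Demonstration: build a config with a bind account and check it.
demo() {
    dir=$(mktemp -d)
    write_ldap_conf "$dir/ldap.conf" 192.0.2.10 "dc=allah,dc=msft" \
        "cn=ldapreader,cn=Users,dc=allah,dc=msft" "CHANGE-ME"
    chmod 644 "$dir/ldap.conf"
    cat "$dir/ldap.conf"
    check_ldap_conf "$dir/ldap.conf" || echo "check returned $?"
    rm -rf "$dir"
}
demo
```

If you go with the bind-account solution, create a dedicated account with read-only access for the binddn rather than using an administrator, since whatever password goes into /etc/ldap.conf is readable by every user on the Linux machine.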
Finally, I created new Linux accounts in the Active Directory, and things worked properly; finger on the Linux machine sees the account.
You can find my whole book at http://www.lulu.com/content/347327
My Email Address: [email protected]