--- Sjoerd Hooft's InFormation Technology ---

AD Identity Management for Unix

When connecting Solaris, Linux, AIX or any other UNIX-based system to Active Directory, you'll have to install Identity Management for Unix on each domain controller that will be used for UNIX-based authentication. The reason you need to do this on each domain controller is that the service is actually a role service, and role services need to be installed on every server performing that role. Identity Management for Unix is a role service of the Active Directory Domain Services role, as you can see in Server Manager, which is used to install the role service:
adinstallidmforunix01.jpg

After clicking “Add Role Services” the corresponding wizard starts, allowing you to select the Identity Management for Unix service. Deselect the Password Synchronization options: we won't store passwords locally on the UNIX servers, so we won't need them:
adinstallidmforunix02.jpg
Confirm the selection and click Install to start the installation:
adinstallidmforunix03.jpg
The installation starts:
adinstallidmforunix04.jpg
When done the wizard tells you to reboot, which you must do:
adinstallidmforunix05.jpg
After the reboot the server manager will show you the successful installation of Identity Management for Unix:
adinstallidmforunix06.jpg

Using Identity Management for Unix

When starting to use Identity Management for Unix there are always a few standard steps that have to be done for the service to work. You'll always need a bind user (or use anonymous bind), and you always need a primary group of which every LDAP user needs to be a member.

Bind User

Creating a bind user is the same as creating an ordinary user. We'll walk you through the steps anyway:

  • Go to Start → All Programs → Administrative Tools → Active Directory Users and Computers
  • Navigate to the OU where you want the user to exist and click on Action → New → User
  • When entering a name make sure it's a simple and descriptive name:

adinstallidmforunix07.jpg

  • Enter a password that satisfies your password complexity rules, and make sure you set the password settings correctly:
    • uncheck 'User must change password at next logon'
    • check 'User cannot change password'
    • check 'Password never expires':

adinstallidmforunix08.jpg
Finish creating the account. When you're done, open the properties of the account, go to the 'Member Of' tab and:

  • Add the group Domain Guests and make it the Primary Group using the 'Set Primary Group' button below
  • Remove the Domain Users group:

adinstallidmforunix09.jpg

You now have a secure bind user with minimal permissions.

Create Primary Group

You'll need a primary group of which every UNIX user will have to be a member. If you already have a working environment you'll probably have a group which gives permissions to the application or a management environment. There is no problem using an existing group, as long as it's a global security group.
To create a new group follow these steps:

  • Go to Start → All Programs → Administrative Tools → Active Directory Users and Computers
  • Navigate to the OU where you want the group to exist and click on Action → New → Group
  • Enter a descriptive name for the group and make sure it's a global security group. Click on OK when you're done:

adinstallidmforunix10.jpg

  • After the group has been created open the properties and go to the tab 'UNIX Attributes'.
  • Select the NIS Domain and accept the default GID (10000):

adinstallidmforunix11.jpg

Note that if the default GID is not 10000, there are probably already UNIX-enabled groups in the directory. Make sure the GID you enter is unique; you will get a warning when it is not.
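The bind user and primary group steps above can also be done from the ActiveDirectory PowerShell module. This is an added example, not something from the original page: the OU paths, account and group names and the NIS domain value are placeholder assumptions, and it assumes the UNIX Attributes tab writes the RFC 2307 attribute gidNumber and the SFU attribute msSFU30NisDomain.

```powershell
# Added example (not from the original wiki page): create the bind user and the
# UNIX primary group described above with the ActiveDirectory module.
Import-Module ActiveDirectory

$BindUserOU   = 'OU=Service Accounts,DC=example,DC=com'   # assumption: placeholder OU
$GroupOU      = 'OU=Groups,DC=example,DC=com'             # assumption: placeholder OU
$BindUserName = 'svc-ldapbind'                            # assumption: simple, descriptive name
$GroupName    = 'unix-users'                              # assumption: placeholder group name
$NisDomain    = 'example'                                 # assumption: NIS domain chosen in the UNIX Attributes tab
$Gid          = 10000                                     # default GID offered by the tab

# 1. Bind user: no password change at first logon, cannot change password, never expires.
$password = Read-Host -AsSecureString -Prompt "Password for $BindUserName"
New-ADUser -Name $BindUserName -SamAccountName $BindUserName -Path $BindUserOU `
    -AccountPassword $password -Enabled $true `
    -ChangePasswordAtLogon $false -CannotChangePassword $true -PasswordNeverExpires $true

# 2. Make Domain Guests the primary group, then remove Domain Users.
#    primaryGroupID stores the group's RID; Domain Guests is the well-known RID 514.
#    The user must be a member of the group before it can become the primary group.
Add-ADGroupMember -Identity 'Domain Guests' -Members $BindUserName
Set-ADUser -Identity $BindUserName -Replace @{ primaryGroupID = 514 }
Remove-ADGroupMember -Identity 'Domain Users' -Members $BindUserName -Confirm:$false

# 3. Primary group for UNIX users: global security group with UNIX attributes.
#    The GUI only warns about a duplicate GID; this script refuses to continue.
$existing = Get-ADObject -LDAPFilter "(gidNumber=$Gid)" -Properties gidNumber
if ($existing) {
    throw "GID $Gid is already used by $($existing.DistinguishedName)"
}
New-ADGroup -Name $GroupName -SamAccountName $GroupName -Path $GroupOU `
    -GroupScope Global -GroupCategory Security
Set-ADGroup -Identity $GroupName -Replace @{ gidNumber = $Gid; msSFU30NisDomain = $NisDomain }

# 4. Verify both objects ended up as the procedure describes.
Get-ADUser $BindUserName -Properties primaryGroupID, MemberOf, PasswordNeverExpires, CannotChangePassword |
    Select-Object SamAccountName, primaryGroupID, PasswordNeverExpires, CannotChangePassword, MemberOf
Get-ADGroup $GroupName -Properties gidNumber, msSFU30NisDomain |
    Select-Object Name, GroupScope, GroupCategory, gidNumber, msSFU30NisDomain
```

The final two queries should show primaryGroupID 514 with no Domain Users membership for the bind user, and a Global Security group carrying the chosen gidNumber.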
adinstallidmforunix.txt · Last modified: 2021/09/24 00:24 (external edit)