--- Sjoerd Hooft's InFormation Technology ---

User Tools

Site Tools



Recently Changed Pages:

View All Pages

View All Tags

WIKI Disclaimer: As with most other things on the Internet, the content on this wiki is not supported. It was contributed by me and is published “as is”. It has worked for me, and might work for you.
Also note that any view or statement expressed anywhere on this site are strictly mine and not the opinions or views of my employer.

Pages with comments

2019/11/18 13:52 1 Comment

View All Comments


AD LDAP For Linux

The goal in this article is to enable Linux (SLES 11 SP1) boxes to use the Active Directory (2008) as the central directory for authentication.

Windows Server 2008

Identity Management For Unix

After installing the Windows Server 2008 and installing Active Directory on it you have to add Identity Management for Unix to the server:

  • Start the control panel (in classic view) and go to 'Programs and Features'.
  • Click on 'Turn Windows features on or off'.
  • Under 'Server manager', expand the 'Roles' section and rightclick the 'Active Directory Domain Services'.
  • Click on 'Add Role Services'.
  • Check the 'Identity Management for UNIX' checkbox.
  • Click Next and then Install. Be aware you have to restart the server afterwards.
  • After the reboot the configuration resumes, finishing with the message that the installation was succeeded.

Primary Group

Inside AD you have to create a group which will function as a primary group for users which will be logging into the linux systems. To do so, follow these steps:

  • Go to start → All Programs → Administrative Tools → Active Directory Users and Computers
  • Navigate to the OU where you want the group to exist and click on Action → New → Group
  • Enter a name for the group (like LDAP) and make sure it's a global security group. Click on OK when you're done.
  • After the group had been created open the properties and go to the tab 'UNIX Attributes'.
  • Select the NIS Domain and accept the default GID (10000):


If the GID is not 10000 there are probably already unix enabled groups in the directory. Make sure the GID you enter is unique, although you will get a warning when the GID is not unique.

Bind User

Inside AD you have to create a user which will function as the bind user so anonymous login (which does not work by default) is not required. To do so, follow these steps:

  • Go to start → All Programs → Administrative Tools → Active Directory Users and Computers
  • Navigate to the OU where you want the user to exist and click on Action → New → User
  • Enter your preferred naming syntax for service accounts, and when you're done click Next:
    • First name: Service Account
    • Last name: LDAP
    • User login name: sa_ldap
  • Enter a password considering your password complexity rules, and:
    • uncheck 'User must change password at next logon'
    • check 'User cannot change password'
    • check 'Password never expires'
  • Finish creating the account and when you're done open the properties of the account and go to the tab 'Member Of' and:
    • Add the group Domain Guests and make it the Primary Group using the 'Set Primary Group' button below
    • Remove the Domain Users group:


Linux Users

For each Active Directory user that you want to enable for UNIX logins, you will need to configure their UNIX attribute properties. For new users, follow these steps:

  • Go to start → All Programs → Administrative Tools → Active Directory Users and Computers
  • Navigate to the OU where you want the user to exist and click on Action → New → User
  • Just enter names, logon credentials and set their password. When the user is created open the properties and go to the 'UNIX Attributes' tab.
  • Select the NIS Domain, set the Login Shell to /bin/bash and set the Primary group name (GID) to the group you created two steps before.
  • Accept the other default settings and click OK:




After installing SLES 11 you need to install some additional packages:

  • pam-ldap
  • pam-ldap-32bit
  • nss-ldap
  • nss-ldap-32bit
  • krb-client
  • pam_krb5
  • pam_krb5-32bit

Additionally you need to set these options:

  • Set the DNS server to the AD DNS server
    • Make sure the /etc/resolv.conf file lists the AD server and the AD domain as the search option:
search shift.local
  • Set the ntp source to the AD server
    • rcntp addserver
  • Make sure the /etc/hosts file lists your client as well as your server:     sles.shift.local sles    ad-ldaptest.shift.local ad-ldaptest

LDAP and Kerberos

Now all the requirements are set we can configure LDAP and Kerberos to be used for authentication. To do so, follow these steps:

  • Go to yast → 'Security and Users' → 'User and Group Management' and go to the tab 'Authentication Settings'

Click on LDAP and enter these settings:

  • Use LDAP
  • Addresses of LDAP Servers: The ip-address of the ad server
  • LDAP Base DN: The search base of your AD, for example: DC=shift,DC=local
  • Check 'Create Home Directory on Login'
    • Go to Advanced Configuration and enter these settings:
    • Under Client Settings:
      • Password Change Protocol: ad
      • Group Member Attribute: member
    • Under Administration Settings:
      • Administrator DN: The user principal name (userPrincipalName) of the bind user you've created in AD
  • Click twice on OK

Now, click on Kerberos and enter these settings:

  • Use Kerberos
  • Default Domain: The AD domain, for example: shift.local
  • Default REALM: The AD domain in capitals, for example: shift.local
  • KDC Server Address: The ip-address of the ad server
  • Click OK

Now click OK in the Authentication Settings window. If you haven't installed the required software packages yet you'll be prompted to do so now.


Now, before you go on check the ldap.cfg file. The reason behond this is that SLES is owned by Novell and by default when you configure SLES for LDAP authenticatie it will be done for ldap authentication on eDirectory. See here if you want to know more about that, but now we're configuring for AD. The main problem we're now facing is the attribute mapping. eDirectory has a LDAP Server object which handles the LDAP attribute mapping. AD does not, so the attribute mapping must be done on the linux client. These are my settings, they are all by default included in the file but can be commented out:

sles:~ # cat /etc/ldap.conf | grep ^[a-z]
base    DC=shift,DC=local
uri     ldap://
binddn  sa_ldap@shift.local
bindpw  LD4Paccess
bind_policy     soft
pam_lookup_policy       yes
nss_initgroups_ignoreusers      root,ldap
nss_schema      rfc2307bis
nss_map_objectclass     posixAccount user
nss_map_objectclass     shadowAccount user
nss_map_attribute       uid sAMAccountName
nss_map_attribute       homeDirectory unixHomeDirectory
nss_map_attribute       shadowLastChange pwdLastSet
nss_map_objectclass     posixGroup group
nss_map_attribute       uniqueMember member
pam_login_attribute     sAMAccountName
pam_filter      objectclass=User
pam_password    ad
ssl     no
ldap_version    3
tls_checkpeer   no


Check this file as well:

passwd: files ldap
group:  files ldap
shadow: files ldap
hosts:  files dns
networks:       files dns

services:       files ldap
protocols:      files
rpc:    files
ethers: files
netmasks:       files
netgroup:       files ldap
publickey:      files

bootparams:     files
automount:      files nis
aliases:        files ldap
passwd_compat:  ldap


Now everything is configured and if everything went well you can login:

login as: sjoerd
Using keyboard-interactive authentication.
Creating directory '/home/sjoerd'.
Creating directory '/home/sjoerd/.mozilla'.
Creating directory '/home/sjoerd/.fonts'.
Creating directory '/home/sjoerd/bin'.
/usr/bin/xauth:  creating new authority file /home/sjoerd/.Xauthority

uid=10000(sjoerd) gid=10000(LDAP) groups=10000(LDAP)


Are your groups not synchronizing properly? Check your cache.



Enter your comment. Wiki syntax is allowed:
adldapforlinux.txt · Last modified: 2019/11/18 12:21 (external edit)