Linux + Active Directory user mapping

  • iclcz01
  • Posts: 3

Post 3+ Months Ago

Hello,
I need to implement AD authentication on a SuSE Linux machine, where there are some local users and some software bound to them (for example Informix and the user informix with UID=1001, GID=1000).
Now I want to create a domain user informix with the same UID and GID as the local informix.
But I cannot find out how to do it. Does anybody have an idea? The problem is that I cannot simply chown and chgrp the files belonging to the local user, since Informix remembers the original UID used at installation time.
Thank you.
  • Daemonguy
  • Moderator
  • Posts: 2700
  • Loc: Somewhere outside the box in Sarasota, FL.

Post 3+ Months Ago

http://www.windowsnetworking.com/articl ... ctory.html
  • vijayan
  • Posts: 52
  • Loc: india

Post 3+ Months Ago

Hi,

Why are you not trying with LDAP?
If you want to try with LDAP, the procedure is mentioned below.

---------------------------------------------------------

Let us assume that your LDAP server has the following properties:

Your domain = example.com
Fully Qualified Domain Name (FQDN)= com1.example.com
IP address is 192.68.1.20


Your Linux server must have the following packages installed:

nss_ldap-249-1
openldap-2.3.19-4
openldap-clients-2.3.19-4


Step 1:

Edit the file "/etc/openldap/ldap.conf" and insert the following lines:


TLS_REQCERT allow
host 192.68.1.20
BASE dc=example,dc=com


Step 2:

You can search the directory tree structure with the help of the 'ldapsearch' command.
ldapsearch opens a connection to an LDAP server, binds, and performs a search using the specified parameters. The filter should conform to the string representation for search filters as defined in RFC 2254. If not provided, the default filter, (objectClass=*), is used.

For more information read "man ldapsearch"


Step 3:

We will use the ldapsearch command with the following parameters and save the output in the "search.txt" file.


ldapsearch -b "dc=example,dc=com" -h 192.68.1.20 -p 389 -D "cn=Administrator,cn=Users,dc=example,dc=com" -x -W >> search.txt



Explanation:

a) -b searchbase
Use searchbase as the starting point for the search instead of the default. Your search base will be "dc=example,dc=com".

b) -D binddn
Use the Distinguished Name binddn to bind to the LDAP directory.
The distinguished name for the administrator will be (cn=Administrator,cn=Users,dc=example,dc=com).

c) -x Use simple authentication instead of SASL.

d) -W Prompt for the password.

e) >> search.txt: save the output to search.txt.


The directory tree structure of the base DN will be saved in the file "search.txt".


Step 4:

Back up the original ldap.conf file:

cp /etc/ldap.conf /etc/ldap.conf.org

Step 5:

Next, edit the "/etc/ldap.conf" file:

vi /etc/ldap.conf

host 192.68.1.20
base dc=example,dc=com
binddn cn=user1,cn=Users,dc=example,dc=com
bindpw password
ldap_version 3
port 389
pam_filter objectclass=User
pam_login_attribute sAMAccountName
pam_password ad
nss_initgroups_ignoreusers root,ldap
ssl no
nss_map_attribute uniqueMember member

Here ‘user1’ is any existing username on the LDAP server, and ‘password’ is user1’s password.


Step 6:

Now edit the PAM file of service-name, /etc/pam.d/service-name:

vi /etc/pam.d/service-name

#%PAM-1.0

## This enables authentication of the users from a Windows Domain Server or a Samba Server
#auth sufficient /lib/security/pam_smb_auth.so debug nolocal

# This authenticates users against the LDAP directory configured in /etc/ldap.conf
auth sufficient pam_ldap.so debug

## pam_permit always succeeds, so no account restrictions (expiry, lockout) are enforced here.
## This is a pretty standard directive and needs to be changed only in a very few special cases
account sufficient pam_permit.so

Step 7:

Now we will check PAM authentication with the help of the pamtester package.

Download and install pamtester.tar.gz from:
http://puzzle.dl.sourceforge.net/source ... 1.2.tar.gz

Use the following command to test service-name PAM authentication:

pamtester service-name user1 authenticate

Here user1 is an existing username on your LDAP server.
You will be asked for a password. Type user1's password.
The response should be:

pamtester: successfully authenticated
---------------------------------------------------------
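The /etc/ldap.conf from Step 5 and the TLS_REQCERT line from Step 1 contain settings worth auditing before going live (cleartext LDAP on port 389, a bind password stored in a world-readable file, server certificate checking disabled). The following is an added example, not code from the post: a small checker run over a constructed copy of the posted settings and a constructed hardened variant (the hostname, proxy account and CA file path in it are assumptions).

```python
import re

# Constructed: the client-side settings from Steps 1 and 5 of the post, merged into one file
POSTED_CONF = """\
host 192.68.1.20
base dc=example,dc=com
binddn cn=user1,cn=Users,dc=example,dc=com
bindpw password
port 389
pam_login_attribute sAMAccountName
ssl no
TLS_REQCERT allow
"""

# Constructed hardened variant: LDAPS, server certificate verified against a CA, no password in the file
HARDENED_CONF = """\
uri ldaps://com1.example.com/
base dc=example,dc=com
binddn cn=nssproxy,cn=Users,dc=example,dc=com
ssl on
tls_cacertfile /etc/ssl/certs/ad-ca.pem
TLS_REQCERT demand
"""

def parse_conf(text):
    """Return {key (lowercased): value} for each non-blank, non-comment line."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def audit_ldap_conf(text):
    """Return the set of weak-setting findings for one ldap.conf body."""
    conf = parse_conf(text)
    findings = set()
    encrypted = conf.get("ssl", "no").lower() in ("on", "start_tls") \
        or conf.get("uri", "").lower().startswith("ldaps://")
    if not encrypted:
        # Bind DN, bind password and every directory lookup cross the network in clear text
        findings.add("cleartext_ldap")
    if "bindpw" in conf:
        # nss_ldap needs this file readable by every local user, so the password is exposed to all of them
        findings.add("password_in_config")
    if conf.get("tls_reqcert", "demand").lower() in ("never", "allow"):
        # The server certificate is not verified, so a spoofed directory server would be accepted
        findings.add("no_server_cert_check")
    return findings
```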
  • iclcz01
  • Posts: 3

Post 3+ Months Ago

Thank you both. I will try the LDAP later.
To Daemonguy: I configured Kerberos as described, but I get no ticket when testing with kinit (although the domain password is accepted). Also, I do not see my server in the domain when I look on the AD server. Should I see it there?
  • vijayan
  • Posts: 52
  • Loc: india

Post 3+ Months Ago

Hi,

How are you trying to join the ADS server?



*************
Vijayan Linux
*************
  • iclcz01
  • Posts: 3

Post 3+ Months Ago

Hello,
I am using Samba+Winbind, which works well. What I want is to have the local user informix and DOMAIN\informix with the same UID.
  • vijayan
  • Posts: 52
  • Loc: india

Post 3+ Months Ago

After you have finished joining the ADS server, try this command:

getent passwd

You will get a list of all users on the Linux machine, including those from the ADS server.



**********
Vijayan Linux
**********
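The UID question from the original post can be checked against the user listing the last reply suggests. This is an added example, not code from the thread: it parses a constructed getent-style listing in which winbind has allocated its own UID to DOMAIN\informix while a different domain account happens to land on UID 1001, and reports both conditions (the DOMAIN\ prefix follows winbind's default separator).

```python
from collections import defaultdict

# Constructed sample of `getent passwd` output after the winbind join:
# local entries come from /etc/passwd, DOMAIN\ entries from winbind's idmap allocation.
GETENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
informix:x:1001:1000:Informix local:/opt/informix:/bin/bash
DOMAIN\\informix:x:10001:10000:Informix domain:/home/DOMAIN/informix:/bin/bash
DOMAIN\\dbadmin:x:1001:10000:DB admin:/home/DOMAIN/dbadmin:/bin/bash
"""

def parse_passwd(text):
    """Yield (name, uid, gid) for each passwd-format line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        yield fields[0], int(fields[2]), int(fields[3])

def uid_owners(text):
    """Map each UID to the sorted list of account names that resolve to it."""
    owners = defaultdict(set)
    for name, uid, _gid in parse_passwd(text):
        owners[uid].add(name)
    return {uid: sorted(names) for uid, names in owners.items()}

def shared_uids(text):
    """UIDs claimed by more than one account name. The kernel only sees the number,
    so file ownership and audit records cannot tell these accounts apart."""
    return {uid: names for uid, names in uid_owners(text).items() if len(names) > 1}

def uid_for(text, name):
    """UID an account name resolves to, or None if NSS does not know it."""
    for candidate, uid, _gid in parse_passwd(text):
        if candidate == name:
            return uid
    return None

def same_identity(text, local_name, domain_name):
    """True when the local and domain spellings of an account share one UID (the
    mapping the thread asks for); False when idmap handed the domain user a separate UID."""
    local_uid, domain_uid = uid_for(text, local_name), uid_for(text, domain_name)
    return local_uid is not None and local_uid == domain_uid
```

With the sample listing, same_identity() is False for informix, and shared_uids() shows that UID 1001 is already claimed by two unrelated names, which is the situation to resolve before relying on UID-based file ownership.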

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.