28-Mar-2007, 18:06
Shannon VanWagner

ghys,

Yes, in ldap.conf you put the username and password in cleartext for the
Windows Active Directory user that you create specifically to make queries
to the directory via LDAP.

For security purposes, when you create the windows ldap user, make it a
member only of the "Domain Guests" group (this means you will have to
set "Domain Guests" as the Primary Group and then remove the ldap user
from the "Domain Users" group).

So if I create a special windows user (in the "Users" container in AD) with
the username LDAPQUERY / password mYpaSsword, and my windows
domain is called MYPLACE.COM, and my Windows Server 2003 R2 DC
with AD and Identity Mgmt for Unix enabled server is at IP 10.10.10.1
and has the hostname of DC01, my ldap.conf file would look like this:

###############################################################
##custom ldap.conf for connecting with Server 2003 R2
###############################################################
host 10.10.10.1
base dc=myplace,dc=com
uri ldap://dc01.myplace.com/
#cn=Users refers to the "Users" container in AD
binddn cn=LDAPQUERY,cn=Users,dc=myplace,dc=com
bindpw mYpaSsword
scope sub
bind_timelimit 15
timelimit 15
ssl no
referrals no
nss_base_passwd dc=myplace,dc=com?sub
nss_base_shadow dc=myplace,dc=com?sub
nss_base_group dc=myplace,dc=com?sub?&(objectCategory=group)(gidNumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_initgroups_ignoreusers root,ldap


As for your error msgs, here are my non-expert presumptions:
<got some root user unknown to the underlying authentication module
(client not found in Kerberos database)>
(shannon) This shows that the machine attempted to authenticate "root"
to Active Directory and failed, presumably because "root" doesn't exist
on your AD. Good sign that krb auth is working for you.

<idmap_init: could not load remote backend 'server>
(shannon) this may be related to LDAP not being able to connect to AD
-- presumably because your ldap.conf file has an error; hopefully an
easy fix. Be sure to stop both /etc/init.d/smb and /etc/init.d/winbind,
then start them in the same order after making changes to the ldap.conf
file for the changes to take effect.


As for using SLES, I've not yet tested this configuration but I'd imagine
it would work the same way. I'm working on getting Red Hat Server 4
working with this so stay tuned if you think that will help.

Hope this helps....
Shannon
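A small checker for the kind of ldap.conf shown in this post, added here as an editor's example (not Shannon's code): it parses nss_ldap directives, flags the cleartext bindpw combined with "ssl no", validates the nss_base_* base?scope?filter triples, and builds an ldapsearch command to test the bind by hand. The sample config is a constructed copy of the one above with a dummy password; rootbinddn and /etc/ldap.secret are real nss_ldap features.

```python
"""Review an nss_ldap-style ldap.conf for the points raised in this thread.
Editor-added example, not from the original post. Directive names are real
nss_ldap ones; SAMPLE_CONF is a constructed copy of the post's config."""
SAMPLE_CONF = """\
base dc=myplace,dc=com
uri ldap://dc01.myplace.com/
binddn cn=LDAPQUERY,cn=Users,dc=myplace,dc=com
bindpw mYpaSsword
ssl no
nss_base_passwd dc=myplace,dc=com?sub
nss_base_group dc=myplace,dc=com?sub?&(objectCategory=group)(gidNumber=*)
"""

def parse_ldap_conf(text):
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)          # directive, then the rest of the line
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf

def _first(conf, key, default=""):
    return conf.get(key, [default])[0]

def review(conf):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    encrypted = _first(conf, "ssl") in ("yes", "start_tls") or _first(conf, "uri").startswith("ldaps://")
    if "bindpw" in conf and not encrypted:
        findings.append("bindpw crosses the network in cleartext (ssl no, ldap:// uri); "
                        "use 'ssl start_tls' or an ldaps:// uri")
    if "bindpw" in conf:
        findings.append("bindpw is stored in cleartext in a file every NSS client must read; "
                        "keep the account low-privilege, or use rootbinddn with /etc/ldap.secret (mode 0600)")
    for key in ("nss_base_passwd", "nss_base_shadow", "nss_base_group"):
        for value in conf.get(key, []):
            parts = value.split("?", 2)      # base?scope?filter, filter optional
            scope = parts[1] if len(parts) > 1 else "sub"
            if scope not in ("base", "one", "sub"):
                findings.append(f"{key}: unknown scope '{scope}'")
            if len(parts) == 3 and parts[2].count("(") != parts[2].count(")"):
                findings.append(f"{key}: unbalanced parentheses in filter")
    return findings

def ldapsearch_cmd(conf):
    """Command to test the bind by hand; -W prompts for the password instead of exposing it."""
    return (f"ldapsearch -x -H {_first(conf, 'uri')} -D '{_first(conf, 'binddn')}' -W "
            f"-b '{_first(conf, 'base')}' -s {_first(conf, 'scope', 'sub')} '(objectClass=*)' dn")
```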