I'm trying to figure out how to use Windows Server 2008 R2 as an LDAP server for Linux clients.
Ideally, users should be able to log in to their Linux workstations via pam_ldap authenticating against AD. (winbind is not an option, unfortunately.)
I've looked at Windows Services for Unix but it seems to be going EOL soon.
Is there any other way to achieve this?
Thanks for the suggestions. As I mentioned in the original post, Windows Services for Unix is going to be EOL soon, but I found the replacement for anyone that's interested.
In Windows Server 2008 R2 you need to install the feature "Subsystem for UNIX-based applications".
Secondly, under Roles > Active Directory Domain Services you need to install "Identity Management for Unix".
Once these are installed, each user will have some extra Unix attributes :)
The ldap mapping for /etc/ldap.conf is as follows:
The joys of interoperability...
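An added example, not the poster's own mapping: a typical `/etc/ldap.conf` for the PADL pam_ldap/nss_ldap modules pointed at AD with the Identity Management for Unix attributes populated. The host name, DNs, bind account and CA path are placeholders, and the file is assumed to be shared by both modules.

```conf
# /etc/ldap.conf -- added example with placeholder values.
# Comments are kept on their own lines: a trailing comment after a
# value may be read as part of the value.

# Placeholder domain controller and search base
uri ldap://dc01.example.com/
base dc=example,dc=com
ldap_version 3
scope sub
referrals no

# AD does not allow anonymous searches by default, so bind as a
# dedicated account. This file has to stay world-readable for NSS
# lookups, so the account must be read-only and hold no other rights.
binddn cn=ldap-reader,cn=Users,dc=example,dc=com
bindpw CHANGE_ME

# pam_ldap sends the user's password in a simple bind: require
# StartTLS and verify the domain controller's certificate.
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ad-ca.pem

# pam_ldap: look users up by their AD logon name
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad

# nss_ldap: where to search
nss_base_passwd dc=example,dc=com?sub
nss_base_shadow dc=example,dc=com?sub
nss_base_group dc=example,dc=com?sub

# nss_ldap: map RFC 2307 names to AD classes and attributes.
# uidNumber, gidNumber and loginShell keep their names in AD.
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute gecos cn
nss_map_attribute shadowLastChange pwdLastSet
nss_map_attribute uniqueMember member
```

Only accounts that have the Unix attributes filled in (UID, GID, home directory, shell) resolve through NSS; a user without them can bind successfully but still fail to log in.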
Likewise Open worked for me - pretty easy to install, and doesn't require any changes to AD. The Free version gives you login functionality. If you pay for the Enterprise version you get Group Policy and a whole host of other things.
You might try http://www.quest.com/authentication-services/active-directory-for-unix.aspx (formerly Vintela).
I have no experience in setting it up myself, but my previous employer used this and it worked very well on our Linux workstations.
You might want to read the Microsoft document using Windows Services for Unix ([W]SfU). This link includes documentation about it apparently. From the link:
Let us know if it works for you; I am very interested in implementing such a thing for Linux projects.
Check out Centrify, which provides a native agent for connecting directly to AD on hundreds of different flavors of UNIX or Linux (or OS X). There is a free product (Centrify Express) that includes authentication support for PAM, NSS and Kerberos clients. In addition, they have a free Windows application for deploying to and managing remotely many servers at once.
The for-pay suites include group policy, access control, authorization, privileged user management, reporting, user session recording/audit, encryption/authentication of data on the wire and much more.
Used in production on a big chunk of the Fortune 2000 UNIX and Linux servers.
Corey - a Centrify product manager