Revision as of 23:10, 26 August 2013 by Mmuehlfeld (Changed information about nested groups)

Advantages / Disadvantages

Because some of the disadvantages may be advantages (or vice versa) in your environment, they are not classified here.

  • Fast and easy to configure.
  • Requires central storage of posix data (UID/GID, home directory, shell, etc.) in AD. Your domain has to be provisioned/upgraded with --use-rfc2307 to store this data. Accounts/groups can then be administered e. g. via ADUC on Windows.
  • UIDs/GIDs are the same on every server.
  • Doesn't require the machine to be joined to the domain. A simple LDAP connection to the DC (389/tcp for LDAP or 636/tcp for LDAPS) is enough.
  • Requires nslcd and pam_ldap to be installed on your system.
  • Resolving nested groups is only supported in newer versions of nslcd (check the manpage).


Most distributions already ship nslcd in their default installation. In RHEL6 the package is named nss-pam-ldapd.

If you also want to authenticate local *nix services on your server against AD, you additionally require pam_ldap.

Configuring nslcd

The following basic example lets nslcd retrieve its information from AD through a separate bind account. nslcd is also capable of using Kerberos; that is not part of this HowTo.

  • Create a new user account in your AD that nslcd uses to bind via LDAP and retrieve its information. Make sure that you configure this account with the "password never expires" option! Remember the DN (distinguished name) of the new user. The following example uses the DN "cn=ldap-connect,cn=Users,dc=SAMDOM,dc=example,dc=com".
  • Currently not all required posix information can be retrieved via LDAP (Bug report #9788), because of incorrect directory ACLs. As a workaround, add the following to the smb.conf on the DC that nslcd connects to, and restart Samba:
acl:search = no
  • Use the following content in your /etc/nslcd.conf:
#Mappings for Active Directory
pagesize 1000
referrals off

# Passwd
filter  passwd  (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
map     passwd  uid                sAMAccountName
map     passwd  homeDirectory      unixHomeDirectory
map     passwd  gecos              displayName
map     passwd  gidNumber          primaryGroupID

# Groups
filter  group   (&(objectClass=group)(gidNumber=*))
map     group   uniqueMember       member

# User/group with which the daemon should run (must be a local account!)
uid nslcd
gid ldap

# LDAP server settings
uri ldap://
base dc=SAMDOM,dc=example,dc=com

# Account in AD that nslcd uses to bind to the directory
binddn cn=ldap-connect,cn=Users,dc=SAMDOM,dc=example,dc=com
bindpw xxxxx
  • Start the nslcd daemon.
  • Append ldap to the passwd and group entries of your /etc/nsswitch.conf, to let the system query LDAP for these databases.
passwd:     files ldap
group:      files ldap
  • All accounts/groups are now available to the local system.


  • Test 1: Retrieving accounts via getent. This should show local and domain accounts (which have the required posix attributes).
# getent passwd
demo1:*:10002:513:Demo User1:/home/demo1:/bin/false
  • Test 2: Retrieving groups via getent. This should show local and domain groups (which have the required posix attributes).
# getent group
Domain Users:*:10000:demo1
  • Test 3: Change owner/group of a file to a domain user/group:
# touch /tmp/testfile
# chown Administrator:"Domain Users" /tmp/testfile
# ls -l /tmp/testfile 
-rw-r--r-- 1   Administrator   Domain Users   0   26. Aug 22:35 /tmp/testfile
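To make the filter and map rules from the nslcd.conf above concrete, here is an added Python emulation (not part of the original page and not nslcd's own code) that applies them to a few constructed AD entries and produces the same lines shown in Test 1 and Test 2. All entry values are constructed; the emulation also shows why the gid field of the passwd line carries the primaryGroupID RID (513) while the group itself has gidNumber 10000.

```python
"""Emulate the nslcd filter/map rules from the nslcd.conf above on constructed
AD entries.  Added illustration only, not nslcd's real implementation."""

# Constructed sample entries with AD attribute names (RFC2307 extended schema).
ENTRIES = [
    {"dn": "cn=demo1,cn=Users,dc=SAMDOM,dc=example,dc=com",
     "objectClass": ["top", "person", "user"], "sAMAccountName": "demo1",
     "uidNumber": "10002", "primaryGroupID": "513", "displayName": "Demo User1",
     "unixHomeDirectory": "/home/demo1", "loginShell": "/bin/false"},
    {"dn": "cn=nouid,cn=Users,dc=SAMDOM,dc=example,dc=com",      # no uidNumber -> filtered out
     "objectClass": ["top", "person", "user"], "sAMAccountName": "nouid"},
    {"dn": "cn=PC01,cn=Computers,dc=SAMDOM,dc=example,dc=com",   # computer -> filtered out
     "objectClass": ["top", "user", "computer"], "sAMAccountName": "PC01$", "uidNumber": "20000"},
    {"dn": "cn=Domain Users,cn=Users,dc=SAMDOM,dc=example,dc=com",
     "objectClass": ["top", "group"], "sAMAccountName": "Domain Users", "gidNumber": "10000",
     "member": ["cn=demo1,cn=Users,dc=SAMDOM,dc=example,dc=com",
                "cn=nouid,cn=Users,dc=SAMDOM,dc=example,dc=com"]},
    {"dn": "cn=NoGid,cn=Users,dc=SAMDOM,dc=example,dc=com",      # no gidNumber -> filtered out
     "objectClass": ["top", "group"], "sAMAccountName": "NoGid", "member": []},
]

def passwd_filter(e):
    """filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))"""
    oc = e["objectClass"]
    return "user" in oc and "computer" not in oc and "uidNumber" in e

def group_filter(e):
    """filter group (&(objectClass=group)(gidNumber=*))"""
    return "group" in e["objectClass"] and "gidNumber" in e

def passwd_lines(entries):
    """passwd(5) lines: uid<-sAMAccountName, gecos<-displayName,
    homeDirectory<-unixHomeDirectory, gidNumber<-primaryGroupID (the RID, e.g. 513)."""
    return [":".join([e["sAMAccountName"], "*", e["uidNumber"], e["primaryGroupID"],
                      e.get("displayName", ""), e.get("unixHomeDirectory", ""),
                      e.get("loginShell", "")])
            for e in entries if passwd_filter(e)]

def group_lines(entries):
    """group(5) lines: uniqueMember<-member; member DNs are resolved to login names,
    keeping only members that themselves pass the passwd filter."""
    by_dn = {e["dn"]: e for e in entries}
    out = []
    for e in entries:
        if group_filter(e):
            names = [by_dn[dn]["sAMAccountName"] for dn in e.get("member", [])
                     if dn in by_dn and passwd_filter(by_dn[dn])]
            out.append(":".join([e["sAMAccountName"], "*", e["gidNumber"], ",".join(names)]))
    return out

if __name__ == "__main__":
    print("\n".join(passwd_lines(ENTRIES) + group_lines(ENTRIES)))
```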

Configuring PAM (pam_ldap)

To authenticate local services (SSH, FTP, etc.) which use PAM, you can set up pam_ldap to authenticate against AD via LDAP.

  • Edit /etc/pam_ldap.conf:
base dc=SAMDOM,dc=example,dc=com
binddn cn=ldap-connect,cn=Users,dc=SAMDOM,dc=example,dc=com
bindpw xxxxx
bind_policy soft
pam_login_attribute sAMAccountName
uri ldap://
ssl no
  • Edit the PAM configuration file(s) corresponding to the services you want to hook up. The following is an example PAM configuration that can be used e. g. for ssh (/etc/pam.d/sshd). But be careful: changes take effect immediately!
auth     required      pam_nologin.so
auth     sufficient    pam_ldap.so
auth     required      pam_unix.so      use_first_pass # set_secrpc

account  required      pam_unix.so

password required      pam_pwcheck.so
password required      pam_ldap.so      use_authtok
password required      pam_unix.so      use_first_pass use_authtok

session  required      pam_unix.so
session  required      pam_limits.so
session  required      pam_env.so


  • Test 1: Try accessing or logging into a service that you have configured to use pam_ldap. Example for ssh:
# ssh demo1@DC1
demo1@dc1's password: 
Last login: Mon Aug 26 22:59:40 2013 from pc01.samdom.example.com
[demo1@DC1 ~]$