wiki.getshifting.com

--- Sjoerd Hooft's InFormation Technology ---

AD LDAP For Linux

Summary: How to use AD 2008 as a central authentication repository for a Suse Linux box.
Date: Around 2015
Refactor: 20 February 2025: Checked links and formatting.

The goal in this article is to enable Linux (SLES 11 SP1) boxes to use the Active Directory (2008) as the central directory for authentication.

Windows Server 2008

Identity Management For Unix

After installing Windows Server 2008 and Active Directory on it, you have to add Identity Management for UNIX to the server:

  • Start the control panel (in classic view) and go to 'Programs and Features'.
  • Click on 'Turn Windows features on or off'.
  • Under 'Server Manager', expand the 'Roles' section and right-click 'Active Directory Domain Services'.
  • Click on 'Add Role Services'.
  • Check the 'Identity Management for UNIX' checkbox.
  • Click Next and then Install. Be aware you have to restart the server afterwards.
  • After the reboot the configuration resumes, finishing with the message that the installation succeeded.

Primary Group

Inside AD you have to create a group that will function as the primary group for the users who will log in to the Linux systems. To do so, follow these steps:

  • Go to start → All Programs → Administrative Tools → Active Directory Users and Computers
  • Navigate to the OU where you want the group to exist and click on Action → New → Group
  • Enter a name for the group (like LDAP) and make sure it's a global security group. Click on OK when you're done.
  • After the group has been created, open its properties and go to the 'UNIX Attributes' tab.
  • Select the NIS Domain and accept the default GID (10000):
[screenshot: adldapforlinux01.jpg]

If the GID is not 10000, there are probably already UNIX-enabled groups in the directory. Make sure the GID you enter is unique; you will get a warning if it is not.

Bind User

Inside AD you have to create a user that will function as the bind user, so that anonymous login (which does not work by default) is not required. To do so, follow these steps:

  • Go to start → All Programs → Administrative Tools → Active Directory Users and Computers
  • Navigate to the OU where you want the user to exist and click on Action → New → User
  • Enter your preferred naming syntax for service accounts, and when you're done click Next:
    • First name: Service Account
    • Last name: LDAP
    • User login name: sa_ldap
  • Enter a password considering your password complexity rules, and:
    • uncheck 'User must change password at next logon'
    • check 'User cannot change password'
    • check 'Password never expires'
  • Finish creating the account and when you're done open the properties of the account and go to the tab 'Member Of' and:
    • Add the group Domain Guests and make it the Primary Group using the 'Set Primary Group' button below
    • Remove the Domain Users group:
[screenshot: adldapforlinux02.jpg]

Linux Users

For each Active Directory user that you want to enable for UNIX logins, you will need to configure their UNIX attribute properties. For new users, follow these steps:

  • Go to start → All Programs → Administrative Tools → Active Directory Users and Computers
  • Navigate to the OU where you want the user to exist and click on Action → New → User
  • Just enter the names and logon credentials and set the password. When the user is created, open the properties and go to the 'UNIX Attributes' tab.
  • Select the NIS Domain, set the Login Shell to /bin/bash and set the Primary group name (GID) to the group you created in the Primary Group section.
  • Accept the other default settings and click OK:
[screenshot: adldapforlinux03.jpg]

SLES 11

Pre-configuration

After installing SLES 11 you need to install these additional packages:

  • pam-ldap
  • pam-ldap-32bit
  • nss-ldap
  • nss-ldap-32bit
  • krb5-client
  • pam_krb5
  • pam_krb5-32bit

Additionally you need to set these options:

  • Set the DNS server to the AD DNS server
    • Make sure /etc/resolv.conf lists the AD server as nameserver and the AD domain as the search option:
        search shift.local
        nameserver 10.10.10.101
  • Set the NTP source to the AD server:
    • rcntp addserver 10.10.10.101
  • Make sure /etc/hosts lists your client as well as your server:
        10.10.10.41     sles.shift.local sles
        10.10.10.101    ad-ldaptest.shift.local ad-ldaptest

LDAP and Kerberos

Now that all the requirements are met, we can configure LDAP and Kerberos for authentication. To do so, follow these steps:

  • Go to yast → 'Security and Users' → 'User and Group Management' and go to the tab 'Authentication Settings'

Click on LDAP and enter these settings:

  • Use LDAP
  • Addresses of LDAP Servers: The IP address of the AD server
  • LDAP Base DN: The search base of your AD, for example: DC=shift,DC=local
  • Check 'Create Home Directory on Login'
  • Go to Advanced Configuration and enter these settings:
    • Under Client Settings:
      • Password Change Protocol: ad
      • Group Member Attribute: member
    • Under Administration Settings:
      • Administrator DN: The user principal name (userPrincipalName) of the bind user you created in AD, for example sa_ldap@shift.local
  • Click twice on OK

Now, click on Kerberos and enter these settings:

  • Use Kerberos
  • Default Domain: The AD domain, for example: shift.local
  • Default REALM: The AD domain in capitals, for example: SHIFT.LOCAL
  • KDC Server Address: The IP address of the AD server
  • Click OK

Now click OK in the Authentication Settings window. If you haven't installed the required software packages yet you'll be prompted to do so now.

ldap.conf

Before you go on, check the /etc/ldap.conf file. The reason behind this is that SLES is owned by Novell, so when you configure SLES for LDAP authentication it is by default set up for LDAP authentication against eDirectory. See here if you want to know more about that, but we are now configuring for AD. The main problem we face is the attribute mapping: eDirectory has an LDAP Server object which handles the LDAP attribute mapping, AD does not, so the mapping must be done on the Linux client. These are my settings; the keys are all present in the default file, but some of them are commented out:

sles:~ # cat /etc/ldap.conf | grep ^[a-z]
host    10.10.10.101
base    DC=shift,DC=local
uri     ldap://10.10.10.101/
binddn  sa_ldap@shift.local
bindpw  LD4Paccess
bind_policy     soft
pam_lookup_policy       yes
nss_initgroups_ignoreusers      root,ldap
nss_schema      rfc2307bis
nss_map_objectclass     posixAccount user
nss_map_objectclass     shadowAccount user
nss_map_attribute       uid sAMAccountName
nss_map_attribute       homeDirectory unixHomeDirectory
nss_map_attribute       shadowLastChange pwdLastSet
nss_map_objectclass     posixGroup group
nss_map_attribute       uniqueMember member
pam_login_attribute     sAMAccountName
pam_filter      objectclass=User
pam_password    ad
ssl     no
ldap_version    3
tls_checkpeer   no
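As an added example (not from the original page), here is a POSIX sh audit of /etc/ldap.conf covering the points a reviewer would raise about the listing above: the clear-text bindpw means the file must be readable by root only, 'ssl no' and 'tls_checkpeer no' leave every bind unencrypted and unverified, and the AD attribute mappings must be present. The function name and the hardened value 'start_tls' used in its checks are my assumptions.

```shell
#!/bin/sh
# audit_ldap_conf FILE
# Prints one line per finding and returns the number of findings (0 = clean).
audit_ldap_conf() {
    f=$1
    n=0
    finding() { echo "FINDING: $1"; n=$((n + 1)); }

    # Active settings only: lines starting with a letter, as in the grep above.
    conf=$(grep '^[a-z]' "$f")
    # get KEY        -> value of the first active KEY line ("" if absent)
    # has KEY V1 V2  -> true if an active line "KEY V1 V2" exists
    get() { printf '%s\n' "$conf" | awk -v k="$1" '$1 == k { print $2; exit }'; }
    has() { printf '%s\n' "$conf" |
        awk -v a="$1" -v b="$2" -v c="$3" '$1 == a && $2 == b && $3 == c { ok = 1 } END { exit !ok }'; }

    # 1. bindpw is stored in clear text, so nobody but root may read the file.
    if [ -n "$(get bindpw)" ]; then
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        case "$mode" in
            *00) ;;
            *)   finding "bindpw is set but $f is readable by group/others (mode $mode)" ;;
        esac
    fi

    # 2. Without TLS the service account's and every user's password cross the
    #    network in clear text, and an unverified peer can be impersonated.
    #    An absent 'ssl' key means no TLS; an absent 'tls_checkpeer' defaults to yes.
    ssl=$(get ssl)
    [ -n "$ssl" ] && [ "$ssl" != "no" ] || finding "ssl is 'no': LDAP binds are unencrypted"
    [ "$(get tls_checkpeer)" != "no" ] || finding "tls_checkpeer is 'no': server certificate is not verified"

    # 3. The mappings AD needs in place of the RFC 2307 defaults (see the listing above).
    has nss_map_objectclass posixAccount user || finding "missing: nss_map_objectclass posixAccount user"
    has nss_map_objectclass posixGroup group || finding "missing: nss_map_objectclass posixGroup group"
    has nss_map_attribute uid sAMAccountName || finding "missing: nss_map_attribute uid sAMAccountName"
    has nss_map_attribute homeDirectory unixHomeDirectory || finding "missing: nss_map_attribute homeDirectory unixHomeDirectory"
    [ "$(get pam_login_attribute)" = "sAMAccountName" ] || finding "pam_login_attribute should be sAMAccountName"
    [ "$(get pam_password)" = "ad" ] || finding "pam_password should be 'ad'"
    return "$n"
}

# Stand-alone use: sh audit_ldap_conf.sh /etc/ldap.conf  (exit status = number of findings)
if [ -n "${1:-}" ]; then audit_ldap_conf "$1"; exit $?; fi
```

Run against the listing above it reports three findings: the world-readable file holding bindpw, 'ssl no' and 'tls_checkpeer no', which together mean that both the service account's and each user's password travel in clear text between the client and the domain controller.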

nsswitch.conf

Check /etc/nsswitch.conf as well:

passwd: files ldap
group:  files ldap
shadow: files ldap
hosts:  files dns
networks:       files dns

services:       files ldap
protocols:      files
rpc:    files
ethers: files
netmasks:       files
netgroup:       files ldap
publickey:      files

bootparams:     files
automount:      files nis
aliases:        files ldap
passwd_compat:  ldap

Login

Now everything is configured and, if everything went well, you can log in:

login as: sjoerd
Using keyboard-interactive authentication.
Password:
Creating directory '/home/sjoerd'.
Creating directory '/home/sjoerd/.mozilla'.
Creating directory '/home/sjoerd/.fonts'.
Creating directory '/home/sjoerd/bin'.
/usr/bin/xauth:  creating new authority file /home/sjoerd/.Xauthority

sjoerd@sles:~>
sjoerd@sles:~>id
uid=10000(sjoerd) gid=10000(LDAP) groups=10000(LDAP)

Troubleshooting

Are your groups not resolving properly? Check the name service cache (nscd) on the client.
