Ubuntu 20.04

OpenLDAP : Configure LDAP Client (AD) 2020/05/11

 
Configure an LDAP client for the case where the LDAP server is Windows Active Directory.
[1]
[2] Install OpenLDAP Client.
root@node01:~#
apt -y install libnss-ldap libpam-ldap ldap-utils
(1) specify AD server's URI

 +---------------------| Configuring ldap-auth-config |----------------------+
 | Please enter the URI of the LDAP server to use. This is a string in the   |
 | form of ldap://<hostname or IP>:<port>/. ldaps:// or ldapi:// can also    |
 | be used. The port number is optional.                                     |
 |                                                                           |
 | Note: It is usually a good idea to use an IP address because it reduces   |
 | risks of failure in the event name service problems.                      |
 |                                                                           |
 | LDAP server Uniform Resource Identifier:                                  |
 |                                                                           |
 | ldap://fd3s.srv.world/_________________________________________________   |
 |                                                                           |
 |                                  <Ok>                                     |
 |                                                                           |
 +---------------------------------------------------------------------------+

(2) specify suffix
 +---------------------| Configuring ldap-auth-config |----------------------+
 | Please enter the distinguished name of the LDAP search base. Many sites   |
 | use the components of their domain names for this purpose. For example,   |
 | the domain "example.net" would use "dc=example,dc=net" as the             |
 | distinguished name of the search base.                                    |
 |                                                                           |
 | Distinguished name of the search base:                                    |
 |                                                                           |
 | dc=srv,dc=world_______________________________________________________    |
 |                                                                           |
 |                                  <Ok>                                     |
 |                                                                           |
 +---------------------------------------------------------------------------+

(3) specify LDAP version (generally OK to select Version [3])
  +---------------------| Configuring ldap-auth-config |---------------------+
  | Please enter which version of the LDAP protocol should be used by        |
  | ldapns. It is usually a good idea to set this to the highest available   |
  | version.                                                                 |
  |                                                                          |
  | LDAP version to use:                                                     |
  |                                                                          |
  |                                    3                                     |
  |                                    2                                     |
  |                                                                          |
  |                                                                          |
  |                                  <Ok>                                    |
  |                                                                          |
  +--------------------------------------------------------------------------+

(4) select the one you like. (this example selects [Yes])
 +---------------------| Configuring ldap-auth-config |----------------------+
 |                                                                           |
 | This option will allow you to make password utilities that use pam to     |
 | behave like you would be changing local passwords.                        |
 |                                                                           |
 | The password will be stored in a separate file which will be made         |
 | readable to root only.                                                    |
 |                                                                           |
 | If you are using NFS mounted /etc or any other custom setup, you should   |
 | disable this.                                                             |
 |                                                                           |
 | Make local root Database admin:                                           |
 |                                                                           |
 |                    <Yes>                       <No>                       |
 |                                                                           |
 +---------------------------------------------------------------------------+

(5) select the one you like. (this example selects [No])
    +-------------------| Configuring ldap-auth-config |-------------------+
    |                                                                      |
    | Choose this option if you are required to login to the database to   |
    | retrieve entries.                                                    |
    |                                                                      |
    | Note: Under a normal setup, this is not needed.                      |
    |                                                                      |
    | Does the LDAP database require login?                                |
    |                                                                      |
    |                   <Yes>                      <No>                    |
    |                                                                      |
    +----------------------------------------------------------------------+

root@node01:~#
vi /etc/nsswitch.conf
# line 7: add

passwd:         files systemd ldap
group:          files systemd ldap
shadow:         files

root@node01:~#
vi /etc/pam.d/common-password
# line 26: change ( remove [use_authtok] )

password        [success=1 user_unknown=ignore default=die]     pam_ldap.so try_first_pass

root@node01:~#
vi /etc/pam.d/common-session
# add to the end if needed (creates the home directory automatically at first login)

session optional        pam_mkhomedir.so skel=/etc/skel umask=077
root@node01:~#
vi /etc/ldap.conf
# line 44: add the DN of the bind user (the user for the AD/Linux connection that you added in section [1])

binddn cn=ldapusers,cn=Users,dc=srv,dc=world
# line 48: add the password of the user above

bindpw password
# line 223-232: uncomment all

# RFC 2307 (AD) mappings
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad

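The three files above (nsswitch.conf, the PAM stack and ldap.conf) are what make an AD account resolvable and usable for login, so it pays to check them before rolling the client out. The script below is an added example, not part of the original page: it audits an ldap.conf for the AD mappings this page uncomments and flags two points a defender would want addressed, namely a cleartext ldap:// URI without ssl start_tls (the bind password then crosses the wire in clear, and AD only accepts password changes via pam_password ad over an encrypted connection) and a bindpw stored in a file readable by other local users. The write_sample_ldap_conf helper, the file paths and the ldapusers bind account are constructed from the page's own values for demonstration.

```shell
#!/bin/sh
# Added example (not from the page): audit a pam_ldap/nss_ldap client
# configuration for the AD mappings the page enables and for hardening points.

# print the value of the first uncommented occurrence of directive $2 in file $1
ldap_directive() {
    awk -v key="$2" '$1 == key { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# write a constructed ldap.conf mirroring the page's settings to $1;
# $2 overrides the server URI (defaults to the page's cleartext ldap:// URI)
write_sample_ldap_conf() {
    uri="${2:-ldap://fd3s.srv.world/}"
    cat > "$1" <<EOF
uri $uri
base dc=srv,dc=world
ldap_version 3
binddn cn=ldapusers,cn=Users,dc=srv,dc=world
bindpw password
# RFC 2307 (AD) mappings
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
EOF
}

# audit ldap.conf $1: one finding per line on stdout, return value = number of findings
check_ldap_conf() {
    f="$1"; n=0
    for d in uri base binddn; do
        [ -n "$(ldap_directive "$f" "$d")" ] || { echo "missing directive: $d"; n=$((n+1)); }
    done
    # RFC 2307 -> AD mappings without which getent/id cannot resolve AD users and groups
    for m in "nss_map_objectclass posixAccount user" \
             "nss_map_attribute uid sAMAccountName" \
             "nss_map_attribute homeDirectory unixHomeDirectory" \
             "nss_map_objectclass posixGroup group" \
             "nss_map_attribute uniqueMember member" \
             "pam_login_attribute sAMAccountName"; do
        grep -Eq "^[[:space:]]*$m[[:space:]]*$" "$f" || { echo "missing mapping: $m"; n=$((n+1)); }
    done
    # cleartext transport: ldap:// without 'ssl start_tls' sends the bind password in clear
    uri=$(ldap_directive "$f" uri)
    case "$uri" in
        ldaps://*) ;;
        *) [ "$(ldap_directive "$f" ssl)" = "start_tls" ] ||
               { echo "cleartext transport: $uri without 'ssl start_tls'"; n=$((n+1)); } ;;
    esac
    # a bindpw in a world-readable file hands the AD bind credential to every local user
    if [ -n "$(ldap_directive "$f" bindpw)" ]; then
        mode=$(stat -c '%a' "$f")           # GNU stat (Linux), e.g. 644
        case "$mode" in
            *[4-7]) echo "bindpw readable by others: file mode $mode"; n=$((n+1)) ;;
        esac
    fi
    return $n
}

# audit nsswitch.conf $1: passwd and group must consult ldap; return value = findings
check_nsswitch() {
    f="$1"; n=0
    for db in passwd group; do
        grep -Eq "^$db:.*[[:space:]]ldap([[:space:]]|$)" "$f" ||
            { echo "nsswitch: $db does not use ldap"; n=$((n+1)); }
    done
    return $n
}

# demo: audit a copy of the page's configuration as Debian ships /etc/ldap.conf (mode 644)
tmp=$(mktemp -d)
write_sample_ldap_conf "$tmp/ldap.conf"
chmod 644 "$tmp/ldap.conf"
printf 'passwd: files systemd ldap\ngroup: files systemd ldap\nshadow: files\n' > "$tmp/nsswitch.conf"
if check_ldap_conf "$tmp/ldap.conf"; then echo "ldap.conf: ok"; else echo "ldap.conf: $? finding(s)"; fi
if check_nsswitch "$tmp/nsswitch.conf"; then echo "nsswitch.conf: ok"; fi
rm -rf "$tmp"
```

Run against the real files with check_ldap_conf /etc/ldap.conf and check_nsswitch /etc/nsswitch.conf after the edits above; the page's own configuration produces two findings (cleartext URI, readable bindpw), and switching to ldaps:// with the file at mode 600 clears both.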
root@node01:~#
Ubuntu 20.04 LTS www.srv.world ttyS0

# verify login with an AD user to which you added UNIX attributes in [1]
node01 login: Serverworld 
Password:
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-26-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon 11 May 2020 05:23:54 PM JST

  System load:  0.41              Processes:               135
  Usage of /:   9.0% of 24.54GB   Users logged in:         0
  Memory usage: 5%                IPv4 address for enp1s0: 10.0.0.31
  Swap usage:   0%

.....
.....

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Creating directory '/home/Serverworld'.
Serverworld@node01:~$   # logged in

Serverworld@node01:~$ id
uid=5000(Serverworld) gid=100(users) groups=100(users)