
OPSI Server authentication over Windows AD based on LDAP

Purpose:

You can use your Windows username and password to authenticate against the following services:

Configuration steps:

This procedure was tested with Debian 6.0.10 and OPSI 4.0.5.

/etc/pam_ldap.conf

#

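# The distinguished name of the search base.
base dc=mywin,dc=domain

# Another way to specify your LDAP server is to provide a URI.
# NOTE: plain ldap:// carries the simple bind (bindpw below, and every
# user password that PAM checks) across the network unencrypted; prefer
# ldaps:// or STARTTLS ("ssl start_tls") with the DC's CA certificate
# configured on this host.
uri ldap://dc1.mywin.domain

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
# Use a dedicated read-only account with the minimum directory rights.
binddn cn=OpsiAdRead,cn=Users,dc=mywin,dc=domain

# The credentials to bind with.
# Optional: default is no credential.
# This is a clear-text secret: replace the placeholder and keep the
# file readable only by the services that need it.
bindpw secretpw

# The search scope.
scope sub

# Search timelimit (seconds)
timelimit 5

# Bind/connect timelimit (seconds)
bind_timelimit 5

# Reconnect policy: hard (default) will retry connecting to
# the server with exponential backoff, soft will fail
# immediately.
bind_policy soft

# The user ID attribute (defaults to uid)
pam_login_attribute sAMAccountName

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service. Disabled here: it conflicts with "pam_password ad"
# below, and only one pam_password line should be present.
# pam_password crypt

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
pam_password ad

# RFC 2307 (AD) mappings
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
# Restrict PAM lookups to user objects. pam_login_attribute and
# pam_password are already set above and are not repeated here.
pam_filter objectclass=User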

/etc/samba/smb.conf

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will be part of
    workgroup = MYWIN

####### Authentication #######

# "security = domain" hands password validation to the domain controllers
# named in "password server" below, so no local Samba password database is
# needed; each user still needs a Unix account on this host. See
# /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
# in the samba-doc package for details.
   security = domain

# You may wish to use password encryption.  See the section on
# 'encrypt passwords' in the smb.conf(5) manpage before enabling.
   encrypt passwords = true

# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.
# Left disabled: a local passdb is not used with "security = domain".
#   passdb backend = tdbsam
# Domain controllers consulted for authentication, in order. The short
# names must resolve from this host; domain security also presumes the
# host has joined the domain (not shown in this procedure).
   password server = dc1 dc2 

   obey pam restrictions = yes
#

http://thejoyofstick.com/blog/2012/03/31/authenticating-linux-users-against-microsoft-active-directory/

Special thanks to Jürgen Judt for writing this paper!