These classnotes are deprecated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes.
There is an alternative approach which can be taken here. We can use the fact that Active Directory has its own schemas and is technically an LDAPv3 server to extend the AD schemas ourselves to support our standard Unix authentication. Basically, we are adding a compatibility layer to Windows, making it behave a bit more like Unix.
What is AD4Unix?
MKS AD4Unix is a plug-in extension for Microsoft's Active Directory Server that enables Unix-related authentication and user information to be stored in Active Directory. AD4Unix includes a schema update and an extension to Microsoft's User & Group manager (part of the Active Directory administration interface, which is in turn part of the Microsoft Management Console).
The primary goal of AD4Unix is to create a unified account database for Windows and Unix servers via Active Directory. This is what specifically enables cross-platform authentication using Active Directory.
AD4Unix was written by Maxim Batourine of the Faculty of Architecture, Landscape, and Design at the University of Toronto.
Obtaining MKS AD4Unix
MKS AD4Unix can be obtained via the AD4Unix download page. We can also get it from a mirror (since the main site appears to be down): http://raman.physics.arizona.edu/temp/AD4Unix.zip
AD4Unix is delivered as a single .MSI (Microsoft Installer) file that can be installed directly onto a Windows 2000 server.
Installing MKS AD4Unix
The original installation instructions for AD4Unix, and guidelines for its use, were written by JJ Streicher-Bremer for AD4Unix 1.1.1. Things have changed somewhat since then: there is now an installation package (MSI format). However, there are still a few hairy parts of the installation, because the installation package is not perfect.
These instructions are based on Windows 2000 server, service pack 2, and AD4Unix version 1.5. Here follows a log of what is needed to get the product up and running:
- Installed Windows 2000, from the installation CD.
- Installed the Windows 2000 High Encryption Pack.
- Installed Windows 2000 Service Pack 2.
- Using the "Configure Your Server" wizard, set up Active Directory. In this case, since it was a new installation in an isolated environment, we created a new domain, new tree, new forest of trees, and a new DNS zone. You may wish to configure your server differently, or join it to an existing tree or forest. Beware that we are about to install schema updates, which could wreak havoc with any existing directory tree or forest that you have, unless you install them correctly.
- Allowed schema updates on the domain controller. To do this:
  - Open a command window (Start -> Run -> CMD).
  - Type the command regsvr32 c:\winnt\system32\schmmgmt.dll (this registers schmmgmt.dll as an MMC (Microsoft Management Console) snap-in). You can now close the command window by typing exit.
  - Create a Schema Management MSC, as follows:
    - Start -> Run -> MMC
    - From the console menu, select "add/remove snapin" and then click the "Add..." button.
    - Select Active Directory Schema and click "Add".
    - Click "Close".
    - Click "OK".
  - Choose the domain controller you want to update the schema on:
    - Right click on "Active Directory Schema" and select "Change Domain Controller".
    - Select "Specify name" and type in the DNS name or address of your domain controller.
  - Allow updates on the domain controller:
    - Right click on "Active Directory Schema" and select "Operations Master".
    - Click the checkbox labelled "The Schema may be modified on this Domain Controller".
    - Click OK.
- Now it is possible to install the AD4Unix plug-in. To do this, find the location where the .MSI installer file was downloaded to, and double click on it in the file manager.
- Say Yes to the questions about schema updates.
- On the Start menu under "Programs" there should now be an extra menu titled "AD4Unix". This contains the AD4Unix configuration program (MKSADPluginSettings). Run this configuration program and set up an NIS name. It doesn't matter much what you enter here, as you will not be using NIS, but something needs to be entered.
Adding User Entries
Now that the AD4Unix plugins are installed, it is possible to use Active Directory Users and Computers to enter new Unix users into the Active Directory system. You could also modify the Unix user and group attributes of your existing Active Directory users to make those users visible on a Unix system.
To add a new user, run the program "Active Directory Users and Computers" from the "Administrative Tools" menu. Note that you need to run this program from the same computer on which the AD4Unix plug-ins were installed; if you normally manage your user base from another workstation, then you will need to install the plug-ins there as well, perhaps this time without the schema updates.
After creating a new user, the user editor window (obtained by double clicking a user in the user list) will contain an extra tab, titled "Unix settings". This contains the following extra fields:
- NIS: Set this to the NIS domain you created in the configuration program.
- UID: The numeric UNIX user ID of this user.
- GID: The numeric UNIX group ID of this user.
- Description: This replaces the "comment" field in the /etc/passwd file.
- Home folder: This is the user's Unix home directory.
- Shell: This should be set to the user's shell.
Note that these fields replicate the information in the /etc/passwd file.
For Active Directory groups, there will now also be a "Unix settings" tab in the Active Directory Users and Groups tool. This tab contains two fields:
- group: The symbolic UNIX group name for this group.
- GID: The numeric UNIX group ID for this group.
Adding a user to a UNIX group is again done via the Active Directory Users and Groups tool, simply by the same method that you would use to add an Active Directory user account to an Active Directory group. Group membership on Linux or Unix mirrors the membership on Active Directory.
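Since the UID, GID, home folder and shell fields above are typed in by hand per user, nothing stops two accounts from sharing a UID, or an account from being given UID 0. The following script is an added example, not part of the original notes: it audits what AD returns from the Unix side before pam_ldap starts trusting it. It assumes (the notes do not say) that AD4Unix stores these fields under the RFC 2307 attribute names uidNumber, gidNumber, homeDirectory and loginShell, and the LDIF, DNs and hostname are constructed.

```shell
#!/bin/sh
# Added audit example, not from the original notes. Assumes AD4Unix stores the
# "Unix settings" fields as the RFC 2307 attributes uidNumber, gidNumber,
# homeDirectory and loginShell; check real ldapsearch output for your version.
# Constructed LDIF standing in for output of (values and DNs are made up):
#   ldapsearch -x -LLL -H ldap://dc.example.test -D 'reader@example.test' -W \
#     -b 'cn=Users,dc=example,dc=test' '(uidNumber=*)' sAMAccountName uidNumber gidNumber homeDirectory loginShell
SAMPLE_LDIF='dn: CN=alice,CN=Users,DC=example,DC=test
sAMAccountName: alice
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/alice
loginShell: /bin/bash

dn: CN=bob,CN=Users,DC=example,DC=test
sAMAccountName: bob
uidNumber: 1001
gidNumber: 1002
homeDirectory: /home/bob
loginShell: /bin/bash

dn: CN=svc-backup,CN=Users,DC=example,DC=test
sAMAccountName: svc-backup
uidNumber: 0
gidNumber: 1003
homeDirectory: home/svc-backup
loginShell: /bin/sh
'
# audit_unix_attrs: read LDIF on stdin, print one finding per line and exit 1
# if any entry would be unsafe or unusable as an /etc/passwd line.
audit_unix_attrs() {
  awk '
    function val(v) { v = $0; sub(/^[^:]*: /, "", v); return v }
    function check() {
      if (uid == "" || gid == "" || home == "" || shell == "") { print name ": missing Unix field"; bad = 1 }
      if (uid == "0" || gid == "0") { print name ": UID/GID 0 (root) assigned in AD"; bad = 1 }
      if (home != "" && home !~ /^\//) { print name ": home folder is not an absolute path"; bad = 1 }
      if (uid != "" && uid in seen) { print name ": duplicate UID " uid " (also " seen[uid] ")"; bad = 1 }
      else if (uid != "") seen[uid] = name
    }
    /^dn: /             { if (dn != "") check(); dn = val(); name = uid = gid = home = shell = ""; next }
    /^sAMAccountName: / { name = val(); next }
    /^uidNumber: /      { uid = val(); next }
    /^gidNumber: /      { gid = val(); next }
    /^homeDirectory: /  { home = val(); next }
    /^loginShell: /     { shell = val(); next }
    END { if (dn != "") check(); exit (bad ? 1 : 0) }'
}
if printf '%s' "$SAMPLE_LDIF" | audit_unix_attrs; then echo "no problems found"; fi
```

Run against real ldapsearch output, the script flags bob sharing alice's UID and the service account's UID 0 and relative home folder before those entries ever reach a Unix login.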
PAM - LDAP
Now we need to configure pam_ldap's /etc/ldap.conf file with the following lines:
Once we have done this, and configured LDAP as we did previously, we should be able to search the domain. Be sure to remove the sections from /etc/ldap.conf that redefine the search parameters.