These classnotes are depreciated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes

LDAP01/Setting Up Linux

Classnotes | LDAP01 | RecentChanges | Preferences

In our example, we will have a single Active Directory domain with the same name we've been using all along, odyssey.com, or dc=odyssey,dc=com.

PADL's pam_ldap module utilizes a configuration file in /etc/ldap.conf. There is generally an example file for pam_ldap which can be found in /usr/share/libpam-ldap. Let's take a look at this example configuration for a moment.

The following excerpt from /etc/ldap.conf provides the module with the information in needs to contact the Active Directroy server. For those unfamilier with the Active Directory namespace, by default all users and groups are stored in the cn=Users container directly below the top-level entry in the domain.

Therefore, if the default container is used, a one-level search beginning at cn=Users,dc=odyssey,dc=com should be sufficient to locate any user or group in an Active Directory domain:

 host  windc.odyssey.com

 # AD does support LDAPv2, but let's force v3 to be default
 ldap_version 3

 base cn=users,dc=odyssey,dc=com
 scope one

With a default installation, the PAM libary searches the directory using the filter

 (&(objectclass=posixAccount)(uid=%s))

where %s is the login user name. By default, Active Directory does not support the posixAccount object class or the uid attribute. To work around this, you need to develop a different search filter that can successfully locate users in an Active Directory domain.

User accounts in Active Directory are represented by the user object class; the login name is stored with the sAMAccountName attribute. Therefore, an appropriate filter for this application would be

 (&(objectclass=user)(sAMAccount=%s))

which we can set in ldap.conf with the following parameters:

 pam_filter (objectClass=user)
 pam_login_attribute sAMAccountName

Finally, you must tell pam_ldap how to change the user's password in Active Directory. The pam_ldap library provides support for changing passwords in a variety of directory servers. The pam_password parameter decides which mechanism is selected. By specifying "ad" as the password change mechanism, you allow users to update their Windows password using a PAM-aware application (such as Linux's passwd command):

 pam_password  ad

To summarize, pam_ldap performs these steps:

  1. It requests an entry matching the search filter from the directory server.
  2. It attempts to bind to the directory server using the DN of the return entry and the clear text of the password.

The first step is a problem because Active Directory does not allow LDAP clients to make anonymous searches for user or group information.



Classnotes | LDAP01 | RecentChanges | Preferences
This page is read-only | View other revisions
Last edited October 1, 2003 11:03 pm (diff)
Search:
(C) Copyright 2003 Samuel Hart
Creative Commons License
This work is licensed under a Creative Commons License.