Contents
1 Lab Environment
1.1 Active Directory
1.2 Linux OS
2 Configurations on Active Directory
2.1 Install Active Directory Certificate Service on AD host to enable LDAPS
2.2 Download CA certificate from AD host
2.3 Create LDAP bind user and test user on AD host
3 Configurations on Linux
3.1 Common Steps
3.2 Setup on Ubuntu 16.04.2 x64 Desktop
3.3 Setup on CentOS 6.9/7.3 x64
3.4 Setup on SLED 12 SP2 x64
4 References
1 Lab Environment
1.1 Active Directory
OS: Windows Server 2012 R2
IP: 10.117.45.99
FQDN: test-ad-host.testad.org
Domain Name: testad.org
Hostname: test-ad-host
1.2 Linux OS
CentOS 6.9 x64
CentOS 7.3 x64
Ubuntu 16.04.2 x64 Desktop
SLED 12 SP2 x64
2 Configurations on Active Directory
2.1 Install Active Directory Certificate Service on AD host to enable LDAPS
Install the Active Directory Certificate Services role, then configure the Certification Authority role service as an Enterprise root CA with the default settings and set the Common Name to TestAD-CA. Once an Enterprise CA exists, the domain controller automatically enrolls for a Domain Controller certificate and starts accepting LDAPS on TCP 636. That certificate is issued to the DC's FQDN (test-ad-host.testad.org), which is why every Linux-side configuration below uses that name and never the IP address: certificate verification would fail against 10.117.45.99.
2.2 Download CA certificate from AD host
Run mmc, add the Certificates snap-in with Computer account selected, and open Trusted Root Certification Authorities > Certificates. Right-click the TestAD-CA certificate, choose All Tasks > Export, select Base-64 encoded X.509 (.CER) as the file format and ca_cert.cer as the file name. Base-64 X.509 is PEM, so the exported file only needs to be renamed to ca-cert.pem for the Linux side; no conversion is required. Export only the certificate, never the CA private key.
2.3 Create LDAP bind user and test user on AD host
Create the bind account that sssd and ldapsearch use to read the directory, CN=ldapsearch in OU=TestOU (password Password1 in this lab), and a test user "Test User" with sAMAccountName tuser. The bind account's password ends up in clear text in sssd.conf on every Linux host, so make it an ordinary read-only domain account with no interactive logon rights and no privileged group memberships.
3 Configurations on Linux
3.1 Common Steps
Install CA cert
Copy ca-cert.pem to the Linux machine as /etc/ldap-ca/ca-cert.pem. The file is public CA material and must be readable by sssd and the ldap tools, but keep it root-owned and not writable by anyone else: whoever can replace it can present a certificate the Linux host will trust as the domain controller.
sudo mkdir /etc/ldap-ca
sudo cp ca-cert.pem /etc/ldap-ca/ca-cert.pem
Test ldap to AD
Install the ldap client tools:
Ubuntu: sudo apt install ldap-utils
CentOS: sudo yum install openldap-clients
Run the ldapsearch command below, which uses plain ldap:// (TCP 389, no encryption). The simple bind (-x) sends Password1 in clear text across the network, so treat this strictly as a lab connectivity check and never run it with production credentials:
ldapsearch -v -x -H ldap://test-ad-host.testad.org/ -b dc=testad,dc=org -D 'CN=ldapsearch,OU=TestOU,dc=testad,dc=org' -W -s sub 'cn=Test User' cn distinguishedName
When asked, type Password1 for the password; the search should return the cn and distinguishedName of Test User.
Test ldaps to AD
Before testing ldaps to AD, point the ldap tools at the CA cert file. Edit ldap.conf (Ubuntu: /etc/ldap/ldap.conf; SUSE/CentOS: /etc/openldap/ldap.conf) and set the line below:
TLS_CACERT /etc/ldap-ca/ca-cert.pem
Run the ldapsearch command below, which uses ldaps:// (TLS on TCP 636, the transport sssd is configured for later):
ldapsearch -v -x -H ldaps://test-ad-host.testad.org/ -b dc=testad,dc=org -D 'CN=ldapsearch,OU=TestOU,dc=testad,dc=org' -W -s sub 'cn=Test User' cn distinguishedName
The same check over StartTLS on TCP 389 uses a plain ldap:// URL with -ZZ; the doubled Z makes ldapsearch abort instead of falling back to clear text when TLS cannot be negotiated:
ldapsearch -v -x -ZZ -H ldap://test-ad-host.testad.org/ -b dc=testad,dc=org -D 'CN=ldapsearch,OU=TestOU,dc=testad,dc=org' -W -s sub 'cn=Test User' cn distinguishedName
When asked, type Password1 for the password, and you should get the same search result as before. A certificate error here means the CA file is wrong or the host name in the URL does not match the domain controller's certificate; fix that rather than setting TLS_REQCERT to allow or never, which would silently accept any certificate.
Configure sssd
Create /etc/sssd/sssd.conf with the content below. sssd refuses to start unless the file is owned by root with mode 0600, and those permissions are also the only thing protecting the bind password stored in it, so set them before starting the service (sudo chmod 0600 /etc/sssd/sssd.conf). Password1 is the lab value; keep the bind account read-only with no interactive logon rights.
[sssd]
config_file_version = 2
services = nss, pam
domains = testad.org

[nss]
# never let an AD object named root override the local root account
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_nowait_percentage = 75
debug_level = 8

[domain/testad.org]
# 8 is verbose tracing for the lab; lower it in production
debug_level = 8
id_provider = ldap
auth_provider = ldap
# simple with no simple_allow_users/simple_allow_groups admits every domain user;
# restrict with e.g. simple_allow_groups = linux-admins
access_provider = simple
# no offline logon with cached hashes: the DC must be reachable to authenticate
cache_credentials = false
entry_cache_timeout = 3
min_id = 1000
# LDAPS on TCP 636; the CA file plus reqcert = demand make sssd reject any
# certificate not issued by TestAD-CA or not matching the host name
ldap_uri = ldaps://test-ad-host.testad.org
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ldap-ca/ca-cert.pem
ldap_schema = ad
# algorithmic SID-to-UID/GID mapping
ldap_id_mapping = true
# AD returns referrals for other partitions; chasing them only adds timeouts
ldap_referrals = false
# read-only bind account; the password is plain text, hence the 0600 file mode
ldap_default_bind_dn = CN=ldapsearch,OU=TestOU,DC=testad,DC=org
ldap_default_authtok_type = password
ldap_default_authtok = Password1
# home directory and shell for every mapped user (override_homedir wins over
# whatever AD stores)
override_homedir = /home/%u
fallback_homedir = /home/%u
default_shell = /bin/bash
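The CA-file step, the ldaps test and the sssd.conf above all fail in the same quiet ways: a DER file where PEM is expected, a config with the wrong mode that sssd refuses, or a "working" setup whose ldap_tls_reqcert has been relaxed to make an error go away. The script below is an added example, not part of the original guide, that checks those points before sssd is started and can optionally verify the LDAPS endpoint live. It assumes the lab paths and names as defaults (override them through SSSD_CONF, CA_FILE, AD_HOST, BASE_DN, BIND_DN), GNU coreutils for stat, and openssl plus ldap-utils for the live check.

```shell
#!/usr/bin/env bash
# sssd-preflight.sh: check the CA file and sssd.conf from this guide before
# starting sssd, and optionally verify the LDAPS endpoint itself. Added example,
# not part of the original guide; defaults are the lab values. Needs GNU stat.
set -u

SSSD_CONF="${SSSD_CONF:-/etc/sssd/sssd.conf}"
CA_FILE="${CA_FILE:-/etc/ldap-ca/ca-cert.pem}"
AD_HOST="${AD_HOST:-test-ad-host.testad.org}"
BASE_DN="${BASE_DN:-dc=testad,dc=org}"
BIND_DN="${BIND_DN:-CN=ldapsearch,OU=TestOU,dc=testad,dc=org}"

warn() { printf 'WARN: %s\n' "$*" >&2; }
fail() { printf 'FAIL: %s\n' "$*" >&2; }

# conf_get FILE SECTION KEY: print the value of KEY inside [SECTION] (empty if absent).
conf_get() {
  awk -v sec="[$2]" -v key="$3" '
    { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line) }
    line == sec  { insec = 1; next }
    line ~ /^\[/ { insec = 0 }
    insec && match(line, "^" key "[ \t]*=") {
      val = substr(line, RLENGTH + 1); sub(/^[ \t]+/, "", val); print val; exit
    }' "$1"
}

mode_of()  { stat -c '%a' "$1"; }   # octal mode, e.g. 600
owner_of() { stat -c '%u' "$1"; }   # owner uid

# The CA file is public, so it only has to be a PEM certificate that non-root
# users cannot replace (a swapped CA file means a swapped domain controller).
check_ca_file() {
  local f="${1:-$CA_FILE}" m
  [ -r "$f" ] || { fail "$f is missing or unreadable"; return 1; }
  grep -q '^-----BEGIN CERTIFICATE-----' "$f" ||
    { fail "$f is not PEM (re-export as Base-64 X.509, or: openssl x509 -inform der -in ca_cert.cer -out $f)"; return 1; }
  m=$(mode_of "$f")
  case "$(printf '%s' "$m" | tail -c 2)" in        # group and other digits
    *[2367]*) fail "$f is group/world-writable (mode $m)"; return 1 ;;
  esac
  [ "$(owner_of "$f")" = 0 ] || warn "$f is not owned by root"
  return 0
}

# sssd refuses to start unless sssd.conf is root-owned and mode 0600 (which is
# also what keeps the bind password private); the other checks catch settings
# that silently weaken the setup.
check_sssd_conf() {
  local f="${1:-$SSSD_CONF}" domains d sec uri reqcert cacert
  [ -r "$f" ] || { fail "$f is missing or unreadable"; return 1; }
  [ "$(mode_of "$f")" = 600 ] || { fail "$f must be mode 0600, sssd will not start"; return 1; }
  [ "$(owner_of "$f")" = 0 ] || warn "$f is not owned by root, sssd will not start"
  domains=$(conf_get "$f" sssd domains)
  [ -n "$domains" ] || { fail "[sssd] domains is not set"; return 1; }
  for d in $(printf '%s' "$domains" | tr ',' ' '); do
    sec="domain/$d"
    uri=$(conf_get "$f" "$sec" ldap_uri)
    case "$uri" in
      ldaps://*) ;;
      ldap://*) [ "$(conf_get "$f" "$sec" ldap_id_use_start_tls)" = true ] ||
                  { fail "$sec: plain ldap:// without ldap_id_use_start_tls = true"; return 1; } ;;
      *) fail "$sec: ldap_uri is missing or not an ldap(s):// URL"; return 1 ;;
    esac
    reqcert=$(conf_get "$f" "$sec" ldap_tls_reqcert)
    case "$reqcert" in
      demand|hard|'') ;;   # '' = sssd default (hard); allow/try/never accept forged certificates
      *) fail "$sec: ldap_tls_reqcert = $reqcert disables certificate verification"; return 1 ;;
    esac
    cacert=$(conf_get "$f" "$sec" ldap_tls_cacert)
    [ -n "$cacert" ] && [ -r "$cacert" ] ||
      { fail "$sec: ldap_tls_cacert '${cacert:-unset}' is not a readable file"; return 1; }
    [ -z "$(conf_get "$f" "$sec" ldap_default_authtok)" ] ||
      warn "$sec: bind password stored in clear text; use a read-only, non-logon account"
    if [ "$(conf_get "$f" "$sec" access_provider)" = simple ] &&
       [ -z "$(conf_get "$f" "$sec" simple_allow_users)" ] &&
       [ -z "$(conf_get "$f" "$sec" simple_allow_groups)" ]; then
      warn "$sec: access_provider = simple with no allow list lets every domain user log in"
    fi
  done
  return 0
}

# Live check (needs the DC, not part of the offline tests): the chain presented
# on 636 must verify against the CA file, and a simple bind over LDAPS must work
# (ldapsearch with TLS_REQCERT demand also enforces the host name match).
check_ldaps_live() {
  local host="${1:-$AD_HOST}" ca="${2:-$CA_FILE}"
  openssl s_client -connect "$host:636" -servername "$host" -CAfile "$ca" \
    -verify_return_error </dev/null >/dev/null 2>&1 ||
    { fail "TLS verification of $host:636 against $ca failed"; return 1; }
  ldapsearch -x -H "ldaps://$host/" -b "$BASE_DN" -D "$BIND_DN" -W \
    -s base '(objectClass=*)' dn >/dev/null ||
    { fail "LDAPS simple bind to $host as $BIND_DN failed"; return 1; }
  return 0
}

case "${1:-}" in
  check)      check_ca_file && check_sssd_conf && echo "preflight OK" ;;
  check-live) check_ca_file && check_sssd_conf && check_ldaps_live && echo "preflight OK" ;;
esac
```

Run `sudo ./sssd-preflight.sh check` after writing sssd.conf and before `service sssd start`; `check-live` additionally talks to the domain controller and prompts for the bind password. Warnings are deliberate: the guide's own lab config triggers the clear-text-password and open-access warnings, and both are decisions to make consciously rather than errors.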
3.2 Setup on Ubuntu 16.04.2 x64 Desktop
Install sssd packages
sudo apt-get install sssd libpam-sss libnss-sss
Installing libnss-sss and libpam-sss adds sss to /etc/nsswitch.conf and to the PAM common-* files (through pam-auth-update), so the only manual change is home directory creation.
Edit /etc/pam.d/common-session
Edit /etc/pam.d/common-session and insert the line below after the pam_sss.so line (the option is umask=, not mask=; 0077 keeps new home directories private to their owner):
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077
Test Configuration
Run below command:
getent passwd tuser
You should get a result like below:
tuser:*:567801106:567800513:Test User:/home/tuser:/bin/bash
Run below command:
id tuser
You should get a result like below:
uid=567801106(tuser) gid=567800513(Domain Users) groups=567800513(Domain Users)
The uid and gid come from ldap_id_mapping, which derives them from the account SID: Domain Users is RID 513 in every domain, so its gid ends in 513, and the same slice base plus the user's RID gives the uid. The password field is *, as it must be; sssd never exposes password hashes through NSS.
3.3 Setup on CentOS 6.9/7.3 x64
Install sssd and oddjob-mkhomedir
sudo yum install sssd oddjob-mkhomedir
Enable sss in /etc/nsswitch.conf and in the PAM stack, including home directory creation; on CentOS authconfig does all three, but re-check /etc/sssd/sssd.conf afterwards because authconfig edits that file too:
sudo authconfig --enablesssd --enablesssdauth --enablemkhomedir --update
Start Services
sudo service sssd start
sudo service oddjobd start
Also enable both at boot (chkconfig sssd on and chkconfig oddjobd on for CentOS 6; systemctl enable sssd oddjobd for CentOS 7).
Test Configuration
Run below command:
getent passwd tuser
You should get a result like below:
tuser:*:567801106:567800513:Test User:/home/tuser:/bin/bash
3.4 Setup on SLED 12 SP2 x64
Install sssd and its LDAP provider
sudo zypper install sssd sssd-ldap
Update PAM
sudo pam-config --add --sss
sudo pam-config --add --mkhomedir --mkhomedir-umask=0077
Update /etc/nsswitch.conf
Update /etc/nsswitch.conf so the passwd, shadow and group databases consult sss after the local files (files first, so local accounts always win):
passwd: files sss
shadow: files sss
group: files sss
Test Configuration
Run below command:
getent passwd tuser
You should get a result like below:
tuser:*:567801106:567800513:Test User:/home/tuser:/bin/bash
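Each of the three Test Configuration steps above eyeballs the same getent line. The script below is an added example, not part of the original guide, that checks that line the way a reviewer would: no password hash leaking through NSS, ids above min_id, no collision with an account in the local passwd file (which "files sss" would otherwise silently shadow), and the home directory where override_homedir puts it. It also recovers the AD RID behind a mapped uid, using the fact that Domain Users is always RID 513. It assumes the guide's lab values (test user tuser, min_id 1000) as defaults; the sample passwd line in the test is the one printed in the guide.

```shell
#!/usr/bin/env bash
# verify-ad-user.sh: check what NSS hands back for a domain account once sssd
# is running. Added example, not part of the original guide; defaults are the
# lab values (test user tuser, min_id = 1000).
set -u

fail() { printf 'FAIL: %s\n' "$*" >&2; }
warn() { printf 'WARN: %s\n' "$*" >&2; }

is_uint() { case "${1:-}" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# With ldap_id_mapping = true every uid/gid is <slice base> + <RID>. Domain
# Users is RID 513 in every domain, so its gid reveals the slice base, and from
# that the RID behind any mapped uid can be recovered and compared against AD.
slice_base() { echo $(( $1 - 513 )); }                  # $1 = gid of "Domain Users"
rid_of()     { echo $(( $1 - $(slice_base "$2") )); }   # $1 = uid, $2 = gid of "Domain Users"

# check_passwd_entry ENTRY [MIN_ID] [LOCAL_PASSWD]
#   ENTRY is one line as printed by "getent passwd". Fails on: a password hash
#   exposed through NSS, an id below MIN_ID (the local range), or a uid/name
#   that collides with an account in LOCAL_PASSWD.
check_passwd_entry() {
  local entry="$1" min_id="${2:-1000}" local_passwd="${3:-/etc/passwd}"
  local name pw uid gid gecos home shell
  IFS=: read -r name pw uid gid gecos home shell <<EOF
$entry
EOF
  [ -n "$name" ] && [ -n "$shell" ] || { fail "malformed entry: $entry"; return 1; }
  case "$pw" in
    '*'|x) ;;
    *) fail "$name: password field is '$pw'; NSS must not expose hashes"; return 1 ;;
  esac
  is_uint "$uid" && is_uint "$gid" || { fail "$name: non-numeric uid/gid"; return 1; }
  [ "$uid" -ge "$min_id" ] && [ "$gid" -ge "$min_id" ] ||
    { fail "$name: uid $uid / gid $gid below min_id $min_id (overlaps local accounts)"; return 1; }
  if awk -F: -v u="$uid" -v n="$name" '$3 == u || $1 == n { found = 1 } END { exit !found }' "$local_passwd"; then
    fail "$name: uid $uid or the name already exists in $local_passwd"; return 1
  fi
  case "$home" in
    /home/*) ;;
    *) warn "$name: home is $home, not under /home (override_homedir not applied?)" ;;
  esac
  return 0
}

# check_ad_user NAME [MIN_ID]: resolve NAME through NSS, validate it and show its RID.
check_ad_user() {
  local name="$1" entry uid gid_du
  entry=$(getent passwd "$name") ||
    { fail "$name: not resolvable via NSS (sssd running? sss in nsswitch.conf?)"; return 1; }
  check_passwd_entry "$entry" "${2:-1000}" || return 1
  uid=$(printf '%s' "$entry" | cut -d: -f3)
  gid_du=$(getent group 'Domain Users' | cut -d: -f3)
  [ -z "$gid_du" ] || echo "$name: uid $uid maps to RID $(rid_of "$uid" "$gid_du")"
  return 0
}

if [ "${1:-}" = check ]; then
  check_ad_user "${2:-tuser}" "${3:-1000}"
fi
```

Run `./verify-ad-user.sh check tuser` on each host after the getent test; a uid collision or a sub-min_id id is a misconfiguration (wrong min_id or ldap_id_mapping turned off) that is far cheaper to catch here than after the first shared NFS mount.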