This article describes how to achieve single sign on with Active Directory using Identity Management for Unix (available in Windows 2003 R2 and above) or Services for Unix 3.5.
Before starting, you need to setup Identity Management for UNIX. If you are using Windows Server prior to 2003 R2, you can use Services for Unix 3.5 which can be downloaded from here.
Setup and Configure LDAP User Information
It is recommended to an Active Directory enabled DNS server, this will ensure that the LDAP lookups and Kerberos authentication will work properly. Also, provide a user account dedicated for the LDAP authentication.
1. Click System, select Administration and click Authentication. This will launch the Authentication Configuration window.
2. Check Enable LDAP Support and click the Configure LDAP button.
3. Fill in the LDAP Search Base DN and LDAP Server fields. Click Ok when you are done.
4. Click the Options tab and check Local authorization is sufficient for local users and Create home directories on the first login. Click Ok when you are done.
4. Edit the file /etc/ldap.conf and add the following lines below.
binddn user account bindpw password for binddn nss_map_objectclass posixAccount User nss_map_objectclass posixGroup Group nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uid msSFU30Name nss_map_attribute uidNumber msSFU30UidNumber nss_map_attribute gidNumber msSFU30GidNumber nss_map_attribute homeDirectory msSFU30HomeDirectory nss_map_attribute loginShell msSFU30LoginShell
If you are not using an Active Directory enabled DNS server, you need to add the line referrals no to make this work.
5. Type in getent passwd in a terminal window. You should see your Active Directory user accounts.
6. Type in getent group in a terminal window. You should see your Active Directory groups.Setup and Configure Kerberos Authentication
The Kerberos network authentication protocol requires the clocks of the involved machines to be synchronized or at least the difference is less than 5 minutes.
1. Launch the Authentication Configuration window. Click the Authentication tab and check the Enable Kerberos Support. Next, click the Configure Kerberos button.
2. In the Kerberos Settings window, fill in the Realm, clear out KDC and Admin Servers and check the Use DNS to locate KDCs for realms. Realm is usually your domain name capitalized, capitalization is important. KDC is your Active Directory server. Click Ok when you’re done.To make sure that your KDC can be automatically located, type in the command host -t any _kerberos._tcp.acme.local in a terminal window. Replace acme.local with your own realm. If it replies “_kerberos._tcp.acme.local has SRV record …” then it works. This should work if you are using an Active Directory enabled DNS server. Otherwise, you need to manually fill in the KDC field above. You can specify more than one KDC by separating each server with a comma or space.
3. Test Kerberos by typing in kinit username in a terminal window. If you need help in making sense of the kinit error messages, check out Test the Kerberos Authentication.That’s it, you should now be able to login using Active Directory user accounts.
The version of sudo that comes with RHEL/CentOS 5 does not work with non local user accounts. While this is not yet fixed, use the sudo rpm package for Fedora 8.