The Active Directory authentication is configured almost the same way as slapd, but with a few additions.

By default, the PAM LDAP module binds anonymously and looks for login attributes of type "uid". The previously described ldap.conf configuration may work for Active Directory servers if the AD server allows anonymous binds and that the authentication accounts of interest are of type "posixAccount", or at least an object with a "uid" attribute.

Often, Active Directory servers do not allow anonymous binding, and the object classes of the user database do not include "posixAccount". So, the ldap.conf file must include a user name and password for binding purposes and a directive to look for an attribute other than "uid".

Adding these entries allows ingvalidpam to authenticate against the Active Directory, assuming they have the login attribute sAMAccountName:

Since the bind domain and password are presented in cleartext in a world-readable file, the user "proxySearch" is created to perform the Active Directory lookup. The permissions on "proxySearch" can be set so that the "proxySearch" user can only search the Active Directory. You can use your own user name and password for testing purposes.