Active Directory Configuration
The Active Directory authentication is configured almost the same way as slapd, but with a few additions.
By default, the PAM LDAP module binds anonymously and looks for a login attribute named "uid". The ldap.conf configuration described previously may work for Active Directory servers if the AD server allows anonymous binds and the accounts to be authenticated are of type "posixAccount", or are at least objects with a "uid" attribute.
Often, Active Directory servers do not allow anonymous binding, and the object classes of the user database do not include "posixAccount". So, the ldap.conf file must include a user name and password for binding purposes and a directive to look for an attribute other than "uid".
Adding these entries allows ingvalidpam to authenticate against Active Directory, assuming the accounts have the login attribute sAMAccountName:
binddn CN=proxySearch,OU=myCity,OU=USA,OU=Americas,DC=myDomain,DC=com
bindpw mySecretPassword
pam_login_attribute sAMAccountName
Because the bind DN and password appear in cleartext in a world-readable file, a dedicated user "proxySearch" is created to perform the Active Directory lookup. The permissions on "proxySearch" can be restricted so that this user can only search the Active Directory. For testing purposes, you can use your own user name and password instead.
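The following is an added example, not part of the original documentation or the ingvalidpam product: it parses a pam_ldap-style ldap.conf of the kind shown above and flags the two problems this section describes, a missing bind identity or login attribute, and a cleartext bindpw sitting in a group- or world-readable file. The file contents, host and DN values are constructed for illustration.

```python
"""Audit an ldap.conf for the Active Directory settings described above.
Added example; the sample file below is constructed, not a real deployment."""
import os
import stat

# Constructed sample ldap.conf using the directives this section describes.
SAMPLE_LDAP_CONF = """\
# hypothetical ldap.conf for an AD domain
uri ldap://myHost.myDomain.com:389
base DC=myDomain,DC=com
binddn CN=proxySearch,OU=myCity,OU=USA,OU=Americas,DC=myDomain,DC=com
bindpw mySecretPassword
pam_login_attribute sAMAccountName
"""

MISSING_BINDDN = "missing binddn: AD servers usually reject anonymous binds"
WRONG_LOGIN_ATTR = "pam_login_attribute is not sAMAccountName"
EXPOSED_BINDPW = "bindpw is cleartext in a group/world-readable file"


def parse_ldap_conf(text):
    """Return {directive: value}; ldap.conf is one 'key value' pair per line,
    directives are case-insensitive, and '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)          # split on first run of whitespace
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def check_ad_config(conf, mode):
    """Return a list of findings for a parsed config and its file mode bits."""
    findings = []
    if "binddn" not in conf:
        findings.append(MISSING_BINDDN)
    # pam_ldap falls back to "uid" when the directive is absent.
    if conf.get("pam_login_attribute", "uid") != "sAMAccountName":
        findings.append(WRONG_LOGIN_ATTR)
    if "bindpw" in conf and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(EXPOSED_BINDPW)
    return findings


def audit_file(path):
    """Parse the file at `path` and check it against its actual permissions."""
    with open(path) as fh:
        conf = parse_ldap_conf(fh.read())
    return check_ad_config(conf, stat.S_IMODE(os.stat(path).st_mode))
```

An empty list from check_ad_config means the bind identity and login attribute are set and the password is not readable by other local users; a restricted search-only account such as "proxySearch" still limits the damage if the file is exposed.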
Browse Active Directory Database
To find the format of Distinguished Names, you may have to browse the Active Directory database.
The ldapsearch command lists all of the contents of the Active Directory database.
To browse the Active Directory database
1. Issue the following command:
ldapsearch -V -Y DIGEST-MD5 -H ldap://myHost.myDomain.com:389 '(objectclass=*)'
You can use the objectclass filter without wildcards to limit the search.
You are prompted for a password.
2. Enter the password of your own Active Directory account.
Example—The following ldapsearch command browses the Active Directory for the user "johnDoe@myDomain.com", whose sAMAccountName is "johnDoe", and can serve as a test of the ldap.conf configuration:
ldapsearch -x -W -D "johnDoe@myDomain.com" -LLL "(sAMAccountName=johnDoe)"
Last modified date: 01/30/2023