Active directory and linux nslcd bind without AD schema extension
I have a requirement to bind Linux clients to Active Directory on Windows Server 2012. I have a test environment where I have successfully done this with both samba-winbind-kerberos and nslcd, using a user for authentication. However, with samba-winbind-kerberos I was able to achieve this without extending the AD schema to include UNIX attributes (UID / GID, home directory, shell), since smb.conf has the idmap capability: specifying the starting range
idmap config *:range = 11000-20000
takes care of the UNIX mapping of the UID / GID of the AD users.
If I do not enable UNIX attributes in AD, I get an error in the nslcd debug log that says
uidNumber: missing
Is it possible to use the same function in nslcd / libnss_ldap so that I don't need to extend the AD schema on the Windows 2012 server? I would prefer not to use Samba in production because of the remote code execution vulnerability.
Using CentOS Linux 7.4.1708 (Core) with nslcd version 0.8.13 against a Windows 2016 AD without schema extension, I was able to configure this and get it working today.
I mainly used the Serverfault article "Checking LDAP on CentOS 7" and had to use the section "Alternative mappings for Active Directory" in /etc/nslcd.conf, replacing the SIDs in the objectSid mappings with the value for your domain. To "Get SID by your objectSID using ldapsearch" I used the linked script.
The other mappings were set to:
filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
map passwd uid sAMAccountName
map passwd uidNumber objectSid:<yourValue>
map passwd gidNumber primaryGroupID
map passwd homeDirectory "/home/$sAMAccountName"
map passwd gecos displayName
map passwd loginShell "/bin/bash"
map group gidNumber primaryGroupID
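The objectSid mapping above needs the domain SID in S-1-5-21-... form, but ldapsearch returns objectSid as a base64-encoded binary blob. The following is an added example (not the answerer's linked script) that decodes that blob, splits off the domain SID for the nslcd mapping, and shows the RID that nslcd will then use as uidNumber; the SID values are constructed sample data.

```python
import base64
import struct

def encode_sid(sid: str) -> bytes:
    """Build the binary SID layout AD stores: revision, sub-authority count,
    48-bit big-endian identifier authority, then little-endian 32-bit sub-authorities."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def decode_sid(raw: bytes) -> str:
    """Convert binary objectSid bytes into S-1-... string form, validating the length."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, sub_count = raw[0], raw[1]
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % sub_count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def parse_ldif_objectsid(line: str) -> str:
    """Decode an 'objectSid:: <base64>' line as printed by ldapsearch."""
    attr, sep, value = line.partition(":: ")
    if attr.strip() != "objectSid" or not sep:
        raise ValueError("expected an 'objectSid:: ' LDIF line")
    return decode_sid(base64.b64decode(value.strip()))

def split_sid(sid: str) -> tuple:
    """Return (domain SID for 'map passwd uidNumber objectSid:<domain SID>', RID).
    nslcd derives the numeric uidNumber from the trailing RID, so IDs are only
    unique within one domain; a multi-domain forest needs a range per domain."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

# Constructed sample user SID (not a real domain) and its LDIF line as ldapsearch shows it.
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE_LDIF = "objectSid:: " + base64.b64encode(encode_sid(SAMPLE_SID)).decode()

if __name__ == "__main__":
    domain_sid, rid = split_sid(parse_ldif_objectsid(SAMPLE_LDIF))
    print("map passwd uidNumber objectSid:%s   # user will get uid %d" % (domain_sid, rid))
```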