Sunday, March 9, 2008

Authenticating Linux to AD using idmap_ldap.

If the Active Directory schema has not been extended with Unix/Linux attributes, the simplest and least error-prone way to authenticate a Linux system to AD is the idmap_rid backend. idmap_ldap can be used for the same purpose: the SID-to-uid/gid mappings are stored in a backend LDAP server and looked up there whenever they are needed. It was the dominant choice before the idmap_rid plugin was written, so I am including details on how to configure it.

The drawback of the idmap_ldap backend is that it needs an additional LDAP server, possibly more than one for redundancy, which makes the services a bit more complex to administer and manage. If there is already an LDAP server on the network, using it is fine. Below are step-by-step instructions for configuring the LDAP server and Samba for this purpose. OpenLDAP is used as the LDAP server in this setup.

How to set up the LDAP server?

1 - Install openldap-servers package.

# yum install openldap-servers

2 - Below is my slapd.conf after removing comments. Note that samba.schema is not part of openldap-servers; it ships with the samba package (under /usr/share/doc/samba-*/LDAP/) and has to be copied into /etc/openldap/schema/ first, or slapd will refuse to start because of the missing include.

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
# samba.schema defines sambaSidEntry, sambaIdmapEntry and sambaUnixIdPool,
# the object classes winbind uses for its idmap entries
include /etc/openldap/schema/samba.schema
allow bind_v2
# pidfile must name a file, not a directory (the stock RHEL value is
# /var/run/openldap/slapd.pid)
pidfile /var/run/openldap/
argsfile /var/run/openldap/slapd.args
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# slapd.pem holds both the certificate and the private key, see step 3
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
database bdb
suffix "dc=samba,dc=example,dc=com"
rootdn "cn=admin,dc=samba,dc=example,dc=com"
# A clear-text rootpw is readable by anyone who can read this file; generate
# a hash with slappasswd and put the {SSHA}... string here instead
rootpw password
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

3 - Below are the details of how I created slapd.pem.

# cd /etc/pki/tls/certs
# rm -f slapd.pem
# make slapd.pem

Answer each prompt as appropriate. The Common Name must be the hostname that Samba will later put in the ldaps:// URL, because the OpenLDAP client library checks the certificate name against the host it connected to.

# chown ldap.ldap slapd.pem

The file contains the private key as well as the certificate (which is why slapd.conf points both TLSCertificateFile and TLSCertificateKeyFile at it), so it must stay readable only by the ldap user; the Makefile creates it with mode 0600, and it should stay that way.

4 - Use the simple LDIF file given below to initialize the LDAP database.

dn: dc=samba,dc=example,dc=com
dc: samba
objectClass: top
objectClass: domain

dn: ou=idmap,dc=samba,dc=example,dc=com
ou: idmap
objectClass: top
objectClass: organizationalUnit

Initialize the database with slapadd while slapd is stopped:

# slapadd -d 3 -l ldif-file

slapadd runs as root and leaves the files in /var/lib/ldap owned by root, so run chown -R ldap:ldap /var/lib/ldap afterwards; otherwise slapd, which the init script starts as the ldap user, cannot open its database.

If you already have an LDAP server running in your network, just add an OU named idmap under your existing naming context, add a user to the LDAP database and give that user write permission to the OU (an access directive in slapd.conf limited to the idmap subtree). Use that user, not the rootdn, as the "ldap admin dn" in smb.conf below, and set "ldap suffix" and "ldap idmap suffix" to match your tree.

5 - Start the LDAP server with service ldap start.

How to set up the Samba server?

I only include my smb.conf and some basic details on setting this up. The blank values are site-specific; security = ads additionally needs realm = set to the AD Kerberos realm and a working /etc/krb5.conf. Two points matter for idmap_ldap in particular. First, idmap uid and idmap gid must be identical on every Samba host that shares this LDAP idmap store, because the next free id is tracked in the directory rather than per host. Second, idmap backend points at an ldaps:// URL and slapd.pem is self-signed, so the OpenLDAP client library that Samba links against must trust that certificate: set TLS_CACERT in /etc/openldap/ldap.conf on each Samba host to a file containing the slapd certificate (or the CA that signed it), otherwise the connection fails the certificate check and winbind cannot store or look up any mapping.

[global]
workgroup =
netbios name =
server string = RHEL4 Idmap Ldap Backend
security = ads
password server =
log file = /var/log/samba/%m.log
max log size = 50
printcap name = /etc/printcap
ldap admin dn = cn=admin,dc=samba,dc=example,dc=com
ldap delete dn = yes
ldap idmap suffix = ou=idmap
ldap suffix = dc=samba,dc=example,dc=com
idmap backend = ldap:"ldaps://ip or hostname of ldap server"
idmap uid = 1500-100000
idmap gid = 1500-100000
winbind separator = +
winbind use default domain = yes
cups options = raw
template shell = /bin/bash
winbind enum users = yes
winbind enum groups = yes

[homes]
comment = Home Directories
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

Store the password for the "ldap admin dn" in Samba's secrets.tdb so that winbind can bind to the directory:

# smbpasswd -w password

Here password is the rootpw we set in slapd.conf in step 2 (if you hashed rootpw with slappasswd, give the clear-text password here). This has to be done on every Samba host that uses the LDAP idmap store.

Here is what happens at run time. Suppose there are 1000 users, user1 to user1000, in AD. When user1 logs in to machine A, winbind on machine A checks whether a SID-to-uid mapping for user1 already exists in the LDAP database. If it finds one, it assigns that uid to user1. If it does not, it takes the next free uid from the configured range, assigns it to user1 and writes the new SID/uid mapping to LDAP. The "next free" value is itself kept in the directory, in a sambaUnixIdPool object that winbind creates under the idmap suffix and advances with an LDAP modify each time it allocates an id, which is what stops two hosts from handing out the same uid. When user1 later logs in to machine B, winbind on machine B looks up the same LDAP database, finds the existing mapping and assigns the same uid, so user1's files carry the same ownership on both machines.

Below is an example of how a SID/uid mapping is represented in the LDAP database (under the suffix configured above).

dn: sambaSID=S-1-5-21-2913803998-3319354983-1616611311-1001,ou=idmap,dc=samba,dc=example,dc=com
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
uidNumber: 1504
sambaSID: S-1-5-21-2913803998-3319354983-1616611311-1001

The above entry says that the AD user with SID S-1-5-21-2913803998-3319354983-1616611311-1001 is to be assigned uid 1504. A group mapping looks the same except that it carries gidNumber instead of uidNumber.
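Once several hosts share the OU, the problems that appear are the ones no single winbind can see: a uid handed to two SIDs after someone hand-edited the pool, or entries outside the configured range left behind after the range in smb.conf was changed. The following shell script is an added example, not part of the original post, that audits an LDIF export of the idmap OU for exactly these problems. It assumes the entry layout shown above (sambaIdmapEntry objects with sambaSID plus uidNumber or gidNumber, attribute names as in samba.schema), unfolds the continuation lines that ldapsearch produces, skips the sambaUnixIdPool object and reports duplicate SIDs, duplicate uids/gids and ids outside the LOW-HIGH range given on the command line. The function name audit_idmap and the sample LDIF at the end are mine; the sample is constructed for the demonstration and the extra SIDs ending in -1002 and -1003 are invented.

```shell
#!/bin/sh
# Added example: audit an LDIF export of the idmap OU. Assumes the entry
# layout shown in the post (sambaIdmapEntry with sambaSID plus uidNumber
# or gidNumber) and the attribute names from samba.schema.

# Join LDIF continuation lines: ldapsearch folds long lines at 76 columns
# and starts each continuation with a single space.
ldif_unfold() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (started) print buf; buf = $0; started = 1 }
        END { if (started) print buf }
    '
}

# audit_idmap LOW HIGH  < ldif
# Prints one finding per line (DUP-SID, DUP-UID, DUP-GID, RANGE, NO-SID);
# returns 1 if anything was found, 0 if the export is clean.
# Base64 (::) attribute values are not decoded; these attributes never use them.
audit_idmap() {
    low=${1:?usage: audit_idmap LOW HIGH}
    high=${2:?usage: audit_idmap LOW HIGH}
    findings=$(ldif_unfold | awk -v low="$low" -v high="$high" '
        function reset() { dn = ""; sid = ""; uid = ""; gid = ""; isidmap = 0 }
        function check(kind, id, seen) {
            if (id + 0 < low + 0 || id + 0 > high + 0)
                print "RANGE " kind " " id " outside " low "-" high " in " dn
            if (id in seen) print "DUP-" toupper(kind) " " id " in " dn " and " seen[id]; else seen[id] = dn
        }
        function emit() {
            if (dn == "") return
            if (isidmap) {      # the sambaUnixIdPool entry and anything else is skipped
                if (sid == "") print "NO-SID " dn
                else if (sid in sidseen) print "DUP-SID " sid " in " dn " and " sidseen[sid]
                else sidseen[sid] = dn
                if (uid != "") check("uid", uid, uidseen)
                if (gid != "") check("gid", gid, gidseen)
            }
            reset()
        }
        BEGIN { reset(); split("", sidseen); split("", uidseen); split("", gidseen) }
        /^$/ { emit(); next }
        /^#/ { next }
        {
            i = index($0, ":"); if (i == 0) next
            name = tolower(substr($0, 1, i - 1)); val = substr($0, i + 1)
            sub(/^ +/, "", val)      # attribute names are case-insensitive in LDAP
            if (name == "dn") dn = val
            else if (name == "objectclass" && tolower(val) == "sambaidmapentry") isidmap = 1
            else if (name == "sambasid") sid = val
            else if (name == "uidnumber") uid = val
            else if (name == "gidnumber") gid = val
        }
        END { emit() }
    ')
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample export: the pool entry, two good mappings, a uid handed
# out twice and a uid outside the range (SIDs -1002 and -1003 are invented).
SAMPLE_LDIF=$(cat <<'EOF'
dn: ou=idmap,dc=samba,dc=example,dc=com
objectClass: organizationalUnit
objectClass: sambaUnixIdPool
ou: idmap
uidNumber: 1506
gidNumber: 1506

dn: sambaSID=S-1-5-21-2913803998-3319354983-1616611311-1001,ou=idmap,dc=samba,
 dc=example,dc=com
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
uidNumber: 1504
sambaSID: S-1-5-21-2913803998-3319354983-1616611311-1001

dn: sambaSID=S-1-5-21-2913803998-3319354983-1616611311-513,ou=idmap,dc=samba,
 dc=example,dc=com
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 1505
sambaSID: S-1-5-21-2913803998-3319354983-1616611311-513

dn: sambaSID=S-1-5-21-2913803998-3319354983-1616611311-1002,ou=idmap,dc=samba,
 dc=example,dc=com
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
uidNumber: 1504
sambaSID: S-1-5-21-2913803998-3319354983-1616611311-1002

dn: sambaSID=S-1-5-21-2913803998-3319354983-1616611311-1003,ou=idmap,dc=samba,
 dc=example,dc=com
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
uidNumber: 100001
sambaSID: S-1-5-21-2913803998-3319354983-1616611311-1003
EOF
)

# Run on the sample: expect a DUP-UID finding and a RANGE finding.
printf '%s\n' "$SAMPLE_LDIF" | audit_idmap 1500 100000 || echo "audit: idmap store needs attention"
```

Against a live directory the export comes from ldapsearch, e.g. ldapsearch -x -LLL -b ou=idmap,dc=samba,dc=example,dc=com | audit_idmap 1500 100000, with the same LOW-HIGH values as idmap uid in smb.conf. A DUP-UID or DUP-GID finding means two AD accounts own each other's files on every host that uses the store, which is why the script exits non-zero and is worth running from cron.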

Join the domain with net ads join -U followed by an account allowed to join machines, restart winbind (service winbind restart) and verify: wbinfo -u and wbinfo -g should list the AD users and groups, getent passwd user1 should return the uid winbind allocated, and an ldapsearch of the idmap OU (ldapsearch -x -b ou=idmap,dc=samba,dc=example,dc=com) should show a new sambaIdmapEntry for each SID resolved so far. Run the same getent on a second Samba host pointed at the same LDAP server; the uid must match.


James said...

Great example, this is what I am trying to do currently. However, is it possible to manually specify which Unix UID I would like to use for this? I mean in your example the Unix uid is 1504. Could I match it to 5602 if I wanted?
I am trying to use Winbind through ADS and map that AD user to a specific Unix UID. Any idea if that is possible? I cannot find anything on the web.

Shivlu Jain said...

Hi Sadique,

I have one Windows 2003 domain controller. Now in my company we have Linux machines and I want to authenticate those Linux machines against the Windows domain controller. Can you tell me how to do this for Linux?


Sadique Puthen said...


With idmap_tdb, idmap_rid and idmap_ldap, it's not possible to assign a uid or gid of your choice. It's assigned automatically by winbind depending upon the arithmetic calculations explained in my blogs. However, you can use idmap_ad, where you can assign a uid of your choice in AD. See my blog on how to configure idmap_ad for more details.

There are ways to assign your own uids with idmap_ldap by manually editing ldap entries, but they are rude. If you want details of them, please email me.


Jigar said...

Do you have any idea about configuring LDAP with SQL in Linux?