Created
December 22, 2014 18:37
nslcd.conf configuration for Cumulus Linux KB on LDAP Authentication.
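# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5) for details.
#
# This file holds the LDAP bind credential (bindpw), so it must stay readable
# by root/nslcd only (mode 0600) and must never be published with a real
# password in it.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
# ldaps:// gives TLS from the first byte; the CA file below is what lets
# nslcd verify the server certificate.
uri ldaps://myadserver.rtp.example.test

# The search base that will be used for all queries.
base ou=support,dc=rtp,dc=example,dc=test

# The LDAP protocol version to use.
#ldap_version 3

# The DN to bind with for normal lookups.
# debconf-set-selections doesn't seem to set this, so it has to be set manually.
binddn CN=cumulus admin,CN=Users,DC=rtp,DC=example,DC=test
# Placeholder only: put the real bind password here on the host, never in a
# shared or published copy of this file.
bindpw CHANGE_ME_BIND_PASSWORD

# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# SSL options
#ssl off (default)
# 'ssl off' is not good: it does not prevent man-in-the-middle attacks.
# tls_reqcert demand is the default; it is set explicitly here so the server
# certificate is always verified against the CA file below.
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/rtp-example-ca.crt

# The search scope.
#scope sub

# Add nested group support.
# Supported in nslcd 0.9 and higher. The default wheezy install of nslcd is
# only 0.8; wheezy-backports has 0.9.
nss_nested_groups yes

# Mappings for Active Directory
# (replace the SIDs in the objectSid mappings with the value for your domain;
# it must be the domain's objectSid, i.e. a user's objectSid minus the final
# per-account RID component).
# "dsquery * -filter (samaccountname=testuser1) -attr ObjectSID" where cn == 'testuser1'
pagesize 1000
referrals off
idle_timelimit 1000

# Do not allow uids lower than 1000 to login (aka Administrator).
# Not needed here as pam already has this support.
#nss_min_uid 1000

# This filter says to get all users who are part of the cumuluslnxadm group. Supports nested groups.
# Example: mary is part of the snrnetworkadm group, which is part of the cumuluslnxadm group.
# Ref: http://msdn.microsoft.com/en-us/library/aa746475%28VS.85%29.aspx (LDAP_MATCHING_RULE_IN_CHAIN)
filter passwd (&(Objectclass=user)(!(objectClass=computer))(memberOf:1.2.840.113556.1.4.1941:=cn=cumuluslnxadm,ou=groups,ou=support,dc=rtp,dc=example,dc=test))
map passwd uid sAMAccountName
map passwd uidNumber objectSid:S-1-5-21-1391733952-3059161487-1245441232
map passwd gidNumber objectSid:S-1-5-21-1391733952-3059161487-1245441232
map passwd homeDirectory "/home/$sAMAccountName"
map passwd gecos displayName
map passwd loginShell "/bin/bash"

# Filter for any AD group or user in the baseDN. The reason for also matching the
# user is to make sure group listings for a user's files don't say '<user> <gid>';
# instead they will say '<user> <user>'. So for cosmetic reasons, nothing more.
filter group (&(|(objectClass=group)(Objectclass=user))(!(objectClass=computer)))
map group gidNumber objectSid:S-1-5-21-1391733952-3059161487-1245441232
map group cn sAMAccountName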
Hah! at least it works now:
The specified S-1-5-21-... must be the objectSid of the domain!
(The question of why this works still remains.)