Active Directory Integration Index

To help make it easier to find the various Active Directory integration articles I’ve written, I’m including links below to the latest version of each article. As new versions of an article are published, I can simply update this link to point to the new version.

I’ve grouped the integration articles according to product below.

Linux

Latest version for Windows Server 2008 (“Longhorn”)

Latest version for Windows Server 2003 R2

Latest version for Windows 2000 Server and Windows Server 2003 (pre-R2)

SuSE Linux Enterprise Desktop (SLED)-specific version

Solaris 10

Latest version for Solaris 10 x86

Firewalls

Latest version for Cisco PIX VPN

Latest version for WatchGuard Firebox VPN

VMware ESX Server

Latest version for ESX Server 2.5.x

Latest version for ESX Server 3.0.x

OpenBSD

Latest version for OpenBSD 3.9

Networking Equipment and Protocols

Latest version for 802.1x

Latest version for Cisco IOS

As new articles are published or existing articles are revised with new versions, I’ll update this post accordingly.


14 comments

  1. Clif Smith

    Have you ever tried AD with AIX?

    Thanks, Clif

  2. slowe

    Clif,

    Unfortunately, I haven’t had the opportunity to do any AIX-AD integration, though I would certainly love to give it a try.

    Scott

  3. Vadim Pushkin

    Scott,

    I currently use NIS and I need to get my Solaris 8, 9 & 10 machines to use AD for at least passwd, netgroup, group and my various automounter maps. At some point I would like to integrate my entire set of NIS maps, but the ones mentioned above are the most important.

    I’ve seen, but have not tested, articles on setting up Solaris 9 and 10, but none for 8. My understanding of how PAM works is very limited, and I understand that PAM would play a major role here.

    Can you, or someone else reading this, recommend what steps and software I would need to do this? Ideally, I would be talking to my AD server using either SSL or a similar crypto solution.

    Many thanks,

    .vp

    PS: I’ve looked at winbind and found that it would not work for ssh auth.

  4. Rob Batey

    Wondering if anyone has run across either articles on integrating AD with a java app server (such as BEA’s WebLogic Server) via SPNEGO, or articles troubleshooting AD to non-MS application servers. I’ve got most of it worked out, but having issues with certain user IDs in AD not authenticating properly, even from the same client machine.

    Thanks!
    Rob

  5. Suresh

    I am looking for a setup as follows:

    DNS – Runs on Linux
    ADS – Windows 2000 or Windows 2003 – Pointing to Linux DNS (BIND 9)
    RADIUS authentication for admins to access PIX and other network resources, including servers

    Could you please guide me if you have any resources?

    Many thanks,

    Suresh

  6. slowe

    Suresh,

    A quick Google search should give you plenty of information on using BIND as your DNS for Active Directory. I personally haven’t had the opportunity to do it, so I can’t share any information with you. Likewise, a perusal of the Cisco web site or a Google search should turn up plenty of information on using RADIUS to handle PIX authentication. You can also refer to my article on PIX VPN integration with Active Directory (link above).

  7. msb

    We’re having some real goofy experiences with the Unix Identity Management components of R2 within our network…

    Situation: we’re running an SBS 2003 R2 domain with a member server (also a DC) that is Server 2003 x64 R2. The member server has Unix Id Management installed on it. Also installed on the primary DC (i.e., the SBS server) is the IDMU.EXE as described in ( http://support.microsoft.com/kb/921913 ) to ensure all the properties tabs are there (they are).

    When we query the 2003 LDAP database for Unix attributes, they can only be seen if the user whose attributes we want to access is the one accessing LDAP. For example, on the “Unix Attributes” tab we have set up information for home directories, uid, etc. on a user called test. If we use an LDAP browser and bind using the test user we can see the attributes, but if we bind using a generic user (as anticipated in just about every how-to we’ve come across), the Unix attributes cannot be seen.

    All of the recommendations for accessing Unix attributes through LDAP create a proxy user to access the attributes for authorization purposes, but if this proxy user cannot see the attributes, then obviously something is not working.

    Any insight on how the permissions are supposed to be set up within AD to ensure LDAP bindings are successful?

    Thanks!

  8. slowe

    MSB,

    I haven’t run into any situations in which an ordinary user (UNIX-enabled or not) can’t be used as the proxy account for nss_ldap to look up attributes. Then again, I haven’t done any testing on SBS, so it’s entirely possible that the permissions on the attributes are different. You might try granting the permission to read the UNIX attributes to your proxy account to see if that helps at all. Good luck, and keep us posted!

  9. Mark

    I previously had an Apache server configured to authenticate against AD using a service account. Everything worked fine, until the primary DC tanked one day. The failover did not work, and when the primary DC was brought up, the LDAP auth did not work any more. Upon investigation, the SPN (as viewed in adsiedit.msc) had duplicate entries, so I deleted them, thinking that ktpass would regenerate the mapping. HOWEVER:

    ktpass.exe -princ [email protected] -mapuser service.svc -crypto des-cbc-md5 +DesOnly -pass password -kvno 19 -ptype KRB5_NT_PRINCIPAL -out keytab.keytab
    Targeting domain controller: domaincontroller.domain.com
    Failed to set property "servicePrincipalName" to "boxname.domain.com" on Dn "CN=service.svc,OU=ServiceAccounts,DC=Domain1,DC=Domain2,DC=com": 0x13.
    WARNING: Unable to set SPN mapping data.
    If service.svc already has an SPN mapping installed for boxname.domain.com, this is no cause for concern.
    Key created.
    Output keytab to keytab.keytab:
    Keytab version: 0x502
    keysize 75 [email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 19 etype 0x3 (DES-CBC-MD5)
    keylength 8 (0x19624394c2434fb5)
    Account service.svc has been set for DES-only encryption.

    so, question: what is my best course of action from this point?

    thanks

  10. juna

    Hi, I need to set up Active Directory via PAM on AIX 5.2. Any idea? Thanks.

  11. kathy

    Hi,
    I have a server running Red Hat Enterprise Linux ES release 4 (Nahant Update 6). We have LDAP configured on it. Here are several problems that we have encountered, and I’m wondering if anyone else has seen them:
    1. Doing the following causes a segmentation fault:
    #getent -s 'dns ldap' passwd
    Segmentation fault
    2. Using sudo gets the following error:
    #sudo getent passwd
    Password:
    sudo: ../../../libraries/liblber/sockbuf.c:90: ber_sockbuf_ctrl: Assertion `sb != ((void *)0)' failed.
    Aborted
    Any comments are appreciated.
    Regards,
    Kathy

  12. Jesse

    Have you tried AD auth with OSX? What I am specifically looking for is auto-binding a mac system to AD like you can a windows system via a script.

    Thoughts?

  13. slowe

    Jesse, I have not. In fact, I haven’t messed with AD integration in a couple of years—it’s just not a focus area for me any longer. Sorry!
