On 9/24/09, Sandeep Deshmukh sandeepd5@yahoo.co.in wrote:
> Presently I am using qmail-ldap on SuSE, but now I want qmail to integrate with AD and authenticate the users from there. Please send
Since you are using qmail-ldap you can do the following 3 steps:
1. Configure ldap to authenticate against the Active Directory controller by changing ldap.conf appropriately (keep a backup copy of ldap.conf before doing this):

host ip_address_of_ad_server
base cn=Users,dc=example,dc=com
binddn cn=dirsearch,cn=Users,dc=example,dc=com
bindpw Directory
scope sub
ssl no
nss_base_passwd cn=Users,dc=example,dc=com?sub
nss_base_shadow cn=Users,dc=example,dc=com?sub
nss_base_group cn=Users,dc=example,dc=com?sub
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_objectclass posixGroup Group
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute cn cn
pam_login_attribute sAMAccountName
pam_filter objectclass=user
pam_member_attribute msSFU30PosixMember
pam_groupdn cn=unixusergroup,dc=example,dc=com
pam_password ad
2. Install nss_ldap, which provides NSS (name service switch). NSS allows users to live in LDAP transparently to the application: if your application authenticates against /etc/passwd and /etc/shadow, you will now be able to authenticate against LDAP. There are many checkpassword programs available which authenticate against /etc/passwd and /etc/shadow. After configuring nss_ldap, the same checkpassword will be able to authenticate against LDAP. Since LDAP has been configured to authenticate against ADS, your authentication against ADS should work.
3. On the Windows box, authenticate to the domain controller as a user that has schema admin rights. Extract the files from Microsoft's Services for Unix 3.5 to a location such as c:\temp\sfu. Create a basic user for the LDAP bind. The password should be set not to expire, and the user should not be allowed to change the password. This account should be used only for binding the Linux device to the Active Directory.
> me the procedure & the installables for the same. It's urgent.
If it is urgent, why don't you put up a test box and try it out?
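Before wiring the checkpassword into qmail-popup, it pays to sanity-check the ldap.conf from step 1 and to drive the checkpassword by hand. The script below is an added example for this thread, not code from the original posts nor from nss_ldap, pam_ldap or qmail. It assumes the SFU 3.5 attribute names used in step 1; the ldap.conf text embedded in it is constructed for the demo (two POSIX attributes are deliberately left unmapped so the check has something to report; the thread's config maps all of them), the host 192.0.2.10 is a placeholder, and the lint messages reflect three practitioner caveats: plain AD has none of the passwd(5) attributes, so every one must be mapped; `ssl no` sends the bind password and every user password in the clear, and `pam_password ad` will not work at all without an encrypted session because AD refuses unicodePwd changes over plain LDAP; and a `bindpw` in ldap.conf is readable by every process that resolves names, so the `rootbinddn` / `/etc/ldap.secret` (mode 0600) mechanism is the better place for it. The checkpassword functions implement the djb interface: three NUL-terminated strings on fd 3, exit 0 on success.

```python
"""Pre-flight checks for an ldap.conf aimed at Active Directory, plus a
driver for the checkpassword interface. Added example, not from the thread."""
import os
import subprocess

# Constructed sample config. gecos and loginShell are intentionally NOT
# mapped so missing_posix_mappings() has something to report.
SAMPLE_LDAP_CONF = """\
host 192.0.2.10
base cn=Users,dc=example,dc=com
binddn cn=dirsearch,cn=Users,dc=example,dc=com
bindpw Directory
scope sub
ssl no
nss_base_passwd cn=Users,dc=example,dc=com?sub
nss_map_objectclass posixAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute userPassword msSFU30Password
pam_login_attribute sAMAccountName
pam_filter objectclass=user
pam_password ad
"""

# Fields nss_ldap needs to build a passwd(5) entry. Plain AD carries none
# of them, so each must be mapped onto an SFU attribute.
POSIX_PASSWD_ATTRS = ("uid", "uidNumber", "gidNumber", "gecos",
                      "homeDirectory", "loginShell")
MULTI = ("nss_map_attribute", "nss_map_objectclass")  # repeatable keys


def parse_ldap_conf(text):
    """ldap.conf is one 'key value' per line with '#' comments. The nss_map_*
    keys repeat and are collected into dicts; every other key is scalar."""
    conf = {k: {} for k in MULTI}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if key in MULTI:
            pair = rest.split(None, 1)
            if len(pair) != 2:
                raise ValueError("malformed %s line: %r" % (key, raw))
            conf[key][pair[0]] = pair[1]
        else:
            conf[key] = rest
    return conf


def missing_posix_mappings(conf):
    """POSIX attributes with no nss_map_attribute line; getent passwd would
    return an entry with those fields empty."""
    return [a for a in POSIX_PASSWD_ATTRS if a not in conf["nss_map_attribute"]]


def lint(conf):
    """Problems to fix before trusting the setup (see lead-in for rationale)."""
    problems = ["no nss_map_attribute for %s" % a for a in missing_posix_mappings(conf)]
    if conf.get("ssl", "no") == "no":
        problems.append("ssl no: bindpw and user passwords cross the wire in the clear")
        if conf.get("pam_password") == "ad":
            problems.append("pam_password ad needs ssl; AD rejects unicodePwd changes over plain LDAP")
    if "bindpw" in conf:
        problems.append("bindpw in ldap.conf is world-readable; use rootbinddn + /etc/ldap.secret")
    return problems


def ldap_filter_escape(value):
    """RFC 4515 escaping so a login name cannot alter the search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def pam_user_filter(conf, username):
    """Filter pam_ldap issues to find a user: login attribute ANDed with
    pam_filter, e.g. (&(sAMAccountName=jdoe)(objectclass=user))."""
    attr = conf.get("pam_login_attribute", "uid")
    term = "(%s=%s)" % (attr, ldap_filter_escape(username))
    extra = conf.get("pam_filter")
    return "(&%s(%s))" % (term, extra) if extra else term


def checkpassword_request(username, password, timestamp="Y"):
    """What checkpassword reads on fd 3: username, password and APOP timestamp,
    each NUL-terminated. For plain auth any non-empty timestamp will do."""
    for field in (username, password, timestamp):
        if "\0" in field:
            raise ValueError("NUL separates fields and cannot appear inside one")
    return ("%s\0%s\0%s\0" % (username, password, timestamp)).encode()


def run_checkpassword(program, username, password):
    """Run `program /bin/true` with the request on fd 3; returns the exit
    status: 0 accepted, 1 rejected, 2 misuse, 111 temporary failure.
    Clobbers fd 3 in this process, which is fine for a standalone script."""
    r, w = os.pipe()
    os.write(w, checkpassword_request(username, password))
    os.close(w)
    if r != 3:
        os.dup2(r, 3)
        os.close(r)
    try:
        return subprocess.run([program, "/bin/true"], pass_fds=(3,)).returncode
    finally:
        os.close(3)


if __name__ == "__main__":
    conf = parse_ldap_conf(SAMPLE_LDAP_CONF)
    for p in lint(conf):
        print("WARNING:", p)
    print(pam_user_filter(conf, "jdoe"))
```

Once nss_ldap is in place, `getent passwd jdoe` should return a full seven-field line; if a field is empty, it is one of the attributes `missing_posix_mappings` reports. `run_checkpassword("/bin/checkpassword", "jdoe", "secret")` should then return 0 for a valid AD password and 1 for a wrong one, which is exactly what qmail-popup will see.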