ldap:ad_rfc2307
Differences
This shows you the differences between two versions of the page.
| Next revision | Previous revision | ||
|
ldap:ad_rfc2307 [2021/01/01 21:25] 127.0.0.1 external edit |
ldap:ad_rfc2307 [2022/03/28 21:11] (current) manu |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Authentification for UNIX users in Active Directory (AD) ====== | ====== Authentification for UNIX users in Active Directory (AD) ====== | ||
| + | |||
| + | <code> | ||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | </code> | ||
| + | ===== get Active Directory (AD) certificate ===== | ||
| + | |||
| + | <cli prompt='#'> | ||
| + | # echo | openssl s_client -showcerts -servername gnupg.org -connect server.mycompany.local:636 2>/dev/null | openssl x509 -inform pem -noout -text | grep "Subject:" | ||
| + | </cli> | ||
| + | |||
| + | Or | ||
| + | |||
| + | <cli prompt='#'> | ||
| + | # openssl s_client -connect server.mycompany.local:636 | ||
| + | </cli> | ||
| + | Copy out the Server certificate section, between (and including) —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—— and put the copied text into a text editor. | ||
| + | |||
| + | |||
| + | https://www.altaro.com/hyper-v/request-ssl-windows-certificate-server/ | ||
| + | |||
| **Windows** | **Windows** | ||
| Line 41: | Line 67: | ||
| Set-ADUser | Set-ADUser | ||
| + | If Powershell modules are missing, install them | ||
| + | Get-WindowsCapability -Name RSAT.ActiveDirectory* -Online | Add-WindowsCapability -Online | ||
| + | | ||
| Here is an example to create a AD group “linux_user” with a GID of 20000 and a NisDomain “emc”: | Here is an example to create a AD group “linux_user” with a GID of 20000 and a NisDomain “emc”: | ||
| - | <cli prompt='$'> | ||
| - | $ New-ADGroup -name linux_user -GroupScope 1 -OtherAttributes @{msSFU30NisDomain='emc';gidNumber=20000} | ||
| - | </cli> | ||
| - | |||
| <cli prompt='$'> | <cli prompt='$'> | ||
| $ New-ADGroup -name linux_user -GroupScope 1 -OtherAttributes @{msSFU30NisDomain='emc';gidNumber=20000} | $ New-ADGroup -name linux_user -GroupScope 1 -OtherAttributes @{msSFU30NisDomain='emc';gidNumber=20000} | ||
| Line 51: | Line 76: | ||
| If you have an existing group you can use following cmdlet to add the attributes: | If you have an existing group you can use following cmdlet to add the attributes: | ||
| - | <cli prompt='$'> | ||
| - | $ Set-ADGroup -Instance linux_user -Add @{msSFU30NisDomain='emc';gidNumber=20000} | ||
| - | </cli> | ||
| - | |||
| <cli prompt='$'> | <cli prompt='$'> | ||
| $ Set-ADGroup -Instance linux_user -Add @{msSFU30NisDomain='emc';gidNumber=20000} | $ Set-ADGroup -Instance linux_user -Add @{msSFU30NisDomain='emc';gidNumber=20000} | ||
| Line 60: | Line 81: | ||
| Next we are creating an user “user1” with a UID of 10000, being member of group 20000 and NisDomain ’emc’. Furthermore the user will use “/bin/bash” as login shell and a home directory located in “/home/EMC/user1”. | Next we are creating an user “user1” with a UID of 10000, being member of group 20000 and NisDomain ’emc’. Furthermore the user will use “/bin/bash” as login shell and a home directory located in “/home/EMC/user1”. | ||
| - | <cli prompt='$'> | ||
| - | $ New-ADUser -name user1 -OtherAttributes @{uidNumber=(10000+$i);gidNumber=20000;unixHomeDirectory=('/home/EMC/user'+$i);loginShell='/bin/bash';msSFU30NisDomain='emc'} | ||
| - | </cli> | ||
| - | |||
| <cli prompt='$'> | <cli prompt='$'> | ||
| $ New-ADUser -name user1 -OtherAttributes @{uidNumber=(10000+$i);gidNumber=20000;unixHomeDirectory=('/home/EMC/user'+$i);loginShell='/bin/bash';msSFU30NisDomain='emc'} | $ New-ADUser -name user1 -OtherAttributes @{uidNumber=(10000+$i);gidNumber=20000;unixHomeDirectory=('/home/EMC/user'+$i);loginShell='/bin/bash';msSFU30NisDomain='emc'} | ||
| Line 73: | Line 90: | ||
| </cli> | </cli> | ||
| - | <cli prompt='$'> | ||
| - | $ Set-ADUser -Instance user1 -Add @{uidNumber=(10000+$i);gidNumber=20000;unixHomeDirectory=('/home/EMC/user'+$i);loginShell='/bin/bash';msSFU30NisDomain='emc'} | ||
| - | </cli> | ||
| - | |||
| Now you are able to query the active directory by LDAP from you linux client system to resolve user and group attributes. Furthermore you have a mapping between windows and linux users which is necessary for a multiprotocol access to NAS! | Now you are able to query the active directory by LDAP from you linux client system to resolve user and group attributes. Furthermore you have a mapping between windows and linux users which is necessary for a multiprotocol access to NAS! | ||
| Line 84: | Line 97: | ||
| </cli> | </cli> | ||
| - | for ($i=1; $i -le 5; $i++){New-ADUser -name ('user' + $i) -PasswordNeverExpires:$true -AccountPassword (ConvertTo-SecureString "Passw0rd" -AsPlainText -Force) -Enabled:$true -OtherAttributes @{uidNumber=(10000+$i);gidNumber=20000;unixHomeDirectory=('/home/EMC/user'+$i);loginShell='/bin/bash';msSFU30NisDomain='emc'}; Add-ADGroupMember -Identity linux_user -Members ('user'+$i)} | ||
| - | |||
| The last steps are configuring and joining the linux host to our active directory. This will be covered in one of the next posts. | The last steps are configuring and joining the linux host to our active directory. This will be covered in one of the next posts. | ||
ldap/ad_rfc2307.1609532702.txt.gz · Last modified: 2021/01/01 21:25 by 127.0.0.1
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: GNU Free Documentation License 1.3
