Red Hat Authentication to Active Directory

I have a Red Hat 5.x system that I need to authenticate to a Windows 2003 Active Directory domain. Here are the steps I went through to get it to happen.

Files that need to be edited:


The authconfig-tui command will edit these files and restart services as needed, but I have found that it also mangles some of them. Treat the command as a starting point, then go back and edit the files by hand to get the proper configuration for your site.
So, start with the authconfig-tui command. Under User Information select Use LDAP. Under Authentication select MD5 Passwords, Shadow Passwords and Kerberos (you can also add LDAP Authentication, but Kerberos works great for authentication on its own).

Edit /etc/ldap.conf

Edit the file with the settings you need to connect to your Domain Controller. I use LDAPS, so that is what is configured below.

uri [YOUR LDAP SERVER, like ldaps://]
ldap_version 3

tls_cacertdir /etc/openldap/cacerts



scope sub

timelimit 10
bind_timelimit 10
idle_timelimit 3600

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
referrals no

nss_base_group [YOUR BASE CONTAINER]?sub?(&(objectCategory=group)(gidnumber=*))

# RFC 2307 (AD) mappings
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_attribute uniqueMember member
#nss_map_attribute gecos cn
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password md5
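
The two settings in this file that decide whether lookups and binds to the Domain Controller are protected are the uri scheme and the TLS options. The script below is an added example, not part of the original post: it lints an nss_ldap/pam_ldap style ldap.conf for an ldaps:// URI, a CA certificate location and tls_checkpeer, using two constructed sample configurations (the hostnames are assumed). It only reads the file; it never opens a directory connection.

```shell
#!/bin/sh
# Added example (not from the original post): lint an nss_ldap/pam_ldap style
# /etc/ldap.conf for the settings that decide whether lookups and binds to the
# domain controller are encrypted and whether the server certificate is
# actually verified. Only the file is inspected; no directory connection is made.

# Print the value of a keyword (keywords are matched case-insensitively, as
# nss_ldap does); first match wins, empty output if the keyword is absent.
ldap_conf_get() {
    awk -v key="$2" 'tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Return 0 when the file passes, 1 otherwise; one finding per line on stdout.
check_ldap_conf() {
    f="$1"; rc=0
    uri=$(ldap_conf_get "$f" uri)
    case "$uri" in
        ldaps://*) ;;
        "")        echo "FAIL: no uri configured"; rc=1 ;;
        *)         echo "FAIL: uri '$uri' is not ldaps://, so binds would cross the network unencrypted"; rc=1 ;;
    esac
    if [ -z "$(ldap_conf_get "$f" tls_cacertdir)" ] && [ -z "$(ldap_conf_get "$f" tls_cacertfile)" ]; then
        echo "FAIL: neither tls_cacertdir nor tls_cacertfile is set, so there is nothing to validate the server certificate against"
        rc=1
    fi
    case "$(ldap_conf_get "$f" tls_checkpeer)" in
        yes|YES|Yes) ;;
        *) echo "FAIL: tls_checkpeer is not 'yes'; set it so the server certificate is required and verified"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample configurations (assumed hostnames, not from any real host).
sample_ldap_conf() {
    case "$1" in
        hardened) cat <<'EOF'
uri ldaps://dc1.ad.example.com
ldap_version 3
base DC=ad,DC=example,DC=com
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer yes
scope sub
nss_map_attribute uid sAMAccountName
EOF
        ;;
        plaintext) cat <<'EOF'
URI ldap://dc1.ad.example.com
ldap_version 3
base DC=ad,DC=example,DC=com
scope sub
EOF
        ;;
    esac
}

# Run both samples through the check and report; used when executed directly.
demo() {
    for kind in hardened plaintext; do
        tmp=$(mktemp)
        sample_ldap_conf "$kind" >"$tmp"
        printf '== %s sample ==\n' "$kind"
        if check_ldap_conf "$tmp"; then echo "OK: uses ldaps:// with certificate validation"; fi
        rm -f "$tmp"
    done
}

demo
```

Point check_ldap_conf at the real /etc/ldap.conf to verify a host after authconfig-tui has rewritten it. The tls_checkpeer line matters because without it the library falls back to whatever the libldap defaults are on that host, and an LDAPS session that accepts any certificate gives you encryption but not the assurance that you are talking to your own Domain Controller.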

Edit /etc/openldap/ldap.conf
These two files are different, and you have to understand that: the system components such as pam, sudo, etc… read /etc/ldap.conf, while commands like ldapsearch read /etc/openldap/ldap.conf. The openldap file should be very short.

URI [YOUR LDAP SERVER, like ldaps://]
BASE [YOUR BASE DN, like DC=ad,DC=example,DC=com]
TLS_CACERTDIR /etc/openldap/cacerts

The authconfig-tui command should have edited this file correctly and you shouldn’t have to change it. The example below was generated with LDAP Authentication also selected under Authentication.

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required
auth sufficient nullok try_first_pass
auth requisite uid >= 500 quiet
auth sufficient use_first_pass
auth sufficient use_first_pass
auth required

account required broken_shadow
account sufficient uid < 500 quiet
account [default=bad success=ok user_unknown=ignore]
account [default=bad success=ok user_unknown=ignore]
account required

password requisite try_first_pass retry=3
password sufficient md5 shadow nis nullok try_first_pass use_authtok
password sufficient use_authtok
password sufficient use_authtok
password required

session optional revoke
session required
session [success=1 default=ignore] service in crond quiet use_uid
session required
session optional
session optional

Edit /etc/krb5.conf
The authconfig-tui command can get this file right also, but you may need to add additional information.

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = AD.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes



[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

Edit /etc/nsswitch.conf
The nsswitch.conf file is where the system determines how to look up user information. The authconfig-tui command will normally edit this file correctly. I’ve taken only the applicable lines for the example below.

passwd: files ldap
shadow: files ldap
group: files ldap

You can test the setup with getent passwd username. If you need to test connectivity to LDAP, use ldapsearch and adjust /etc/openldap/ldap.conf as needed.
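
To see what getent passwd should return once the nss_map_attribute lines in /etc/ldap.conf are in place, the script below (an added example, not part of the original post) turns the LDIF that ldapsearch prints for one user into the corresponding passwd(5) line, applying the same mapping: uid from sAMAccountName, home directory from unixHomeDirectory, gecos from cn. The entry it parses is constructed; the user, OU and values are assumed rather than taken from a real domain, and the fallback home and shell are this example's choice, not nss_ldap behaviour.

```shell
#!/bin/sh
# Added example (not from the original post): show what the nss_map_attribute
# lines do by turning the LDIF that ldapsearch returns for one AD user into the
# passwd(5) line that `getent passwd` should then produce. The entry below is
# constructed; the names and values are assumed, not taken from a real domain.

sample_ad_entry() {
    cat <<'EOF'
# extended LDIF
dn: CN=Jane Doe,OU=Staff,DC=ad,DC=example,DC=com
objectClass: user
cn: Jane Doe
sAMAccountName: jdoe
uidNumber: 10042
gidNumber: 10000
unixHomeDirectory: /home/jdoe
loginShell: /bin/bash
pwdLastSet: 132000000000000000
EOF
}

# Read LDIF on stdin and print "uid:x:uidNumber:gidNumber:gecos:home:shell".
# Mapping follows the ldap.conf above: uid <- sAMAccountName,
# homeDirectory <- unixHomeDirectory, gecos <- cn.
# Exit 2 when uidNumber or gidNumber is missing: without the RFC 2307
# attributes there is no usable account, and getent would return nothing.
# The "/" and "/bin/sh" fallbacks are this example's choice only.
ad_entry_to_passwd() {
    awk '
        /^#/ || NF == 0 { next }                                # ldapsearch comments, blank lines
        /^ /  { attr[last] = attr[last] substr($0, 2); next }   # LDIF line continuation
        {
            i = index($0, ": ")
            if (i == 0) next
            last = tolower(substr($0, 1, i - 1))
            attr[last] = substr($0, i + 2)
        }
        END {
            if (attr["uidnumber"] == "" || attr["gidnumber"] == "") exit 2
            if (attr["uidnumber"] + 0 < 500)
                print "note: uidNumber below 500, the \"uid >= 500\" PAM gate skips network auth for this account" > "/dev/stderr"
            home  = (attr["unixhomedirectory"] != "") ? attr["unixhomedirectory"] : "/"
            shell = (attr["loginshell"] != "") ? attr["loginshell"] : "/bin/sh"
            printf "%s:x:%s:%s:%s:%s:%s\n", attr["samaccountname"], attr["uidnumber"], attr["gidnumber"], attr["cn"], home, shell
        }'
}

# Expected: jdoe:x:10042:10000:Jane Doe:/home/jdoe:/bin/bash
sample_ad_entry | ad_entry_to_passwd
```

Pipe the LDIF that ldapsearch returns for a single user into ad_entry_to_passwd and compare the line with what getent passwd gives; a difference points at the attribute mapping or at the nss_base settings rather than at connectivity. The uidNumber note exists because the PAM stack above gates the Kerberos and LDAP lines behind a uid >= 500 check, so an account that was given a low uidNumber in AD will resolve through getent yet never authenticate against the domain.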


4 Responses to “Red Hat Authentication to Active Directory”

  1. This post is actually a pleasant one it assists new web
    users, who are wishing in favor of blogging.

  2. This particular blog post, “Red Hat Authentication to Active Directory
    Data Dyne ” illustrates the fact that you really comprehend exactly what you are talking about!
    I really thoroughly approve. With thanks -Annett
