Table of Contents
AD Identity Management for Unix
When connecting Solaris, Linux, AIX or whatever unix based service to Active Directory you'll have to install Identity Management for Unix on each domain controller that will be used for UNIX based authentication. The reason you need to do this on each domain controller is that the service is actually a role service, and role services need to be installed on each server performing that role. Identity Management for Unix is a Role Service and part of the Active Directory Domain Service role, as you can see in Server Manager, which will be used to install the role service:
After clicking the “Add Role Services” the corresponding wizard start allowing you to select the Identity Management for Unix service. Deselect the Password Synchronization options, we won't store passwords locally on the unix servers so we won't need this:
Confirm the selection and click Install to start the installation:
The installation starts:
When done the wizard tells you to reboot, which you must do:
After the reboot the server manager will show you the successful installation of Identity Management for Unix:
Using Identity Management for Unix
When starting to use Identity Management for Unix there are always a few standard steps that has to be done for the service to work. You'll always need a bind user (or use anonymous bind) and you always need a primary group of which every LDAP user needs to be a member of.
Bind User
Creating a bind user is the same as creating an ordinary user. We'll walk you through the steps anyway:
- Go to start → All Programs → Administrative Tools → Active Directory Users and Computers
- Navigate to the OU where you want the user to exist and click on Action → New → User
- When entering a name make sure it's a simple and descriptive name:
- Enter a password considering your password complexity rules, and make sure you set the password settings correct:
- uncheck 'User must change password at next logon'
- check 'User cannot change password'
- check 'Password never expires':
Finish creating the account and when you're done open the properties of the account and go to the tab 'Member Of' and:
- Add the group Domain Guests and make it the Primary Group using the 'Set Primary Group' button below
- Remove the Domain Users group:
You now have a secure bind user created with minimum permissions.
Create Primary Group
You'll need a primary group every unix user will have to be a member of. In case you already have a working environment you'll probably have a group which give permissions to the application or a management environment. There us no problem using an existing group as long as it's a global security group.
To create a new group follow these steps:
- Go to start → All Programs → Administrative Tools → Active Directory Users and Computers
- Navigate to the OU where you want the group to exist and click on Action → New → Group
- Enter a descriptive name for the group and make sure it's a global security group. Click on OK when you're done:
- After the group has been created open the properties and go to the tab 'UNIX Attributes'.
- Select the NIS Domain and accept the default GID (10000):
Note that if the GID is not 10000 there are probably already unix enabled groups in the directory. Make sure the GID you enter is unique, although you will get a warning when the GID is not unique.