CentOS and Active Directory 2008

This article is intended for those of you who have read my old post about integrating CentOS into Microsoft Active Directory. That post referred to Microsoft Active Directory 2003. If you have since upgraded to AD 2008, you need to update some entries in the configuration file /etc/nslcd.conf.

The background is the following:

AD 2008 introduced new attributes that replace the old ones from MS SFU 3.0 (Services for Unix). The SFU 3.0 attributes such as msSFU30UidNumber or msSFU30LoginShell are still present on user and group objects that were created before the upgrade from 2003 to 2008, but objects created after the upgrade no longer get them; they get the new attributes (uidNumber, gidNumber, unixHomeDirectory, loginShell) instead. During the upgrade the values of the old attributes were copied to the new ones, so you can start using the new attributes right after the upgrade to AD 2008. This is a good point to review and update the configuration file on CentOS. You can of course keep using the old configuration, but bear in mind that it will not match users and groups created after the AD upgrade.


Please look at the configuration file /etc/nslcd.conf below to


# Remove the comment char at the beginning of two lines below for
# debugging purposes
#logdir /var/log
#debug 1
# You can supply as many servers as you want, but normally only the
# first one is asked. If the first one does not answer, the next one
# is tried, and so on.
# Encrypt the connection to the DC (LDAPS, port 636)
uri ldaps://dc1.domain.com/
uri ldaps://dc2.domain.com/
ssl on
# CAUTION: "never" means nslcd does not verify the DC's certificate, so the
# session is encrypted to whoever answers on 636, not necessarily your DC.
# Once the AD CA certificate is available on the client, switch to
# "tls_reqcert demand" and point tls_cacertfile at it.
tls_reqcert never
# The base DN of your AD domain
base dc=domain,dc=com
# The LDAP version to use
ldap_version 3
# If you do not allow anonymous search in your AD domain, set the user name
# and password of the account used for searching. AD accepts a full DN,
# user@domain.com or DOMAIN\user here; the values below are placeholders.
# bindpw is stored in clear text, so keep this file root-owned with mode 0600.
binddn domain.com\bind-user-dn
bindpw bind-user-password
# It's safe to leave them untouched 
scope sub
pagesize 1000
referrals off

# The two lines below describe how nslcd searches AD for users and groups:
# only objects that carry a uidNumber/gidNumber (i.e. have Unix attributes
# set) are returned, and users must additionally be members of mygroup.

filter passwd (&(objectCategory=user)(uidNumber=*)(memberOf=CN=mygroup,OU=Groups,DC=domain,DC=com))
filter group  (&(objectCategory=group)(gidNumber=*))

# The lines below describe the mapping of Posix attributes to their analogs in AD
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
map group  uniqueMember member

As you can see, far fewer attributes need to be mapped than with AD 2003.
After you have changed the configuration file, restart the service so nslcd re-reads it:

# service nslcd restart
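As an added check that is not part of the original post: the shell script below audits an nslcd.conf for the points a practitioner would verify in the configuration above, i.e. tls_reqcert never/allow on an encrypted connection, a plaintext ldap:// URI without start_tls, a clear-text bindpw in a file readable by group or others, and map or filter lines still naming msSFU30* attributes that post-upgrade objects no longer carry. It runs against two constructed configs, the article's settings as-is and a hardened variant; the CA path /etc/openldap/cacerts/ad-root-ca.pem and the UPN-style binddn in the hardened variant are assumptions, not values from the page.

```shell
#!/bin/sh
# Audit an nslcd.conf for the settings that undermine "encryption between
# the DC and us" and that expose the bind password. The keywords inspected
# (uri, ssl, tls_reqcert, tls_cacertfile, tls_cacertdir, bindpw, map,
# filter) are nslcd's own; the two sample configs below are constructed.
# Usage: audit_nslcd_conf FILE  -> prints one line per finding, sets
# FINDINGS to the count, returns 0 when clean and 1 otherwise.

note() { FINDINGS=$((FINDINGS + 1)); printf '%s: %s\n' "$conf" "$1"; }

# Last value of a keyword in the comment-stripped config (keywords are
# case-insensitive in nslcd.conf); empty when the keyword is absent.
opt() { printf '%s\n' "$body" | awk -v k="$1" 'tolower($1)==k {v=$2} END {print tolower(v)}'; }

audit_nslcd_conf() {
    conf="$1"
    FINDINGS=0
    body=$(sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$conf")

    # Is the DC connection encrypted at all? ldaps:// URIs and "ssl on" or
    # "ssl start_tls" negotiate TLS; a bare ldap:// URI without start_tls
    # sends the bind password and every lookup in clear.
    tls=0
    printf '%s\n' "$body" | grep -Eiq '^[[:space:]]*uri[[:space:]]+ldaps://' && tls=1
    case "$(opt ssl)" in on|start_tls) tls=1 ;; esac
    if printf '%s\n' "$body" | grep -Eiq '^[[:space:]]*uri[[:space:]]+ldap://' \
        && [ "$(opt ssl)" != start_tls ]; then
        note 'plaintext ldap:// URI without "ssl start_tls"'
    fi

    # TLS without certificate verification only encrypts to whoever answers
    # on port 636: a spoofed DC learns the bind password and can feed back
    # arbitrary uidNumber/gidNumber values.
    if [ "$tls" -eq 1 ]; then
        case "$(opt tls_reqcert)" in
            never|allow) note "tls_reqcert $(opt tls_reqcert) disables DC certificate verification" ;;
        esac
        if [ -z "$(opt tls_cacertfile)" ] && [ -z "$(opt tls_cacertdir)" ]; then
            note 'no tls_cacertfile/tls_cacertdir: the DC certificate must chain to the system CA store'
        fi
    fi

    # nslcd reads the file as root before dropping privileges, so a
    # clear-text bindpw only stays private if group/other bits are clear.
    if [ -n "$(opt bindpw)" ]; then
        case "$(ls -ld "$conf" | cut -c5-10)" in
            ------) ;;
            *) note "bindpw present but mode is $(ls -ld "$conf" | cut -c1-10); use 0600" ;;
        esac
    fi

    # Objects created after the 2008 upgrade get no msSFU30* attributes, so
    # a map or filter still naming them silently drops new users/groups.
    for attr in $(printf '%s\n' "$body" | awk 'tolower($1)=="map"||tolower($1)=="filter"' \
                  | grep -oi 'mssfu30[a-z0-9]*' | sort -u); do
        note "pre-2008 attribute $attr still referenced"
    done

    [ "$FINDINGS" -eq 0 ]
}

write_conf() { printf '%s\n' "$2" > "$1"; chmod "$3" "$1"; }   # path content mode

# Constructed: the article's settings as-is, plus one msSFU30 map.
WEAK_CONF='uri ldaps://dc1.domain.com/
ssl on
tls_reqcert never
base dc=domain,dc=com
binddn domain.com\bind-user-dn
bindpw bind-user-password
map passwd homeDirectory msSFU30HomeDirectory'

# Constructed hardened variant: verify the DC certificate against an
# (assumed) exported AD root CA, bind with a UPN, keep the file 0600.
HARD_CONF='uri ldaps://dc1.domain.com/
ssl on
tls_reqcert demand
tls_cacertfile /etc/openldap/cacerts/ad-root-ca.pem
base dc=domain,dc=com
binddn bind-user@domain.com
bindpw bind-user-password
map passwd homeDirectory unixHomeDirectory'

demo_dir=$(mktemp -d)
write_conf "$demo_dir/weak.conf" "$WEAK_CONF" 644
write_conf "$demo_dir/hard.conf" "$HARD_CONF" 600
for f in "$demo_dir/weak.conf" "$demo_dir/hard.conf"; do
    if audit_nslcd_conf "$f"; then echo "$f: clean"; fi
done
rm -rf "$demo_dir"
```

On a real host, `audit_nslcd_conf /etc/nslcd.conf` reports the same four classes of finding; the weak sample above yields four (no certificate verification, no CA configured, readable bindpw, an msSFU30 map) and the hardened one none.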
