Linux – Active Directory and Linux nslcd binding (bind) without extending the AD schema

I need to bind a Linux client to a Windows Server 2012 Active Directory. In a test environment I have successfully used both samba-winbind-kerberos and nslcd, authenticating users against AD. With samba-winbind-kerberos, however, I was able to do this without extending the AD schema with UNIX attributes (UID/GID, home directory, shell), because smb.conf has an idmap option that specifies the ID range:

idmap config *:range = 11000-20000

This takes care of mapping AD accounts to UNIX UIDs/GIDs.

If I don't enable the UNIX attributes in AD, the nslcd debug log reports:

uidNumber: missing

Is there a way to get the same functionality in nslcd/libnss_ldap so that I don't have to extend the AD schema on Windows Server 2012? I don't like using Samba in production because of its remote code execution vulnerability.
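To make the difference between the two approaches concrete: the idmap range in the question works because winbind derives a UNIX ID from the account's Windows SID rather than reading one from the directory, whereas nslcd reads uidNumber/gidNumber straight from the LDAP entry (hence "uidNumber: missing" when the attribute is absent). The following is an added example, not code from the post or from Samba, that models the RID-based scheme Samba's idmap_rid backend uses (uid = low end of range + RID, IDs outside the range rejected) and decodes AD's binary objectSid attribute. The domain SID, the sample objectSid blob and the account RIDs are constructed values.

```python
"""Model of RID-based UNIX ID mapping as Samba's idmap_rid backend does it.

Added example (not from the original post or from Samba): shows how the
relative identifier (RID) at the end of a Windows SID becomes a UNIX uid/gid
by adding it to the low end of the configured range, here the range from
the post ("idmap config * : range = 11000-20000"), and why an account whose
RID would land outside that range cannot be mapped.
"""
import struct

# Constructed for the example: a domain SID and the range quoted in the post.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
RANGE_LOW, RANGE_HIGH = 11000, 20000

# Constructed binary objectSid for RID 1105 in DOMAIN_SID, laid out the way
# Active Directory stores it: revision, sub-authority count, 6-byte
# big-endian identifier authority, then little-endian 32-bit sub-authorities.
SAMPLE_OBJECTSID = bytes([1, 5, 0, 0, 0, 0, 0, 5]) + struct.pack(
    "<5I", 21, 1111111111, 2222222222, 3333333333, 1105
)


def parse_sid(sid: str) -> tuple[int, list[int]]:
    """Split 'S-1-5-21-...' into (identifier authority, [sub-authorities])."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a revision-1 SID: {sid!r}")
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return authority, subs


def sid_from_binary(blob: bytes) -> str:
    """Decode the binary objectSid attribute into its S-1-... string form."""
    if len(blob) < 8:
        raise ValueError("malformed binary SID")
    revision, count = blob[0], blob[1]
    if revision != 1 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", blob, 8)
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs))


def rid_to_unix_id(sid: str, domain_sid: str = DOMAIN_SID,
                   low: int = RANGE_LOW, high: int = RANGE_HIGH) -> int:
    """Map an account SID to low + RID (idmap_rid with its default BASE_RID 0).

    The SID must belong to the configured domain, and the result must fall
    inside [low, high]; anything else is refused so two domains or an
    overflowing RID can never produce a colliding UNIX ID.
    """
    _, subs = parse_sid(sid)
    _, dom_subs = parse_sid(domain_sid)
    if subs[:-1] != dom_subs:
        raise ValueError(f"{sid} is not an account in domain {domain_sid}")
    rid = subs[-1]
    unix_id = low + rid
    if not low <= unix_id <= high:
        raise ValueError(f"RID {rid} maps to {unix_id}, outside {low}-{high}")
    return unix_id


if __name__ == "__main__":
    account = sid_from_binary(SAMPLE_OBJECTSID)
    print(account, "->", rid_to_unix_id(account))
```

With the range above, RID 1105 maps to 12105; an account with RID 9500 would need 20500 and is refused, which is exactly the situation the range setting is meant to make explicit. Nothing here is consulted by nslcd, which only ever reads uidNumber/gidNumber from the entry itself.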

Solution

At present this is not possible. According to its documentation, nslcd has no ID mapping facility, so you will need to extend your AD schema with UNIX attributes.
