Oracle Enterprise Linux 5 LDAP authentication against Windows 2008 Active Directory

When I was asked to set up an authentication mechanism for our Oracle Enterprise Linux 5.5 servers to authenticate against a Windows 2008 Active Directory,
I did not find a complete instruction on how to accomplish this. Here are the steps I took to make this work.

Prepare your Windows Active Directory
The Windows 2008 R2 Active Directory needs the Identity Management for UNIX role service installed; it adds the RFC 2307 attributes (uidNumber, gidNumber, unixHomeDirectory, loginShell) to users and groups.

Now set up a user with UNIX attributes, for example these settings:

Also link the group “yenlo_sudo_beheer” to a group ID (GID); the user's primary group GID must match it for the group to show up as the primary group on the Linux side.

Set up Oracle Enterprise Linux 5.5

Install missing packages

[root@ysgw03 ~]# yum install nss_ldap krb5-libs openldap-clients openldap ntp
Loaded plugins: security
Setting up Install Process
Package nss_ldap-253-25.el5.x86_64 already installed and latest version
Package nss_ldap-253-25.el5.i386 already installed and latest version
Package krb5-libs-1.6.1-36.el5_4.1.x86_64 already installed and latest version
Package krb5-libs-1.6.1-36.el5_4.1.i386 already installed and latest version
Package openldap-clients-2.3.43-12.el5.x86_64 already installed and latest version
Package openldap-2.3.43-12.el5.x86_64 already installed and latest version
Package openldap-2.3.43-12.el5.i386 already installed and latest version
Package ntp-4.2.2p1-9.el5_4.1.x86_64 already installed and latest version
Nothing to do
[root@ysgw03 ~]#

/etc/ldap.conf (the uri/host and binddn lines that name your domain controller and the bind account go at the top; they are not shown here):

base dc=hosting,dc=yenlo,dc=nl
bindpw password
scope sub
ssl no
timelimit 10
bind_timelimit 10
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
nss_base_passwd dc=hosting,dc=yenlo,dc=nl?sub
nss_base_shadow dc=hosting,dc=yenlo,dc=nl?sub
nss_base_group dc=hosting,dc=yenlo,dc=nl?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member

Note that with "ssl no" pam_ldap authenticates users with an LDAP simple bind, so every login password travels to the domain controller in cleartext on port 389, as does the bindpw above. Active Directory accepts STARTTLS on port 389 once the domain controller has a server certificate, so prefer "ssl start_tls" together with "tls_checkpeer yes" and a "tls_cacertfile" pointing at the CA that issued that certificate. The bindpw also sits in a world-readable file, because nss_ldap has to bind from unprivileged processes; use a dedicated read-only account with no other rights for it.

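The check below is an added example, not part of the original post: a POSIX shell function that audits an /etc/ldap.conf for the settings that decide whether passwords cross the wire in the clear, run against two constructed files, the weak transport settings from this post and a hardened version with STARTTLS and certificate verification. The CA file path is an assumption.

```shell
#!/bin/sh
# Audit an nss_ldap/pam_ldap /etc/ldap.conf. Prints one finding per line and
# returns 1 if simple binds are unprotected, 0 if the transport is acceptable.
audit_ldap_conf() {
    conf=$1
    status=0
    ssl=$(awk '$1 == "ssl" { v = $2 } END { print v }' "$conf")
    case "$ssl" in
        start_tls|yes|on)
            # TLS is on, but nss_ldap/pam_ldap only verify the DC certificate when
            # told to; without that a spoofed DC still collects every password.
            checkpeer=$(awk '$1 == "tls_checkpeer" { v = $2 } END { print v }' "$conf")
            cacert=$(awk '$1 == "tls_cacertfile" { v = $2 } END { print v }' "$conf")
            if [ "$checkpeer" != "yes" ] || [ -z "$cacert" ]; then
                echo "weak: TLS without certificate check; add 'tls_checkpeer yes' and 'tls_cacertfile <CA that issued the DC certificate>'"
                status=1
            fi
            ;;
        *)
            echo "weak: ssl is '${ssl:-unset}', so every simple bind (including each user's login password) goes out in cleartext; set 'ssl start_tls'"
            status=1
            ;;
    esac
    # ldap.conf must stay world-readable for nss_ldap, so any bindpw in it is
    # readable by every local user: that account must be read-only and nothing more.
    if awk '$1 == "bindpw" { found = 1 } END { exit found ? 0 : 1 }' "$conf"; then
        echo "note: bindpw in $conf is readable by every local user; use a dedicated read-only bind account"
    fi
    return $status
}

# Constructed sample: the transport-related lines from the ldap.conf in this post.
write_weak_conf() {
    cat > "$1" <<'EOF'
base dc=hosting,dc=yenlo,dc=nl
bindpw password
scope sub
ssl no
EOF
}

# Constructed sample: the same lines hardened with STARTTLS and certificate
# verification. The CA file path is an assumption; it must hold the CA that
# issued the domain controller's server certificate.
write_hardened_conf() {
    cat > "$1" <<'EOF'
base dc=hosting,dc=yenlo,dc=nl
bindpw password
scope sub
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/ad-ca.pem
EOF
}

# Run the audit over both samples; prints the findings for each file.
demo() {
    d=$(mktemp -d)
    write_weak_conf "$d/weak.conf"
    write_hardened_conf "$d/hardened.conf"
    for f in weak hardened; do
        echo "== $f.conf"
        audit_ldap_conf "$d/$f.conf" && echo "ok: binds are protected"
    done
    rm -rf "$d"
    return 0
}
demo
```

Running audit_ldap_conf against the live /etc/ldap.conf after the change gives a quick regression check; the bindpw note stays even on the hardened file, since the password has to be in that file for nss_ldap to work and the only fix is to keep the account powerless.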
/etc/openldap/ldap.conf (used by the ldapsearch tools; the uri needs the host name of your domain controller):

uri ldap://
base dc=hosting,dc=yenlo,dc=nl

/etc/pam.d/system-auth, as generated by authconfig with LDAP authentication enabled:

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# Module names as in the authconfig LDAP template.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

Now log in and test:

Division:~ jhelvoort$ ssh -l jhelvoort
jhelvoort@'s password:
Last login: Wed Mar 2 19:30:17 2011 from
[jhelvoort@ysgw03 ~]$ id
uid=10000(jhelvoort) gid=10001(yenlo_sudo_beheer) groups=10001(yenlo_sudo_beheer)
[jhelvoort@ysgw03 ~]$

Now, if you want to give sudo privileges:

[jhelvoort@ysgw03 ~]$ sudo su -
[sudo] password for jhelvoort:
jhelvoort is not in the sudoers file. This incident will be reported.

Add the following line to your sudoers file with visudo. sudo matches the group by name through nss_ldap, so id must already show the group, as above, before this works.


%yenlo_sudo_beheer ALL=(ALL) ALL

And try again:

[jhelvoort@ysgw03 ~]$ sudo su -
[sudo] password for jhelvoort:
[root@ysgw03 ~]#