root@gate:~# apt install ldap-utils
[gate:~] # pkg install openldap-client
gate# ldapsearch -x -b"dc=corpX,dc=un" -H ldap://server "uid=user1"
gate# ldapsearch -x -D "cn=Administrator,cn=Users,dc=corpX,dc=un" -W -H ldap://server -b "dc=corpX,dc=un" "sAMAccountName=user1" или через ldaps: gate# LDAPTLS_REQCERT=never ldapsearch -x -D "cn=Administrator,cn=Users,dc=corpX,dc=un" -w 'Pa$$w0rd' -H ldaps://server.corpX.un -b "dc=corpX,dc=un" "sAMAccountName=user1" или с Kerberos GSSAPI аутентификацией gate# apt install libsasl2-modules-gssapi-mit gate# kinit Administrator gate# ldapsearch -h server -b "dc=corpX,dc=un" "sAMAccountName=user1"
... msSFU30NisDomain: corpX uidNumber: 10001 gidNumber: 10001 unixHomeDirectory: /home/user1 loginShell: /bin/sh ...
# ldapsearch -x -D "cn=Administrator,cn=Users,dc=corpX,dc=un" -W -H ldap://server -b "dc=corpX,dc=un" "sAMAccountName=guser1"
... msSFU30NisDomain: corpX gidNumber: 10001 ...
## DEBIAN_FRONTEND=noninteractive makes debconf take its default answers instead of prompting.
root@gate:~# DEBIAN_FRONTEND=noninteractive apt install libnss-ldap
... Ответы по умолчанию, все равно все сотрем;) ...
## (Default answers are fine: the generated configuration is replaced below.)

## Where the NSS LDAP client configuration lives on each system.
ubuntu# cat /etc/ldap.conf
debian# cat /etc/libnss-ldap.conf

[gate:~] # pkg install nss_ldap
[gate:~] # cat /usr/local/etc/nss_ldap.conf

# NOTE: no binddn/bindpw is set, so lookups bind anonymously, and the uri is plain ldap://.
# The passwd/group data (uid/gid numbers, home directories, shells) therefore reaches this host
# neither encrypted nor authenticated; anyone on the network path could alter it.
uri ldap://server
base dc=corpX,dc=un
# A trailing comma makes the search base relative to "base" above.
nss_base_passwd ou=People,
nss_base_group ou=Group,
Настройка Active Directory сервера (Сервис NIS)
# NSS LDAP client configuration that binds as user1 and maps the msSFU30* attributes
# to the POSIX account/group attributes NSS expects.
#
# NOTE: "host server" with no ssl/uri ldaps directive means plain LDAP, so the bind
# password below is sent unencrypted on every lookup.
host server
base dc=corpX,dc=un
# NOTE: libnss-ldap is loaded into every process that performs a lookup, so this file is
# normally readable by all local users - and so is bindpw. Check the file mode, and keep
# this account limited to read access on the attributes mapped below.
binddn cn=user1,cn=Users,dc=corpX,dc=un
bindpw Pa$$w0rd1
scope sub
# "?one" restricts these two searches to one level under cn=Users.
nss_base_passwd cn=Users,dc=corpX,dc=un?one
nss_base_group cn=Users,dc=corpX,dc=un?one
nss_map_objectClass posixAccount User
nss_map_attribute uid msSFU30Name
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_objectClass posixGroup Group
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute loginShell msSFU30LoginShell
# NSS LDAP client configuration that binds as the domain Administrator; uid comes from
# msSFU30Name and the home directory from unixHomeDirectory.
#
# NOTE: "host server" with no ssl/uri ldaps directive means plain LDAP, so the bind
# password below is sent unencrypted on every lookup.
host server
base dc=corpX,dc=un
# NOTE: this stores the domain Administrator password in a file that NSS clients normally
# need to be world-readable, so any local user could read it. Name lookups need only read
# access: bind with a dedicated low-privilege account instead.
binddn cn=Administrator,cn=Users,dc=corpX,dc=un
bindpw Pa$$w0rd
scope sub
# "?one" restricts these two searches to one level under cn=Users.
nss_base_passwd cn=Users,dc=corpX,dc=un?one
nss_base_group cn=Users,dc=corpX,dc=un?one
nss_map_objectClass posixAccount User
nss_map_objectClass posixGroup Group
nss_map_attribute uid msSFU30Name
nss_map_attribute uniqueMember msSFU30PosixMemberOf
nss_map_attribute homeDirectory unixHomeDirectory
# NSS LDAP client configuration that binds as the domain Administrator and takes uid from
# SamAccountName and the home directory from unixHomeDirectory.
#
# As written, "host server" is active and the ldaps uri is commented out: lookups and the
# bind password travel over plain LDAP.
host server
# NOTE: enabling the uri line switches to LDAPS. "tls_checkpeer no" would then skip
# server-certificate verification (encrypted, but the server is not authenticated);
# outside a lab use "tls_checkpeer yes" with tls_cacertfile pointing at the domain CA.
# uri ldaps://server.corpX.un/
# tls_checkpeer no
base dc=corpX,dc=un
# NOTE: this stores the domain Administrator password in a file that NSS clients normally
# need to be world-readable. Bind with a dedicated read-only account instead.
binddn cn=Administrator,cn=Users,dc=corpX,dc=un
bindpw Pa$$w0rd
scope sub
# "?one" restricts these two searches to one level under cn=Users.
nss_base_passwd cn=Users,dc=corpX,dc=un?one
nss_base_group cn=Users,dc=corpX,dc=un?one
nss_map_objectClass posixAccount User
nss_map_objectClass posixGroup Group
nss_map_attribute uid SamAccountName
nss_map_attribute homeDirectory unixHomeDirectory
## Sources are consulted left to right: "files" comes first, so a local /etc/passwd or
## /etc/group entry wins over an LDAP entry with the same name.
root@gate:~# cat /etc/nsswitch.conf
...
passwd: files systemd ldap
group: files systemd ldap
shadow: files ldap
...

## Restart nscd (presumably to drop cached lookups), then check that user1 resolves through NSS.
debian# service nscd restart && service nscd reload
# getent passwd user1
# id user1

## NOTE: exported like this, LDAPTLS_REQCERT=never disables server-certificate verification
## for every OpenLDAP-library client started from this shell. Keep it to lab use and prefer
## pointing the clients at the CA certificate.
# export LDAPTLS_REQCERT=never
debian12# apt install libnss-ldapd debian12# grep "^[^#]" /etc/nslcd.conf uid nslcd gid nslcd uri ldap://server/ base dc=corp20,dc=un tls_cacertfile /etc/ssl/certs/ca-certificates.crt service nslcd restart gate# chown -R user1:user1 /home/user1 gate# chown -R user2:user2 /home/user2