Joining a Windows Server to a FreeIPA Domain

I’ve been looking for a moment for a specific tutorial to make Windows Server part of a freeipa domain and had a lot of difficulty to get all the necessary informations to get it work.

First of all, please be sure to create a new ldap user.

This tutorial will be in 2 parts : one that specifically targets the authentication process and an another one to identify the user’s group to permit its connection or block it.

PGina is love, PGina is life

  1. The first thing you have to do is to download pGina : It allows for alternate methods of interactive user authentication because Windows cannot authenticate itself natively against a ldap server.
  2. When you selected the LDAP line, click the Configuration button
  3. Launch it and go to the Plugin Selection tab and make sure that only the Authentication Column is checked.
  4. Just install it but keep in mind that pGina requires a server GUI ; I still don’t know if it is possible to configure the whole thing without a GUI.
  5. When you selected the LDAP line, click the Configuration button
  6. Now fill these textboxes like this under the LDAP Server section:
    1. LDAP Host : the fqdn of your server
    2. LDAP Port : the port of your ldap server (389 or 636, it depends if you want a secured connection or not)
    3. Use SSL : check if you want a secured connection
    4. Search DN : “uid=your_ldap_user,cn=users,cn=accounts,dc=your,dc=freeipa,dc=domain” ; do not put the host name into the dc,just the domain name
    5. Group DN Pattern : keep it blank but fill the Member Attribute with “member”
  7. Go the the Authentication Section, under the LDAP Server section :
    1. Check Search for DN
    2. Search Filter : “uid=%u”
    3. Search Context(s) : “dc=your,dc=freeipa,dc=domain”
    4. This should look like this :

      pGina LDAP Configuration
      pGina LDAP Configuration
  8. Save and go the the Simulation Tab where you will try a bunch of credentials.

If you have any problem, just post a link to your log file in the comment section.

Leave a Reply

Your email address will not be published. Required fields are marked *