This post will set up the same thing on Raspberry Pi 3. This is a real scenario: my 8-year-old son, Terry, has a Pi 3 as his own computer, but he was spending too much time on it. So I thought AD might be a good solution to limit his computer hours, as it has a "logon hours" setting.
1. Settings on AD DC
- Create a user as:
objectClass += posixAccount
uid = terry
uidNumber = 8001
gidNumber = 9000
homeDirectory = /home/smallstrong.org/terry
loginShell = /bin/bash
- Create a group as:
cn = real_group
objectClass += posixGroup
gidNumber = 9000
2. Settings on Raspberry Pi
Most of the settings are similar to Linux user profile and authentication via AD LDAP.
- Install packages
  - apt install libnss-ldapd
  - apt install libpam-ldapd
  - apt install nslcd
- Configure /etc/nslcd.conf (it holds the bind password, so keep it readable only by root and the nslcd user)
  - uid nslcd
  - gid nslcd
  - uri ldap://DC1.smallstrong.org/
  - base dc=smallstrong,dc=org
  - binddn CN=serviceAccount1,OU=ServiceAccounts,DC=smallstrong,DC=org
  - bindpw Password123
  - base group ou=RealUsers,dc=smallstrong,dc=org
  - base passwd ou=RealUsers,dc=smallstrong,dc=org
- Configure /etc/nsswitch.conf
  - passwd: compat ldap
  - group: compat ldap
  - shadow: compat ldap
- Configure /etc/pam.d
  - sudo pam-auth-update
- Enable/start nslcd
  - sudo systemctl enable nslcd
  - sudo systemctl start nslcd
- Configure login default
  - sudo raspi-config
- Create home directory for "terry"
  - sudo cp -r /home/pi /home/smallstrong.org/terry
  - sudo chown terry:real_group /home/smallstrong.org/terry
- Reboot Pi
3. To do
AD LDAP authentication/bind works well with AD users' "logon hours".
However, the Pi login UI shows the same "incorrect password" message whether the password is wrong or login is not allowed at the current time. It would be better to show a different message for a logon outside the allowed hours, like "You are not allowed to login now".
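Added example, not code from the original post: to answer the "am I allowed now?" question outside the login screen (for the admin, or a helper that prints a clearer message), this decodes the AD logonHours attribute the way the DC evaluates it: 21 bytes, one bit per hour of the week in UTC. The build_logon_hours and describe helpers are names chosen here, not AD or nslcd APIs, and the weekend-morning schedule is constructed sample data.

```python
from datetime import datetime, timezone

# AD stores logonHours as 21 bytes = 168 bits, one bit per hour of the week
# in UTC, starting at Sunday 00:00; within each byte the least significant
# bit is the earliest hour. A set bit means logon is permitted in that hour.
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]


def hour_allowed(logon_hours, day, hour):
    """day: 0=Sunday..6=Saturday, hour: 0..23, both in UTC."""
    if len(logon_hours) != 21:
        raise ValueError("logonHours must be exactly 21 bytes")
    index = day * 24 + hour                      # bit position 0..167
    return bool(logon_hours[index // 8] & (1 << (index % 8)))


def allowed_at(logon_hours, when=None):
    """True if logon is permitted at 'when': an ISO-8601 string with a UTC
    offset (e.g. '2024-06-08T11:00:00+02:00') or None for the current time."""
    now = datetime.now(timezone.utc) if when is None else datetime.fromisoformat(when)
    if now.tzinfo is None:
        raise ValueError("timestamp must carry a UTC offset")
    now = now.astimezone(timezone.utc)           # AD evaluates the bitmap in UTC
    day = (now.weekday() + 1) % 7                # Python Mon=0 -> AD Sun=0
    return hour_allowed(logon_hours, day, now.hour)


def describe(logon_hours):
    """Allowed windows as (day, start_hour, end_hour) in UTC, end exclusive."""
    windows = []
    for day in range(7):
        start = None
        for hour in range(25):                   # step 24 closes an open window
            on = hour < 24 and hour_allowed(logon_hours, day, hour)
            if on and start is None:
                start = hour
            elif not on and start is not None:
                windows.append((DAYS[day], start, hour))
                start = None
    return windows


def build_logon_hours(windows):
    """Hypothetical helper (not an AD API): build the 21-byte value from
    (day, start_hour, end_hour) UTC windows, e.g. to review before setting it."""
    bits = bytearray(21)
    for day, start, end in windows:
        for hour in range(start, end):
            index = day * 24 + hour
            bits[index // 8] |= 1 << (index % 8)
    return bytes(bits)


if __name__ == "__main__":
    # Constructed sample: weekend mornings only, 09:00-12:00 UTC.
    terry = build_logon_hours([(0, 9, 12), (6, 9, 12)])
    print(terry.hex(), describe(terry), "allowed now:", allowed_at(terry))
```

The local login time must be converted to UTC before comparing, which is what allowed_at does; a schedule entered in the AD console in local time is stored as UTC bits.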