Multiple solutions exist to integrate Linux with Active Directory (AD), and Horizon 7 for Linux Desktop has no dependency on which solution is used.

The following solutions are known to work in a Horizon 7 for Linux Desktop environment:

  • OpenLDAP Server Pass-through Authentication

  • System Security Services Daemon (SSSD) LDAP Authentication against the Microsoft Active Directory

  • Winbind Domain Join

At a high level, the OpenLDAP Pass-through authentication solution involves the following steps:

  1. Install Certificate Services on the Active Directory to enable LDAPS (Lightweight Directory Access Protocol over SSL).

  2. Set up an OpenLDAP server.

  3. Synchronize user information (except password) from the Active Directory to the OpenLDAP server.

  4. Configure the OpenLDAP server to delegate password verification to a separate process such as saslauthd, which can perform password verification against the Active Directory.

  5. Configure the Linux desktops to use an LDAP client to authenticate users with the OpenLDAP server.

The SSSD LDAP authentication against the Microsoft Active Directory solution involves the following steps:

  1. Install the Certificate Services on the Active Directory to enable LDAPS.

  2. Configure the SSSD in the Linux desktop to directly use LDAP authentication against the Microsoft Active Directory.
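A check for the SSSD steps above, as an added example (not VMware's or the SSSD project's code): it audits an sssd.conf and reports LDAP-provider domains that do not use ldaps:// URIs or that relax server certificate validation. The sample configuration, host names, base DN and CA path are constructed placeholders, and audit_sssd_ldap is a hypothetical helper name.

```python
import configparser

# Constructed sample sssd.conf text; host names, base DN and CA path are placeholders.
WEAK_CONF = """\
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://dc01.example.com, ldaps://dc02.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = allow
"""

LDAPS_CONF = WEAK_CONF.replace("ldap://dc01", "ldaps://dc01").replace(
    "ldap_tls_reqcert = allow",
    "ldap_tls_reqcert = demand\nldap_tls_cacert = /etc/pki/tls/certs/ad-ca.pem")

# ldap_tls_reqcert values under which a missing or bad server certificate can be accepted.
LAX_REQCERT = {"never", "allow", "try"}

def audit_sssd_ldap(conf_text):
    """Return (section, finding) pairs for domains that use the LDAP provider."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    findings = []
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        dom = parser[section]
        # auth_provider falls back to id_provider when it is not set.
        if dom.get("auth_provider", dom.get("id_provider", "")).strip() != "ldap":
            continue
        uris = [u.strip() for u in dom.get("ldap_uri", "").split(",") if u.strip()]
        if not uris:
            findings.append((section, "ldap_uri is not set"))
        for uri in uris:
            if not uri.lower().startswith("ldaps://"):
                findings.append((section, f"{uri} is not an ldaps:// URI"))
        reqcert = dom.get("ldap_tls_reqcert", "hard").strip().lower()
        if reqcert in LAX_REQCERT:
            findings.append((section, f"ldap_tls_reqcert = {reqcert} does not enforce a valid server certificate"))
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("ldaps", LDAPS_CONF)):
        print(name, audit_sssd_ldap(text) or "no findings")
```

Run it against the template virtual machine's sssd.conf before cloning, since the clones inherit that configuration unchanged.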

The Winbind Domain Join solution involves the following steps:

  1. Install the Winbind, Samba, and Kerberos packages on the Linux desktop.

  2. Join the Linux desktop to the Microsoft Active Directory.

If you use the LDAP-based solutions, you need to do the configuration in a template virtual machine and no additional steps are required in the cloned virtual machines.

If you use the Winbind Domain Join solution or another Kerberos authentication-based solution, you need to join the template virtual machine to the Active Directory, and re-join the cloned virtual machine to the Active Directory. For example, use the following command:

sudo /usr/bin/net ads join -U <domain user>%<domain password>

Use the following options to run the domain re-join command on a cloned virtual machine for the Winbind solution:

Note:

For ease of deployment, use the SSSD LDAP authentication against the Microsoft Active Directory solution.