Install Requirements for the AD Bridge Agent

This section lists requirements for installing and running the AD Bridge agent.

Environment Variables

Before you install the AD Bridge agent, make sure that the following environment variables are not set:

  • LD_LIBRARY_PATH
  • LIBPATH
  • SHLIB_PATH
  • LD_PRELOAD

Setting any of these environment variables violates best practices for managing Unix and Linux computers, because it causes AD Bridge to use non-AD Bridge libraries for its services.

If you must set LD_LIBRARY_PATH, LIBPATH, or SHLIB_PATH for another program, put the AD Bridge library path (/opt/pbis/lib or /opt/pbis/lib64) before any other path, but keep in mind that doing so may result in side effects for other programs, as they will now use AD Bridge libraries for their services.

If joining the domain fails with an error message that one of these environment variables is set, stop all the AD Bridge services, clear the environment variable, make sure it is not automatically set when the computer restarts, and then try to join the domain again.
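A pre-install check for the variables listed above, as an added example that is not part of the AD Bridge documentation or tooling. It reports whether each variable is unset, whether a search-path variable at least lists an AD Bridge library directory first, and which login-time files would set a variable again after a restart. The function names and the list of files scanned (/etc/environment, /etc/profile, /etc/profile.d/*.sh) are assumptions.

```shell
#!/bin/sh
# Added example: pre-install check for the loader variables listed above.
# Function names are hypothetical; /opt/pbis/lib and /opt/pbis/lib64 come from the page.
PBIS_LIBS="/opt/pbis/lib /opt/pbis/lib64"
LOADER_VARS="LD_LIBRARY_PATH LIBPATH SHLIB_PATH LD_PRELOAD"

# classify_loader_var NAME VALUE
# Prints: unset | preload-set | pbis-first | foreign-first
# Assumption: an empty value is treated the same as an unset variable.
classify_loader_var() {
    _name=$1 _value=$2
    if [ -z "$_value" ]; then echo unset; return 0; fi
    # The page offers the "AD Bridge path first" workaround only for the three
    # search-path variables, so any LD_PRELOAD value is reported as a problem.
    if [ "$_name" = LD_PRELOAD ]; then echo preload-set; return 0; fi
    _first=${_value%%:*}   # first entry of the colon-separated list
    _first=${_first%/}     # tolerate a trailing slash
    # A value starting with ":" has an empty first entry, which is not an
    # AD Bridge path, so it falls through to foreign-first.
    for _lib in $PBIS_LIBS; do
        if [ "$_first" = "$_lib" ]; then echo pbis-first; return 0; fi
    done
    echo foreign-first
}

# check_environment: prints "NAME: state" for each variable in the current
# shell; returns 1 if any of them is set.
check_environment() {
    _rc=0
    for _var in $LOADER_VARS; do
        eval "_cur=\${$_var-}"
        _state=$(classify_loader_var "$_var" "$_cur")
        echo "$_var: $_state"
        [ "$_state" = unset ] || _rc=1
    done
    return $_rc
}

# persistent_settings FILE...: prints file:line:text for each sh-style
# assignment of a loader variable, i.e. places that would set it again at login.
persistent_settings() {
    for _f in "$@"; do
        [ -r "$_f" ] || continue
        grep -nE '^[[:space:]]*(export[[:space:]]+)?(LD_LIBRARY_PATH|LIBPATH|SHLIB_PATH|LD_PRELOAD)=' \
            "$_f" /dev/null || :
    done
}

# Report on this shell and on common login-time files (file list is an assumption).
check_environment || echo "Clear or reorder the variables flagged above before installing."
persistent_settings /etc/environment /etc/profile /etc/profile.d/*.sh
```

Run it in the same shell session, and as the same user, that will run the installer or the domain join, since the variables are inherited per process.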

For more information on best practices, see When Should I Set LD_LIBRARY_PATH?.

Uninstall SSSD and Centrify

AD Bridge is not compatible with System Security Services Daemon (SSSD) or Centrify. Uninstall SSSD and Centrify from any Linux computers where you want to deploy the AD Bridge agent.

Patch Requirements

We recommend that the latest patches for an operating system be applied before installing AD Bridge.

Sun Solaris

All Solaris versions require the md5sum utility, which can be found on the companion CD.

Visit the Oracle Technology Network Patching Center to ensure the latest patches are deployed to Solaris targets.

Other Requirements for the Agent

Locale

Configure the locale with UTF-8 encoding for every target computer.

Secure Shell

To properly process logon events with AD Bridge, the SSH server or client must support the UsePAM yes option.

For single sign-on, both the SSH server and the SSH client must support GSSAPI authentication.

Other Software

Telnet, rsh, rcp, rlogin, and other programs that use PAM for processing authentication requests are compatible with AD Bridge.

Networking Requirements

Each Linux or Unix computer must have fully routed network connectivity to all the domain controllers that service the computer's Active Directory site. Each computer must be able to resolve A, PTR, and SRV records for the Active Directory domain, including at least the following:

  • A domain.tld
  • SRV _kerberos._tcp.domain.tld
  • SRV _ldap._tcp.domain.tld
  • SRV _kerberos._udp.sitename.Sites._msdcs.domain.tld
  • A domaincontroller.domain.tld

Disk Space Requirements

The AD Bridge agent requires 100MB of disk space in the /opt mount point.

The agent also creates configuration files in /etc/pbis and offline logon information in /var/lib/pbis.

The AD Bridge agent caches Group Policy Objects (GPOs) in /var/lib/pbis.

Memory and CPU Requirements

  • RAM: The agent services and daemons can use between 9MB and 14MB:
    • Authentication service on a 300-user mail server is typically 7MB
    • Other services and daemons require between 500KB and 2MB each
  • CPU: Utilization on a 2.0GHz single-core processor under heavy load with authentication requests is about 2 percent.

For a description of the AD Bridge services and daemons, see Install Requirements for the AD Bridge Agent.

Clock Skew Requirements

For the AD Bridge agent to communicate over Kerberos with the domain controller's Kerberos key distribution center, the clock of the client must be within the domain controller's maximum clock skew, which is 300 seconds, or 5 minutes, by default.

For more information, see Synchronize Time Between AD Bridge and the Domain Controller.

Additional Requirements for Specific Operating Systems

AIX

On AIX computers, PAM must be enabled. LAM is supported only on AIX 5.x. PAM must be used exclusively on AIX 6.x.