Active Directory does not support anonymous queries. Two accounts are needed to perform the Linux-PAM queries against Active Directory.
| Login name | Used when |
| --- | --- |
| ldaprootquery | PAM module runs as root and requests sensitive information |
| ldapquery | PAM module runs as root |
Other login names are possible, but make sure the changes are consistent across the Linux and Active Directory settings. Two Active Directory accounts have to be created.

Note the password, which is required during Linux installs. The password must not be changed when the first session is opened.
Grant the accounts minimal rights: they are members of the Pre-Windows 2000 Compatible Access group.
