Hi Dan,
Thanks a lot for the comments. I want to authenticate anonymously, Not with SASL. Is there any pam configuration needed for this scenario? Could you share some link/doc to me? Thanks so much. When I use openldap user login, just run authconfig-gtk(modified the /etc/openldap/ldap.conf) and set the ldapserver/base DN can lead me login success.
Thanks, Leo ________________________________________ From: Dan White dwhite@cafedemocracy.org Sent: Monday, June 15, 2015 9:59 PM To: Leo Xiao Cc: openldap-technical@openldap.org Subject: Re: proxy to AD does not work during login client machine
On 06/11/15 23:38 +0000, Leo Xiao wrote:
Hi technical,
I hit a problem during configure proxy to AD. I can run command: $ldapsearch -x -h localhost -LLL -b dc=mydomain,dc=local -D cn=open,cn=users,dc=mydomain,dc=local -W "(cn=open1)" cn sAMAccountName which return the SAMACCOUNTNAME:open successfully. --- This may mean the proxy works well. But if I run command with out -D -D cn=open,cn=users,dc=mydomain,dc=local. The search will failed.
So you are attempting to authenticate anonymously? Or with SASL?
when I try to login my client machine with AD user. It always failed. --- I can login with openldapuser successfully.
You'll need to trouble shoot your nss/pam config, which ever one you're using.
I think I need some configuration to force the -D in slapd.con. Is there any problems with my slapd.conf? Or any trouble shooting comments? Appreciate it very much.
Below is my slapd.conf: ####################################################################### # database definitions ####################################################################### database ldap suffix "DC=mydomain,DC=local" uri ldap://dc-ad.mydomain.local/ chase-referrals no rebind-as-user yes idassert-bind bindmethod=simple binddn="CN=open,OU=users,DC=mydomain,DC=local" credentials=open mode=none flags=non-prescriptive idassert-authzFrom "*"
Thanks, Leo
-- Dan White