On Wednesday, 1 September 2010 17:05:36 Edsall, William (WJ) wrote:
> Hello, just a few questions regarding authenticating OpenLDAP (CentOS 5.4) to Windows Active Directory.
Could you list what you have actually configured? There are multiple solutions, which will work under different conditions for different goals.
> I'm able to bind,
How are you checking this? What software are you using?
> I've confirmed this by changing the bind password, and then the bind attempt fails. However I'm unable to authenticate.
> My attempt is always as follows:
>   su: user blabla does not exist
So, NSS is unable to find information about the user 'blabla'. I note that trying 'getent passwd blabla', or 'getent passwd' may be more informative.
However:
1) Is nss_ldap installed?
2) Is 'ldap' listed in the passwd line of /etc/nsswitch.conf (it should be, probably for 'group' as well, but IMHO best not in 'shadow')?
3) Have you configured /etc/ldap.conf appropriately? Can you supply a sanitised minimal version of your /etc/ldap.conf?
> No errors end up in the messages log.
> My question is .. could this be because the active directory I'm trying to authenticate against doesn't have any windows services for unix installed?
It could be because your directory server doesn't hold the unix attributes for the user blabla. SFU had non-standard attributes for these, so you would need to configure attribute mapping on the "client" side. In Windows 2003R2 and later, I believe rfc2307bis is available, but may need to be enabled.
You could provide a sanitised version of the LDIF for the user in question (e.g. from querying AD) if you aren't able to tell for yourself.
> Should that even matter if I can bind?
Yes it should (at least to 'su'). What should the user's uid and gid (number) be? What shell should be started for the user?
Regards,
Buchan
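The following is an added example, not code from the thread or from either poster. It scripts the three checks Buchan asks for: whether /etc/nsswitch.conf consults 'ldap' for passwd and group (and flags 'shadow' if it does too), whether the nss_ldap module is present, and which POSIX attribute scheme an LDIF dump of the AD user carries, then emits the matching nss_ldap attribute mapping. The file paths, the sample nsswitch.conf and the two LDIF entries are constructed for the demonstration; the attribute names are the standard rfc2307bis ones (uidNumber, gidNumber, unixHomeDirectory, loginShell) and the msSFU30* names used by Services for Unix.

```shell
#!/bin/sh
# Added diagnostic for the "su: user blabla does not exist" problem.
# Sample input below is constructed; run diagnose with real paths to use it.

# Return 0 when the given nsswitch.conf lists 'ldap' for database $2.
# Comments are stripped first so "passwd: files  # ldap" does not count.
nss_db_has_ldap() {
    sed 's/#.*//' "$1" | grep -E "^[[:space:]]*$2:.*[[:space:]]ldap([[:space:]]|\$)" >/dev/null
}

# CentOS 5 ships the module in the nss_ldap package; fall back to the shared object.
nss_ldap_installed() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q nss_ldap >/dev/null 2>&1
    else
        ls /lib/libnss_ldap.so.2 /lib64/libnss_ldap.so.2 >/dev/null 2>&1
    fi
}

# Print which POSIX attribute scheme an LDIF entry uses:
#   rfc2307bis - uidNumber/gidNumber (Windows 2003 R2 and later)
#   sfu        - msSFU30UidNumber/msSFU30GidNumber (Services for Unix)
#   none       - no UNIX attributes; NSS cannot build a passwd entry, so su fails
ldif_posix_scheme() {
    if grep -qiE '^(uidNumber|gidNumber):' "$1"; then
        echo rfc2307bis
    elif grep -qiE '^msSFU30(UidNumber|GidNumber):' "$1"; then
        echo sfu
    else
        echo none
    fi
}

# Emit the /etc/ldap.conf attribute mapping that lets nss_ldap read the entry.
# Both variants also map the RFC2307 objectclass/uid to what AD actually stores.
ldap_conf_mapping() {
    case "$1" in
        rfc2307bis)
            printf '%s\n' \
                'nss_map_objectclass posixAccount user' \
                'nss_map_attribute uid sAMAccountName' \
                'nss_map_attribute homeDirectory unixHomeDirectory' ;;
        sfu)
            printf '%s\n' \
                'nss_map_objectclass posixAccount user' \
                'nss_map_attribute uid sAMAccountName' \
                'nss_map_attribute uidNumber msSFU30UidNumber' \
                'nss_map_attribute gidNumber msSFU30GidNumber' \
                'nss_map_attribute homeDirectory msSFU30HomeDirectory' \
                'nss_map_attribute loginShell msSFU30LoginShell' ;;
        *)
            echo '# entry has no UNIX attributes: mapping cannot help, populate them in AD' ;;
    esac
}

# Run every check against an nsswitch.conf ($1) and a user LDIF ($2).
diagnose() {
    nss_ldap_installed && echo "nss_ldap: installed" || echo "nss_ldap: NOT found"
    nss_db_has_ldap "$1" passwd && echo "passwd: ldap consulted" || echo "passwd: ldap NOT consulted"
    nss_db_has_ldap "$1" group  && echo "group: ldap consulted"  || echo "group: ldap NOT consulted"
    nss_db_has_ldap "$1" shadow && echo "shadow: ldap consulted (usually unnecessary)" || true
    scheme=$(ldif_posix_scheme "$2")
    echo "user entry attribute scheme: $scheme"
    ldap_conf_mapping "$scheme"
}

# --- constructed sample input ------------------------------------------------
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/nsswitch.conf" <<'EOF'
passwd:     files ldap
shadow:     files
group:      files ldap
hosts:      files dns
EOF
# A plain AD user with no POSIX attributes: reproduces "user does not exist".
cat > "$SAMPLE_DIR/user-plain.ldif" <<'EOF'
dn: CN=blabla,CN=Users,DC=example,DC=test
objectClass: user
sAMAccountName: blabla
EOF
# The same user once the rfc2307bis attributes have been populated in AD.
cat > "$SAMPLE_DIR/user-posix.ldif" <<'EOF'
dn: CN=blabla,CN=Users,DC=example,DC=test
objectClass: user
sAMAccountName: blabla
uidNumber: 10001
gidNumber: 10001
unixHomeDirectory: /home/blabla
loginShell: /bin/bash
EOF

diagnose "$SAMPLE_DIR/nsswitch.conf" "$SAMPLE_DIR/user-plain.ldif"
```

Against the plain entry the script reports scheme "none", which is the situation Buchan describes: the bind succeeds but NSS has no uid, gid or shell to hand to su. Re-running it with user-posix.ldif reports "rfc2307bis" and prints the homeDirectory mapping needed because AD keeps the Windows profile path in homeDirectory and the UNIX one in unixHomeDirectory.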