Zhang,Jun wrote:
I've configured an ldap database in slapd.conf that serves as an Active Directory proxy; slapd is running on RHEL 6. My Linux OpenLDAP clients can now browse the content of the AD. The purpose of doing this is user login, which is authenticated against the AD, with the home directory information provided by the bdb database of the OpenLDAP server. autofs is functional through the rfc2307bis-formatted automount maps. The problem is that "getent passwd username" does not always work, so the AD users are not known, even though ldapsearch can always find the user information with a proper search base set.
At the slapd server (RHEL 6), nslcd (trying to avoid SSL at this stage) is being used, while on the Linux OpenLDAP clients I compiled pam_ldap and nss_ldap.
pam_ldap/nss_ldap have long since been abandoned and are unsupported. You should use nslcd everywhere.
I noticed that the OpenLDAP clients use /etc/openldap/ldap.conf as the configuration file, and nss/pam use /etc/ldap.conf. I tried to use a different BASE in the two conf files, but it didn't work for me.
I know there must be other people who have already done this, some way, and I'd very much appreciate it if somebody could point me to some known-to-work ways.
Easiest is to use a single database backend with the pbind overlay, if the only thing you need from the remote server is authentication.
Jun
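The single-database-plus-pbind layout suggested in the reply, as an added configuration example that is not part of the thread: one local mdb database holds the POSIX account and automount data with no userPassword values, and slapo-pbind forwards every simple bind to AD, so nslcd on each client does its passwd lookups and its PAM bind against the same slapd. The host names, the suffix dc=ad,dc=example,dc=com, the CA file path and the schema file path are assumptions.

```conf
# /etc/openldap/slapd.conf on the RHEL 6 slapd host (added example).
# Assumed: AD at ad.example.com, naming context dc=ad,dc=example,dc=com.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
# rfc2307bis (posixAccount + automount classes); file path is an assumption.
include         /etc/openldap/schema/rfc2307bis.schema

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# The local suffix mirrors the AD naming context: pbind forwards the bind
# DN unchanged, so a DN that exists here must also be a valid DN in AD.
database        mdb
suffix          "dc=ad,dc=example,dc=com"
rootdn          "cn=Manager,dc=ad,dc=example,dc=com"
directory       /var/lib/ldap
index           objectClass,uid,uidNumber,gidNumber,memberUid eq
index           automountKey eq

# Only the rootdn may write; everyone may read the account data.
access to *
        by dn.exact="cn=Manager,dc=ad,dc=example,dc=com" write
        by * read

# No passwords are stored locally: simple binds are proxied to AD.
# StartTLS keeps AD credentials off the wire in clear text.
overlay         pbind
uri             ldap://ad.example.com
tls             start tls_cacert=/etc/openldap/cacerts/ad-ca.pem
network-timeout 5

# ---- /etc/nslcd.conf on every Linux client (replaces pam_ldap/nss_ldap) ----
# uid nslcd
# gid ldap
# uri ldap://slapd.example.com
# base dc=ad,dc=example,dc=com
# scope sub
# # PAM binds as the user's DN, which slapd hands to AD via pbind.
# ssl start_tls
# tls_cacertfile /etc/openldap/cacerts/slapd-ca.pem
```

Login then flows client -> nslcd -> slapd (pbind) -> AD for the password check, while getent, autofs and home directory lookups are answered by the local database alone.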