On 1/09/10 5:12 -0500, Dan White wrote:
On 01/09/10 12:05 -0400, Edsall, William (WJ) wrote:
Hello, just a few questions regarding authenticating OpenLDAP (CentOS 5.4) to Windows Active Directory.
I'm able to bind; I've confirmed this by changing the bind password, and then the bind attempt fails. However, I'm unable to authenticate.
Could you clarify a few items?
Are you binding directly to an OpenLDAP server or an Active Directory Server?
Which password are you changing, the user's password in Active Directory?
My attempt is always as follows: su: user blabla does not exist
With regards to OpenLDAP, a successful bind is a successful authentication.
With something like su, your trouble may be related to a 3rd party PAM or NSS module. How does su authenticate in your environment?
On 02/09/10 10:25 -0400, Edsall, William (WJ) wrote:
Hello, I am binding to an Active Directory server.
When I say I change the password for testing, I'm changing the bind password in the ldap.conf file.
I believe PAM is using the ldap module:
    passwd: files ldap
    shadow: files ldap
    group: files ldap
The reason I used the binddn and bind password is because I know our Active Directory setup does not allow anonymous binding.
So as I understand it, you are not using the OpenLDAP server, but the OpenLDAP libraries in conjunction with a PAM ldap module. Do you know which PAM module you are using? The PADL one?
If so, you may want to pose this problem on the pamldap@padl.com mailing list, or you could post a sanitized copy of your ldap configuration here to see if someone might recognize a problem.
A general troubleshooting tip would be to find out what query your PAM ldap module is submitting to the Active Directory server, attempt to reproduce it with an ldapwhoami command, and play with the base/scope/filter settings until you get the expected response.
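Following that tip, here is an added example (not code from either poster): it reads a sanitized ldap.conf of the pam_ldap/nss_ldap kind and prints the ldapwhoami bind check plus the ldapsearch that replays the NSS user lookup. The host, DNs, service account and the sAMAccountName login attribute are assumed values; the lookup asks for uidNumber and gidNumber because the NSS side needs them to present the account.

```shell
#!/bin/sh
# Added example (not from the thread): derive the bind test and the user lookup that a
# pam_ldap/nss_ldap style ldap.conf implies, so they can be replayed with ldapwhoami/ldapsearch.
# All host names, DNs and the account below are constructed.
write_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed, sanitized ldap.conf (hypothetical host, DNs and service account)
uri ldap://dc1.example.internal/
base dc=example,dc=internal
binddn cn=ldapro,ou=Service Accounts,dc=example,dc=internal
bindpw REDACTED
scope sub
pam_login_attribute sAMAccountName
nss_base_passwd ou=People,dc=example,dc=internal?sub
EOF
    printf '%s\n' "$f"
}
# conf_get FILE KEY: value of the first matching key (ldap.conf keys are case-insensitive)
conf_get() {
    awk -v key="$2" 'tolower($1) == tolower(key) { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}
# Escape a login name for use inside an LDAP filter (RFC 4515), so that a name
# containing * ( ) or \ cannot change the meaning of the filter.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}
# Bind test: -W prompts for bindpw instead of putting it on the command line,
# where ps and the shell history would expose it.
bind_check_cmd() {
    printf 'ldapwhoami -x -H %s -D "%s" -W\n' "$(conf_get "$1" uri)" "$(conf_get "$1" binddn)"
}
# The lookup the NSS module performs for a login name. nss_base_passwd is
# "base?scope"; when it is absent the global base and scope apply.
build_lookup_cmd() {
    base=$(conf_get "$1" nss_base_passwd)
    case $base in
        *\?*) scope=${base##*\?}; base=${base%%\?*} ;;
        '')   base=$(conf_get "$1" base); scope=$(conf_get "$1" scope) ;;
        *)    scope=$(conf_get "$1" scope) ;;
    esac
    attr=$(conf_get "$1" pam_login_attribute); [ -n "$attr" ] || attr=uid
    printf 'ldapsearch -x -H %s -D "%s" -W -b "%s" -s %s "(%s=%s)" dn uidNumber gidNumber\n' \
        "$(conf_get "$1" uri)" "$(conf_get "$1" binddn)" "$base" "${scope:-sub}" \
        "$attr" "$(ldap_filter_escape "$2")"
}
# Print both commands for a sample login; run them by hand and compare with getent passwd.
conf=$(write_sample_conf)
bind_check_cmd "$conf"; build_lookup_cmd "$conf" 'j.doe'; rm -f "$conf"
```

If the ldapwhoami succeeds but the ldapsearch returns no entry, or an entry without uidNumber/gidNumber, the "user does not exist" message is coming from the NSS lookup rather than from the bind.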