If I run this query, I get the following response:

ldapsearch -x -H ldap://hera2.research.phg.com.au/ -b dc=internal,dc=phg,dc=com,dc=au "(&(objectClass=user)(uid=nazeerm))"

# extended LDIF
#
# LDAPv3
# base <dc=internal,dc=phg,dc=com,dc=au> with scope subtree
# filter: (&(objectClass=user)(uid=nazeerm))
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece

# numResponses: 1
------------------
Instead, if I modify the query to the following, then I get the requested entry:

ldapsearch -x -H ldap://hera2.research.phg.com.au/ -b dc=internal,dc=phg,dc=com,dc=au "(uid=nazeerm)"

# extended LDIF
#
# LDAPv3
# base <dc=internal,dc=phg,dc=com,dc=au> with scope subtree
# filter: (uid=nazeerm)
# requesting: ALL
#

dn: cn=Nazeeruddin Mohammad,ou=Da Vinci Coders,ou=Portland
givenName: Nazeeruddin
gidNumber: 1000
UNIXHOMEDIRECTORY: /home/research/nazeerm
uidNumber: 10009
MSSFU30NISDOMAIN: internal
loginShell: /bin/bash
MSSFU30NAME: nazeerm

# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece

# numResponses: 2
# numEntries: 1
Regards
Nazeer
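An added example, not code from the thread: a small Python parser for the LDIF that ldapsearch prints, which tells a run that returned only an "Operations error" apart from one that returned an entry and the same error together, as the two anonymous (-x) runs above did. The sample inputs are constructed from the output quoted in the post, trimmed to the lines the parser needs.

```python
# Constructed samples: the two ldapsearch outputs quoted above, trimmed.
BIND_REQUIRED_TEXT = "successful bind must be completed"

FAILED = """\
# filter: (&(objectClass=user)(uid=nazeerm))
# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
# numResponses: 1
"""

PARTIAL = """\
# filter: (uid=nazeerm)
dn: cn=Nazeeruddin Mohammad,ou=Da Vinci Coders,ou=Portland
uidNumber: 10009
loginShell: /bin/bash
# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
# numResponses: 2
# numEntries: 1
"""


def parse_ldapsearch(output):
    """Return (filter, entry_count, result_code, bind_required) from LDIF output."""
    flt, entries, code, bind_required = None, 0, None, False
    for line in output.splitlines():
        if line.startswith("# filter: "):
            flt = line[len("# filter: "):]
        elif line.startswith("dn: "):          # each returned entry starts with dn:
            entries += 1
        elif line.startswith("result: "):      # e.g. "result: 1 Operations error"
            code = int(line.split()[1])
        elif line.startswith("text: ") and BIND_REQUIRED_TEXT in line:
            bind_required = True               # the AD diagnostic seen in the thread
    return flt, entries, code, bind_required


def classify(output):
    """Label a run: ok, bind-required, partial-bind-required (entries AND error), or error."""
    _, entries, code, bind_required = parse_ldapsearch(output)
    if code == 0:
        return "ok"
    if bind_required:
        return "partial-bind-required" if entries else "bind-required"
    return "error"
```

The "partial" case matters because a client such as nss_ldap sees the non-zero result code even though an entry came back, so a search that looks successful by eye can still fail the lookup.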
-----Original Message-----
From: Buchan Milne [mailto:bgmilne@staff.telkomsa.net]
Sent: Wednesday, 22 October 2008 5:43 PM
To: Nazeeruddin Mohammad
Cc: openldap-technical@openldap.org
Subject: Re: Configuring UNIX clients to retrieve user info from LDAP
On Wednesday 22 October 2008 03:26:13 Nazeeruddin Mohammad wrote:
Thanks for the reply. Here are the missing details.
What OS / Distro?
I am using CentOS 5.1. The nsswitch.conf is properly configured. If I change the uri or host in /etc/ldap.conf to a standard LDAP server, it works fine. Only if I refer to an LDAP server which is a proxy to an AD server does it fail.
Add: debug 1
I did this and here is a sample output. It's connecting to the server (hera2), but not getting any information. Strange!
ldap_create
ldap_url_parse_ext(ldap://hera2.research.phg.com.au/)
ldap_create
ldap_url_parse_ext(ldap://hera2.research.phg.com.au/)
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP hera2.research.phg.com.au:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.100.237:389
ldap_connect_timeout: fd: 3 tm: 15 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush: 14 bytes to sd 3
ldap_result ld 0x4f3b510 msgid 1
ldap_chkResponseList ld 0x4f3b510 msgid 1 all 0
ldap_chkResponseList returns ld 0x4f3b510 NULL
wait4msg ld 0x4f3b510 msgid 1 (timeout 15000000 usec)
wait4msg continue ld 0x4f3b510 msgid 1 all 0
** ld 0x4f3b510 Connections:
- host: hera2.research.phg.com.au port: 389 (default)
  refcnt: 2 status: Connected
  last used: Wed Oct 22 09:46:44 2008
** ld 0x4f3b510 Outstanding Requests:
- msgid 1, origid 1, status InProgress
  outstanding referrals 0, parent count 0
** ld 0x4f3b510 Response Queue:
  Empty
ldap_chkResponseList ld 0x4f3b510 msgid 1 all 0
ldap_chkResponseList returns ld 0x4f3b510 NULL
ldap_int_select
read1msg: ld 0x4f3b510 msgid 1 all 0
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x4f3b510 msgid 1 message type bind
ber_scanf fmt ({eaa) ber:
read1msg: ld 0x4f3b510 0 new referrals
read1msg: mark request completed, ld 0x4f3b510 msgid 1
request done: ld 0x4f3b510 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_search
put_filter: "(&(objectClass=user)(uid=nazeerm))"
put_filter: AND
put_filter_list "(objectClass=user)(uid=nazeerm)"
put_filter: "(objectClass=user)"
put_filter: simple
put_simple_filter: "objectClass=user"
put_filter: "(uid=nazeerm)"
put_filter: simple
put_simple_filter: "uid=nazeerm"
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 204 bytes to sd 3
ldap_result ld 0x4f3b510 msgid 2
ldap_chkResponseList ld 0x4f3b510 msgid 2 all 1
ldap_chkResponseList returns ld 0x4f3b510 NULL
wait4msg ld 0x4f3b510 msgid 2 (timeout 15000000 usec)
wait4msg continue ld 0x4f3b510 msgid 2 all 1
** ld 0x4f3b510 Connections:
- host: hera2.research.phg.com.au port: 389 (default)
  refcnt: 2 status: Connected
  last used: Wed Oct 22 09:46:44 2008
** ld 0x4f3b510 Outstanding Requests:
- msgid 2, origid 2, status InProgress
  outstanding referrals 0, parent count 0
** ld 0x4f3b510 Response Queue:
  Empty
ldap_chkResponseList ld 0x4f3b510 msgid 2 all 1
ldap_chkResponseList returns ld 0x4f3b510 NULL
ldap_int_select
So, looking at the exact filter that is sent, what happens if you perform a search as follows:
$ ldapsearch -x -H ldap://ldapserver.research.phg.com.au/ -b dc=internal,dc=phg,dc=com,dc=au "(&(objectClass=user)(uid=nazeerm))"
-----Original Message-----
From: Buchan Milne [mailto:bgmilne@staff.telkomsa.net]
Sent: Tuesday, 21 October 2008 5:22 PM
To: openldap-technical@openldap.org
Cc: Nazeeruddin Mohammad
Subject: Re: Configuring UNIX clients to retrieve user info from LDAP
On Tuesday 21 October 2008 00:48:20 Nazeeruddin Mohammad wrote:
Hi All,
Sorry for reposting the mail. This is a long-term problem for me. I am unable to retrieve user information from an LDAP server which is a proxy to AD. The normal LDAP search (see the command below) gets me the data, but "getent passwd" only gets me local users from the passwd file.
ldapsearch -x -h ldapserver -LLL -b dc=internal,dc=phg,dc=com,dc=au '(uid=nazeerm)'
Is there any problem with my configuration? Thank you very much.
Here is my client configuration.
uri ldap://ldapserver.research.phg.com.au/
base dc=internal,dc=phg,dc=com,dc=au
scope sub
bind_timelimit 15
timelimit 15
ssl no
referrals no
nss_base_passwd dc=internal,dc=phg,dc=com,dc=au?sub
nss_base_shadow dc=internal,dc=phg,dc=com,dc=au?sub
nss_base_group dc=internal,dc=phg,dc=com,dc=au?sub?&(objectCategory=group)(gidnumber=*)

nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group

nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_initgroups_ignoreusers root,ldap

pam_filter objectClass=posixAccount
pam_login_attribute uid
pam_lookup_policy no