I'm trying to configure lib-nss to use OpenLDAP against my Active Directory. But I seem to be having lots of problems even getting it to search properly. I have Samba all properly configured for AD - it's properly joined to the AD domain, and all seems to be working fine. Now I'd like to investigate using OpenLDAP to authenticate against AD.
AD server = 10.0.0.60
AD server name = dim-win2300.dacrib.local
AD domain name = DaCrib.local
AD Win2003 SP2 (with Services for Unix installed)

Linux server: IP = 10.0.0.20
Ubuntu 9.04
OpenLDAP 2.4.2 (from repository)
Here's the /etc/ldap/ldap.conf:
------------------------
host 10.0.0.60
base dc=DaCrib,dc=local
binddn CN=Administrator,CN=Users,dc=DaCrib,dc=local
bindpw XXXXX

# RFC 2307 (AD) mappings
# <to> <from>
nss_map_attribute userPassword sambaPassword
nss_map_attribute gecos name
nss_map_attribute uid unixName
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
pam_filter objectclass=User
pam_password crypt

nss_initgroups_ignoreusers avahi,backup,bin,daemon,dhcp,dovecot,festival,games,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,mysql,news,polkituser,postfix,proxy,root,saned,sshd,sync,sys,syslog,uucp,www-data
--------------------------
Here's what an "ldapsearch" gives me: (command line will wrap in email)
--------------------------
ldapsearch -v -x -H ldap://10.0.0.60 "(objectClass=posixAccount)" sAMAccountName

ldap_initialize( ldap://10.0.0.60:389/??base )
filter: (objectClass=posixAccount)
requesting: sAMAccountName
# extended LDIF
#
# LDAPv3
# base <dc=DaCrib,dc=local> (default) with scope subtree
# filter: (objectClass=posixAccount)
# requesting: sAMAccountName
#

# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece

# numResponses: 1
----------------------------
So the question is ... why is it failing to bind?
No firewalls are running on either server (at the moment). It should bind anonymously (I think). I tried turning up the debug level on the ldapsearch, but that told me nothing I could understand. :-) I tried "-W" so it would prompt for a password, but it says "invalid credentials", even though I have verified the password of the Administrator account.
From Windows, I can run ldp and bind (as administrator) and search with no problems. Similarly, I can use the command line utility "adfind" and search without issues, without binding.
So I've got something screwy in my ldap.conf, but I can't figure out where.
Thoughts?
Mike Leone turgon@mike-leone.com writes:
I'm trying to configure lib-nss to use OpenLDAP against my Active Directory. But I seem to be having lots of problems even getting it to search properly. I have Samba all properly configured for AD - it's properly joined to the AD domain, and all seems to be working fine. Now I'd like to investigate using OpenLDAP to authenticate against AD.
[...]
ldapsearch -v -x -H ldap://10.0.0.60 "(objectClass=posixAccount)" sAMAccountName
[...]
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
# numResponses: 1
So the question is ... why is it failing to bind?
[...]
Because you are trying to do an anonymous bind, while a simple bind with a distinguished name is required. man ldapsearch(1)
-Dieter
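What Dieter's reply means on the wire, as an added example (this is not code from the thread and not OpenLDAP's own code): `ldapsearch -x` without `-D` sends an LDAPv3 bind with an empty name and empty password, which Active Directory accepts as an anonymous bind and then refuses to search for (resultCode 1, operationsError, the "a successful bind must be completed" text above). A simple bind carries the distinguished name in the BindRequest. The `binddn`/`bindpw` keywords in the posted file are nss_ldap/pam_ldap settings, not OpenLDAP ldap.conf(5) settings, so the OpenLDAP client tools never see them; with ldapsearch the DN has to be given with `-D`. The script below builds both bind requests with a minimal BER encoder, decodes a BindResponse, and can send a bind to a server if one is reachable; the host, DN and password are assumptions copied from Mike's post, and the sample reply is constructed offline.

```python
"""Minimal LDAPv3 simple bind over raw BER (RFC 4511), standard library only.

Added example, not from the thread or from OpenLDAP. Host, DN and password are
assumptions mirroring the post; the sample BindResponse is constructed locally.
"""
import socket

# RFC 4511 result codes that appear in this thread
SUCCESS, OPERATIONS_ERROR, INVALID_CREDENTIALS = 0, 1, 49


def ber_len(n: int) -> bytes:
    """BER definite-form length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(n: int, tag: int = 0x02) -> bytes:
    """Minimal two's-complement INTEGER (tag 0x02) or ENUMERATED (tag 0x0A), n >= 0."""
    body = n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True)
    return tlv(tag, body)


def bind_request(msg_id: int, dn: str = "", password: str = "") -> bytes:
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest { version 3, name, simple [0] } }.

    dn="" and password="" is exactly the anonymous bind `ldapsearch -x` sends with
    no -D; AD accepts it but then answers searches with operationsError (1).
    Passing the DN turns it into the simple bind Dieter describes.
    """
    auth = tlv(0x80, password.encode())  # AuthenticationChoice: simple [0] OCTET STRING
    op = tlv(0x60, ber_int(3) + tlv(0x04, dn.encode()) + auth)
    return tlv(0x30, ber_int(msg_id) + op)


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one TLV at pos; return (tag, value bytes, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def parse_bind_response(buf: bytes):
    """Return (messageID, resultCode, diagnosticMessage) from an encoded BindResponse."""
    tag, msg, _ = read_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, p = read_tlv(msg)
    t, op, _ = read_tlv(msg, p)
    if t != 0x61:  # [APPLICATION 1] BindResponse
        raise ValueError("protocolOp is not a BindResponse: tag 0x%02x" % t)
    _, code, p = read_tlv(op)        # ENUMERATED resultCode
    _, _matched, p = read_tlv(op, p)  # matchedDN (usually empty)
    _, diag, _ = read_tlv(op, p)      # diagnosticMessage, e.g. AD's "LdapErr: ..." text
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def bind_response(msg_id: int, code: int, diag: str = "") -> bytes:
    """Encode a BindResponse; used here only to build a constructed sample reply."""
    result = ber_int(code, 0x0A) + tlv(0x04, b"") + tlv(0x04, diag.encode())
    return tlv(0x30, ber_int(msg_id) + tlv(0x61, result))


def simple_bind(host: str, dn: str, password: str, port: int = 389, timeout: float = 5.0):
    """Send one simple bind over cleartext LDAP and return (resultCode, diagnosticMessage).

    Caveat: like `ldapsearch -x -D ... -W` on ldap://, this puts the password on the
    wire unencrypted. Use ldaps:// or StartTLS (-ZZ) and a dedicated low-privilege
    bind account rather than Administrator.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(bind_request(1, dn, password))
        data = s.recv(4096)
    _, code, diag = parse_bind_response(data)
    return code, diag


if __name__ == "__main__":
    # Offline demo with values assumed from the post; no server contacted.
    anon = bind_request(1)
    named = bind_request(1, "CN=Administrator,CN=Users,DC=DaCrib,DC=local", "XXXXX")
    print("anonymous bind request:", anon.hex())
    print("simple bind request   :", named.hex())
    sample = bind_response(1, INVALID_CREDENTIALS, "constructed sample: invalidCredentials")
    print("decoded sample reply  :", parse_bind_response(sample))
```

The ldapsearch equivalent of the named bind is `ldapsearch -x -H ldap://10.0.0.60 -D "CN=Administrator,CN=Users,DC=DaCrib,DC=local" -W -b "DC=DaCrib,DC=local" "(objectClass=posixAccount)" sAMAccountName`; a resultCode of 49 (invalidCredentials) then means the DN or password was rejected, not that the bind was skipped. For libnss-ldap itself the bind DN and password belong in that library's own configuration file (on Debian/Ubuntu `/etc/libnss-ldap.conf`, or `rootbinddn` with the secret in a root-only file), and the same transport caveat applies: a cleartext simple bind exposes whatever account it uses.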
Dieter Kluenter had this to say:
Mike Leone turgon@mike-leone.com writes:
I'm trying to configure lib-nss to use OpenLDAP against my Active Directory. But I seem to be having lots of problems even getting it to search properly. I have Samba all properly configured for AD - it's properly joined to the AD domain, and all seems to be working fine. Now I'd like to investigate using OpenLDAP to authenticate against AD.
[...]
ldapsearch -v -x -H ldap://10.0.0.60 "(objectClass=posixAccount)" sAMAccountName
[...]
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
# numResponses: 1
So the question is ... why is it failing to bind?
[...]
Because you are trying to do an anonymous bind, while a simple bind with a distinguished name is required. man ldapsearch(1)
I did read it. But if I had understood it, I wouldn't have needed to post here. LOL
What I am trying to do, I've since found out, is to get lib_nss working using ldap, as opposed to a full ldap implementation.
openldap-technical@openldap.org