Hi technical,
I hit a problem while configuring a proxy to AD. I can run the command:
$ ldapsearch -x -h localhost -LLL -b dc=mydomain,dc=local -D cn=open,cn=users,dc=mydomain,dc=local -W "(cn=open1)" cn sAMAccountName
which returns the SAMACCOUNTNAME:open successfully. --- This may mean the proxy works well. But if I run the command without -D cn=open,cn=users,dc=mydomain,dc=local, the search fails. When I try to log in to my client machine with an AD user, it always fails. --- I can log in with an openldap user successfully.
I think I need some configuration to force the -D in slapd.conf. Are there any problems with my slapd.conf? Or any troubleshooting comments? I appreciate it very much.
Below is my slapd.conf:
#######################################################################
# database definitions
#######################################################################
database ldap
suffix "DC=mydomain,DC=local"
uri ldap://dc-ad.mydomain.local/
chase-referrals no
rebind-as-user yes
idassert-bind bindmethod=simple
  binddn="CN=open,OU=users,DC=mydomain,DC=local"
  credentials=open
  mode=none
  flags=non-prescriptive
idassert-authzFrom "*"
Thanks, Leo
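Added example, written for this thread and not code from Leo, Dan or the OpenLDAP project: a small Python linter over the back-ldap stanza above. It folds slapd.conf continuation lines, parses the idassert-bind options, and lists what to verify on the proxy before turning to the client's nss/pam setup: whether the idassert binddn matches the DN the successful ldapsearch bound with (the ldapsearch in the message used cn=users, the config uses OU=users), what mode=none implies, whether idassert-authzFrom covers anonymous clients, and whether the proxy-to-AD link carries the credentials in clear. The config text and the working DN are copied from the message; the check wording is mine.

```python
import re
import shlex

# Constructed from Leo's slapd.conf above, re-wrapped one directive per line;
# continuation lines start with whitespace, as slapd.conf allows.
SLAPD_CONF = """\
database ldap
suffix "DC=mydomain,DC=local"
uri ldap://dc-ad.mydomain.local/
chase-referrals no
rebind-as-user yes
idassert-bind bindmethod=simple
  binddn="CN=open,OU=users,DC=mydomain,DC=local"
  credentials=open
  mode=none
  flags=non-prescriptive
idassert-authzFrom "*"
"""
# The DN that the working ldapsearch in the message bound with (-D ...).
WORKING_BIND_DN = "cn=open,cn=users,dc=mydomain,dc=local"

def parse_stanza(text):
    # Returns {directive: [args]}; idassert-bind args become an {option: value} dict.
    joined = re.sub(r"\n[ \t]+", " ", text)          # fold continuation lines
    conf = {}
    for line in joined.splitlines():
        if line.strip() and not line.startswith("#"):
            key, *args = shlex.split(line)           # shlex strips the "..." quoting
            conf[key.lower()] = args
    opts = conf.get("idassert-bind", [])
    conf["idassert-bind"] = dict(o.split("=", 1) for o in opts if "=" in o)
    return conf

def norm_dn(dn):
    # Case- and whitespace-insensitive comparison form for a DN string.
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))

def lint(conf, working_dn):
    # Points to verify on the proxy side, in a fixed order.
    findings = []
    ib = conf["idassert-bind"]
    if norm_dn(ib.get("binddn", "")) != norm_dn(working_dn):
        findings.append("idassert binddn differs from the DN that worked in ldapsearch")
    if ib.get("mode") == "none":
        findings.append("mode=none: no proxyAuthz control, every operation runs as binddn")
    if conf.get("idassert-authzfrom", [""])[0] != "*":
        findings.append("idassert-authzFrom does not cover anonymous clients")
    if conf.get("uri", [""])[0].startswith("ldap://") and "tls" not in conf:
        findings.append("plain ldap:// with no tls directive: credentials cross the wire in clear")
    return findings
```

Run `lint(parse_stanza(SLAPD_CONF), WORKING_BIND_DN)` to get the list; for the stanza above it reports the binddn difference, the mode=none note and the unencrypted link.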
On 06/11/15 23:38 +0000, Leo Xiao wrote:
Hi technical,
I hit a problem while configuring a proxy to AD. I can run the command:
$ ldapsearch -x -h localhost -LLL -b dc=mydomain,dc=local -D cn=open,cn=users,dc=mydomain,dc=local -W "(cn=open1)" cn sAMAccountName
which returns the SAMACCOUNTNAME:open successfully. --- This may mean the proxy works well. But if I run the command without -D cn=open,cn=users,dc=mydomain,dc=local, the search fails.
So you are attempting to authenticate anonymously? Or with SASL?
When I try to log in to my client machine with an AD user, it always fails. --- I can log in with an openldap user successfully.
You'll need to troubleshoot your nss/pam config, whichever one you're using.
I think I need some configuration to force the -D in slapd.conf. Are there any problems with my slapd.conf? Or any troubleshooting comments? I appreciate it very much.
Below is my slapd.conf:
#######################################################################
# database definitions
#######################################################################
database ldap
suffix "DC=mydomain,DC=local"
uri ldap://dc-ad.mydomain.local/
chase-referrals no
rebind-as-user yes
idassert-bind bindmethod=simple
  binddn="CN=open,OU=users,DC=mydomain,DC=local"
  credentials=open
  mode=none
  flags=non-prescriptive
idassert-authzFrom "*"
Thanks, Leo
Hi Dan,
Thanks a lot for the comments. I want to authenticate anonymously, not with SASL. Is there any PAM configuration needed for this scenario? Could you share some links/docs with me? Thanks so much. When I log in with an openldap user, just running authconfig-gtk (which modified /etc/openldap/ldap.conf) and setting the LDAP server/base DN lets me log in successfully.
Thanks, Leo
________________________________________
From: Dan White dwhite@cafedemocracy.org
Sent: Monday, June 15, 2015 9:59 PM
To: Leo Xiao
Cc: openldap-technical@openldap.org
Subject: Re: proxy to AD does not work during login client machine
On 06/11/15 23:38 +0000, Leo Xiao wrote:
Hi technical,
I hit a problem while configuring a proxy to AD. I can run the command:
$ ldapsearch -x -h localhost -LLL -b dc=mydomain,dc=local -D cn=open,cn=users,dc=mydomain,dc=local -W "(cn=open1)" cn sAMAccountName
which returns the SAMACCOUNTNAME:open successfully. --- This may mean the proxy works well. But if I run the command without -D cn=open,cn=users,dc=mydomain,dc=local, the search fails.
So you are attempting to authenticate anonymously? Or with SASL?
When I try to log in to my client machine with an AD user, it always fails. --- I can log in with an openldap user successfully.
You'll need to troubleshoot your nss/pam config, whichever one you're using.
I think I need some configuration to force the -D in slapd.conf. Are there any problems with my slapd.conf? Or any troubleshooting comments? I appreciate it very much.
Below is my slapd.conf:
#######################################################################
# database definitions
#######################################################################
database ldap
suffix "DC=mydomain,DC=local"
uri ldap://dc-ad.mydomain.local/
chase-referrals no
rebind-as-user yes
idassert-bind bindmethod=simple
  binddn="CN=open,OU=users,DC=mydomain,DC=local"
  credentials=open
  mode=none
  flags=non-prescriptive
idassert-authzFrom "*"
Thanks, Leo
-- Dan White
From: Dan White dwhite@cafedemocracy.org
On 06/11/15 23:38 +0000, Leo Xiao wrote:
Hi technical,
I hit a problem while configuring a proxy to AD. I can run the command:
$ ldapsearch -x -h localhost -LLL -b dc=mydomain,dc=local -D cn=open,cn=users,dc=mydomain,dc=local -W "(cn=open1)" cn sAMAccountName
which returns the SAMACCOUNTNAME:open successfully. --- This may mean the proxy works well. But if I run the command without -D cn=open,cn=users,dc=mydomain,dc=local, the search fails.
So you are attempting to authenticate anonymously? Or with SASL?
On 06/15/15 22:58 +0000, Leo Xiao wrote:
Hi Dan,
Thanks a lot for the comments. I want to authenticate anonymously, not with SASL.
Is there any PAM configuration needed for this scenario? Could you share some links/docs with me? Thanks so much.
When I log in with an openldap user, just running authconfig-gtk (which modified /etc/openldap/ldap.conf) and setting the LDAP server/base DN lets me log in successfully.
The configuration to do anonymous binds is highly dependent on the ldap pam module you are using. See slapo-nssov(5) if you are using the one distributed by the OpenLDAP project. Otherwise, configuration of your ldap pam module is outside the scope of this project. However, assuming your pam ldap module uses (links against) libldap, consult the ldap.conf(5) manpage as well.
Hi Dan,
I appreciate your help very much! I'm using RHEL 6.6 (both the LDAP server and the client machine), and what I want to achieve is logging in to RHEL with AD users (on the RHEL login UI). Does it mean that my LDAP proxy configuration works well? Because I can run the command:
$ ldapsearch -x -h localhost -LLL -b dc=mydomain,dc=local -D cn=open,cn=users,dc=mydomain,dc=local -W "(cn=open1)" cn sAMAccountName
which returns the SAMACCOUNTNAME:open successfully.
So now I should focus on troubleshooting the RHEL client-side configuration, right? Could anybody share config files from a successful scenario with me? I have searched on Google many times this week and also read the proxy chapter in the book "Mastering OpenLDAP", but still haven't resolved my problem.
Thanks, Leo
-----Original Message-----
From: Dan White [mailto:dwhite@cafedemocracy.org]
Sent: Tuesday, June 16, 2015 9:33 PM
To: Leo Xiao
Cc: Dan White; openldap-technical@openldap.org
Subject: Re: proxy to AD does not work during login client machine
From: Dan White dwhite@cafedemocracy.org
On 06/11/15 23:38 +0000, Leo Xiao wrote:
Hi technical,
I hit a problem while configuring a proxy to AD. I can run the command:
$ ldapsearch -x -h localhost -LLL -b dc=mydomain,dc=local -D cn=open,cn=users,dc=mydomain,dc=local -W "(cn=open1)" cn sAMAccountName
which returns the SAMACCOUNTNAME:open successfully. --- This may mean the proxy works well. But if I run the command without -D cn=open,cn=users,dc=mydomain,dc=local, the search fails.
So you are attempting to authenticate anonymously? Or with SASL?
On 06/15/15 22:58 +0000, Leo Xiao wrote:
Hi Dan,
Thanks a lot for the comments. I want to authenticate anonymously, not with SASL.
Is there any PAM configuration needed for this scenario? Could you share some links/docs with me? Thanks so much.
When I log in with an openldap user, just running authconfig-gtk (which modified /etc/openldap/ldap.conf) and setting the LDAP server/base DN lets me log in successfully.
The configuration to do anonymous binds is highly dependent on the ldap pam module you are using. See slapo-nssov(5) if you are using the one distributed by the OpenLDAP project. Otherwise, configuration of your ldap pam module is outside the scope of this project. However, assuming your pam ldap module uses (links against) libldap, consult the ldap.conf(5) manpage as well.
-- Dan White