Hello, just a few questions regarding authenticating OpenLDAP (CentOS 5.4) to Windows Active Directory.
I'm able to bind, I've confirmed this by changing the bind password, and then the bind attempt fails. However I'm unable to authenticate.
My attempt is always as follows: su: user blabla does not exist
No errors end up in the messages log.
My question is... could this be because the Active Directory I'm trying to authenticate against doesn't have any Windows Services for Unix installed? Should that even matter if I can bind?
--
William J. Edsall
On 01/09/10 12:05 -0400, Edsall, William (WJ) wrote:
> Hello, just a few questions regarding authenticating OpenLDAP (CentOS 5.4) to Windows Active Directory.
> I'm able to bind, I've confirmed this by changing the bind password, and then the bind attempt fails. However I'm unable to authenticate.
Could you clarify a few items?
Are you binding directly to an OpenLDAP server or an Active Directory Server?
Which password are you changing, the user's password in Active Directory?
> My attempt is always as follows: su: user blabla does not exist
With regards to OpenLDAP, a successful bind is a successful authentication.
With something like su, your trouble may be related to a 3rd party PAM or NSS module. How does su authenticate in your environment?
On Wednesday, 1 September 2010 17:05:36 Edsall, William (WJ) wrote:
> Hello, just a few questions regarding authenticating OpenLDAP (CentOS 5.4) to Windows Active Directory.
Could you list what you have actually configured? There are multiple solutions, which will work under different conditions for different goals.
> I'm able to bind,
How are you checking this? What software are you using?
> I've confirmed this by changing the bind password, and then the bind attempt fails. However I'm unable to authenticate.
> My attempt is always as follows: su: user blabla does not exist
So, NSS is unable to find information about the user 'blabla'. I note that trying 'getent passwd blabla', or 'getent passwd' may be more informative.
However:
1) Is nss_ldap installed?
2) Is 'ldap' listed in the passwd line of /etc/nsswitch.conf (it should be, probably for 'group' as well, but IMHO best not in 'shadow')?
3) Have you configured /etc/ldap.conf appropriately? Can you supply a sanitised minimal version of your /etc/ldap.conf?
> No errors end up in the messages log.
> My question is... could this be because the Active Directory I'm trying to authenticate against doesn't have any Windows Services for Unix installed?
It could be because your directory server doesn't hold the unix attributes for the user blabla. SFU had non-standard attributes for these, so you would need to configure attribute mapping on the "client" side. In Windows 2003R2 and later, I believe rfc2307bis is available, but may need to be enabled.
You could provide a sanitised version of the LDIF for the user in question (e.g. from querying AD) if you aren't able to tell for yourself.
> Should that even matter if I can bind?
Yes it should (at least to 'su'). What should the user's uid and gid (number) be? What shell should be started for the user?
Regards, Buchan
openldap-technical@openldap.org
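The two checks Buchan asks for (is 'ldap' in the right nsswitch.conf databases, and does the AD entry carry the uidNumber/gidNumber/loginShell that su needs) can be scripted against a saved nsswitch.conf and an LDIF dump of the user. This is an added example, not from anyone in the thread; the nsswitch.conf and AD entries below are constructed samples, and the attribute names are the standard RFC 2307 ones rather than SFU's.

```shell
#!/bin/sh
# Added example: offline checks for NSS/LDAP user resolution problems.
# Sample nsswitch.conf and LDIF entries are constructed, not from a real directory.

# nss_has_ldap <db> <nsswitch.conf>: succeed if database <db> lists 'ldap'.
nss_has_ldap() {
    awk -v db="$1" '
        $0 !~ /^[[:space:]]*#/ && $1 == db":" {
            for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1
        }
        END { exit found ? 0 : 1 }' "$2"
}

# ldif_attr <attr> <ldif>: print the first value of <attr> (case-insensitive name),
# fail if the entry has no such attribute.
ldif_attr() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^#/ { next }
        { n = index($0, ":"); if (n == 0) next
          name = tolower(substr($0, 1, n - 1))
          if (name == want) { v = substr($0, n + 1); sub(/^[[:space:]]+/, "", v)
                              print v; found = 1; exit } }
        END { exit found ? 0 : 1 }' "$2"
}

# unix_attrs_ok <ldif>: list the RFC 2307 attributes su/NSS needs that are missing;
# succeed only when none are missing.
unix_attrs_ok() {
    missing=""
    for a in uidNumber gidNumber loginShell; do
        ldif_attr "$a" "$1" >/dev/null || missing="$missing $a"
    done
    [ -z "$missing" ] || { echo "missing:$missing"; return 1; }
}

SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/nsswitch.conf" <<'EOF'
# constructed: passwd and group consult LDAP, shadow deliberately does not
passwd:     files ldap
shadow:     files
group:      files ldap
EOF
cat > "$SAMPLE_DIR/user.ldif" <<'EOF'
dn: CN=blabla,CN=Users,DC=example,DC=com
sAMAccountName: blabla
uidNumber: 10001
gidNumber: 10001
loginShell: /bin/bash
EOF
cat > "$SAMPLE_DIR/user-nounix.ldif" <<'EOF'
dn: CN=blabla,CN=Users,DC=example,DC=com
sAMAccountName: blabla
EOF
for f in user.ldif user-nounix.ldif; do
    printf '%s: ' "$f"; unix_attrs_ok "$SAMPLE_DIR/$f" && echo "unix attributes present"
done
```

An entry that reports missing attributes is exactly the case where the bind succeeds but 'getent passwd blabla' returns nothing and su reports the user does not exist.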