Hello,
I have been attempting to use openldap as a proxy to AD with no success. I have attempted multiple different ways that I found online. I am able to get the proxy server to connect to AD, but I cannot get a client server to connect through the proxy to the AD server. Can anyone suggest anything?
-Lynn
Lynn York wrote:
I have been attempting to use openldap as a proxy to AD with no success. I have attempted multiple different ways that I found online. I am able to get the proxy server to connect to AD, but I cannot get a client server to connect through the proxy to the AD server. Can anyone suggest anything?
Well, it already worked for me.
Actually you didn't provide any useful information. Send relevant excerpts of your config and especially try to gather log information at the client and the proxy.
Ciao, Michael.
When I issue "id user" from the client machine I can see the connection to the proxy server, but I do not see the connection from the proxy to the AD server. It also binds anonymously through the proxy and I need it to bind with a certain user.
[ SNIPPET FROM slapd.conf ]
database ldap
suffix "dc=ldaptest,dc=local"
uri "ldap://2008vm1.inetu.net"
acl-bind bindmethod=simple binddn="CN=Bind User,CN=Users,DC=ldaptest,DC=local" credentials="testing"
idassert-bind bindmethod=simple authzID="u:bind" mode=self binddn="CN=Bind User,CN=Users,DC=ldaptest,DC=local" credentials="testing"
[ END SNIPPET ]
-----Original Message----- From: Michael Ströder [mailto:michael@stroeder.com] Sent: Wednesday, September 10, 2008 6:07 AM To: Lynn York Cc: openldap-technical@openldap.org Subject: Re: LDAP proxy for AD
Lynn York wrote:
When I issue "id user" from the client machine I can see the connection to the proxy server, but I do not see the connection from the proxy to the AD server. It also binds anonymously through the proxy and I need it to bind with a certain user.
[ SNIPPET FROM slapd.conf ]
database ldap
suffix "dc=ldaptest,dc=local"
uri "ldap://2008vm1.inetu.net"
acl-bind bindmethod=simple binddn="CN=Bind User,CN=Users,DC=ldaptest,DC=local" credentials="testing"
idassert-bind bindmethod=simple authzID="u:bind" mode=self binddn="CN=Bind User,CN=Users,DC=ldaptest,DC=local" credentials="testing"
First of all, authzID is only useful if "mode" is not given, as specified in the man page; it's ignored in your case.
Second, the idassert-bind directive is only honored if the user authenticates, while your application is probably binding anonymously to the proxy.
If you want idassert to work also for anonymous operations (not recommended, as this defeats the security model of the remote server, by letting it believe that the proxy authenticated users while it didn't), you need to explicitly enable it using an idassert-authzFrom rule that includes anonymous, like
idassert-authzFrom "dn.regex:.*"
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando@sys-net.it
I am not worried about the client machine binding to the proxy server as long as the proxy server binds with a user to the AD server.
Right now what is happening is:
When I issue "id user" on the client server, the connection makes it to the proxy server as anonymous, but the proxy never attempts to bind to the AD server to verify whether "user" exists in AD. If I issue the same command "id user" from the proxy server, it binds to AD and gives me information about the user. I can't figure out how to get the client server to bind to the AD server "through" the proxy.
-Lynn
-----Original Message----- From: Pierangelo Masarati [mailto:ando@sys-net.it] Sent: Wednesday, September 10, 2008 9:12 AM To: Lynn York Cc: openldap-technical@openldap.org Subject: Re: LDAP proxy for AD
I am still running into issue when attempting to use openldap as a proxy to AD. When I do a TCP dump on the proxy server, it doesn't appear to be actually communicating with the AD server when I issue "id user" from a client server. When I issue the same command from the "proxy" it connects to the AD as the correct user and pulls the correct information. Any help or suggestions would be greatly appreciated. Below is a snippet of my slapd.conf from the proxy and also my ldap.conf from the client machine.
[slapd.conf]
database ldap
suffix "cn=Users,dc=ldaptest,dc=local"
#subordinate
rebind-as-user
uri "ldap://2008vm1.inetu.net"
acl-bind bindmethod=simple binddn="CN=Bind User,CN=Users,DC=ldaptest,DC=local" credentials="testing"
chase-referrals yes
idassert-bind bindmethod=simple authzID="u:bind" mode=self idassert-authzFrom "dn.regex:.*" binddn="CN=Bind User,CN=Users,DC=ldaptest,DC=local" credentials="testing"
idassert-authzFrom "dn.regex:.*"
[slapd.conf end]
[ldap.conf]
host 10.100.223.63
port 389
base cn=Users,dc=ldaptest,dc=local
ldap_version 3
scope sub
timelimit 10
bind_timelimit 5
idle_timeout 90
bind_policy soft
pam_filter objectClass=posixAccount
pam_login_attribute uid
pam_lookup_policy no
[ldap.conf end]
I can provide logs if needed.
Thanks in advance....
-----Original Message----- From: openldap-technical-bounces+lyork=inetu.net@openldap.org [mailto:openldap-technical-bounces+lyork=inetu.net@openldap.org] On Behalf Of Lynn York Sent: Wednesday, September 10, 2008 10:14 AM To: Pierangelo Masarati Cc: openldap-technical@openldap.org Subject: RE: LDAP proxy for AD
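The two directives Pierangelo explains are easy to get wrong in exactly the way the slapd.conf excerpt above shows, so here is an added check, my own code rather than OpenLDAP's or anything posted in the thread: it reads Lynn's second slapd.conf excerpt and reports what slapd will do with its idassert-bind and idassert-authzFrom lines. The way anonymous clients are matched against authzFrom rules and the reading of stray tokens on the idassert-bind line are my assumptions, based on slapd-ldap(5).

```python
"""Lint a back-ldap stanza against the identity-assertion rules above.

Added illustration for this thread, not OpenLDAP code.  SLAPD_CONF repeats
Lynn's second slapd.conf excerpt, one directive per line.
"""
import re
import shlex

# Excerpt as posted in the thread (credentials kept exactly as in the post).
SLAPD_CONF = """
database ldap
suffix "cn=Users,dc=ldaptest,dc=local"
#subordinate
rebind-as-user
uri "ldap://2008vm1.inetu.net"
acl-bind bindmethod=simple binddn="CN=Bind User,CN=Users,DC=ldaptest,DC=local" credentials="testing"
chase-referrals yes
idassert-bind bindmethod=simple authzID="u:bind" mode=self idassert-authzFrom "dn.regex:.*" binddn="CN=Bind User,CN=Users,DC=ldaptest,DC=local" credentials="testing"
idassert-authzFrom "dn.regex:.*"
"""

ANONYMOUS_DN = ""  # slapd represents an anonymous client by the empty DN


def matches_anonymous(rule):
    """True if an idassert-authzFrom rule also covers an anonymous client."""
    if rule == "*":
        return True
    kind, _, value = rule.partition(":")
    kind = kind.lower()
    if kind == "dn.regex":
        # Assumption: slapd hands the pattern to regexec(), which is unanchored
        # unless the pattern carries ^ and $; re.search behaves the same way.
        return re.search(value, ANONYMOUS_DN) is not None
    if kind in ("dn.exact", "dn.subtree"):
        return value == ""
    return False  # dn.children, dn.onelevel, u:, group/... never match ""


def check_idassert(conf_text):
    """Return findings (strings) for the idassert directives in conf_text."""
    findings, authz_from = [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, *args = shlex.split(line)
        directive = directive.lower()
        if directive == "idassert-bind":
            opts = {k.lower(): v for k, v in
                    (a.split("=", 1) for a in args if "=" in a)}
            # Rule 1 from the reply: authzID only matters when mode is absent.
            if "mode" in opts and "authzid" in opts:
                findings.append(
                    f"authzID={opts['authzid']} is ignored because "
                    f"mode={opts['mode']} is given")
            # Every idassert-bind option is key=value; anything else is stray.
            for stray in (a for a in args if "=" not in a):
                findings.append(
                    f"{stray!r} is not a key=value idassert-bind option; "
                    "check whether it was meant as a separate directive")
        elif directive == "idassert-authzfrom":
            authz_from.extend(args)
    # Rules 2 and 3: anonymous operations are asserted only if a rule says so.
    anon = [r for r in authz_from if matches_anonymous(r)]
    if anon:
        findings.append(
            f"anonymous clients are asserted too ({', '.join(anon)}): the "
            "remote server will treat them as proxy-authenticated users")
    elif not authz_from:
        findings.append(
            "no idassert-authzFrom: only authenticated clients are asserted; "
            "anonymous operations reach the remote server unasserted")
    return findings


if __name__ == "__main__":
    for finding in check_idassert(SLAPD_CONF):
        print("-", finding)
```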
Hi,
I was able to successfully use the proxy functionality to connect to an AD server using the slapd configuration below.
[SNIPPET from slapd.conf]
database ldap
suffix "OU=Da Vinci Coders,OU=Portland House,OU=Sites,DC=internal,DC=phg,DC=com,DC=au"
subordinate
rebind-as-user
uri "ldap://192.168.100.100/"
acl-bind bindmethod=simple binddn="CN=Ldap Authentication,OU=Linux,OU=InformationTechnology,OU=Portland House,OU=Sites,DC=internal,DC=phg,DC=com,DC=au" credentials="test"
chase-referrals yes
idassert-bind bindmethod=simple authzID="u:bind" mode=self binddn="CN=Ldap Authentication,OU=Linux,OU=InformationTechnology,OU=Portland House,OU=Sites,DC=internal,DC=phg,DC=com,DC=au" credentials="test "
idassert-authzFrom "dn.regex:.*"
I want to use the users under the above suffix (OU=Da Vinci Coders) as users for Linux clients.
At present I cannot see them (e.g. the command su - nazeerm fails) as they are NOT under "cn=users,dc=internal,dc=phg,dc=com,dc=au" or "cn=people,dc=internal,dc=phg,dc=com,dc=au".
Is there any easy way of mapping "OU=Da Vinci Coders,OU=Portland House,OU=Sites,DC=internal,DC=phg,DC=com,DC=au" to "cn=users,dc=internal,dc=phg,dc=com,dc=au"?
Thank you.
Regards Nazeer
*************************************************************************** CAUTION: This email message and accompanying data may contain information that is confidential and/or subject to legal privilege. If you are not the intended recipient, you are notified that any use, dissemination, distribution or copying of this message or data is prohibited. If you have received this email message in error, please notify us immediately and erase all copies of this message and attachments. Thank you. ***************************************************************************
Hi All,
I have progressed further, but still haven't reached the stage where I can use an AD account.
Through the proxy setup I was able to query LDAP, but unable to use it for authentication. For example,
ldapsearch -x -h ldapserver -LLL -b dc=internal,dc=phg,dc=com,dc=au '(uid=nazeerm)'
is successful, but id nazeerm fails (returns id: nazeerm: No such user).
Here is ldap.conf file on client machine.
uri ldap://ldapserver.research.phg.com.au/
base dc=internal,dc=phg,dc=com,dc=au
scope sub
bind_timelimit 15
timelimit 15
ssl no
referrals no
nss_base_passwd dc=internal,dc=phg,dc=com,dc=au?sub
#nss_base_passwd OU=Da Vinci Coders,OU=Portland House,OU=Sites,dc=internal,dc=phg,dc=com,dc=au?one
#nss_base_passwd cn=users,dc=internal,dc=phg,dc=com,dc=au?one
nss_base_shadow dc=internal,dc=phg,dc=com,dc=au?sub
nss_base_group dc=internal,dc=phg,dc=com,dc=au?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_initgroups_ignoreusers root,ldap
Any help is appreciated. Thanks in advance.
Regards Nazeer
-----Original Message----- From: Nazeeruddin Mohammad Sent: Thursday, 11 September 2008 3:10 PM To: openldap-technical@openldap.org Subject: Rewrite: LDAP proxy for AD
Hello Nazeer,
Hi All, I have progressed further, but still haven't reached the stage where I can use an AD account.
Through the proxy setup I was able to query LDAP, but unable to use it for authentication. For example,
ldapsearch -x -h ldapserver -LLL -b dc=internal,dc=phg,dc=com,dc=au '(uid=nazeerm)'
is successful, but id nazeerm fails (returns id: nazeerm: No such user).
Here is the ldap.conf file on the client machine.
We had a similar problem (on Solaris though); the problem was that the ACLs for slapd were too tight.
Bear in mind that we use OpenLDAP as an internal user management tool (in a DMZ), so security isn't too much of an issue.
We now use:
access to * by * read
access to attrs=userpassword by self write by * read by anonymous auth
access to dn.subtree="<subtree for the group mapping>" by * read by * write
(I know this is partly redundant, never got to change it on the production system since we do not have downtimes very often).
Access to userpassword was necessary for "su" commands to succeed. Access to the group subtree was necessary for getting the proper user-to-group mapping via the "id" or "getent" commands.
I would suggest starting with widely opened gates and then gradually closing them as far as you can.
Hope this helps you a bit.
Claus
On Monday 15 September 2008 11:19:01 Kick, Claus wrote:
Hello Nazeer,
Hi All, I have progressed further, but still haven't reached the stage where I can use an AD account.
Through the proxy setup I was able to query LDAP, but unable to use it for authentication. For example,
ldapsearch -x -h ldapserver -LLL -b dc=internal,dc=phg,dc=com,dc=au '(uid=nazeerm)'
is successful, but id nazeerm fails (returns id: nazeerm: No such user).
Here is the ldap.conf file on the client machine.
We had a similar problem (on Solaris though), the problem was that the ACLs for slapd were too tight.
Bear in mind that we use OpenLDAP as internal user management tool (in a DMZ), so security isnt too much an issue.
We now use:
access to * by * read
access to attrs=userpassword by self write by * read by anonymous auth
access to dn.subtree="<subtree for the group mapping>" by * read by * write
This ACL set provides absolutely no security in the order they are above ...
(I know this is partly redundant, never got to change it on the production system since we do not have downtimes very often).
Access to userpassword was necessary for "su" commands to succeed.
Only if you didn't have PAM configured correctly on the LDAP clients.
Access to the group subtree was necessary for getting the proper user-to-group mapping via the "id" or "getent" commands.
If you don't use a proxy user ...
I would suggest to start with widely opened gates and then gradually closing them as far as you can.
I would suggest the other approach (open access as necessary, and definitely don't use 'access to * by * read' as the first rule).
Regards, Buchan
Thank you Claus and Buchan for your comments.
I tried your suggestions today. Even with the full access, I still cannot see any LDAP users. A basic search like the following command works; only id and getent fail.
ldapsearch -x -h ldapserver -LLL -b dc=internal,dc=phg,dc=com,dc=au '(uid=nazeerm)'
Thanks again.
Regards Nazeer
-----Original Message----- From: openldap-technical-bounces+nazeerm=phg.com.au@OpenLDAP.org [mailto:openldap-technical-bounces+nazeerm=phg.com.au@OpenLDAP.org] On Behalf Of Buchan Milne Sent: Monday, 15 September 2008 9:44 PM To: openldap-technical@openldap.org Cc: Kick, Claus Subject: Re: AW: LDAP proxy for AD -- still no solution
Hello,
(I do not have the thread beginning anymore, so I don't know your config anymore).
Do you have something like this:
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Group,o=xxxx
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,o=xxxx
NS_LDAP_OBJECTCLASSMAP= group:posixGroup=posixGroup
In your ldap_client_file?
Sorry if this is a redundant question.
Other than that, does su to an ldap user work?
Cheers, Claus
-----Original Message----- From: Nazeeruddin Mohammad [mailto:nazeerm@phg.com.au] Sent: Wednesday, 17 September 2008 07:40 To: openldap-technical@openldap.org Cc: Kick, Claus; Buchan Milne Subject: RE: AW: LDAP proxy for AD -- still no solution
Hi,
I am using nss_base_passwd to tell ldap client about the location of user account.
I cannot see any user (getent passwd returns only the local users) and hence su also fails.
Here is my ldap.conf
uri ldap://hera2.research.phg.com.au/
base dc=internal,dc=phg,dc=com,dc=au
scope sub
bind_timelimit 15
timelimit 15
ssl no
referrals no
nss_base_passwd dc=internal,dc=phg,dc=com,dc=au?sub
nss_base_shadow dc=internal,dc=phg,dc=com,dc=au?sub
nss_base_group dc=internal,dc=phg,dc=com,dc=au?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_initgroups_ignoreusers root,ldap
pam_filter objectClass=posixAccount
pam_login_attribute uid
pam_lookup_policy no
Regards Nazeer
-----Original Message----- From: openldap-technical-bounces+nazeerm=phg.com.au@OpenLDAP.org [mailto:openldap-technical-bounces+nazeerm=phg.com.au@OpenLDAP.org] On Behalf Of Kick, Claus Sent: Wednesday, 17 September 2008 5:54 PM To: openldap-technical@openldap.org Subject: AW: AW: LDAP proxy for AD -- still no solution
On Wednesday 17 September 2008 07:39:37 Nazeeruddin Mohammad wrote:
Thank you Claus and Buchan for your comments.
I tried your suggestions today. Even with the full access, I still cannot see any LDAP users. A basic search like the following command works; only id and getent fail.
ldapsearch -x -h ldapserver -LLL -b dc=internal,dc=phg,dc=com,dc=au '(uid=nazeerm)'
Right, so your proxy server is working correctly, but you have a different problem now.
Please start a new thread about your problems in configuring Unix clients to retrieve the user information from LDAP (the fact that it is a proxy is irrelevant, as long as the searches succeed, the proxy is no longer the issue), and include sufficient detail about these clients.
This thread is now no longer about an LDAP proxy ...
Regards, Buchan
Hi All,
This is a long term problem for me. I am unable to retrieve user information from LDAP server, which is a proxy to AD. The normal LDAP search (see the command below) gets me the data, but the "getent passwd" fails.
ldapsearch -x -h ldapserver -LLL -b dc=internal,dc=phg,dc=com,dc=au '(uid=nazeerm)'
Is there any problem with my configuration? Thank you very much.
Here is my client configuration.
--------------------------------------
uri ldap://ldapserver.research.phg.com.au/
base dc=internal,dc=phg,dc=com,dc=au
scope sub
bind_timelimit 15
timelimit 15
ssl no
referrals no
nss_base_passwd dc=internal,dc=phg,dc=com,dc=au?sub
nss_base_shadow dc=internal,dc=phg,dc=com,dc=au?sub
nss_base_group dc=internal,dc=phg,dc=com,dc=au?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_initgroups_ignoreusers root,ldap
pam_filter objectClass=posixAccount
pam_login_attribute uid
pam_lookup_policy no
---------------------------------------------------
Regards Nazeer
Hi All,
Sorry for reposting the mail. This is a long term problem for me. I am unable to retrieve user information from LDAP server, which is a proxy to AD. The normal LDAP search (see the command below) gets me the data, but the "getent passwd" only gets me local users from passwd file.
ldapsearch -x -h ldapserver -LLL -b dc=internal,dc=phg,dc=com,dc=au '(uid=nazeerm)'
Is there any problem with my configuration? Thank you very much.
Here is my client configuration.
--------------------------------------
uri ldap://ldapserver.research.phg.com.au/
base dc=internal,dc=phg,dc=com,dc=au
scope sub
bind_timelimit 15
timelimit 15
ssl no
referrals no
nss_base_passwd dc=internal,dc=phg,dc=com,dc=au?sub
nss_base_shadow dc=internal,dc=phg,dc=com,dc=au?sub
nss_base_group dc=internal,dc=phg,dc=com,dc=au?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_initgroups_ignoreusers root,ldap
pam_filter objectClass=posixAccount
pam_login_attribute uid
pam_lookup_policy no
---------------------------------------------------
Regards
Nazeer
On Tuesday 21 October 2008 00:48:20 Nazeeruddin Mohammad wrote:
Hi All,
Sorry for reposting the mail. This is a long-term problem for me. I am unable to retrieve user information from the LDAP server, which is a proxy to AD. The normal LDAP search (see the command below) gets me the data, but "getent passwd" only gets me local users from the passwd file.
ldapsearch -x -h ldapserver -LLL -b dc=internal,dc=phg,dc=com,dc=au '(uid=nazeerm)'
Is there any problem with my configuration? Thank you very much.
Here is my client configuration.
What OS / Distro ?
Did you make any changes to /etc/nsswitch.conf ?
uri ldap://ldapserver.research.phg.com.au/
base dc=internal,dc=phg,dc=com,dc=au
scope sub
bind_timelimit 15
timelimit 15
ssl no
referrals no
nss_base_passwd dc=internal,dc=phg,dc=com,dc=au?sub
nss_base_shadow dc=internal,dc=phg,dc=com,dc=au?sub
nss_base_group dc=internal,dc=phg,dc=com,dc=au?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_initgroups_ignoreusers root,ldap
pam_filter objectClass=posixAccount
pam_login_attribute uid
pam_lookup_policy no
Add: debug 1
to this file, then, having ensured that nscd is not running, run 'getent passwd ldapuser', and you should see quite a bit of debugging output, e.g.:
# getent passwd bgmilne
ldap_create
ldap_url_parse_ext(ldap://tiger.ranger.dnsalias.com)
ldap_create
ldap_url_parse_ext(ldap://tiger.ranger.dnsalias.com)
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP tiger.ranger.dnsalias.com:389
[...]
ldap_get_values
ber_scanf fmt ({x{{a) ber:
ber_scanf fmt (x}{a) ber:
ber_scanf fmt ([v]) ber:
ldap_msgfree
bgmilne:x:501:501:Buchan Milne:/home/bgmilne:/bin/bash
Add: debug 1
to this file, then, having ensured that nscd is not running, run 'getent passwd ldapuser', and you should see quite a bit of debugging output,
Just curious: to which file should one add the above line "debug 1" to see the debugging output? And is the format the same as "debug 1"? Thank you, Amit
On Tuesday 21 October 2008 15:17:59 Kumar, Amit H. wrote:
Add: debug 1
to this file, then, having ensured that nscd is not running, run 'getent passwd ldapuser', and you should see quite a bit of debugging output,
Just curious: to which file should one add the above line "debug 1" to see the debugging output?
Assuming (since this was not provided) the use of PADL's nss_ldap, nss_ldap's configuration file. Depending on where the nss_ldap package was obtained, this is either /etc/ldap.conf (upstream, Red Hat-style distributions, recent Ubuntu versions I think) or /etc/libnss_ldap.conf (I think, on Debian).
And is the format the same as "debug 1"?
Yes. Or, if you have a recent enough version of nss_ldap, consult the nss_ldap(5) man page.
Regards, Buchan
Thanks for the reply. Here are the missing details.
What OS / Distro ?
I am using CentOS 5.1. The nsswitch.conf is properly configured. If I change the uri or host in /etc/ldap.conf to a standard LDAP server, it works fine. It fails only if I refer to an LDAP server which is a proxy to an AD server.
Add: debug 1
I did this and here is a sample output. It's connecting to the server (hera2), but not getting any information. Strange!
ldap_create
ldap_url_parse_ext(ldap://hera2.research.phg.com.au/)
ldap_create
ldap_url_parse_ext(ldap://hera2.research.phg.com.au/)
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP hera2.research.phg.com.au:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.100.237:389
ldap_connect_timeout: fd: 3 tm: 15 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush: 14 bytes to sd 3
ldap_result ld 0x4f3b510 msgid 1
ldap_chkResponseList ld 0x4f3b510 msgid 1 all 0
ldap_chkResponseList returns ld 0x4f3b510 NULL
wait4msg ld 0x4f3b510 msgid 1 (timeout 15000000 usec)
wait4msg continue ld 0x4f3b510 msgid 1 all 0
** ld 0x4f3b510 Connections:
* host: hera2.research.phg.com.au  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed Oct 22 09:46:44 2008

** ld 0x4f3b510 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** ld 0x4f3b510 Response Queue:
   Empty
ldap_chkResponseList ld 0x4f3b510 msgid 1 all 0
ldap_chkResponseList returns ld 0x4f3b510 NULL
ldap_int_select
read1msg: ld 0x4f3b510 msgid 1 all 0
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x4f3b510 msgid 1 message type bind
ber_scanf fmt ({eaa) ber:
read1msg: ld 0x4f3b510 0 new referrals
read1msg:  mark request completed, ld 0x4f3b510 msgid 1
request done: ld 0x4f3b510 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_search
put_filter: "(&(objectClass=user)(uid=nazeerm))"
put_filter: AND
put_filter_list "(objectClass=user)(uid=nazeerm)"
put_filter: "(objectClass=user)"
put_filter: simple
put_simple_filter: "objectClass=user"
put_filter: "(uid=nazeerm)"
put_filter: simple
put_simple_filter: "uid=nazeerm"
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 204 bytes to sd 3
ldap_result ld 0x4f3b510 msgid 2
ldap_chkResponseList ld 0x4f3b510 msgid 2 all 1
ldap_chkResponseList returns ld 0x4f3b510 NULL
wait4msg ld 0x4f3b510 msgid 2 (timeout 15000000 usec)
wait4msg continue ld 0x4f3b510 msgid 2 all 1
** ld 0x4f3b510 Connections:
* host: hera2.research.phg.com.au  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed Oct 22 09:46:44 2008

** ld 0x4f3b510 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
** ld 0x4f3b510 Response Queue:
   Empty
ldap_chkResponseList ld 0x4f3b510 msgid 2 all 1
ldap_chkResponseList returns ld 0x4f3b510 NULL
ldap_int_select
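The trace above shows the bind (msgid 1) completing with res_errno 0 and the search (msgid 2) still outstanding when the client gives up. Reading that out of a libldap "debug 1" trace by hand is tedious, so here is a small Python script, added as an example and not code from this thread or from nss_ldap, that parses such a trace and reports the host it connected to, the top-level filter it sent, the result code of each completed operation, and every msgid that never received a result. The embedded trace is a constructed, abridged sample shaped like the output above (same ld pointer and hostname); it is not the original output.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, abridged from the shape of an nss_ldap/libldap
# "debug 1" trace. Not a verbatim copy of the original output.
SAMPLE_TRACE = """\
ldap_create
ldap_url_parse_ext(ldap://hera2.research.phg.com.au/)
ldap_simple_bind
ldap_send_initial_request
ldap_connect_to_host: TCP hera2.research.phg.com.au:389
ldap_connect_to_host: Trying 192.168.100.237:389
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x4f3b510 msgid 1
read1msg: ld 0x4f3b510 msgid 1 message type bind
request done: ld 0x4f3b510 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_search
put_filter: "(&(objectClass=user)(uid=nazeerm))"
put_filter: AND
put_filter_list "(objectClass=user)(uid=nazeerm)"
put_filter: "(objectClass=user)"
put_filter: simple
put_simple_filter: "objectClass=user"
put_filter: "(uid=nazeerm)"
put_filter: simple
put_simple_filter: "uid=nazeerm"
ldap_send_initial_request
ldap_send_server_request
ldap_result ld 0x4f3b510 msgid 2
wait4msg ld 0x4f3b510 msgid 2 (timeout 15000000 usec)
ldap_int_select
"""


@dataclass
class TraceReport:
    hosts: list = field(default_factory=list)        # "host:port" targets connected to
    filters: list = field(default_factory=list)      # top-level search filters sent
    results: dict = field(default_factory=dict)      # msgid -> (message type, res_errno)
    outstanding: list = field(default_factory=list)  # msgids that never got a result


_HOST = re.compile(r"ldap_connect_to_host: TCP (\S+)")
_MSGID = re.compile(r"ldap_result ld \S+ msgid (\d+)")
_TYPE = re.compile(r"read1msg: ld \S+ msgid (\d+) message type (\w+)")
_DONE = re.compile(r"request done: ld \S+ msgid (\d+)")
_ERRNO = re.compile(r"res_errno: (\d+)")
_FILTER = re.compile(r'^put_filter: "(.*)"$')


def parse_trace(text):
    """Walk a libldap debug trace line by line and collect the facts above."""
    report = TraceReport()
    waiting = []          # msgids a result was requested for, in send order
    types = {}            # msgid -> message type seen in read1msg
    done_msgid = None     # msgid whose res_errno line comes next
    expect_top_filter = False
    for line in text.splitlines():
        line = line.strip()
        if (m := _HOST.match(line)):
            report.hosts.append(m.group(1))
        elif (m := _MSGID.match(line)):
            mid = int(m.group(1))
            if mid not in waiting:
                waiting.append(mid)
        elif (m := _TYPE.match(line)):
            types[int(m.group(1))] = m.group(2)
        elif (m := _DONE.match(line)):
            done_msgid = int(m.group(1))
        elif (m := _ERRNO.match(line)) and done_msgid is not None:
            report.results[done_msgid] = (types.get(done_msgid, "?"), int(m.group(1)))
            done_msgid = None
        elif line == "ldap_search":
            # The first quoted put_filter after ldap_search is the whole filter;
            # the later put_filter lines are its decomposed sub-terms.
            expect_top_filter = True
        elif expect_top_filter and (m := _FILTER.match(line)):
            report.filters.append(m.group(1))
            expect_top_filter = False
    report.outstanding = [mid for mid in waiting if mid not in report.results]
    return report


def summarize(report):
    """Plain-language findings, in the order a practitioner checks them."""
    lines = [f"connected to {h}" for h in report.hosts]
    for mid, (kind, err) in sorted(report.results.items()):
        lines.append(f"msgid {mid} ({kind}) completed with res_errno {err}")
    for mid in report.outstanding:
        lines.append(f"msgid {mid} never received a result (timed out or dropped)")
    for f in report.filters:
        lines.append(f"search filter sent: {f}")
    return lines


if __name__ == "__main__":
    import sys
    # Pass a captured trace file as the first argument, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRACE
    for line in summarize(parse_trace(text)):
        print(line)
```

The "search filter sent" line is the one to copy into ldapsearch against the proxy, since nss_ldap wraps the uid lookup in the objectClass term from nss_map_objectclass and that combined filter is what the proxy forwards.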
On Wednesday 22 October 2008 03:26:13 Nazeeruddin Mohammad wrote:
Thanks for the reply. Here are the missing details.
What OS / Distro ?
I am using CentOS 5.1. The nsswitch.conf is properly configured. If I change the uri or host in /etc/ldap.conf to a standard LDAP server, it works fine. It fails only if I refer to an LDAP server which is a proxy to an AD server.
Add: debug 1
I did this and here is a sample output. It's connecting to the server (hera2), but not getting any information. Strange!
So, looking at the exact filter that is sent, what happens if you perform a search as follows:
$ ldapsearch -x -H ldap://ldapserver.research.phg.com.au/ -b dc=internal,dc=phg,dc=com,dc=au "(&(objectClass=user)(uid=nazeerm))"
If I run this query, I get the following response.
ldapsearch -x -H ldap://hera2.research.phg.com.au/ -b dc=internal,dc=phg,dc=com,dc=au "(&(objectClass=user)(uid=nazeerm))"
# extended LDIF
#
# LDAPv3
# base <dc=internal,dc=phg,dc=com,dc=au> with scope subtree
# filter: (&(objectClass=user)(uid=nazeerm))
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece

# numResponses: 1
------------------
Instead, if I modify the query to the following, then I get the requested entry:
ldapsearch -x -H ldap://hera2.research.phg.com.au/ -b dc=internal,dc=phg,dc=com,dc=au "(uid=nazeerm)"
# extended LDIF
#
# LDAPv3
# base <dc=internal,dc=phg,dc=com,dc=au> with scope subtree
# filter: (uid=nazeerm)
# requesting: ALL
#

dn: cn=Nazeeruddin Mohammad,ou=Da Vinci Coders,ou=Portland
givenName: Nazeeruddin
gidNumber: 1000
UNIXHOMEDIRECTORY: /home/research/nazeerm
uidNumber: 10009
MSSFU30NISDOMAIN: internal
loginShell: /bin/bash
MSSFU30NAME: nazeerm

# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece

# numResponses: 2
# numEntries: 1
Regards
Nazeer
On Wednesday 22 October 2008 09:00:47 Nazeeruddin Mohammad wrote:
Can't you fix your proxy to work with the first search?
If you can't this becomes a more detailed nss_ldap problem.
(BTW, your subject is misleading, your client configuration would work if your proxy was working correctly).
Regards, Buchan
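What "fix your proxy" amounts to here: AD answers the forwarded search with result 1 ("a successful bind must be completed on the connection") because the proxy passes the anonymous nss_ldap client through to AD as anonymous. The proxy has to perform that search as an account AD will accept. The slapd.conf fragment below is an added example for the proxy's back-ldap database; it is not Nazeer's configuration, which the thread does not show, and the AD hostname, service-account DN and password are placeholders. It puts the setting that lets anonymous searches through beside the identity-assertion setting that performs every proxied operation as the service account (see slapd-ldap(5) for idassert-bind and idassert-authzFrom).

```conf
# Proxy-side slapd.conf, back-ldap database fronting AD.
# Added example; hostname, bind DN and password are placeholders.
database        ldap
suffix          "dc=internal,dc=phg,dc=com,dc=au"
# ldaps:// so the service-account password is not sent in clear by simple bind
uri             "ldaps://ad.internal.phg.com.au/"

# Weak: with no idassert-bind (or with the client's own identity asserted),
# an anonymous client search is forwarded to AD anonymously and AD refuses it:
#   result: 1 Operations error ... a successful bind must be completed
#
# Corrected: assert the proxy's own service account for all proxied
# operations, whatever identity the client used against the proxy.
idassert-bind   bindmethod=simple
                binddn="CN=ldapproxy,OU=Service Accounts,DC=internal,DC=phg,DC=com,DC=au"
                credentials="change-me"
                mode=none
# Allow every local identity, anonymous included, to use the assertion.
idassert-authzFrom "dn:*"
```

Two things to check before deploying it. With mode=none every client of the proxy reads AD with the service account's rights, so give that account read access only to the attributes nss_ldap needs and keep normal slapd ACLs on the proxy so anonymous clients cannot pull more than passwd/group data. Then verify with the exact filter nss_ldap sends, ldapsearch -x -H ldap://hera2.research.phg.com.au/ -b dc=internal,dc=phg,dc=com,dc=au "(&(objectClass=user)(uid=nazeerm))"; the search result line should now read "result: 0 Success" and getent passwd should list the AD users.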