-   Linux - Enterprise (
-   -   authenticating fedora against ms active directory (

paulgnyc 09-08-2006 09:51 AM

authenticating fedora against ms active directory

I'm trying to get a fedora core 5 box authenticated against an active directory server in our company. I've followed examples from several sources and still can not get a proper response from ldapsearch or getent.

The AD server is a 2k3 box, sp1, with ms SFU 3.5 running on the system. A generic user for binding has been created.

I can use ldap browser\editor v2.8.2 with the same credentials on the fedora machine to connect to and browse the directory, however, when I try a simple 'ldapsearch -x ""' this is the response I get:

# extended LDIF
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting:

# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this ope
ration a successful bind must be completed on the connection., data 0, vece

# numResponses: 1

For simplicity, I'm starting with a stripped down ldap.conf in /etc/openldap that includes the following:

base dc=company,dc=corp
binddn CN=LDAPSvc,CN=Users,DC=company,DC=corp
bindpw secret

Openldap packages installed are the following:


Does anyone have any idea why I'm not able to connect using the command line tools but the ldap browser app works? Thanks in advance

paulgnyc 09-08-2006 10:04 AM

I tried passing the binddn from the command line to ldapsearch with the following command:

ldapsearch -x -b "dc=company,dc=corp" -W -D "CN=LDAPSvc,CN=Users,DC=company,DC=corp"

and then entering the passwd when prompted. This gets me the expected responses, which leaves me wondering why it's not reading it from the file?

perms on /etc/openldap/ldap.conf are 0644 and the directory is 0755. I'm guessing that it can read at least some of the file if it's getting the host out of there since I'm not passing that on the command line.

Any suggestions?

psychobyte 09-08-2006 07:41 PM

I'm actually working on the same project but, w/ FC4.

This tut got me started.

However, there is one line in the ldap.conf file that's wrong.

change the value of "binddn" to just the username of your ldap binding user

Change this...
binddn cn=dirsearch,cn=Users, dc=lanrx,dc=com

To this...

binddn dirsearch

I would also move this "dirsearch" user to the guest group in AD and any other restrictions
that you can think of.

After that it should work perfectly(w/ out SSL though).

At the moment I have dovecot(imaps/pop3s),sendmail,local login, and SSH using PAM to auth to AD on Win2K all over SSL. It IS possible!


Here are some other tuts that I've found helpful

paulgnyc 09-11-2006 08:44 AM

same problems
I tried with just the username in the binddn and I'm still getting the same response: no search results returned without the complete command line posted earlier. getent passwd <username> returns nothing either, although it takes a few minutes for it to complete. (exit code returned from getent is 2)

By the way, shortening basedn and the binddn on the command line to just the user also works:

ldapsearch -x -W -b "dc=company,dc=corp" -D ldapsvc

and even this works:

ldapsearch -x -W

so it looks like the binddn is being read, but not the password.

psychobyte 09-11-2006 06:21 PM

Perhaps your /etc/pam.d/system-auth password section is misconfigured.

Look through the docs and see how they configure it.

Mine looks like this
password requisite /lib/security/$ISA/ retry=3
password sufficient /lib/security/$ISA/ nullok use_authtok md5
password sufficient /lib/security/$ISA/ use_authtok
password required /lib/security/$ISA/

paulgnyc 09-15-2006 08:25 AM

found a link that was a great resource, just wanted to post it back here in case anyone is having the same issue:

Ryan100 10-26-2006 07:41 AM

omg wrong thread..

sry again

delete me.

All times are GMT -5. The time now is 03:41 PM.