Authenticating Fedora against MS Active Directory
I'm trying to get a Fedora Core 5 box authenticated against an Active Directory server in our company. I've followed examples from several sources and still cannot get a proper response from ldapsearch or getent.
The AD server is a 2k3 box, SP1, with MS SFU 3.5 running on the system. A generic user for binding has been created.
I can use LDAP Browser/Editor v2.8.2 with the same credentials on the Fedora machine to connect to and browse the directory; however, when I try a simple 'ldapsearch -x ""' this is the response I get:
# extended LDIF
# base <> with scope subtree
# filter: (objectclass=*)
# search result
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
# numResponses: 1
For simplicity, I'm starting with a stripped-down ldap.conf in /etc/openldap that includes the following:
OpenLDAP packages installed are the following:
Does anyone have any idea why I'm not able to connect using the command line tools but the LDAP browser app works? Thanks in advance.
I tried passing the binddn from the command line to ldapsearch with the following command:
ldapsearch -x -b "dc=company,dc=corp" -W -D "CN=LDAPSvc,CN=Users,DC=company,DC=corp"
and then entering the password when prompted. This gets me the expected responses, which leaves me wondering why it's not reading it from the file?
Permissions on /etc/openldap/ldap.conf are 0644 and the directory is 0755. I'm guessing that it can read at least some of the file, since it's getting the host out of there and I'm not passing that on the command line.
I'm actually working on the same project, but with FC4.
This tutorial got me started.
However, there is one line in the ldap.conf file that's wrong.
Change the value of "binddn" to just the username of your LDAP binding user:
binddn cn=dirsearch,cn=Users, dc=lanrx,dc=com
I would also move this "dirsearch" user to the guest group in AD and add any other restrictions that you can think of.
After that it should work perfectly (without SSL, though).
At the moment I have dovecot (imaps/pop3s), sendmail, local login, and SSH using PAM to auth to AD on Win2K, all over SSL. It IS possible!
Here are some other tutorials that I've found helpful:
I tried with just the username in the binddn and I'm still getting the same response: no search results returned without the complete command line posted earlier. getent passwd <username> returns nothing either, although it takes a few minutes for it to complete. (exit code returned from getent is 2)
By the way, shortening the basedn and the binddn on the command line to just the user also works:
ldapsearch -x -W -b "dc=company,dc=corp" -D ldapsvc
and even this works:
ldapsearch -x -W
so it looks like the binddn is being read, but not the password.
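A check worth running alongside the bind-password discussion in the two posts above: nss_ldap and pam_ldap take their binddn/bindpw from /etc/ldap.conf (the OpenLDAP client library's /etc/openldap/ldap.conf has a BINDDN option but no bindpw directive at all), and a bindpw in a 0644 file is readable by every local user on the box. The script below is an added example, not code from any poster in this thread; it audits such a file for a world-readable bindpw and points at the rootbinddn plus /etc/ldap.secret (mode 0600) alternative that nss_ldap provides. The config it writes is constructed for the demo, including the host name and the placeholder password.

```shell
#!/bin/sh
# Added example (not from this thread): audit an nss_ldap/pam_ldap style
# ldap.conf for a plaintext bind password that every local user can read.
# Assumes the nss_ldap/pam_ldap directive names binddn, bindpw and
# rootbinddn (the latter keeps its password in /etc/ldap.secret, mode 0600).

# audit_ldap_conf FILE
# Prints findings. Returns 0 if no world-readable bindpw is present,
# 1 if a bindpw sits in a world-readable file, 2 if FILE is unreadable.
audit_ldap_conf() {
    conf=$1
    if [ ! -r "$conf" ]; then
        echo "$conf: cannot read"
        return 2
    fi

    # Permission bits in octal, e.g. 644 (GNU stat, with a BSD stat fallback).
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
    others=$(printf '%s' "$mode" | tail -c 1)
    world_readable=0
    case $others in
        4|5|6|7) world_readable=1 ;;
    esac

    # Directive matching is case-insensitive and ignores leading blanks.
    has_bindpw=0
    grep -Eiq '^[[:space:]]*bindpw[[:space:]]' "$conf" && has_bindpw=1
    has_rootbinddn=0
    grep -Eiq '^[[:space:]]*rootbinddn[[:space:]]' "$conf" && has_rootbinddn=1

    if [ "$has_bindpw" -eq 1 ] && [ "$world_readable" -eq 1 ]; then
        echo "$conf: mode $mode, plaintext bindpw readable by every local user"
        echo "  fix: drop bindpw, set rootbinddn, keep the password in /etc/ldap.secret (0600)"
        return 1
    fi
    if [ "$has_bindpw" -eq 1 ]; then
        echo "$conf: mode $mode, bindpw present but not world-readable"
    elif [ "$has_rootbinddn" -eq 1 ]; then
        echo "$conf: rootbinddn in use, password expected in /etc/ldap.secret"
    else
        echo "$conf: no bind password configured (anonymous bind)"
    fi
    return 0
}

# Demo on a constructed config: the host and password are placeholders,
# the binddn is the service-account DN used in the thread.
demo_dir=$(mktemp -d)
cat > "$demo_dir/ldap.conf" <<'EOF'
host ad.company.corp
base dc=company,dc=corp
binddn cn=LDAPSvc,cn=Users,dc=company,dc=corp
bindpw PlaceholderPassword
EOF
chmod 644 "$demo_dir/ldap.conf"
audit_ldap_conf "$demo_dir/ldap.conf"
status=$?
echo "demo: audit exit status $status"
rm -rf "$demo_dir"
```

Run it against the real file with `audit_ldap_conf /etc/ldap.conf` after sourcing the script; a non-zero exit from the world-readable case is the one to act on, because the service account's password is then available to anyone who can log in, not just to the PAM and NSS code that needs it.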
Perhaps your /etc/pam.d/system-auth password section is misconfigured.
Look through the docs and see how they configure it.
Mine looks like this:
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
Found a link that was a great resource; just wanted to post it back here in case anyone is having the same issue:
omg wrong thread..