authenticating fedora against ms active directory
Hello,
I'm trying to get a Fedora Core 5 box authenticated against an Active Directory server in our company. I've followed examples from several sources and still cannot get a proper response from ldapsearch or getent. The AD server is a 2k3 box, SP1, with MS SFU 3.5 running on the system. A generic user for binding has been created. I can use LDAP Browser\Editor v2.8.2 with the same credentials on the Fedora machine to connect to and browse the directory; however, when I try a simple 'ldapsearch -x ""' this is the response I get:

# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting:
#

# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece

# numResponses: 1

For simplicity, I'm starting with a stripped-down ldap.conf in /etc/openldap that includes the following:

host 192.168.1.31
base dc=company,dc=corp
binddn CN=LDAPSvc,CN=Users,DC=company,DC=corp
bindpw secret

OpenLDAP packages installed are the following:

openldap-2.3.19-4
nss_ldap-249-1
openldap-clients-2.3.19-4
compat-openldap-2.3.19_2.2.29-4

Does anyone have any idea why I'm not able to connect using the command line tools but the LDAP browser app works? Thanks in advance
update
I tried passing the binddn from the command line to ldapsearch with the following command:
ldapsearch -x -b "dc=company,dc=corp" -W -D "CN=LDAPSvc,CN=Users,DC=company,DC=corp"

and then entering the password when prompted. This gets me the expected responses, which leaves me wondering why it's not reading it from the file. Perms on /etc/openldap/ldap.conf are 0644 and the directory is 0755. I'm guessing that it can read at least some of the file if it's getting the host out of there, since I'm not passing that on the command line. Any suggestions?
I'm actually working on the same project but, w/ FC4.
This tut got me started: http://technology.newsforge.com/arti...id=119&tid=118

However, there is one line in the ldap.conf file that's wrong. Change the value of "binddn" to just the username of your LDAP binding user.

Change this...
binddn cn=dirsearch,cn=Users, dc=lanrx,dc=com

To this...
binddn dirsearch

I would also move this "dirsearch" user to the guest group in AD and add any other restrictions that you can think of. After that it should work perfectly (w/out SSL though). At the moment I have dovecot (imaps/pop3s), sendmail, local login, and SSH using PAM to auth to AD on Win2K all over SSL. It IS possible!

=======================

Here are some other tuts that I've found helpful:
http://www.connexitor.com/forums/vie...b8d12d0decc2ce
http://www.linuxquestions.org/questi...71#post1943371
http://www.enterprisenetworkingplane...le.php/3514511
http://wanderingbarque.com/howtos/ma...ailserver.html
same problems
I tried with just the username in the binddn and I'm still getting the same response: no search results returned without the complete command line posted earlier. getent passwd <username> returns nothing either, although it takes a few minutes for it to complete. (exit code returned from getent is 2)
By the way, shortening the basedn and the binddn on the command line to just the user also works:

ldapsearch -x -W -b "dc=company,dc=corp" -D ldapsvc

and even this works:

ldapsearch -x -W

so it looks like the binddn is being read, but not the password.
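The two posts above describe the same symptom: ldapsearch picks up host, base and binddn from /etc/openldap/ldap.conf but never the bindpw, and an anonymous search against AD is refused. The script below is an added example written for this thread (not code from any poster); it assumes what the OpenLDAP ldap.conf(5) manual documents, namely that the client library behind ldapsearch has no bindpw directive, that bindpw is an nss_ldap/pam_ldap directive, and that nss_ldap provides rootbinddn with the password kept in /etc/ldap.secret (mode 0600) as the alternative to a password in a world-readable file. It parses an ldap.conf, reports which directives the command-line tools ignore, and flags a bind password stored in a file readable by group or others. The sample config is constructed to mirror the stripped-down file in the first post, with a placeholder password.

```python
"""Audit an ldap.conf for directives ldapsearch ignores and for a bind
password sitting in a group/world-readable file.

Added example for this thread, not code from any poster. Assumed facts
(from ldap.conf(5) and the nss_ldap documentation): libldap, which
ldapsearch links against, has no bindpw directive; bindpw and rootbinddn
are nss_ldap/pam_ldap directives; rootbinddn keeps the password in
/etc/ldap.secret with mode 0600 instead of in ldap.conf itself."""
import os
import stat
import tempfile

# Directives the OpenLDAP client library honours (subset, lower-cased).
LIBLDAP_DIRECTIVES = {
    "base", "uri", "host", "port", "binddn", "deref", "referrals",
    "sizelimit", "timelimit", "timeout", "network_timeout",
}
# Directives read only by nss_ldap / pam_ldap, never by ldapsearch.
NSS_LDAP_ONLY = {"bindpw", "rootbinddn", "scope", "pam_filter",
                 "nss_base_passwd", "ssl"}

# Constructed sample mirroring the stripped-down file in the first post;
# the password is a placeholder, not a real credential.
SAMPLE_CONF = """# constructed sample ldap.conf
host 192.168.1.31
base dc=company,dc=corp
binddn CN=LDAPSvc,CN=Users,DC=company,DC=corp
bindpw REPLACE_ME
"""


def parse_ldap_conf(text):
    """Return {directive_lower: value} for each non-comment line."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        entries[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return entries


def audit_ldap_conf(text, mode):
    """Return a list of findings for config text with the given permission bits."""
    conf = parse_ldap_conf(text)
    findings = []
    for key in conf:
        if key in NSS_LDAP_ONLY:
            findings.append(f"{key}: read by nss_ldap/pam_ldap only; ldapsearch ignores it")
        elif key not in LIBLDAP_DIRECTIVES:
            findings.append(f"{key}: not a directive this audit recognises")
    if "bindpw" in conf and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(
            "bindpw in a group/world-readable file exposes the service account; "
            "use rootbinddn with the password in /etc/ldap.secret (mode 0600)")
    if "binddn" in conf and "bindpw" in conf:
        findings.append(
            "ldapsearch -x without -D/-W binds anonymously, which Active Directory "
            "refuses with 'a successful bind must be completed'; pass -D and -W explicitly")
    return findings


def audit_file(path):
    """Audit an on-disk ldap.conf using its actual permission bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path) as fh:
        return audit_ldap_conf(fh.read(), mode)


def demo():
    """Write the constructed sample with the 0644 mode reported in the thread,
    audit it, clean up, and return the findings."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write(SAMPLE_CONF)
    try:
        os.chmod(fh.name, 0o644)
        return audit_file(fh.name)
    finally:
        os.unlink(fh.name)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Running it against the sample prints three findings: bindpw is ignored by ldapsearch, the password is exposed by the 0644 mode, and the command-line tools need -D/-W (or an ldaprc) to bind. Point audit_file() at the real /etc/openldap/ldap.conf to check a live box.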
Perhaps your /etc/pam.d/system-auth password section is misconfigured.
Look through the docs and see how they configure it. Mine looks like this:

password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
working
Found a link that was a great resource; just wanted to post it back here in case anyone is having the same issue:
http://cb-net.co.uk/readarticle.php?article_id=5
omg wrong thread..
Sorry again, delete me.