LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Enterprise Linux Forums > Linux - Enterprise
User Name
Password
Linux - Enterprise This forum is for all items relating to using Linux in the Enterprise.

Notices

Reply
 
Search this Thread
Old 03-17-2006, 06:57 AM   #16
fenix4life
LQ Newbie
 
Registered: Jul 2005
Posts: 4

Rep: Reputation: 0

Hi,

i've tried a lot off solution to get in touch with the Active Directory. I have now a working solution Using WIndows 2003R2 and the /etc/ldap.conf ,... configuration without SSL ( Red Hat Desktop).

The problem is now i wan't to make it possible to change the password using the passwd command in Linux.
I've read a lot of things which all brings another solution ( sometimes totally the opposit ). The main line in those solutions is that i need ssl

I've tried your solution on first page but it doesn't say what certificate you need.
Is it a self signed of the Linux client, is it one created on the AD, ...


I also found another solution Using stunnel to create a tunnel from port 389 on client to 636 but it runs as a deamon but doenst affect the traffic :s

Any input on how make it able using those certifs and making passwd works to change passwords.

Thx in advance.

Last edited by fenix4life; 03-17-2006 at 09:36 AM.
 
Old 03-21-2006, 08:41 AM   #17
fenix4life
LQ Newbie
 
Registered: Jul 2005
Posts: 4

Rep: Reputation: 0
hi,
me again

i managed ( i think ) to contact the LDAP-server by using SSL.
I used the program called stunnel for that.

Now i wanna change passwd of a user by using passwd but it gives me this mistake

->LDAP password information update failed: Can't contact LDAP server
..... problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)
 
Old 07-26-2006, 09:40 AM   #18
Bleunique
LQ Newbie
 
Registered: Oct 2005
Posts: 8

Rep: Reputation: 0
Quote:
Originally Posted by fenix4life
hi,
me again

i managed ( i think ) to contact the LDAP-server by using SSL.
I used the program called stunnel for that.

Now i wanna change passwd of a user by using passwd but it gives me this mistake

->LDAP password information update failed: Can't contact LDAP server
..... problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)
I've not tried stunnel, so I don't know what differences it may cause. The certificate you need is the Root CA certificate from your AD servers.

As far as your password problem, check two things:
1. Make sure your ldap.conf uses "pam_passwd ad"
2. Make sure the password you're using is sufficiently complex.

I'm working on trying this in with Kerberos, now.

Last edited by Bleunique; 08-16-2006 at 09:48 AM.
 
Old 08-16-2006, 12:25 AM   #19
sruckh
LQ Newbie
 
Registered: Nov 2003
Posts: 13

Rep: Reputation: 0
Anyone got a solution to this problem? I have the same error.

I can change user's passwords as root, but not as non-root users.

I thought the problem was most likely do to the permissions of the rootbinddn as opposed to the binddn user, but even when they are the same non root users are unable to change their password. They instead receive:

passwd
Changing password for user aduser.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information update failed: Can't contact LDAP server
00000005: AtrErr: DSID-03190F00, #1:
0: 00000005: DSID-03190F00, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)

passwd: Permission denied

I have tried different LDAP settings including binding on port 636 and setting ssl parameter to on. I have also tried ssl set to start_tls but the results are the same.

If it was an Active Directory issue then I do not understand why root can change passwords but no other user can change passwords. My gut feel still thiks it has something to do with the rootbinddn user, but I sure am not able to prove that.

Does anyone have a solution to this problem?

Thanks.
 
Old 08-16-2006, 09:48 AM   #20
Bleunique
LQ Newbie
 
Registered: Oct 2005
Posts: 8

Rep: Reputation: 0
Can you turn up debugging on? I had a similar problem when only root could read my CA cert.
 
Old 08-16-2006, 05:25 PM   #21
sruckh
LQ Newbie
 
Registered: Nov 2003
Posts: 13

Rep: Reputation: 0
Good idea, but that is not it. Plus, if that was the problem, I would have guessed that the authentication part would not work either.

I have tried adding debug in the pam configuration and in the ldap.conf file (level set at 256), but nothing more descriptive shows up. I am using vendor supplied packages and do no know if debuggging was a compiled option.

Thanks for the feedback.

Anyone have suggestions?
 
Old 09-08-2006, 09:37 PM   #22
psychobyte
Member
 
Registered: Sep 2003
Location: Central Coast, California
Posts: 179

Rep: Reputation: 30
Hi,

I just found this thread and come up to the same problem with changing AD password with passwd.

Has anyone found a solution?

What about changing AD passwords with other types of commandline utils on linux? Or openldap commandline tools?

Any suggestions would help out.

Thanks.
 
Old 09-08-2006, 10:12 PM   #23
sruckh
LQ Newbie
 
Registered: Nov 2003
Posts: 13

Rep: Reputation: 0
I got it to work when using pam_krb5 instead of pam_ldap, but it does not work when you force password change at login or when password has expired. It only works if you have logged in successfully. Then you can issue passwd command and the password is changed.

I do not know if a different principal needs to be added to the keytab file or what the problem really is. If I did I would be happy to share the solution.

I am curious about others who have an enterprise solution that is working. With pam_krb5 or pam_ldap you can get authentication and authorization going without too much problem, but password aging, and password changing using passwd has been a challenge.
 
Old 09-11-2006, 05:21 PM   #24
psychobyte
Member
 
Registered: Sep 2003
Location: Central Coast, California
Posts: 179

Rep: Reputation: 30
On to another small issue,

in the ldap.conf file there is a entry (from one of the tutorials)

pam_groupdn cn=linuxusers,dc=iqcd,dc=ucsb,dc=edu


linuxusers is the AD group that you can assign users. However, this line doesn't seem to do anything except blocka ALL ldap auth. to AD. what is the nature of this paramater? Are there anyways of restricting user access to the linuxbox depending on which POSIX group they belong to?

Eg. user1 member of mail,linuxusers get access
user2 member of nomail no access
 
Old 09-11-2006, 05:31 PM   #25
psychobyte
Member
 
Registered: Sep 2003
Location: Central Coast, California
Posts: 179

Rep: Reputation: 30
sruckh,

How exactly do you change your AD password w/ Krb5? (i'm new to kerberos/ldap)

Also, have you found a way to change the password via web interface? Could usermin be used to change the password?

Thanks.
 
Old 09-11-2006, 10:24 PM   #26
sruckh
LQ Newbie
 
Registered: Nov 2003
Posts: 13

Rep: Reputation: 0
Windows 2003 w/IIS 6.0 does come with a very basic ASP application that allows you to change user passwords. You can check out Microsoft's knowledge base and find out more about IISADMPWD there.

here is the /etc/ldap.conf I was using:

#logdir /var/log
#debug 256

host winad.your.domain
#uri ldaps://winad.your.domain
scope sub
timelimit 5
# the following port command works if ssl is set to on
#port 636

# this is the user root will bind to LDAP database.
rootbinddn cn=lnxadm,cn=Users,dc=your,dc=net

# This is the user that is used to look up user's data in
# active directory. This user should have very limited access
# and should only be able to read active directory information.
binddn bind_user@your.domain
bindpw bind_user_password

# if bind_policy is set to soft it will make nss_ldap
# return a negative result if it cannot connect. If
# bind_policy is set to hard nss_ldap will try to
# connect to ldap server indefinitely.
bind_policy soft

# turn on TLS so clear text username and password
# are not send across the wire.
tls_checkpeer yes
ssl start_tls

# the following are undocumented settings. These
# values are typically set in the DEFINE statements
# in the source code. These were put in an attempt
# to not bring system to a crawl when LDAP server
# is unavailable. These settings do not appear
# to be helpful.

# prevents nss from indefinitely trying to make a connection
nss_reconnect_tries 2
#nss_reconnect_sleeptime
nss_reconnect_maxsleeptime 2
nss_reconnect_maxconntries 2


# set beginning point for where LDAP searches will begin.
nss_base_passwd ou=LNXUSERS,dc=your,dc=domain?sub
nss_base_shadow ou=LNXUSERS,dc=your,dc=domain?sub
nss_base_group ou=LNXUSERS,dc=your,dc=domain?sub?&(objectCategory=group)(gidnumber=*)

# These nss mappings are used when connecting to an Active
# Directory on Windows 2003 R2 (rfc2307). This will not
# work for an Active Directory schema based on Microsoft's
# Services for Unix (SFU) 3.x .

nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
#nss_map_attribute gecos name
nss_map_attribute homeDirectory unixHomeDirectory

# These nss mappings are used when connecting to an Active
# Directory with Microsoft's Services for Unix 3.x installed.
# This is not needed for Windows 2003 R2.

#nss_map_objectclass posixAccount User
#nss_map_objectclass posixGroup Group
#nss_map_attribute uid sAMAccountName
#nss_map_attribute uidNumber msSFU30UidNumber
#nss_map_attribute gidNumber msSFU30GidNumber
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute loginShell msSFU30LoginShell
#nss_map_attribute gecos name

# pam_ldap setting to make sure that passwords are set correctly when
# using Active Directory
pam_password ad

I also had the file /etc/openldap/ldap.conf where I used the following options:

BASE ou=LNXUSERS,dc=your,dc=domain
HOST windad.your.domain
TLS_REQCERT demand
TLS_CACERT /etc/openldap/cacerts/winadCA.pem

Although this works just fine and no passwords travel across the wire in clear text, I am not satisfied with the solution. Also, as mentioned already, when using pam_ldap I can not force users to change password.

If anyone has an enterprise solution that is working it would be nice to get some input.

Thanks.
 
Old 09-27-2006, 02:42 PM   #27
cesar_tec
LQ Newbie
 
Registered: Mar 2003
Distribution: RHEL, KNOPPIX
Posts: 5

Rep: Reputation: 0
I have been able to make this work using Red Hat Directory Server. I am sure that Fedora Directory Server will work the same.

Through Directory Server you are able to interface with AD via TLS. Also - using the supplied utility that comes with Directory Server (PassSync.msi) you are able to sync passwords back and forth between Linux and AD. It also allows you to synchronize users and groups and it remaps attributes appropriately for consistency between the two directories.

IISADMPWD is a HUGE security risk and should not be used on a Windows box. In fact, delete the file. That's unless you are running an OWA Exchange server on it.
 
Old 10-03-2006, 02:31 PM   #28
Gangrif
Member
 
Registered: Feb 2004
Distribution: Fedora 19
Posts: 58

Rep: Reputation: 15
So, i've read through this entire thread, and followed the above tutorial. I am running centos4, and trying to authenticate to a Windows 2000 DC. I seem to have encountered one little bump, and i think things will work if i can overcome it.

When i try to login, the following error is generated (in /var/log/messages)

sshd: nss_ldap: could not search LDAP server - Referral

This is of course if i try to login using SSH. I assume a similar error is produced if i try to login at the console.

Here is my /etc/ldap.conf


# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
# This file should be world readable but not world writable.
base cn=Users,dc=my_domain,dc=com
host one.ofmydomain.controlers
scope sub
ssl no
#TLS_CACERT /etc/ssl/certs/adcert.pem
binddn cn=my_AD_user,cn=Users,dc=my_domain,dc=com
bindpwd my_AD_users_password
#rootbinddn cn=administrator,cn=Users,dc=example,dc=com
referrals yes
#
# Active Directory Mappings
#
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
nss_base_passwd cn=Users,dc=my_domain,dc=com
nss_base_shadow cn=Users,dc=my_domain,dc=com
nss_base_group cn=Users,dc=my_domain,dc=com
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute cn sAMAccountName
nss_map_attribute uniqueMember member
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_objectclass posixGroup Group



we do not have an SSL cert on our domain controler, at least not that i've been able to find (it wasnt setup by me)

The error mentions referals, so i tried adding the "referrals yes" line to ldap.conf, but it didnt help.

This is quite annoying, it seems to be so close to working.

Thanks for any input.
 
Old 10-03-2006, 03:31 PM   #29
sruckh
LQ Newbie
 
Registered: Nov 2003
Posts: 13

Rep: Reputation: 0
Here are some other places where I have discussed this topic:

http://www.winlinanswers.com/communi...topic.php?t=37
http://blog.scottlowe.org/2006/04/27...erver-2003-r2/
http://blog.scottlowe.org/2006/08/08...-r2-revisited/

Maybe these sites will give you a hint with what your are missing. Are you using kerberos and using keytab files?

Have you run openldap commands to test that you can browse your Active Directory with the user you have selected as your bind user?

You should be able to run 'id username' and 'getent passwd username' before you try to log in. If those commands do not work, you are not going to be able to log in.
 
Old 10-03-2006, 03:34 PM   #30
sruckh
LQ Newbie
 
Registered: Nov 2003
Posts: 13

Rep: Reputation: 0
Try your ldapsearch commands:

ldapsearch -x -W -D "cn=binduser,cn=GroupName,dc=domain,dc=name" -LLL "(sAMAccountName=AccountToSearchFor)"
 
  


Reply

Tags
directory, ldap, password


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Active Directory Authentication zenix Suse/Novell 29 03-22-2007 10:00 AM
connecting samba to a windows 2003 active directory domain Jcrofton Linux - Networking 8 09-17-2006 06:07 PM
Authenticating Linux against Windows 2003 Active Directory Builder Linux - Enterprise 26 08-30-2005 03:56 AM
active directory authentication mozilla Linux - Networking 2 02-21-2005 04:55 AM
Slackware Linux and Windows 2003 Server Active Directory..HOW TO? Synick_ Linux - Networking 0 05-14-2004 06:24 AM


All times are GMT -5. The time now is 03:31 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration