LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Enterprise Linux Forums > Linux - Enterprise
User Name
Password
Linux - Enterprise This forum is for all items relating to using Linux in the Enterprise.

Notices

Reply
 
Search this Thread
Old 10-26-2006, 08:42 AM   #31
Ryan100
LQ Newbie
 
Registered: Oct 2006
Distribution: Ubuntu RHEL SLES Debian Backtrack
Posts: 12

Rep: Reputation: 0

Using RHWS 4 update 4 and Windows 2003 Server.

Win2k3 running SFU30 hosts my AD.

trying to connect with RHWS44 there are 2 ldap.conf

/etc/ldap.conf
and
/etc/openldap/ldap.conf

/etc/ldap.conf seems to do nothing.

I could only get basic seach with /etc/openldap/ldap.conf.

Code:
uri ldap://<server1>/ ldap://<server2>/
base dc=domain,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
bindn cn=ldapbinduser,ou=lvl2,ou=lvl1,dc=domain,dc=com
bindpw passwd

#
# Active Directory Mappings
#
pam_login_attribute     sAMAccountName
pam_filter              objectclass=User
pam_password            ad
nss_base_passwd         ou=myUsers,dc=example,dc=com
nss_base_shadow         ou=myUsers,dc=example,dc=com
nss_base_group          ou=myUsers,dc=example,dc=com
nss_map_objectclass     posixAccount    User
nss_map_objectclass     shadowAccount   User
nss_map_attribute       uid             sAMAccountName
nss_map_attribute       uidNumber       msSFU30UidNumber
nss_map_attribute       gidNumber       msSFU30GidNumber
nss_map_attribute       cn              sAMAccountName
nss_map_attribute       uniqueMember    member
nss_map_attribute       userPassword    msSFU30Password
nss_map_attribute       homeDirectory   msSFU30HomeDirectory
nss_map_attribute       loginShell      msSFU30LoginShell
nss_map_attribute       gecos           name
nss_map_objectclass     posixGroup      Group
using
Code:
ldapsearch -x -W -D "cn=<ldapuser>,ou=<lvl2>,ou=<lvl1>,dc=domain,dc=com" -LLL "(sAMAccountName=ldapbinduser)"
asks me to enter my passwd and works fine


using:
Code:
ldapsearch -x -LLL "(sAMAccountName=ldapbinduser)"
returns:
Code:
Operations Error (1)
Additional information: 00000000: LdapErr: DSID-0C0905FF, 
comment: In order to perform this operation a successful 
bind must be completed on the connection., data 0, vece
using:
Code:
ldapsearch -LLL "(sAMAccountName=ldapbinduser)"
returns:
Code:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: 
Miscellaneous failure (No Credentials cache found)
I think that for some reason it is not using the binddn and bindpw that i have listed in my conf file..

Can anyone help me sort this please..

Can you even point out how to do this without ssl as i want to get the guts of this working initally then when i get round to sorting out certificates then do the ssl

Last edited by Ryan100; 10-26-2006 at 09:26 AM.
 
Old 11-07-2006, 11:52 PM   #32
tux2460
LQ Newbie
 
Registered: Dec 2005
Location: Iowa
Distribution: Open SuSe 10.1
Posts: 2

Rep: Reputation: 0
Ok, I have a few possibly dumb questions.

1. will the command "openssl x509 -inform DER -in activedirectory.crt -outform PEM -out adcert.pem" give me the same output as "openssl pkcs7 -in activedirectory.cer -inform DER -out adcert.pem -outform PEM" because the second one horks on my systems, with a cannot load PKCS7 object error. I believe it should work fine, since the goal is turn the cert into PEM form.

2. the fact that the nsswitch.conf example is on a gentoo box kind of throws me, is that the same content needed for a fedora system? I assume so, but I've been wrong before on how different linux distros handle the same thing.

3. The /etc/pam.d/system-auth file says it is auto generated there in the text. So does it need to be edited, or is that the result I should get from the other steps?

I'll probably have a few more questions before I finish ironing out all the issues.
 
Old 11-08-2006, 12:11 AM   #33
sruckh
LQ Newbie
 
Registered: Nov 2003
Posts: 14

Rep: Reputation: 0
tux2460:

I can not remember for sure how I took my Windows cert and included in /etc/openldap/certs directory. Seems like it was more like what you were doing in your first example.

The /etc/nsswitch.conf file is similar on CentOS 4 distro which would be very similar to a fedora based distro.

You can hand edit /etc/pam.d/system-auth file, but if you use one of the fancy fedora/red-hat tools (system-config-authentication, authconfig, or other tool) for modifying the files then your hand edits will be lost.
 
Old 11-08-2006, 12:24 AM   #34
tux2460
LQ Newbie
 
Registered: Dec 2005
Location: Iowa
Distribution: Open SuSe 10.1
Posts: 2

Rep: Reputation: 0
sruckh:

Thanks for the reply, I was fairly sure the syntax was right on the first command, just wanted to double check.

So for the nsswitch.conf, I'll need to edit it so that it looks like the example Bleunique posted?

I'll try and make sure, I don't use any of the tools after I finish my edit. I'll back up the file just in case.

This is such an irritating subject though, I've seen a few dozen guides for this, but none seem to be complete, and each seems to have it's own spin. So it's hard to fill in some of the gaps.

Thanks for your help.
 
Old 12-11-2006, 12:33 PM   #35
blamere
LQ Newbie
 
Registered: Dec 2006
Posts: 3

Rep: Reputation: 0
hi, another AD-auth newbie with problems here

kerberos auth is utterly trivial, I have a keytab, can do ldapsearches no prob, etc. As an example, if I simply use:
ldapsearch "msSFU30Name=brianl"
I get my entire record! No worries!

Problem is, nss_ldap won't resolve uids/gids. I put debug on all the pam lines, and set the debug line in /etc/ldap.conf to 1. The stuff it shows me that I worry about is (Uid nums changed..."XXXX" is actually a valid, correct number):

put_filter: "(&(objectclass=User)(msSFU30UidNumber=XXXX))"
put_filter: AND
put_filter_list "(objectclass=User)(msSFU30UidNumber=XXXX)"
put_filter: "(objectclass=User)"
put_filter: simple
put_simple_filter: "objectclass=User"
put_filter: "(msSFU30UidNumber=XXXX)"
put_filter: simple
put_simple_filter: "msSFU30UidNumber=XXXX"
ldap_send_initial_request
ldap_send_server_request
ber_flush: 265 bytes to sd 7
ldap_result msgid 12
ldap_chkResponseList for msgid=12, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 12
wait4msg continue, msgid 12, all 1
ldap_chkResponseList for msgid=12, all=1
ldap_chkResponseList returns NULL


Clearly it's just...something...in /etc/ldap.conf, but I've used every suggested permutation of /etc/ldap.conf (the 3 suggested in this thread were tried, for example) to no avail.

What bothers me is if instead of ldapsearch "msSFU30Name=brianl" I use ldapsearch "msSFU30Name=brianl" "objectclass=User" I no longer get my whole record...instead, I just get my DN as below. Could that be all that nss_ldap is getting back to, and thus has nothing to map back to my uid/gid? Remember, if I leave off the objectclass=user and just search my name, I get my full record...not just the below.

ldapsearch "msSFU30Name=brianl" "objectclass=User" result:

SASL/GSSAPI authentication started
SASL username: rh4adtest/rh4adtest@CLINICOMP.COM
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: msSFU30UidNumber=
XXXX
# requesting: objectclass=User
#

# Brian LaMere, Users, CLINICOMP.com
dn: CN=Brian LaMere,CN=Users,DC=CLINICOMP,DC=com

# search reference
ref: ldap://CLINICOMP.COM/CN=Configuration,DC=CLINICOMP,DC=com

# search result
search: 5
result: 0 Success

# numResponses: 3
# numEntries: 1
# numReferences: 1

Last edited by blamere; 12-11-2006 at 05:04 PM.
 
Old 12-11-2006, 12:36 PM   #36
blamere
LQ Newbie
 
Registered: Dec 2006
Posts: 3

Rep: Reputation: 0
I should probably mention that I'm using RHEL4 update4...

anonymous AD searches are not allowed, but as I can do the search just fine with ldapsearch...
 
Old 12-11-2006, 12:42 PM   #37
blamere
LQ Newbie
 
Registered: Dec 2006
Posts: 3

Rep: Reputation: 0
final note: yes, I've configured nsswitch.conf, else ldap wouldn't be getting involved when I do an ls -al /home (/home has dirs owned by users that don't have local passwd entries...)

and I can log in with my AD passwd, even...and sudo, and pass tokens, and...anything auth related. Anything nsquery related fails, however.
 
Old 03-14-2007, 07:52 PM   #38
psychobyte
Member
 
Registered: Sep 2003
Location: Central Coast, California
Posts: 179

Rep: Reputation: 30
restricting users by AD group

Hi,

I don't think this issue has been resolved in this thead....

How do you get the pam_groupdn option in ldap.conf to restrict users in AD? It doesn't seem to work...

Thanks.
 
Old 05-03-2007, 06:27 PM   #39
mambley
LQ Newbie
 
Registered: Jan 2006
Posts: 11

Rep: Reputation: 0
Fedora Core 6 doesn't authenticate on a W2k3 R2 Server via Ldap

Hello Guys,

I tried to use the configuration shown for a test of a Fedora core 6 and a Windows 2003 R2 Domain but I have not been able to make it work. I removed the Certificate part to not complicate the things while I cannot make it work.

Every time that I try to authenticate I have the following error:

[root@ldaptestclient ~]# su raul
su: user raul does not exist
[root@ldaptestclient ~]# su ldap_test
su: user ldap_test does not exist

and in the /var/log/secure I have the following errors:

[root@ldaptestclient ~]# tail /var/log/secure
May 3 11:34:37 ldaptestclient sshd[3562]: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
May 3 11:34:46 ldaptestclient sshd[3561]: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
May 3 11:34:53 ldaptestclient sshd[3562]: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
May 3 11:35:18 ldaptestclient sshd[3561]: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...
May 3 11:35:25 ldaptestclient sshd[3562]: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...
May 3 11:36:22 ldaptestclient sshd[3561]: nss_ldap: could not search LDAP server - Server is unavailable
May 3 11:36:29 ldaptestclient sshd[3562]: nss_ldap: could not search LDAP server - Server is unavailable
May 3 14:19:12 ldaptestclient gdm[2562]: pam_unix(gdm:auth): check pass; user unknown
May 3 14:19:12 ldaptestclient gdm[2562]: pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
May 3 14:21:16 ldaptestclient gdm[2562]: pam_succeed_if(gdm:auth): error retrieving information about user raul

Attached is my /etc/ldap.conf and the /etc/nsswitch.conf


/etc/ldap.conf
# This file should be world readable but not world writable.
base cn=Users,dc=epochldaptest,dc=com
host 192.168.2.70
scope sub
ssl no
#TLS_CACERT /etc/ssl/certs/adcert.pem
binddn cn=ldap_test,cn=Users,dc=epochldaptest,dc=com
bindpwd Secret*1234
#rootbinddn cn=administrator,cn=Users,dc=epochldaptest,dc=com

#
# Active Directory Mappings
#
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
nss_base_passwd cn=Users,dc=epochldaptest,dc=com
nss_base_shadow cn=Users,dc=epochldaptest,dc=com
nss_base_group cn=Users,dc=epochldaptest,dc=com
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute cn sAMAccountName
nss_map_attribute uniqueMember member
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_objectclass posixGroup Group.com


[root@ldaptestclient ~]# vi /etc/nsswitch.conf

passwd: files ldap compat
shadow: files ldap compat
group: files ldap compat
hosts: files dns
networks: files dns
services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files

I'm sure that it is something easy but too hard for a newbie in this topic.

Thanks in advance for your help.

Raul
 
Old 05-04-2007, 08:15 PM   #40
sruckh
LQ Newbie
 
Registered: Nov 2003
Posts: 14

Rep: Reputation: 0
Mambley, It has been a very long time since I have looked at this stuff, and I do not have my test environment available, but it looks like your LDAP config is set up for Microsoft's Service for Unix (SFU). You mention you are using Win2k3 R2 which does not require the Services for Unix package. It instead has its own schema updates and utilities.

See some of the links posted in early messages of this thread. There are examples between Win2k3 R2 and Win2k/2k3 with Services for Unix.

I did not strictly analyze your config, but from a high level your ldap.conf file did not appear to match that of someone utilizing Win2k3 R2 features.
 
Old 10-29-2007, 08:27 PM   #41
Wraukon
LQ Newbie
 
Registered: Oct 2007
Posts: 2

Rep: Reputation: 0
LDAP <=> ADS (single-sign-on) for heterogeneous env.

Greetings,

I've been given the task of finding a single-sign-on solution for a heterogeneous environment comprised of HP-UX, Solaris, Linux, and Windows (and possibly NetBSD).

I'd like to know if there is any way to have one machine perform all the requisite LDAP <=> ADS translation while all the other machines auth against it with a minimal LDAP client configuration?

Many thanks in advance, and Wraukon the Excellent salutes you.
 
  


Reply

Tags
directory, ldap, password


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Active Directory Authentication zenix Suse/Novell 29 03-22-2007 11:00 AM
connecting samba to a windows 2003 active directory domain Jcrofton Linux - Networking 8 09-17-2006 07:07 PM
Authenticating Linux against Windows 2003 Active Directory Builder Linux - Enterprise 26 08-30-2005 04:56 AM
active directory authentication mozilla Linux - Networking 2 02-21-2005 05:55 AM
Slackware Linux and Windows 2003 Server Active Directory..HOW TO? Synick_ Linux - Networking 0 05-14-2004 07:24 AM


All times are GMT -5. The time now is 09:20 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration