LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Old 08-27-2012, 02:43 AM   #1
samanka80
Member
 
Registered: Aug 2012
Posts: 78

Rep: Reputation: Disabled
LDAP doesn't search Active Directory / why?


Hi. It's me again, working on connecting to Active Directory from LDAP.

When I run ldapsearch for test@seth.local (it exists in AD) I get this result:

# extended LDIF
#
# LDAPv3
# base <dc=seth,dc=local> (default) with scope subtree
# filter: (objectclass=*)
# requesting: test@seth.local
#

# search result
search: 2
result: 32 No such object

# numResponses: 1


It seems my LDAP doesn't search AD at all! Here is my configuration:

ldap.conf

# it's the IP of my Active Directory????
host 10.0.5.38


uri ldap://ldap.seth.local/
base dc=seth,dc=local
ldap_version 3
binddn ldap@seth.local
bindpw *****
scope sub

pam_login_attribute sAMAccountName
pam_password ad
nss_base_passwd cn=users,dc=seth,dc=local?sub
nss_base_group cn=users,dc=seth,dc=local?sub
nss_base_shadow dc=seth,dc=local?sub
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber uidNumber
nss_map_attribute gidNumber gidNumber
nss_map_attribute loginShell loginShell
nss_map_attribute gecos name
pam_login_attribute sAMAccountName
pam_filter objectclass=User
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_objectclass posixGroup Group
nss_map_attribute uniqueMember posixMember
nss_map_attribute cn sAMAccountName



and here is nsswitch.conf


group: files ldap
group_compat: nis
hosts: files dns
networks: files ldap
passwd: files ldap
passwd_compat: nis
shells: files ldap
services: compat
services_compat: nis
protocols: files
rpc: files ldap


What do you think my problem is??? Please, even one little tiny clue may help me.

God bless you
 
Old 08-27-2012, 03:41 AM   #2
lievendp
Member
 
Registered: Jan 2006
Location: Belgique
Distribution: Gentoo, Debian, Redhat, Centos, (x)Ubuntu
Posts: 111

Rep: Reputation: 27
Hello,

First, I see no reference to shadow for ldap in your nsswitch.conf, but that is not the problem you are showing.
I cannot give you a solution for this because the setup is somewhat unclear.

However, I suggest you get a little reading going about LDAP-AD integration for Linux. What is the goal: authenticate Linux logins with AD? Use Kerberos for SSO? There are plenty of tutorials around.
i.e.:
http://en.gentoo-wiki.com/wiki/Activ...ion_using_LDAP
http://www.centos.org/docs/5/html/De...uthconfig.html
... I think someone already mentioned a few in one of your previous posts?

As a first step, I can suggest you read up on the ldapsearch utility. This will help you troubleshoot your problem. What ldapsearch query did you try to get your aforementioned result?

Is there a firewall on the Windows DC that blocks your ldapsearch query? Any networks in between? Can you nmap the DC and see that the ports are open for LDAP? Do you have the correct credentials, etc.?

Kind regards.
 
Old 08-27-2012, 03:54 AM   #3
samanka80
Member
 
Registered: Aug 2012
Posts: 78

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by lievendp
Hello,

First, I see no reference to shadow for ldap in your nsswitch.conf, but that is not the problem you are showing.
I cannot give you a solution for this because the setup is somewhat unclear.

However, I suggest you get a little reading going about LDAP-AD integration for Linux. What is the goal: authenticate Linux logins with AD? Use Kerberos for SSO? There are plenty of tutorials around.
i.e.:
http://en.gentoo-wiki.com/wiki/Activ...ion_using_LDAP
http://www.centos.org/docs/5/html/De...uthconfig.html
... I think someone already mentioned a few in one of your previous posts?

As a first step, I can suggest you read up on the ldapsearch utility. This will help you troubleshoot your problem. What ldapsearch query did you try to get your aforementioned result?

Is there a firewall on the Windows DC that blocks your ldapsearch query? Any networks in between? Can you nmap the DC and see that the ports are open for LDAP? Do you have the correct credentials, etc.?

Kind regards.

Hi.

Really, thanks for your reply. I have actually been digging into this for a month. I use FreeBSD 9 and Kerberos; Kerberos is working fine, and when I use the command "ldapsearch myuser" I have the ticket, even for the LDAP bind account... Actually I think somehow LDAP is just searching its own table, not Active Directory's: when I run "getent passwd <AD username>" I have no errors, just empty output; I think it's showing just the LDAP tables... I have also used the line "auth sufficient /usr/local/lib/pam_ldap.so" in the pam.d services I need. I am still reading and testing, but I really need opinions and links just like what you sent me. Please, if there is any other thing, let me know.... Thanks...

By the way, I changed my /etc/ldap.conf to this:

host 10.0.5.38
uri ldap://ldap.seth.local/
base dc=seth,dc=local
binddn cn=ldap,dc=seth,dc=local
bindpw *****
scope sub
ssl no
nss_base_passwd dc=seth,dc=local
nss_base_shadow dc=seth,dc=local
nss_base_group dc=seth,dc=local
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
pam_login_attribute sAMAccountName
pam_filter objectclass=User
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute cn cn


I think there is a problem somewhere in my ldap.conf, but I am not sure...
 
Old 08-27-2012, 04:08 AM   #4
lievendp
Member
 
Registered: Jan 2006
Location: Belgique
Distribution: Gentoo, Debian, Redhat, Centos, (x)Ubuntu
Posts: 111

Rep: Reputation: 27
Here's an example ldapsearch query to manually check whether you can get the info from AD:

ldapsearch -x -h <ip-of-windows-DC> -D "<bind-dn>" -b "<base for search>" -w <password> "<filter>"
where it should look a little like this (example, adapt to your environment):
<binddn> : "cn=ldapuser,ou=users,dc=example,dc=com"
<base> : "dc=example,dc=com"
<filter> : "sAMAcountName=username"

At least the ldapsearch should give you the AD info for the user you look up (username).
 
Old 08-27-2012, 04:26 AM   #5
samanka80
Member
 
Registered: Aug 2012
Posts: 78

Original Poster
Rep: Reputation: Disabled
Hi again... I did this:

ldapsearch -h seth.local ldap@seth.local -W
# extended LDIF
#
# LDAPv3
# base <dc=seth,dc=local> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ldap@seth.local -W
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C0906DC, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db0


Seems like I really have a problem with my ldap.conf. It seems fine, but apparently ldap is not using it; I had to use "-h seth.local" to force ldap to connect to the server, and it is not using the credentials I have defined in ldap.conf. Still digging...
 
Old 08-27-2012, 04:29 AM   #6
lievendp
Member
 
Registered: Jan 2006
Location: Belgique
Distribution: Gentoo, Debian, Redhat, Centos, (x)Ubuntu
Posts: 111

Rep: Reputation: 27
You are not giving any bind credentials etc. to your ldapsearch.
The error clearly states that you cannot do a successful bind to AD. Forget about the ldap.conf for now; you will have to get a result from ldapsearch with the info I provided, then you can use the info from the ldapsearch in your ldap.conf.

Is seth.local the DNS name of your AD server? Try with the IP as host: -h "<ip-of-windc>"

Last edited by lievendp; 08-27-2012 at 04:30 AM.
 
Old 08-27-2012, 04:32 AM   #7
samanka80
Member
 
Registered: Aug 2012
Posts: 78

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by lievendp
Here's an example ldapsearch query to manually check whether you can get the info from AD:

ldapsearch -x -h <ip-of-windows-DC> -D "<bind-dn>" -b "<base for search>" -w <password> "<filter>"
where it should look a little like this (example, adapt to your environment):
<binddn> : "cn=ldapuser,ou=users,dc=example,dc=com"
<base> : "dc=example,dc=com"
<filter> : "sAMAcountName=username"

At least the ldapsearch should give you the AD info for the user you look up (username).
You mean something like this??

ldapsearch -x -h seth.local -D "cn=ldap,ou=users,dc=seth,dc=local" -b "dc=seth,dc=local" -w //I used bind passwd here// "sAMAcountName=test"

after using the command I have this error:

ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db0



By the way, ldap is my bind account and test is just some user...

And -h <ip address> gives me the same error...

Last edited by samanka80; 08-27-2012 at 04:35 AM.
 
Old 08-27-2012, 04:36 AM   #8
samanka80
Member
 
Registered: Aug 2012
Posts: 78

Original Poster
Rep: Reputation: Disabled
Can you review my ldap.conf?? Is there anything else anywhere I should configure?? By the way, it seems my ports on the server are open. Here is the result of nmap... Are they enough??

PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
111/tcp open rpcbind
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
515/tcp open printer
593/tcp open http-rpc-epmap
636/tcp open ldapssl
683/tcp open corba-iiop
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
49159/tcp open unknown
 
Old 08-27-2012, 04:46 AM   #9
lievendp
Member
 
Registered: Jan 2006
Location: Belgique
Distribution: Gentoo, Debian, Redhat, Centos, (x)Ubuntu
Posts: 111

Rep: Reputation: 27
The ports are OK (I suspected as much because your Windows PCs can authenticate),

but the ldapsearch error is still with the credentials.
-D "cn=ldap,ou=users,dc=seth,dc=local" => is this ldap user really there?? You have to check in your AD. I see "binddn cn=ldap,dc=seth,dc=local" in your ldap.conf, which is different from what you type at the ldapsearch.

If you don't want to type your ldap password in cleartext on the command line, you can use "-W" instead of "-w".

Only once the ldapsearch works can you start worrying about your ldap.conf file.

As far as I can see, there is no problem with the ldap.conf. However, I see no "pam_password ad" directive.
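The review lievendp does by eye here can be scripted. What follows is an added example, not code from this thread or from pam_ldap/nss_ldap: a Python checker that parses the poster's revised ldap.conf from post #3 (bind password replaced by a placeholder) and reports the points raised in the thread (the missing pam_password ad; a bind DN under ou=users, where post #12's output shows the account actually lives in CN=Users; the "referrals off" suggestion from post #14; a directive set twice, as pam_login_attribute is in the post #1 config), plus two things a defender would add: a bindpw sent over plain ldap:// with ssl no, when the nmap output in post #8 shows 636/tcp open, and msSFU30* attribute mappings on a Windows Server 2008 R2 domain (post #15), whose schema ships the RFC 2307 attributes that the post #1 config mapped. The finding texts are mine; the statement that only one of host/uri is used assumes pam_ldap's usual behaviour.

```python
import re

# The poster's revised /etc/ldap.conf from post #3, used here as sample input;
# the bind password is replaced with a placeholder.
SAMPLE_LDAP_CONF = """\
host 10.0.5.38
uri ldap://ldap.seth.local/
base dc=seth,dc=local
binddn cn=ldap,dc=seth,dc=local
bindpw <bind-password-placeholder>
scope sub
ssl no
nss_base_passwd dc=seth,dc=local
nss_base_shadow dc=seth,dc=local
nss_base_group dc=seth,dc=local
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
pam_login_attribute sAMAccountName
pam_filter objectclass=User
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute cn cn
"""


def parse_ldap_conf(text):
    """Return (directive, value) pairs with lowercased directive names.

    Blank lines and whole-line '#' comments are skipped; pam_ldap/nss_ldap
    have no end-of-line comments, so nothing else is stripped.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        pairs.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return pairs


def review_ldap_conf(text):
    """Return a list of findings for an ldap.conf aimed at Active Directory."""
    conf, seen, findings = {}, set(), []
    for key, value in parse_ldap_conf(text):
        # nss_map_* directives legitimately repeat; any other directive given
        # twice is a copy-paste slip (post #1 sets pam_login_attribute twice).
        if not key.startswith("nss_map_"):
            if key in seen:
                findings.append(f"'{key}' is set more than once; the later value silently wins")
            seen.add(key)
        conf.setdefault(key, []).append(value)

    if conf.get("pam_password", [""])[-1].lower() != "ad":
        findings.append("missing 'pam_password ad': password changes through pam_ldap "
                        "will not use the AD method")
    uses_ldaps = any(u.lower().startswith("ldaps://") for u in conf.get("uri", []))
    if "bindpw" in conf and conf.get("ssl", ["no"])[-1].lower() == "no" and not uses_ldaps:
        findings.append("bindpw with 'ssl no' over ldap://: the simple bind sends the password "
                        "in cleartext on 389/tcp; use 'ssl on' with a ldaps:// uri (636/tcp is "
                        "open on this DC per the nmap output) or 'ssl start_tls'")
    if "host" in conf and "uri" in conf:
        findings.append("both 'host' and 'uri' are set; only one is used, so keep the one that "
                        "names the DC and make sure that name resolves")
    for dn in conf.get("binddn", []):
        if re.search(r"ou=users,", dn, re.IGNORECASE):
            findings.append("binddn uses ou=users, but AD's default container is CN=Users "
                            "(post #12 shows CN=ldap,CN=Users,...); a UPN like ldap@seth.local also binds")
    if "referrals" not in conf:
        findings.append("consider 'referrals off': a domain-root base returns references to "
                        "ForestDnsZones/DomainDnsZones/Configuration that pam_ldap need not chase")
    all_values = " ".join(v for values in conf.values() for v in values)
    if re.search(r"\bmsSFU30", all_values):
        findings.append("msSFU30* attribute mappings need the Services for UNIX 3.x schema "
                        "extension; 2003 R2 and later ship uidNumber/gidNumber/unixHomeDirectory/"
                        "loginShell, which the post #1 config mapped")
    return findings


if __name__ == "__main__":
    for finding in review_ldap_conf(SAMPLE_LDAP_CONF):
        print("-", finding)
```

Run against the post #3 config it reports five findings; feed it the post #1 config instead and the duplicate pam_login_attribute shows up while the pam_password finding disappears. The cleartext-bind finding is the one with real exposure: with ssl no, every nss_ldap lookup re-sends the bindpw as a simple bind over 389/tcp, so anyone on the path between the FreeBSD host and the DC can read the service account's password.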
 
Old 08-27-2012, 05:11 AM   #10
samanka80
Member
 
Registered: Aug 2012
Posts: 78

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by lievendp
The ports are OK (I suspected as much because your Windows PCs can authenticate),

but the ldapsearch error is still with the credentials.
-D "cn=ldap,ou=users,dc=seth,dc=local" => is this ldap user really there?? You have to check in your AD. I see "binddn cn=ldap,dc=seth,dc=local" in your ldap.conf, which is different from what you type at the ldapsearch.

If you don't want to type your ldap password in cleartext on the command line, you can use "-W" instead of "-w".

Only once the ldapsearch works can you start worrying about your ldap.conf file.

As far as I can see, there is no problem with the ldap.conf. However, I see no "pam_password ad" directive.
Yes, the ldap user is really there... I just checked with "ou=users" and without it; neither worked... Should I use it or not, because the ldap user is really in the Users container? Besides, I hadn't used delegation for my bind account; here is the page I used to give delegation for my domain to ldap right now:

http://www.advproxy.net/ldapads.html

But I still can't get any result from ldapsearch.

I had the directive "pam_password ad", but as I changed my configuration multiple times, it is missing this time. I used this guide for my current config:

http://blog.scottlowe.org/2007/07/09...2008/#comments
 
Old 08-27-2012, 05:23 AM   #11
samanka80
Member
 
Registered: Aug 2012
Posts: 78

Original Poster
Rep: Reputation: Disabled
///solved

Last edited by samanka80; 08-27-2012 at 05:46 AM.
 
Old 08-27-2012, 05:42 AM   #12
samanka80
Member
 
Registered: Aug 2012
Posts: 78

Original Poster
Rep: Reputation: Disabled
New thing! I used this command:

ldapsearch -x -h 10.0.5.38 -D "ldap@seth.local" -b "dc=seth,dc=local" -w ***** "sAMAcountName=test"
I mean "ldap@seth.local" instead of cn=ldap,ou=users,dc=seth,dc=local, and I have this result:

# extended LDIF
#
# LDAPv3
# base <dc=seth,dc=local> with scope subtree
# filter: sAMAcountName=test
# requesting: ALL
#

# search reference
ref: ldap://ForestDnsZones.seth.local/DC=ForestDnsZones,DC=seth,DC=local

# search reference
ref: ldap://DomainDnsZones.seth.local/DC=DomainDnsZones,DC=seth,DC=local

# search reference
ref: ldap://seth.local/CN=Configuration,DC=seth,DC=local

# search result
search: 2
result: 0 Success

# numResponses: 4
# numReferences: 3

And then I replaced "sAMAcountName=test" with "test@seth.local" and I get many of these; seems like it is seeing my Active Directory.

# test, Users, seth.local
dn: CN=test,CN=Users,DC=seth,DC=local

# alex, Users, seth.local
dn: CN=alex,CN=Users,DC=seth,DC=local

# THINKPAD, Users, seth.local
dn: CN=THINKPAD,CN=Users,DC=seth,DC=local

# ldap, Computers, seth.local
dn: CN=ldap,CN=Computers,DC=seth,DC=local

# ldap, Users, seth.local
dn: CN=ldap,CN=Users,DC=seth,DC=local

# search reference
ref: ldap://ForestDnsZones.seth.local/DC=ForestDnsZones,DC=seth,DC=local

# search reference
ref: ldap://DomainDnsZones.seth.local/DC=DomainDnsZones,DC=seth,DC=local

# search reference
ref: ldap://seth.local/CN=Configuration,DC=seth,DC=local

# search result
search: 2
result: 0 Success

# numResponses: 295
# numEntries: 291
# numReferences: 3


Please tell me if you see something wrong; I'll go dig more.

Last edited by samanka80; 08-27-2012 at 07:06 AM.
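An added example (mine, not code from this thread or from OpenLDAP) that does mechanically what lievendp does by reading the output in post #14: it parses ldapsearch's LDIF output, counts entries and referrals, reads the result code, and checks the filter argument itself. The sample inputs are the first run pasted above in this post (abridged to the lines the parser uses) and the "Operations error" tail from post #5, with its folded text: line; the list of AD attribute names is a short one of my own. It catches the two things that made the runs above misleading: "sAMAcountName" is a misspelling of sAMAccountName, so a result of 0 Success with no entries is exactly what a working bind should return for it, and "test@seth.local" contains no "=", which ldapsearch takes as an attribute to request rather than a filter (post #1's output shows the same: filter (objectclass=*), requesting test@seth.local), hence the 291 entries.

```python
import re
import difflib

# Post #12, first run (filter "sAMAcountName=test"), abridged to the lines that matter.
LDIF_TYPO_FILTER = """\
# base <dc=seth,dc=local> with scope subtree
# filter: sAMAcountName=test
# requesting: ALL
ref: ldap://ForestDnsZones.seth.local/DC=ForestDnsZones,DC=seth,DC=local
ref: ldap://DomainDnsZones.seth.local/DC=DomainDnsZones,DC=seth,DC=local
ref: ldap://seth.local/CN=Configuration,DC=seth,DC=local
# search result
search: 2
result: 0 Success
# numResponses: 4
# numReferences: 3
"""

# Tail of the post #5 run (no bind credentials given); the text: line is
# folded onto a second line the way LDIF does it.
LDIF_NO_BIND = """\
# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C0906DC, comment: In order to perform this ope
 ration a successful bind must be completed on the connection., data 0, v1db0
"""

# Short list of AD attribute names (mine, not exhaustive). LDAP attribute names
# are case-insensitive, so lookups use the lowercased form.
KNOWN_AD_ATTRIBUTES = ["sAMAccountName", "userPrincipalName", "cn", "objectClass",
                       "objectCategory", "memberOf", "mail", "uidNumber", "gidNumber"]
_KNOWN_LOWER = {a.lower(): a for a in KNOWN_AD_ATTRIBUTES}
# an attribute name directly followed by a filter comparison operator
_ATTR_IN_FILTER = re.compile(r"([A-Za-z][A-Za-z0-9;.-]*)\s*(?:~=|>=|<=|:=|=)")


def _unfold(text):
    """Join LDIF continuation lines (leading space) back onto their line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif_result(text):
    """Summarise an ldapsearch LDIF dump: filter, entries, referrals, result."""
    s = {"filter": None, "entries": [], "references": [],
         "result_code": None, "result_text": None, "text": ""}
    for line in _unfold(text):
        if line.startswith("# filter:"):
            s["filter"] = line.split(":", 1)[1].strip()
        elif line.startswith("dn:"):
            s["entries"].append(line[3:].strip())
        elif line.startswith("ref:"):
            s["references"].append(line[4:].strip())
        elif line.startswith("result:"):
            code, _, msg = line[7:].strip().partition(" ")
            s["result_code"], s["result_text"] = int(code), msg
        elif line.startswith("text:"):
            s["text"] = line[5:].strip()
    return s


def check_filter(filter_arg):
    """Warn about a filter argument as typed on the ldapsearch command line."""
    warnings = []
    if "=" not in filter_arg:
        # Post #1: 'ldapsearch test@seth.local' reports filter (objectclass=*)
        # and 'requesting: test@seth.local'.
        warnings.append(f"'{filter_arg}' contains no '=', so ldapsearch treats it as an "
                        "attribute to request and uses the default filter (objectclass=*)")
        return warnings
    for attr in _ATTR_IN_FILTER.findall(filter_arg):
        if attr.lower() in _KNOWN_LOWER:
            continue
        close = difflib.get_close_matches(attr.lower(), list(_KNOWN_LOWER), n=1, cutoff=0.8)
        hint = f"; did you mean {_KNOWN_LOWER[close[0]]}?" if close else ""
        warnings.append(f"unknown attribute '{attr}' in filter{hint}")
    return warnings


def diagnose(ldif_text, filter_arg):
    """Combine the filter check with what the server actually answered."""
    s = parse_ldif_result(ldif_text)
    notes = check_filter(filter_arg)
    if s["result_code"] == 0 and not s["entries"]:
        notes.append("result 0 Success with 0 entries: bind and base are fine, "
                     "the filter simply matched nothing")
    elif s["result_code"] == 32:
        notes.append("result 32 No such object: the base DN does not exist on the "
                     "server that answered; check which host was contacted")
    elif s["result_code"] == 1 and "bind" in s["text"]:
        notes.append("result 1 Operations error: AD refuses anonymous searches; "
                     "bind with -x -D <binddn> -W as in post #4")
    if s["references"]:
        notes.append(f"{len(s['references'])} search references (normal for a domain-root "
                     "base on AD); pam_ldap/nss_ldap can skip them with 'referrals off'")
    return notes
```

The attribute check is the part worth keeping around: AD answers an unknown attribute in a filter with an empty, successful result rather than an error, so a one-letter typo looks exactly like "the user does not exist" until the name is compared against a known list.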
 
Old 08-27-2012, 05:57 AM   #13
samanka80
Member
 
Registered: Aug 2012
Posts: 78

Original Poster
Rep: Reputation: Disabled
Excellent! I think I am connecting to Active Directory after using delegation and adding the directive to use Active Directory in my ldap.conf.

I tried "su test" (test is in Active Directory)... I see this error:

ldapsudo: pam_ldap: error trying to bind invalid dn syntax...

Trying trying trying....
 
Old 08-27-2012, 06:41 AM   #14
lievendp
Member
 
Registered: Jan 2006
Location: Belgique
Distribution: Gentoo, Debian, Redhat, Centos, (x)Ubuntu
Posts: 111

Rep: Reputation: 27
First, you might consider removing your password from your post (ldapsearch) :-)

I think you can also use "referrals off" in the ldap.conf, but as far as I can read your error messages, the bind is still a problem.

Are you working with one AD domain, or is there a trust or something? Also, you are working with MS AD, right?

I cannot see into your directory, but the result from your ldapsearch doesn't return much; with "sAMAccountName=test" you should have a lot of info about the test user if it exists.
 
Old 08-27-2012, 07:05 AM   #15
samanka80
Member
 
Registered: Aug 2012
Posts: 78

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by lievendp
First, you might consider removing your password from your post (ldapsearch) :-)

I think you can also use "referrals off" in the ldap.conf, but as far as I can read your error messages, the bind is still a problem.

Are you working with one AD domain, or is there a trust or something? Also, you are working with MS AD, right?

I cannot see into your directory, but the result from your ldapsearch doesn't return much; with "sAMAccountName=test" you should have a lot of info about the test user if it exists.
Yes, I have a lot of results, almost all my Active Directory!

I use just one Microsoft AD on Windows Server 2008 R2; it is in the same domain and network as my LDAP server.

There are some things I should do with the files in /etc/pam.d, here:

http://www.freebsd.org/doc/en_US.ISO...th/client.html

I did it, but when I "su test" it prompts me for the password, and then the LDAP password. When I enter the passwords I get the error "can not bind, invalid DN syntax". What DN syntax? I mean, which file is it referring to??
 
  

