Ldap doesn't go to search active directory / why?
Hi. It's me again, working on connecting to active directory from ldap.
When I ldapsearch test@seth.local (it exists in AD) I have this result:

    # extended LDIF
    #
    # LDAPv3
    # base <dc=seth,dc=local> (default) with scope subtree
    # filter: (objectclass=*)
    # requesting: test@seth.local
    #

    # search result
    search: 2
    result: 32 No such object

    # numResponses: 1

Seems like my ldap doesn't go to search AD at all! Here is my configuration:

ldap.conf:

    host 10.0.5.38                 # it's the IP of my active directory????
    uri ldap://ldap.seth.local/
    base dc=seth,dc=local
    ldap_version 3
    binddn ldap@seth.local
    bindpw *****
    scope sub
    pam_login_attribute sAMAccountName
    pam_password ad
    nss_base_passwd cn=users,dc=seth,dc=local?sub
    nss_base_group cn=users,dc=seth,dc=local?sub
    nss_base_shadow dc=seth,dc=local?sub
    nss_map_objectclass posixAccount User
    nss_map_objectclass shadowAccount user
    nss_map_attribute uid sAMAccountName
    nss_map_attribute uidNumber uidNumber
    nss_map_attribute gidNumber gidNumber
    nss_map_attribute loginShell loginShell
    nss_map_attribute gecos name
    pam_login_attribute sAMAccountName
    pam_filter objectclass=User
    nss_map_attribute userPassword msSFU30Password
    nss_map_attribute homeDirectory unixHomeDirectory
    nss_map_objectclass posixGroup Group
    nss_map_attribute uniqueMember posixMember
    nss_map_attribute cn sAMAccountName

and here is nsswitch.conf:

    group: files ldap
    group_compat: nis
    hosts: files dns
    networks: files ldap
    passwd: files ldap
    passwd_compat: nis
    shells: files ldap
    services: compat
    services_compat: nis
    protocols: files
    rpc: files ldap

What do you think my problem is??? Please, even one little tiny clue may help me :( God bless you
Hello,
First, I see no reference to shadow for ldap in your nsswitch.conf, but that is not the problem you are showing. I cannot give you a solution for this because the setup is somewhat unclear. However, I suggest you get a little reading going about the LDAP-AD integration for Linux. What is the goal: authenticate Linux logins with AD? Use Kerberos for SSO? There are plenty of tutorials around, e.g.:

http://en.gentoo-wiki.com/wiki/Activ...ion_using_LDAP
http://www.centos.org/docs/5/html/De...uthconfig.html
...

I think someone already mentioned a few in one of your previous posts?

As a first step, I can suggest you read up on the ldapsearch utility. This will help you troubleshoot your problem. What ldapsearch query did you try to get your aforementioned result? Is there a firewall on the Windows DC that blocks your ldapsearch query? Any networks in between? Can you nmap the DC and see that the ports are open for LDAP? Do you have the correct credentials, etc.?

Kind regards.
Hi. Really thanks for your reply. I have actually been digging into this for a month. I use FreeBSD 9 and Kerberos; Kerberos is working fine, and I use the command "ldapsearch myuser" and I have the ticket, even for the ldap bind account... Actually I think somehow ldap is just searching its table, not active directory's; when I "getent passwd <AD username>" I have no errors, just empty. I think it's showing just ldap tables... I have also used the line "auth sufficient /usr/local/lib/pam_ldap.so" in the pam.d services I need. I am still reading and testing, but I really need opinions and links just like what you sent me. Please, if there is any other thing, let me know.... thanks... By the way, I changed my /etc/ldap.conf to this:

    host 10.0.5.38
    uri ldap://ldap.seth.local/
    base dc=seth,dc=local
    binddn cn=ldap,dc=seth,dc=local
    bindpw *****
    scope sub
    ssl no
    nss_base_passwd dc=seth,dc=local
    nss_base_shadow dc=seth,dc=local
    nss_base_group dc=seth,dc=local
    nss_map_objectclass posixAccount user
    nss_map_objectclass shadowAccount user
    nss_map_objectclass posixGroup group
    pam_login_attribute sAMAccountName
    pam_filter objectclass=User
    nss_map_attribute uid sAMAccountName
    nss_map_attribute uidNumber msSFU30UidNumber
    nss_map_attribute gidNumber msSFU30GidNumber
    nss_map_attribute loginShell msSFU30LoginShell
    nss_map_attribute gecos name
    nss_map_attribute userPassword msSFU30Password
    nss_map_attribute homeDirectory msSFU30HomeDirectory
    nss_map_attribute uniqueMember msSFU30PosixMember
    nss_map_attribute cn cn

I think somewhere there is a problem with my ldap.conf, but I am not sure...
Here's an example ldapsearch query to manually check if you can get the info from AD:

    ldapsearch -x -h <ip-of-windows-DC> -D "<bind-dn>" -b "<base for search>" -w <password> "<filter>"

where it should look a little like this (example, adapt to your environment):

    <bind-dn> : "cn=ldapuser,ou=users,dc=example,dc=com"
    <base>    : "dc=example,dc=com"
    <filter>  : "sAMAccountName=username"

At least the ldapsearch should give you the AD info for the user you look up (username).
Hi again... I did this:
    ldapsearch -h seth.local ldap@seth.local -W

    # extended LDIF
    #
    # LDAPv3
    # base <dc=seth,dc=local> (default) with scope subtree
    # filter: (objectclass=*)
    # requesting: ldap@seth.local -W
    #

    # search result
    search: 2
    result: 1 Operations error
    text: 000004DC: LdapErr: DSID-0C0906DC, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db0

Seems like I really have a problem with my ldap.conf. It seems fine, but apparently ldap is not using it: I had to use "-h seth.local" to force ldap to connect to the server, and it is not using the credentials I have defined in ldap.conf :( Still digging...
You are not giving any bind credentials etc. to your ldapsearch.
The error clearly states that you cannot do a successful bind to AD. Forget about the ldap.conf for now; you will have to get a result from ldapsearch with the info I provided, then you can use the info from the ldapsearch in your ldap.conf. Is seth.local the DNS name of your AD server? Try with the IP as host: -h "<ip-of-windc>"
    ldapsearch -x -h seth.local -D "cn=ldap,ou=users,dc=seth,dc=local" -b "dc=seth,dc=local" -w //I used bind passwd here// "sAMAcountName=test"

After using the command I have this error:

    ldap_bind: Invalid credentials (49)
            additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db0

:( By the way, ldap is my bind account and test is just some user... and -h with the IP address gives me the same error...
Can you review my ldap.conf?? Is there anything else anywhere I should configure?? By the way, it seems my ports on the server are open. Here is the result of nmap... are they enough??

    PORT      STATE SERVICE
    53/tcp    open  domain
    80/tcp    open  http
    88/tcp    open  kerberos-sec
    111/tcp   open  rpcbind
    135/tcp   open  msrpc
    139/tcp   open  netbios-ssn
    389/tcp   open  ldap
    445/tcp   open  microsoft-ds
    464/tcp   open  kpasswd5
    515/tcp   open  printer
    593/tcp   open  http-rpc-epmap
    636/tcp   open  ldapssl
    683/tcp   open  corba-iiop
    3268/tcp  open  globalcatLDAP
    3269/tcp  open  globalcatLDAPssl
    49154/tcp open  unknown
    49155/tcp open  unknown
    49157/tcp open  unknown
    49158/tcp open  unknown
    49159/tcp open  unknown
The ports are ok (I suspected as much because your windows pc's can authenticate)
but the ldapsearch error is still with the credentials. -D "cn=ldap,ou=users,dc=seth,dc=local" => is this ldap user really there?? You have to check in your AD. I see "binddn cn=ldap,dc=seth,dc=local" in your ldap.conf, which is different from what you type at the ldapsearch. If you don't want to type your ldap password in cleartext on the command line, you can use "-W" instead of "-w". Only if the ldapsearch works can you start worrying about your ldap.conf file. As far as I can see, there is no problem with the ldap.conf. However, I see no "pam_password ad" directive.
http://www.advproxy.net/ldapads.html

But I still can't get any result from ldapsearch. I had the directive "pam_password ad", but as I changed my configuration multiple times it is missing this time. I used this help for my current config: http://blog.scottlowe.org/2007/07/09...2008/#comments
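An added example, not from this thread and not part of PADL's nss_ldap/pam_ldap: a small Python lint for the ldap.conf directives discussed above. It embeds trimmed, password-redacted copies of the two ldap.conf versions posted in the thread and a constructed subset of the DNs that the later ldapsearch listing in the thread returns. That listing shows the bind account at CN=ldap,CN=Users,DC=seth,DC=local, so neither cn=ldap,dc=seth,dc=local nor cn=ldap,ou=users,dc=seth,dc=local names an existing object, which fits the "data 52e" bind rejection; the user@domain form, which AD accepts for a simple bind, is the one that worked later in the thread. The lint also flags the missing "pam_password ad" directive, a bindpw sent as a cleartext simple bind over ldap:// with "ssl no" (the DC's nmap output shows 636/tcp open, so ldaps or start_tls is available), a bindpw readable by every NSS client process, and diffs the two versions. The checks, the DN list and the RDN regex are this example's assumptions.

```python
import re

# Constructed: trimmed copies of the two ldap.conf versions posted in the thread
# (bindpw redacted), limited to the directives the checks below look at.
CONF_FIRST = """\
host 10.0.5.38
uri ldap://ldap.seth.local/
base dc=seth,dc=local
ldap_version 3
binddn ldap@seth.local
bindpw REDACTED
scope sub
pam_login_attribute sAMAccountName
pam_password ad
nss_base_passwd cn=users,dc=seth,dc=local?sub
nss_map_attribute uid sAMAccountName
"""
CONF_SECOND = """\
host 10.0.5.38
uri ldap://ldap.seth.local/
base dc=seth,dc=local
binddn cn=ldap,dc=seth,dc=local
bindpw REDACTED
scope sub
ssl no
nss_base_passwd dc=seth,dc=local
pam_login_attribute sAMAccountName
nss_map_attribute uid sAMAccountName
"""
# Constructed subset of the DNs the later ldapsearch listing in the thread returned.
DIRECTORY_DNS = ["CN=test,CN=Users,DC=seth,DC=local",
                 "CN=ldap,CN=Users,DC=seth,DC=local",
                 "CN=ldap,CN=Computers,DC=seth,DC=local"]

RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+$")   # rough RFC 4514 RDN shape (assumption)

def parse_ldap_conf(text):
    """PADL-style ldap.conf: 'key value' per line, '#' comments; keys may repeat."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            entries.append((key.lower(), value.strip()))
    return entries

def first_values(entries):
    """First occurrence wins, as for single-valued directives such as binddn."""
    values = {}
    for key, value in entries:
        values.setdefault(key, value)
    return values

def norm_dn(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))

def is_dn(text):
    return all(RDN_RE.match(part.strip()) for part in text.split(","))

def lint(conf, directory_dns=()):
    """Return a list of findings for one ldap.conf text."""
    v = first_values(parse_ldap_conf(conf))
    findings = []
    binddn = v.get("binddn")
    if binddn is None:
        findings.append("no binddn: AD refuses anonymous searches, so NSS lookups return nothing")
    elif is_dn(binddn):
        known = {norm_dn(d) for d in directory_dns}
        if known and norm_dn(binddn) not in known:
            rdn = norm_dn(binddn).split(",")[0]
            same_rdn = [d for d in directory_dns if norm_dn(d).startswith(rdn + ",")]
            findings.append(f"binddn '{binddn}' names no object in the directory listing"
                            + (f"; objects with the same RDN: {', '.join(same_rdn)}" if same_rdn else ""))
    elif not re.fullmatch(r"[^@\s]+@[^@\s]+", binddn):   # user@domain: AD accepts it for a simple bind
        findings.append(f"binddn '{binddn}' is neither a DN nor user@domain")
    if v.get("pam_password") != "ad":
        findings.append("missing 'pam_password ad': pam_ldap will not use AD's password-change method")
    if "bindpw" in v:
        if v.get("ssl", "no") == "no" and not v.get("uri", "").startswith("ldaps://"):
            findings.append("bindpw goes out as a cleartext simple bind (ssl no, ldap:// uri); "
                            "use 'ssl start_tls' or an ldaps:// uri")
        findings.append("bindpw is in ldap.conf, which every NSS client process must be able to read; "
                        "PADL keeps root-only credentials in rootbinddn plus /etc/ldap.secret")
    if "host" in v and "uri" in v:
        findings.append(f"both host ({v['host']}) and uri ({v['uri']}) are set; they must name the same DC")
    return findings

def diff_confs(old, new):
    """Directives whose first value differs or that exist in only one config: key -> (old, new)."""
    a, b = first_values(parse_ldap_conf(old)), first_values(parse_ldap_conf(new))
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

if __name__ == "__main__":
    for name, conf in (("first", CONF_FIRST), ("second", CONF_SECOND)):
        print(f"== {name} ldap.conf ==")
        for line in lint(conf, DIRECTORY_DNS):
            print("  -", line)
    print("changed:", diff_confs(CONF_FIRST, CONF_SECOND))
```

Run it as-is to see both versions linted; pass your own ldap.conf text and the DN column of an `ldapsearch` listing to `lint()` to check that the binddn really names an object on the DC before touching anything else.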
///solved
new thing! I used this command:
    ldapsearch -x -h 10.0.5.38 -D "ldap@seth.local" -b "dc=seth,dc=local" -w ***** "sAMAcountName=test"

I mean "ldap@seth.local" instead of cn=ldap,ou=users,dc=seth,dc=local, and I have this result:

    # extended LDIF
    #
    # LDAPv3
    # base <dc=seth,dc=local> with scope subtree
    # filter: sAMAcountName=test
    # requesting: ALL
    #

    # search reference
    ref: ldap://ForestDnsZones.seth.local/DC=ForestDnsZones,DC=seth,DC=local

    # search reference
    ref: ldap://DomainDnsZones.seth.local/DC=DomainDnsZones,DC=seth,DC=local

    # search reference
    ref: ldap://seth.local/CN=Configuration,DC=seth,DC=local

    # search result
    search: 2
    result: 0 Success

    # numResponses: 4
    # numReferences: 3

And then I replaced "sAMAcountName=test" with "test@seth.local" and I have many of these; seems like it is seeing my active directory:

    # test, Users, seth.local
    dn: CN=test,CN=Users,DC=seth,DC=local

    # alex, Users, seth.local
    dn: CN=alex,CN=Users,DC=seth,DC=local

    # THINKPAD, Users, seth.local
    dn: CN=THINKPAD,CN=Users,DC=seth,DC=local

    # ldap, Computers, seth.local
    dn: CN=ldap,CN=Computers,DC=seth,DC=local

    # ldap, Users, seth.local
    dn: CN=ldap,CN=Users,DC=seth,DC=local

    # search reference
    ref: ldap://ForestDnsZones.seth.local/DC=ForestDnsZones,DC=seth,DC=local

    # search reference
    ref: ldap://DomainDnsZones.seth.local/DC=DomainDnsZones,DC=seth,DC=local

    # search reference
    ref: ldap://seth.local/CN=Configuration,DC=seth,DC=local

    # search result
    search: 2
    result: 0 Success

    # numResponses: 295
    # numEntries: 291
    # numReferences: 3

Please tell me if you see something wrong; I'll go dig more.
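An added example, not from this thread and not from OpenLDAP: a Python reader for the text ldapsearch prints, run over three constructed samples modelled on the outputs quoted in this thread. It maps the LDAP result code, decodes the "data 52e" sub-code AD attaches to a failed bind, notes when a successful search returned only referrals and zero entries, flags a filter attribute that the example's short known list does not recognise (the filter above reads sAMAcountName, missing a "c"; a filter on an attribute the server does not know matches nothing, and the server still reports Success), and points out arguments that ldapsearch swallowed as attribute names. In the outputs above, "# requesting: ldap@seth.local -W" shows that "-W" placed after the filter position became an attribute to return, and "# requesting: test@seth.local" with "# filter: (objectclass=*)" shows the 291-entry listing was the whole base under the default filter, not a match on the user. The AD sub-code table is Microsoft's documented meaning of those values; the known-attribute list is the example's own assumption.

```python
import re

# Constructed samples modelled on the ldapsearch output quoted in the thread
# (hostnames from the thread, no real credentials).
OUT_NO_BIND = """\
# extended LDIF
# base <dc=seth,dc=local> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ldap@seth.local -W

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C0906DC, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db0
"""
OUT_BAD_CREDS = """\
ldap_bind: Invalid credentials (49)
\tadditional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db0
"""
OUT_TYPO_FILTER = """\
# extended LDIF
# base <dc=seth,dc=local> with scope subtree
# filter: sAMAcountName=test
# requesting: ALL

# search reference
ref: ldap://ForestDnsZones.seth.local/DC=ForestDnsZones,DC=seth,DC=local

# search result
search: 2
result: 0 Success
# numResponses: 2
# numReferences: 1
"""

# Sub-codes AD appends as "data NNN" to an AcceptSecurityContext bind failure.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (name resolved, but password or name form rejected)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}
# Attribute names commonly used in filters against AD; the spelling heuristic
# below knows only this short list (an assumption of this example, not a schema).
KNOWN_FILTER_ATTRS = {"samaccountname", "userprincipalname", "objectclass",
                      "objectcategory", "cn", "mail", "memberof", "uid"}

def diagnose(output):
    """Turn the text ldapsearch printed into a result code, counts and findings."""
    rep = {"result_code": None, "result_text": "", "entries": 0, "references": 0,
           "filter": None, "findings": []}
    f = rep["findings"]
    m = re.search(r"^result: (\d+)\s*(.*)$", output, re.M)
    if m:
        rep["result_code"], rep["result_text"] = int(m.group(1)), m.group(2).strip()
    m = re.search(r"^ldap_bind: (.+?) \((\d+)\)$", output, re.M)   # bind failed before any search
    if m:
        rep["result_code"], rep["result_text"] = int(m.group(2)), m.group(1)
    for key in ("entries", "references"):
        m = re.search(rf"^# num{key.capitalize()}: (\d+)", output, re.M)
        if m:
            rep[key] = int(m.group(1))
    m = re.search(r"^# filter: (.+)$", output, re.M)
    if m:
        rep["filter"] = m.group(1).strip()
    code = rep["result_code"]
    if code == 1 and "bind must be completed" in output:
        f.append("server refuses an anonymous search: pass -D <binddn> with -w/-W; "
                 "ldapsearch never takes a bind password from a config file")
    elif code == 49:
        m = re.search(r"AcceptSecurityContext error, data ([0-9a-f]+)", output)
        sub = m.group(1) if m else None
        f.append(f"bind rejected by AD, data {sub}: {AD_BIND_DATA_CODES.get(sub, 'unknown sub-code')}"
                 if sub else "bind rejected: invalid credentials")
    elif code == 32:
        f.append("search base does not exist on the server that answered: check that -h/-H "
                 "points at the DC and -b is the domain DN")
    elif code == 34:
        f.append("a DN argument is not syntactically a DN (AD accepts user@domain for -D, never for -b)")
    elif code == 0 and rep["entries"] == 0:
        f.append("search succeeded but matched no entries"
                 + (f" ({rep['references']} referrals only)" if rep["references"] else ""))
    if rep["filter"]:
        for attr in re.findall(r"\(?\s*([A-Za-z][A-Za-z0-9-]*)\s*[~<>]?=", rep["filter"]):
            if attr.lower() not in KNOWN_FILTER_ATTRS:
                f.append(f"filter attribute '{attr}' is not a known attribute name; a misspelled "
                         "attribute matches nothing and the server still reports Success")
    m = re.search(r"^# requesting: (.+)$", output, re.M)
    if m and m.group(1).strip() != "ALL":
        for tok in m.group(1).split():
            if tok.startswith("-") or "@" in tok:
                f.append(f"'{tok}' was taken as an attribute to return, not as an option or filter: "
                         "options go before the filter, and a filter needs attr=value")
    return rep

if __name__ == "__main__":
    for name, out in (("no bind", OUT_NO_BIND), ("bad creds", OUT_BAD_CREDS), ("typo", OUT_TYPO_FILTER)):
        r = diagnose(out)
        print(f"[{name}] result {r['result_code']} {r['result_text']}")
        for line in r["findings"]:
            print("   -", line)
```

Pipe a real run through it (`ldapsearch ... | python3 this_script.py` after replacing the samples with `sys.stdin.read()`) and read the findings before changing ldap.conf; the order the thread's helper recommends, ldapsearch first, then the config file, is the order the checks follow.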
Excellent! I think I am connecting to the active directory after using delegation and adding the directive to use active directory in my ldap.conf.
I tried "su test", and test is on active directory... I see this error: ldapsudo: pam_ldap: error trying to bind invalid dn syntax... Trying trying trying....
first, you might consider removing your password from your post (ldapsearch) :-)
I think you can also use "referrals off" in the ldap.conf, but as far as I can read your error messages, the bind is still a problem. Are you working with 1 AD domain, or is there a trust or something? Also, you are working with MS AD, right? I cannot see into your directory, but the result from your ldapsearch doesn't return much; with "sAMAccountName=test" you should have a lot of info about the test user if it exists.
I use just one Microsoft AD on Windows Server 2008 R2; it is in the same domain and network as my ldap server. There are some things I should do with the files in /etc/pam.d, here: http://www.freebsd.org/doc/en_US.ISO...th/client.html I did it, but when I "su test" it prompts me for the password, and then the ldap password. When I enter the passwords I have the error "can not bind, invalid DN syntax". What DN syntax, I mean which file is it referring to??