LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Server (http://www.linuxquestions.org/questions/linux-server-73/)
-   -   Ldap doesn't go to search active directory / why? (http://www.linuxquestions.org/questions/linux-server-73/ldap-doesnt-go-to-search-active-directory-why-4175424161/)

samanka80 08-27-2012 02:43 AM

Ldap doesn't go to search active directory / why?
 
Hi. It's me again, working on connecting to active directory from ldap.

When I ldapsearch test@seth.local (it exists in AD) I have this result:

# extended LDIF
#
# LDAPv3
# base <dc=seth,dc=local> (default) with scope subtree
# filter: (objectclass=*)
# requesting: test@seth.local
#

# search result
search: 2
result: 32 No such object

# numResponses: 1


seems like my ldap doesn't go to search AD at all! here are my configuration:

Ldap.conf

host 10.0.5.38 //it's Ip of my active directory???? :confused:


uri ldap://ldap.seth.local/
base dc=seth,dc=local
ldap_version 3
binddn ldap@seth.local
bindpw *****
scope sub

pam_login_attribute sAMAccountName
pam_password ad
nss_base_passwd cn=users,dc=seth,dc=local?sub
nss_base_group cn=users,dc=seth,dc=local?sub
nss_base_shadow dc=seth,dc=local?sub
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber uidNumber
nss_map_attribute gidNumber gidNumber
nss_map_attribute loginShell loginShell
nss_map_attribute gecos name
pam_login_attribute sAMAccountName
pam_filter objectclass=User
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_objectclass posixGroup Group
nss_map_attribute uniqueMember posixMember
nss_map_attribute cn sAMAccountName



and here is nsswitch.conf


group: files ldap
group_compat: nis
hosts: files dns
networks: files ldap
passwd: files ldap
passwd_compat: nis
shells: files ldap
services: compat
services_compat: nis
protocols: files
rpc: files ldap


what do you think my problem is??? Please even one little tiny clue may help me :(

God bless you

lievendp 08-27-2012 03:41 AM

Hello,

first, I see no reference to shadow for ldap in you nsswitch.conf but that is not the problem you are showing.
I cannot give you a solution for this because the setup is somewhat unclear.

however, I suggest you get a little reading going about the ldap-ad integration for linux. What is the goal: authenticate linux logins with AD? Use kerberos for SSO? There are plenty of tutorials around.
ie:
http://en.gentoo-wiki.com/wiki/Activ...ion_using_LDAP
http://www.centos.org/docs/5/html/De...uthconfig.html
... I think someone already mentioned a few in one of your previous posts?

As a first step, I can suggest you read on the ldapsearch utility. This will help you troubleshoot your problem. What ldapsearch query did you try to get your beforementioned result?

Is there a firewall on the windows dc that blocks your ldapsearch query? any networks in between? Can you nmap the DC and see that the ports are open for ldap? Do you have the correct credentials etc.

kind regards.

samanka80 08-27-2012 03:54 AM

Quote:

Originally Posted by lievendp (Post 4765187)
Hello,

first, I see no reference to shadow for ldap in you nsswitch.conf but that is not the problem you are showing.
I cannot give you a solution for this because the setup is somewhat unclear.

however, I suggest you get a little reading going about the ldap-ad integration for linux. What is the goal: authenticate linux logins with AD? Use kerberos for SSO? There are plenty of tutorials around.
ie:
http://en.gentoo-wiki.com/wiki/Activ...ion_using_LDAP
http://www.centos.org/docs/5/html/De...uthconfig.html
... I think someone already mentioned a few in one of your previous posts?

As a first step, I can suggest you read on the ldapsearch utility. This will help you troubleshoot your problem. What ldapsearch query did you try to get your beforementioned result?

Is there a firewall on the windows dc that blocks your ldapsearch query? any networks in between? Can you nmap the DC and see that the ports are open for ldap? Do you have the correct credentials etc.

kind regards.


Hi.

Really thanks for your reply. I have actually been digging into this for a month, I use freebsd 9 and using kerberos, kerberos is working fine and I use the comment "ldapsearch myuser" and I have the ticket, even for the ldap bind acount... acuallyy I think somehow ldap is just searching it's table not active directory's, when I "getent passwd <AD username>" I have no errors, just empty, I think it's showing just ldap tables... I have also used the line "auth sufficient /usr/local/lib/pam_ldap.so" in pam.d services I need, I am still reading and testing, but I really need oponions and links just like what you send me. please if there is any other thing let me know.... thanks...

by the way I changed my etc/ldap.conf to this:

host 10.0.5.38
uri ldap://ldap.seth.local/
base dc=seth,dc=local
binddn cn=ldap,dc=seth,dc=local
bindpw *****
scope sub
ssl no
nss_base_passwd dc=seth,dc=local
nss_base_shadow dc=seth,dc=local
nss_base_group dc=seth,dc=local
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
pam_login_attribute sAMAccountName
pam_filter objectclass=User
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute cn cn


I think somewhere there is a problem with my ldap.conf. but I am not sure...

lievendp 08-27-2012 04:08 AM

here's an example ldapsearch query to manually check if you can get the info from AD:

ldapsearch -x -h <ip-of-windows-DC> -D "<bind-dn>" -b "<base for search>" -w <password> "<filter>"
where it should look a little like this (example, adapt to your environment)
<binddn> : "cn=ldapuser,ou=users,dc=example,dc=com"
<base> : "dc=example,dc=com"
<filter> : "sAMAcountName=username"

at least the ldapsearch should give you the ad-info for the user you lookup. (username)

samanka80 08-27-2012 04:26 AM

Hi again... I did this:

ldapsearch -h seth.local ldap@seth.local -W
# extended LDIF
#
# LDAPv3
# base <dc=seth,dc=local> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ldap@seth.local -W
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C0906DC, comment: In order to perform this ope
ration a successful bind must be completed on the connection., data 0, v1db0


seems like I really have problem with my ldap.conf. it seems fine but apparantly ldap is not using it, I had to use "-h seth.local" to force ldap connect to the server and it is not using the credentials I have defined in ldap.conf :( still digging...

lievendp 08-27-2012 04:29 AM

You are not giving any bind credentials etc. to your ldapsearch.
The error clearly states that you cannot do a successfull bind to AD. Forget about the ldap.conf for now, you will have to get a result from ldapsearch with the info I provided, then you can use the info from the ldapsearch into your ldap.conf.

Is seth.local the dns name of your ad server? try with the ip as host: -h "<ip-of-windc>"

samanka80 08-27-2012 04:32 AM

Quote:

Originally Posted by lievendp (Post 4765208)
here's an example ldapsearch query to manually check if you can get the info from AD:

ldapsearch -x -h <ip-of-windows-DC> -D "<bind-dn>" -b "<base for search>" -w <password> "<filter>"
where it should look a little like this (example, adapt to your environment)
<binddn> : "cn=ldapuser,ou=users,dc=example,dc=com"
<base> : "dc=example,dc=com"
<filter> : "sAMAcountName=username"

at least the ldapsearch should give you the ad-info for the user you lookup. (username)

You mean something like this??

ldapsearch -x -h seth.local -D "cn=ldap,ou=users,dc=seth,dc=local" -b "dc=seth,dc=local" -w //I used bind passwd here// "sAMAcountName=test"

after using the command I have this error:

ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db0

:(

by the way, ldap is my bind account and test is just some user...

and -h ip address gives me the same error...

samanka80 08-27-2012 04:36 AM

Can you review my ldap.conf?? is there anything else anywhere I should config?? by the way seems like my ports on server are open. here is the result of nmap... are they enough??

PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
111/tcp open rpcbind
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
515/tcp open printer
593/tcp open http-rpc-epmap
636/tcp open ldapssl
683/tcp open corba-iiop
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
49159/tcp open unknown

lievendp 08-27-2012 04:46 AM

The ports are ok (I suspected as much because your windows pc's can authenticate)

but the ldapsearch error is still with the credentials.
-D "cn=ldap,ou=users,dc=seth,dc=local" => is this ldap user realy there?? you have to check in your AD. I see "binddn cn=ldap,dc=seth,dc=local" in your ldap.conf which is different from what you type at the ldapsearch.

If you don't want to type your ldap password in cleartext on the commandline, you can use the "-W" instead of "-w".

Only if the ldapsearch works, you can start worying abt. your ldap.conf file.

As far as I can see, there is no problem with the ldap.conf. However, I see no "pam_password ad" directive.

samanka80 08-27-2012 05:11 AM

Quote:

Originally Posted by lievendp (Post 4765228)
The ports are ok (I suspected as much because your windows pc's can authenticate)

but the ldapsearch error is still with the credentials.
-D "cn=ldap,ou=users,dc=seth,dc=local" => is this ldap user realy there?? you have to check in your AD. I see "binddn cn=ldap,dc=seth,dc=local" in your ldap.conf which is different from what you type at the ldapsearch.

If you don't want to type your ldap password in cleartext on the commandline, you can use the "-W" instead of "-w".

Only if the ldapsearch works, you can start worying abt. your ldap.conf file.

As far as I can see, there is no problem with the ldap.conf. However, I see no "pam_password ad" directive.

Yes, the ldap user is really there... I just checked with "ou=users" and without it, none worked... should I use it or not, coz ldap user is really in users container. besides, I hadn't used deligation for my bind account, here is the page I used to give deligation for my domain to ldap right now::

http://www.advproxy.net/ldapads.html

But still can't have any result from ldapsearch

I had the directive "pam_password ad" but as I changed my configuration multiple times it is missed this time. I used this help for my current config:

http://blog.scottlowe.org/2007/07/09...2008/#comments

samanka80 08-27-2012 05:23 AM

///solved

samanka80 08-27-2012 05:42 AM

new thing! I used this command:

ldapsearch -x -h 10.0.5.38 -D "ldap@seth.local" -b "dc=seth,dc=local" -w ***** "sAMAcountName=test"
I mean "ldap@seth.local" instead of cn=ldap,ou=users,dc=seth,dc=local and have this result:



# extended LDIF
#
# LDAPv3
# base <dc=seth,dc=local> with scope subtree
# filter: sAMAcountName=test
# requesting: ALL
#

# search reference
ref: ldap://ForestDnsZones.seth.local/DC=ForestDnsZones,DC=seth,DC=local

# search reference
ref: ldap://DomainDnsZones.seth.local/DC=DomainDnsZones,DC=seth,DC=local

# search reference
ref: ldap://seth.local/CN=Configuration,DC=seth,DC=local

# search result
search: 2
result: 0 Success

# numResponses: 4
# numReferences: 3

and then I replaced "sAMAcountName=test" with "test@seth.local" and I have many of this: seems like it is seeing my active directory.


# test, Users, seth.local
dn: CN=test,CN=Users,DC=seth,DC=local

# alex, Users, seth.local
dn: CN=alex,CN=Users,DC=seth,DC=local

# THINKPAD, Users, seth.local
dn: CN=THINKPAD,CN=Users,DC=seth,DC=local

# ldap, Computers, seth.local
dn: CN=ldap,CN=Computers,DC=seth,DC=local

# ldap, Users, seth.local
dn: CN=ldap,CN=Users,DC=seth,DC=local

# search reference
ref: ldap://ForestDnsZones.seth.local/DC=ForestDnsZones,DC=seth,DC=local

# search reference
ref: ldap://DomainDnsZones.seth.local/DC=DomainDnsZones,DC=seth,DC=local

# search reference
ref: ldap://seth.local/CN=Configuration,DC=seth,DC=local

# search result
search: 2
result: 0 Success

# numResponses: 295
# numEntries: 291
# numReferences: 3


Please tell me if you see something wrong, I go digg more.

samanka80 08-27-2012 05:57 AM

Excellent! I think I am connecting the active directory after using deligation and adding the directive to use active directory in my ldap.conf.

I tried "su test" and test is on active directory... I see this error::

ldapsudo: pam_ldap: error trying to bind invalid dn syntax...

Trying trying trying....

lievendp 08-27-2012 06:41 AM

first, you might consider removing your password from your post (ldapsearch) :-)

I think you can use also "referrals off" in the ldap.conf but as far as I can read your error messages: the bind is still a problem.

Are you working with 1 AD domain or is there a trust or something? Also, you are working with MS AD, right?

I cannot see in your directory but the result from your ldapsearch don't return much, with "sAMAccountName=test", you should have a lot of info about the test user if it exists.

samanka80 08-27-2012 07:05 AM

Quote:

Originally Posted by lievendp (Post 4765305)
first, you might consider removing your password from your post (ldapsearch) :-)

I think you can use also "referrals off" in the ldap.conf but as far as I can read your error messages: the bind is still a problem.

Are you working with 1 AD domain or is there a trust or something? Also, you are working with MS AD, right?

I cannot see in your directory but the result from your ldapsearch don't return much, with "sAMAccountName=test", you should have a lot of info about the test user if it exists.

yes, I have a lot of results, almost all my active directory!

I use just one AD microsoft on win server 2008 r2 it is in the same domain an network as my ldap server.

there are some things I should do with the files in /etc/pam.d, here:

http://www.freebsd.org/doc/en_US.ISO...th/client.html

I did it, but when I "su test" it prompts me the password, and then the ldap password. when I enter the passwords I have the error can not bind, invalid DN syntax. what DN syntax, I mean in which file it is refering to??


All times are GMT -5. The time now is 03:14 AM.