Download your favorite Linux distribution at LQ ISO.
Go Back > Forums > Enterprise Linux Forums > Linux - Enterprise
User Name
Linux - Enterprise This forum is for all items relating to using Linux in the Enterprise.


  Search this Thread
Old 09-08-2006, 09:51 AM   #1
LQ Newbie
Registered: Feb 2006
Posts: 10

Rep: Reputation: 0
authenticating fedora against ms active directory


I'm trying to get a fedora core 5 box authenticated against an active directory server in our company. I've followed examples from several sources and still can not get a proper response from ldapsearch or getent.

The AD server is a 2k3 box, sp1, with ms SFU 3.5 running on the system. A generic user for binding has been created.

I can use ldap browser\editor v2.8.2 with the same credentials on the fedora machine to connect to and browse the directory, however, when I try a simple 'ldapsearch -x ""' this is the response I get:

# extended LDIF
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting:

# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this ope
ration a successful bind must be completed on the connection., data 0, vece

# numResponses: 1

For simplicity, I'm starting with a stripped down ldap.conf in /etc/openldap that includes the following:

base dc=company,dc=corp
binddn CN=LDAPSvc,CN=Users,DC=company,DC=corp
bindpw secret

Openldap packages installed are the following:


Does anyone have any idea why I'm not able to connect using the command line tools but the ldap browser app works? Thanks in advance
Old 09-08-2006, 10:04 AM   #2
LQ Newbie
Registered: Feb 2006
Posts: 10

Original Poster
Rep: Reputation: 0

I tried passing the binddn from the command line to ldapsearch with the following command:

ldapsearch -x -b "dc=company,dc=corp" -W -D "CN=LDAPSvc,CN=Users,DC=company,DC=corp"

and then entering the passwd when prompted. This gets me the expected responses, which leaves me wondering why it's not reading it from the file?

perms on /etc/openldap/ldap.conf are 0644 and the directory is 0755. I'm guessing that it can read at least some of the file if it's getting the host out of there since I'm not passing that on the command line.

Any suggestions?
Old 09-08-2006, 07:41 PM   #3
Registered: Sep 2003
Location: Central Coast, California
Posts: 179

Rep: Reputation: 30
I'm actually working on the same project but, w/ FC4.

This tut got me started.

However, there is one line in the ldap.conf file that's wrong.

change the value of "binddn" to just the username of your ldap binding user

Change this...
binddn cn=dirsearch,cn=Users, dc=lanrx,dc=com

To this...

binddn dirsearch

I would also move this "dirsearch" user to the guest group in AD and any other restrictions
that you can think of.

After that it should work perfectly(w/ out SSL though).

At the moment I have dovecot(imaps/pop3s),sendmail,local login, and SSH using PAM to auth to AD on Win2K all over SSL. It IS possible!


Here are some other tuts that I've found helpful
Old 09-11-2006, 08:44 AM   #4
LQ Newbie
Registered: Feb 2006
Posts: 10

Original Poster
Rep: Reputation: 0
same problems

I tried with just the username in the binddn and I'm still getting the same response: no search results returned without the complete command line posted earlier. getent passwd <username> returns nothing either, although it takes a few minutes for it to complete. (exit code returned from getent is 2)

By the way, shortening basedn and the binddn on the command line to just the user also works:

ldapsearch -x -W -b "dc=company,dc=corp" -D ldapsvc

and even this works:

ldapsearch -x -W

so it looks like the binddn is being read, but not the password.

Last edited by paulgnyc; 09-11-2006 at 09:07 AM.
Old 09-11-2006, 06:21 PM   #5
Registered: Sep 2003
Location: Central Coast, California
Posts: 179

Rep: Reputation: 30
Perhaps your /etc/pam.d/system-auth password section is misconfigured.

Look through the docs and see how they configure it.

Mine looks like this
password requisite /lib/security/$ISA/ retry=3
password sufficient /lib/security/$ISA/ nullok use_authtok md5
password sufficient /lib/security/$ISA/ use_authtok
password required /lib/security/$ISA/
Old 09-15-2006, 08:25 AM   #6
LQ Newbie
Registered: Feb 2006
Posts: 10

Original Poster
Rep: Reputation: 0

found a link that was a great resource, just wanted to post it back here in case anyone is having the same issue:
Old 10-26-2006, 07:41 AM   #7
LQ Newbie
Registered: Oct 2006
Distribution: Ubuntu RHEL SLES Debian Backtrack
Posts: 12

Rep: Reputation: 0
omg wrong thread..

sry again

delete me.


directory, ldap

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Authenticating Against Active Directory LDAP Question pyotr1 Linux - General 2 09-30-2006 06:25 PM
Authenticating Linux Active Directory paul_mat Red Hat 2 09-30-2006 06:24 PM
Authenticating Linux against Windows 2003 Active Directory Builder Linux - Enterprise 26 08-30-2005 03:56 AM
Problems authenticating to Active Directory eantoranz Linux - Networking 3 08-02-2005 04:11 PM
Authenticating DB2 ODBC users against Active Directory bmeckle AIX 2 07-06-2005 10:46 AM > Forums > Enterprise Linux Forums > Linux - Enterprise

All times are GMT -5. The time now is 05:57 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration