LinuxQuestions.org

Linux - Newbie: Configuring Active Directory users authentication on Cent-OS boxes (https://www.linuxquestions.org/questions/linux-newbie-8/configuring-active-directory-users-authentication-on-cent-os-boxes-4175433452/)

skimeer 10-22-2012 03:26 AM

Configuring Active Directory users authentication on Cent-OS boxes
 
Hello,

I am trying to authenticate AD users on a Cent-OS box. I have installed AD on my test machine. From Cent-OS, I can do an ldapsearch on it.

However, when I try to authenticate users it gives an error in /var/log/messages as

Code:

failed to bind to LDAP server ldap://10.55.199.117/: Server is unwilling to perform

Also, I have some basic questions on this scenario:

1. Is configuring Kerberos authentication required for this setup to work?
2. Does the machine need to be added to AD for users to get authenticated? That is, do I need to add DNS server entries in /etc/resolv.conf?

acid_kewpie 10-22-2012 03:30 AM

1. No, not at all. You can do the entire thing with just LDAP.
2. No.

Given you're not using SSL there, I would generically say look at the LDAP request being done and compare that to your manual bind, using Wireshark.

skimeer 10-22-2012 03:53 AM

Hi acid_kewpie,

Thanks for clearing my doubt. I am now installing wireshark and will check with that.

I have tried with a new machine pointing to the same AD. I have used authconfig-tui to enable the authentication. Now when I try to use
Code:

getent passwd

It does not list AD users and /var/log/messages shows the errors below:
Code:

Oct 22 10:12:36 br0212 su: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Oct 22 10:12:40 br0212 su: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Oct 22 10:12:48 br0212 su: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
Oct 22 10:13:04 br0212 su: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...


My /etc/ldap.conf, with commented lines removed, is as below:

Code:

base dc=test,dc=com
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
uri ldap://10.55.199.114/
tls_cacertdir /etc/openldap/cacerts
pam_password md5

Does /etc/ldap.conf have any issues?

acid_kewpie 10-22-2012 04:32 AM

Well, you already have 2 different IP addresses in use there, .114 vs .117... what's that about? There are no bind credentials there; is AD allowing anonymous binds?

skimeer 10-22-2012 04:40 AM

Hi acid_kewpie,

Sorry for the confusion. Actually, .117 is the OpenLDAP server and .114 is the AD server. Earlier, similar messages were coming for .117 also, but that was an issue with my network: from my client I was not able to reach .117 on port 389. After resolving that, my authentication with OpenLDAP is working fine.

Now I want to do the same with AD. But I am getting the above messages.

To get the dump, I have tried the tcpdump command on the client end [Cent-OS]. When I tried tcpdump, it does not show any messages. However, /var/log/messages gives
Code:

Oct 22 11:04:18 br0212 nscd: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
Oct 22 11:04:19 br0212 tcpdump: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
Oct 22 11:04:19 br0212 tcpdump: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
Oct 22 11:04:19 br0212 tcpdump: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...
Oct 22 11:04:20 br0212 tcpdump: nss_ldap: could not search LDAP server - Server is unavailable
Oct 22 11:04:20 br0212 kernel: device eth0 left promiscuous mode
Oct 22 11:04:21 br0212 kernel: device eth0 entered promiscuous mode
Oct 22 11:04:26 br0212 tcpdump: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Oct 22 11:04:30 br0212 tcpdump: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Oct 22 11:04:34 br0212 nscd: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
Oct 22 11:04:38 br0212 tcpdump: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
Oct 22 11:04:54 br0212 tcpdump: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...


acid_kewpie 10-22-2012 04:42 AM

tcpdump won't decode the LDAP protocol; you really need to capture with wireshark / tshark / tcpdump and look at the capture in Wireshark.

So can you do an ldapsearch to AD or not??

skimeer 10-22-2012 04:46 AM

Hi,

Ok, will take capture in file and check.

Yes, my ldapsearch is working with AD:

Code:

[root@DevMMC2 ~]# ldapsearch -x -LLL -D 'test\Administrator' -H  ldap://10.55.199.114 -b "dc=test,dc=com" -w '$unsolaris123' "(cn=pradip)"
dn: CN=pradip,CN=Users,DC=test,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: pradip
givenName: pradip
distinguishedName: CN=pradip,CN=Users,DC=test,DC=com
instanceType: 4
whenCreated: 20121019085606.0Z
whenChanged: 20121019085835.0Z
displayName: pradip
uSNCreated: 16764
memberOf: CN=test1,CN=Users,DC=test,DC=com
uSNChanged: 16787
name: pradip
objectGUID:: Itw7DxX+k06dgZjduugpEg==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 129951105661512658
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA7o8yjRVCYHR3V485XwQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: pradip
sAMAccountType: 805306368
userPrincipalName: pradip@test.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=test,DC=com
dSCorePropagationData: 20121022084440.0Z
dSCorePropagationData: 16010101000001.0Z
unixUserPassword: ABCD!efgh12345$67890
uid: pradip
msSFU30Name: pradip
msSFU30NisDomain: test
uidNumber: 10005
gidNumber: 10000
unixHomeDirectory: /home/pradip
loginShell: /bin/sh

# refldap://test.com/CN=Configuration,DC=test,DC=com


acid_kewpie 10-22-2012 04:47 AM

Right, so you have a binddn there but none in ldap.conf; sounds like a good starting point.

skimeer 10-22-2012 05:25 AM

Added an entry in /etc/ldap.conf:

Code:

binddn cn=Administrator,cn=users,dc=test,dc=com

But I get the same error messages.

acid_kewpie 10-22-2012 05:33 AM

is there a password?

I'd suggest you look at wireshark to see the difference in the two queries, it's so useful.

skimeer 10-22-2012 06:02 AM

Yes, AD has a password set for Administrator. But I have enabled anonymous access on AD. Do we need to pass it from the client using any file?

Wireshark is not giving much info on packets, I am debugging that further.

acid_kewpie 10-22-2012 06:08 AM

LDAP on port 389: Wireshark will break it all down very nicely, you'll get more information about the LDAP queries than you thought existed in the first place. Unless you've got TLS running on it too, but that's probably not the case.

skimeer 10-22-2012 10:53 AM

Well, I might have got the cause.

Below is the tcpdump extract for two queries with AD.

1. Successful ldapsearch command.

Code:

0+...`&.....test\Administrator.
$unsolaris1230........a.....
......04...c/..dc=test,dc=com
..
...............cn..pradip0.0....V...d....M.!CN=pradip,CN=Users,DC=test,DC=com0....$0....<..objectClass1....)..top..person..organizationalPerson..user0.......cn1.......pradip0.......title1.......ldap-support0.......givenName1.......pradip0....<..distinguishedName1....#.!CN=pradip,CN=Users,DC=test,DC=com0.......instanceType1.......40....&..whenCreated1.......20121019085606.0Z0....&..whenChanged1.......20121022120950.0Z0.......displayName1.......pradip0......
uSNCreated1.......167640....^..memberOf1....N.*CN=seachange-login,CN=Users,DC=test,DC=com. CN=test1,CN=Users,DC=test,DC=com0......
uSNChanged1.......173180.......name1.......pradip0....$.
objectGUID1.......".;....N......).0....!..userAccountControl1.......660480.......badPwdCount1.......00.......codePage1.......00.......countryCode1.......00.......badPasswordTime1.......00......
lastLogoff1.......00.......lastLogon1.......00....&.
pwdLastSet1.......1299511056615126580.......primaryGroupID1.......5130..../..objectSid1.....................2..B`twW.9_...0....+..accountExpires1.......92233720368547758070......
logonCount1.......00.......sAMAccountName1.......pradip0....!..sAMAccountType1.......8053063680....*..userPrincipalName1.......pradip@test.com0....K..objectCategory1....5.3CN=Person,CN=Schema,CN=Configuration,DC=test,DC=com0....C..dSCorePropagationData1....&..20121022084440.0Z..16010101000001.0Z0.......unixUserPassword1.......ABCD!efgh12345$678900.......uid1.......pradip0.......msSFU30Name1.......pradip0.......msSFU30NisDomain1.......test0.......uidNumber1.......100050.......gidNumber1.......100010....'..unixHomeDirectory1......./home/pradip0......
loginShell1......./bin/sh0....:...s....1./ldap://test.com/CN=Configuration,DC=test,DC=com0........e.....
......0....B.

2. Failed su command

Code:

04...`/....(cn=Administrator,cn=users,dc=test,dc=com..0........a.....
......0.....c....dc=test,dc=com
..
.......x....,....objectClass..posixAccount.
..uid..vikram0i..uid..userPassword..uidNumber..gidNumber..cn.
homeDirectory.
loginShell..gecos..description..objectClass0........e.....
..........000004DC: LdapErr: DSID-0C0906DC, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db0.0....B


I have observed two things:

1. For the su request it's not able to bind with AD, maybe because it's not getting the password.
2. The search query for su is with the filter (&(objectclass=posixAccount)(uid=pradip))

Hence:

1. Need to pass the password for the Administrator bind.
2. Somehow AD users are not POSIX enabled, so I need to enable them.

Please comment on this if I am shooting in the wrong direction :)

acid_kewpie 10-22-2012 01:44 PM

Yet again, please use Wireshark to inspect the captures.

Although even from that binary garbage you can see you need to do a bind.

skimeer 10-22-2012 02:02 PM

Yes, I have used Wireshark, but pasted the results which I get using the 'Follow TCP stream' option.

Anyways, now the issue is with the bind with AD. I have googled and found that maybe I have to pass the password through /etc/ldap.conf. However, I have enabled anonymous users to have read access on AD.

Is there any other things to be checked?

acid_kewpie 10-22-2012 04:08 PM

Don't follow the stream, expand the protocol sub trees.

Clearly the anonymous bind setting is not sufficient. You've an error message which gives back pages and pages of search results in Google, so plenty of other people have been in your position. Without digging into it, I don't know if it's an AD or LDAP client issue, but I would personally look to create a dedicated bind user and configure ldap.conf to use that read-only user account.

skimeer 10-23-2012 07:07 AM

Now I have my /etc/ldap.conf like below... but it's still failing.

Code:

[root@DevMMC2 ~]# grep -v '#' /etc/ldap.conf


base cn=users,dc=test,dc=com
binddn cn=Administrator,cn=users,dc=test,dc=com
bindpw $unsolaris123
rootbinddn cn=Administrator,cn=users,dc=test,dc=com
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_base_passwd dc=test,dc=com?sub
nss_base_shadow dc=test,dc=com?sub
nss_base_group  dc=test,dc=com?sub
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute cn msSFUName
nss_map_attribute uid msSFUName
nss_map_attribute gid gidNumber
nss_map_attribute gecos sAMAccountName
nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_attribute uniqueMember Member
pam_login_attribute msSFUName
pam_filter objectclass=user
pam_password ad
uri ldap://10.55.199.114
pam_password md5
ssl no
tls_cacertdir /etc/openldap/cacerts


acid_kewpie 10-23-2012 07:16 AM

I don't like the look of a $ in the password, but yet yet again, look in Wireshark! Expand the subtrees like in this picture... http://code.google.com/p/protobuf-wireshark/

skimeer 10-23-2012 09:04 AM

I use this password to satisfy the Windows criteria for a complex password. However, I can try with a simple one also.

From Wireshark, as we confirmed, it's because the bind is not successful. I have compared the bind requests for both ldapsearch and su. I have attached screenshots for that.

acid_kewpie 10-23-2012 02:48 PM

OK, so you need to look at the output yourself, not post screenshots. Look at the *responses*, one from ldapsearch and one from, say, getent passwd, with what you perceive to be the same details, and compare them.

skimeer 10-29-2012 08:37 AM

Finally I got it working. There were many issues, but the important one was providing proper mapping values in /etc/ldap.conf and the bind DN and its password.

acid_kewpie, thanks for all your help.
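The thread ends on two fixes: the attribute map in /etc/ldap.conf had to match what AD actually returns, and the client had to bind with credentials. The script below is an added example, not code posted in the thread or shipped with nss_ldap. It takes an nss_ldap-style ldap.conf and the LDIF of one user (both constructed here from values shown on this page; the attribute names are the ones AD returned for "pradip" in the ldapsearch output, the password is a placeholder) and lists every nss_map_attribute target that the user entry does not carry, so a bad map shows up before getent passwd returns nothing. It also checks whether a file carrying bindpw is world-readable. The helper names are my own.

```sh
#!/bin/sh
# Added example: sanity-check an nss_ldap ldap.conf against the attributes AD
# really returned for a user, and flag a bind password in a world-readable file.

# Constructed sample: the map from the ldap.conf posted in the thread, minus the
# group mapping (uniqueMember) which is not a user-entry attribute. The password
# is a placeholder, not the one from the thread.
LDAP_CONF_SAMPLE='base cn=users,dc=test,dc=com
binddn cn=Administrator,cn=users,dc=test,dc=com
bindpw REPLACE_WITH_BIND_PASSWORD
nss_map_objectclass posixAccount user
nss_map_attribute uid msSFUName
nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_attribute gecos sAMAccountName
nss_map_attribute gid gidNumber
uri ldap://10.55.199.114'

# Constructed sample: the POSIX-relevant attributes AD returned for "pradip".
LDIF_SAMPLE='dn: CN=pradip,CN=Users,DC=test,DC=com
objectClass: user
cn: pradip
sAMAccountName: pradip
uid: pradip
msSFU30Name: pradip
uidNumber: 10005
gidNumber: 10000
unixHomeDirectory: /home/pradip
loginShell: /bin/sh'

# missing_mapped_attrs CONF LDIF
# Prints each nss_map_attribute target that does not appear as an attribute in
# the LDIF (compared case-insensitively, as LDAP attribute names are).
# Returns 1 if anything is missing, 0 if every mapped attribute is present.
missing_mapped_attrs() {
    conf="$1"; ldif="$2"
    # attribute names present in the entry: text before the first ':' on
    # "attr: value" and "attr:: base64" lines
    attrs=$(printf '%s\n' "$ldif" \
        | awk -F: '/^[A-Za-z0-9-]+::? /{print tolower($1)}' | sort -u)
    rc=0
    for target in $(printf '%s\n' "$conf" | awk '$1=="nss_map_attribute"{print $3}'); do
        if ! printf '%s\n' "$attrs" | grep -qix "$target"; then
            echo "$target"
            rc=1
        fi
    done
    return $rc
}

# bindpw_is_protected FILE
# Returns 0 if FILE holds no bindpw line or is not readable by "other";
# returns 1 if a bindpw sits in a world-readable file.
bindpw_is_protected() {
    f="$1"
    grep -q '^bindpw' "$f" || return 0
    [ -z "$(find "$f" -perm -004 2>/dev/null)" ]
}

# Demo run on the constructed samples.
echo "mapped attributes the user entry does not carry:"
missing_mapped_attrs "$LDAP_CONF_SAMPLE" "$LDIF_SAMPLE" \
    || echo "-> fix these before expecting getent passwd to list AD users"

tmp=$(mktemp)
printf '%s\n' "$LDAP_CONF_SAMPLE" > "$tmp"
chmod 644 "$tmp"   # the usual mode of /etc/ldap.conf
if bindpw_is_protected "$tmp"; then
    echo "bind password is not world-readable"
else
    echo "bindpw is in a world-readable file: use a dedicated read-only bind account"
fi
rm -f "$tmp"
```

On the page's own data the check reports msSFUName and msSFUHomeDirectory: the entry carries msSFU30Name and unixHomeDirectory instead, which is the mapping mismatch the final post alludes to. The permission check is the reason behind acid_kewpie's advice to create a dedicated read-only bind user: nss_ldap reads bindpw from /etc/ldap.conf for every non-root process doing an NSS lookup, so that file has to stay world-readable, and whatever account's password sits there is exposed to every local user. rootbinddn (already present in the posted config) takes its password from /etc/ldap.secret (mode 0600) but only applies to lookups made by root.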

