Old 08-27-2012, 07:52 AM   #16
lievendp
what distro are you using?
if you are using rhel or centos or scientific linux or the like, you might want to take a look at authconfig-tui command / wizard to setup your ldap pam. (rhel 5? 6?)

From the error you show me, it looks like the system is really expecting a binddn in DN format which means "dn=<username>,[ou=somewhere],[...],dc=seth,dc=local"

if -D "<dnname>" does not work but -D "username@domain" does then it means that you are not correctly writing the dnname that refers to "username@domain". ldapsearch won't care if you use the <username>@<domain> format but maybe ldap.conf does.
 
Old 08-27-2012, 09:40 AM   #17
samanka80
Original Poster
Quote: Originally Posted by lievendp
hmmm.... this can be right... I am going to test it tomorrow, I am somewhere else now... but the thing is that sometimes I can su some users from AD, sometimes it prompts for password... that's why I am not sure... hasta luego and thanks for all your help
 
Old 08-27-2012, 10:28 AM   #18
lievendp
You having to give a password for an ldap/ad user should have nothing to do with the ldap setup (correct me if wrong)

ldap authentication can be used without any kerberos or winbind or ntlm or whatever. First get the normal authentication going by using the authconfig-tui tool (if rhel-derivative) and verifying the nsswitch.conf and ldap.conf and /etc/openldap/ldap.conf files. Verify that the DN's are correct for the binddn parameter in ldap-format.

instead of using su to test, maybe try with getent like here:
[root@test ~]# cat /etc/passwd | grep username
[root@test ~]# getent passwd username
username:*:5002:1001:username:/home/username:/bin/sh
=> the passwd should not contain the user
=> getent shows the user from ldap/ad.

Now, if you correctly configured the aforementioned files, you should not be asked for an authentication password when you do as root: su <domainusername>
The binddn and passwd you configured are used to bind to AD and because you are root, you can be anybody else without giving any passwords. (it's about setuid: just changing the userid)
Which brings me to this point: did you enable unix-attributes in AD? I'm not sure they are needed per se but they will allow your user to have a unix userid and groupid which you could use in sudo.

Another thing: in ldap.conf, you also have the nss_base filters which filter your logins. for testsetup, you can remove them to see if they give any trouble.

pam is configured automagically by authconfig-tui.

Last edited by lievendp; 08-27-2012 at 10:29 AM.
 
Old 08-28-2012, 02:33 AM   #19
samanka80
Original Poster
Hi! Thanks, really thanks for your replies!

Actually I think I didn't make myself clear. First, I am using FreeBSD 9. See... this is what happens:

I am logged in with the user "negar" which is a local wheel user. So I can sudo. I "su alex" and alex is an active directory user. I have no problem and I am logged in and have the prompt:

[root@ldap /usr/local/etc/openldap]# su alex
$
$ whoami
alex

Then, with alex I try to sudo, I have the password prompt:
$ sudo ls
Password:
LDAP Password:
and I have the "pam_ldap: error trying to bind (invalid DN syntax)"
Maybe it's because alex is not in wheel group. This is my problem. I need to sudo with users in active directory.

I really appreciate if you share some clue with me. I am going to try and also waiting to hear from you :X
 
Old 08-28-2012, 03:30 AM   #20
lievendp
If you want to use sudo with AD-users, you just have to modify the /etc/sudoers file or whatever it is called on freebsd. On linux you can use the visudo command as root to change this file which is the secure and recommended way.

Now, the only way I know how to use the ad-users for sudo is as follows:
1) go to AD and enable unix-attributes
2) make sure you have given non-root userid's (uid) to your ad user (alex)
3) create a group in AD and give it unix-attributes and give it a unix groupid (gid)
4) you don't have to add alex to the group in AD-way, you just have to go to the unix attributes of alex and give him the gid of this newly created ad-group. (I think it's a dropdown box anyway)
5) do visudo and add this group to the file: example: %linuxadmins ALL=(ALL) ALL where linuxadmins is the name of the unix-enabled ad-group.

Now an important remark about ad-users in linux/unix: use NSS filters in ldap.conf that block access for ad-users with system uid's (probably all id's less than 1000 I guess)
Otherwise, anybody who is admin in AD can change his unix uid in ad to "0" and be root on your server when he/she logs in with the ad account.

hope this helps.
 
Old 08-28-2012, 04:19 AM   #21
samanka80
Original Poster
Quote: Originally Posted by lievendp
I did the whole thing. I have a group named sudoers in AD and the gid is 10001

I changed the user's group to the sudoers, I mean the gid, and now have this:

[root@ldap /usr/local/etc/openldap]# getent passwd alex
alex:*:10002:10001:alex:/home/alex:/bin/sh

I put the group in sudoers like this:

## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL) ALL
%sudoers ALL=(ALL) ALL

But it still doesn't work. I don't think that I have any other problem, because I can do everything with my AD users and ldapsearch can see my whole AD, I just can't sudo...

Isn't it because of name?? Shouldn't I probably use the GID in %sudoers ALL=(ALL) ALL?? Does unix have any idea about group names in AD??
 
Old 08-28-2012, 04:31 AM   #22
lievendp
as far as I can see, your config in sudo is correct.
You don't have to worry abt. the groupname being ad, the user alex has the group id (gid) 10001 which is the only important thing in fact.
if you su alex and do id, what do you get?
Have you checked your logfiles for clues when you try to sudo with alex? Did you check with tcpdump/wireshark what gets transferred?
 
Old 08-28-2012, 04:53 AM   #23
samanka80
Original Poster
Quote: Originally Posted by lievendp
I have the error:

sudo: pam_ldap: error trying to bind (invalid DN syntax)

I really don't know what it's talking about : )) I am still trying...
 
Old 08-28-2012, 05:03 AM   #24
lievendp
yes, but what do your logfiles say when you sudo with alex?
another thing: could you please post your complete config for pam_ldap? (/usr/local/etc/ldap.conf)
 
Old 08-28-2012, 05:32 AM   #25
samanka80
Original Poster
Quote: Originally Posted by lievendp
Sure, and thanks for your help...

Here is the last time I su alex, it happens every time:


Aug 28 12:24:03 ldap su: pam_ldap: error trying to bind (Invalid DN syntax)
Aug 28 12:24:03 ldap su: in _openpam_check_error_code(): pam_sm_acct_mgmt(): unexpected return value 11
Aug 28 12:24:18 ldap sudo: pam_ldap: error trying to bind (Invalid DN syntax)

and here is my ldap.conf


host 10.0.5.38
uri ldap://ldap.seth.local/


base dc=seth,dc=local
binddn ldap@seth.local
bindpw *****
scope sub
ssl no
pam_password ad
nss_base_passwd dc=seth,dc=local?sub
nss_base_shadow dc=seth,dc=local?sub
nss_base_group dc=seth,dc=local?sub
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
pam_login_attribute sAMAccountName
pam_filter objectclass=User
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute cn cn





PS:

I added these two lines to my ldap.conf

pam_groupdn DC=seth,DC=local?sub
pam_member_attribute uniquemember

still doesn't work

Last edited by samanka80; 08-28-2012 at 06:19 AM.
 
Old 08-28-2012, 05:56 AM   #26
samanka80
Original Poster
There is also something with this pam_ldap module I am not sure about, maybe my problem is related to that. In freebsd, it is said that in all services in the pam.d directory we should add
auth sufficient /usr/local/lib/pam_ldap.so
everywhere there is a pam_unix.so

for example I have this for sshd

auth required pam_unix.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so

# account
account required pam_nologin.so
account required pam_login_access.so
account required pam_unix.so
account sufficient /usr/local/lib/pam_ldap.so

is there any configuration for pam_ldap?? I have just done that and nsswitch

group: files ldap
group_compat: nis
hosts: files dns
shadow: files ldap
sudoers: files ldaP
networks: files ldap
passwd: files ldap
passwd_compat: nis
shells: files ldap
services: compat
services_compat: nis
protocols: files
rpc: files ldap
 
Old 08-28-2012, 06:06 AM   #27
lievendp
I still think that you will have to put a CN in binddn and you have "binddn ldap@seth.local"
Now I know that ldapsearch will accept this notation but try ldapsearch with "cn=ldap,...,dc=seth,dc=local" until it works and put the cn in the binddn in ldap.conf (pam)

... => fill in the missing pieces, I don't know how your ad is organized.
 
Old 08-28-2012, 06:33 AM   #28
samanka80
Original Poster
Quote: Originally Posted by lievendp
I made it work with:

ldapsearch -x -h seth.local -D "cn=ldap,cn=Users,dc=seth,dc=local" -b "dc=seth,dc=local" -w **** "mesudo@seth.local"

and added "cn=ldap,cn=Users,dc=seth,dc=local" instead of ldap@seth.local but it still doesn't work. It's just the problem of pam, I know, but I should find out what to change...

are the other fields in ldap.conf correct?? would you please check them for me, I am not sure. here is the last version:


host 10.0.5.38
uri ldap://ldap.seth.local/
base dc=seth,dc=local
binddn cn=ldap,cn=users,dc=seth,dc=local
bindpw ******
scope sub
ssl no
pam_password ad
pam_groupdn DC=seth,DC=local?sub
pam_member_attribute uniquemember
nss_base_passwd dc=seth,dc=local?sub
nss_base_shadow dc=seth,dc=local?sub
nss_base_group dc=seth,dc=local?sub
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
pam_login_attribute sAMAccountName
pam_filter objectclass=User
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute cn cn


----------------

I checked my log and this time:

pam_ldap: error trying to bind (Invalid credentials)

I mean no other invalid DN syntax! I am sure I'm entering passwords correctly and as you see my ldap bind works... as far as I have realized one should have a pam account while using ldap single (not AD). how does it work for AD? here: http://forums.freebsd.org/showthread.php?t=18437

Last edited by samanka80; 08-28-2012 at 08:56 AM.
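Added here as an example, not code from this thread or from pam_ldap: a small Python audit of an ldap.conf for the two problems lievendp raises in #20 and #27 (a UPN rather than a DN in binddn, and nss_base_* filters with no uid/gid floor) plus the clear-text bind implied by "ssl no" in the posted config. The `base?scope?filter` form of nss_base_*, the `ssl start_tls` value and the filter attribute names are assumed from the page's own config and the pam_ldap/nss_ldap ldap.conf conventions as I know them; the DN test is a deliberately simplified shape check, not a full RFC 4514 parser.

```python
import re
# Constructed from the ldap.conf posted in #25, trimmed to the keys checked; password is a placeholder.
POSTED_CONF = """\
uri ldap://ldap.seth.local/
base dc=seth,dc=local
binddn ldap@seth.local
bindpw PLACEHOLDER
ssl no
nss_base_passwd dc=seth,dc=local?sub
nss_base_group dc=seth,dc=local?sub
"""
# The same settings with the fixes from #20 and #27 applied (constructed, assumed ldap.conf syntax).
HARDENED_CONF = """\
uri ldap://ldap.seth.local/
base dc=seth,dc=local
binddn cn=ldap,cn=Users,dc=seth,dc=local
bindpw PLACEHOLDER
ssl start_tls
nss_base_passwd dc=seth,dc=local?sub?(&(objectClass=user)(msSFU30UidNumber>=1000))
nss_base_group dc=seth,dc=local?sub?(&(objectClass=group)(msSFU30GidNumber>=1000))
"""
_RDN = r"[A-Za-z][\w.-]*=[^,]+"
_DN_RE = re.compile(r"^\s*%s(\s*,\s*%s)*\s*$" % (_RDN, _RDN))

def parse_ldap_conf(text):
    """Yield (key, value) pairs; keys lowercased, blank and comment lines skipped."""
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            yield parts[0].lower(), (parts[1] if len(parts) > 1 else "")

def is_dn(value):
    """Simplified RFC 4514 shape test: attr=value RDNs joined by commas, no escapes."""
    return bool(_DN_RE.match(value))

def has_id_floor(nss_base, attr, floor=1000):
    """True when the 'base?scope?filter' value carries an (attr>=N) term with N >= floor."""
    parts = nss_base.split("?", 2)
    if len(parts) < 3:
        return False
    m = re.search(r"\(%s>=(\d+)\)" % re.escape(attr), parts[2], re.IGNORECASE)
    return m is not None and int(m.group(1)) >= floor

def audit(text, uid_attr="msSFU30UidNumber", gid_attr="msSFU30GidNumber"):
    """Return (code, message) findings for the issues raised in the thread."""
    conf = {}
    for key, value in parse_ldap_conf(text):
        conf.setdefault(key, value)  # first occurrence wins for the keys checked here
    findings = []
    binddn = conf.get("binddn", "")
    if binddn and not is_dn(binddn):
        findings.append(("binddn-not-dn", "binddn %r is a UPN, not a DN: ldapsearch accepts it, pam_ldap reports 'Invalid DN syntax'" % binddn))
    if not has_id_floor(conf.get("nss_base_passwd", ""), uid_attr):
        findings.append(("passwd-no-uid-floor", "nss_base_passwd lacks a (%s>=1000) filter: an AD account given uid 0 becomes root" % uid_attr))
    if not has_id_floor(conf.get("nss_base_group", ""), gid_attr):
        findings.append(("group-no-gid-floor", "nss_base_group lacks a (%s>=1000) filter: an AD group given gid 0 is wheel, which sudoers trusts" % gid_attr))
    if conf.get("ssl", "no").lower() == "no":
        findings.append(("ssl-off", "ssl no: bindpw and user passwords cross the wire in clear text"))
    return findings
```

Running `audit(POSTED_CONF)` reports all four findings; `audit(HARDENED_CONF)` returns an empty list.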
 
Old 08-28-2012, 08:47 AM   #29
lievendp
not a good idea to put your bindpw password on the post :-) (again)

for your config file:
you might want to try changing
"pam_member_attribute uniquemember" to "pam_member_attribute member"
But that won't change much because afaik, this parameter is only used to restrict logins. (try anyway)

the nss_base_... is very permissive but that is ok for a dev. system
the rest looks fine to me.

your login with ad works so I assume that the pam ldap.conf cannot be your problem.


wrong credentials really means what it says. So, another point: does it still ask for 2 passwords when you do sudo alex?
Try giving the nopasswd in the sudo file for alex or the group so we can see what happens then.
There is no local account alex?

what files have you changed in pam.d directory and what are the contents?
Does sudo work for some ad users or for none?
In case you only changed the pam.d/sshd file then sudo will probably not work with ad because that file is for ssh login only.
 
Old 08-28-2012, 09:06 AM   #30
samanka80
Original Poster
Quote: Originally Posted by lievendp
Oh, I just forgot to hide my password

I moved the
auth sufficient pam_ldap.so no_warn try_first_pass
line above the one for pam_unix.so, now it doesn't ask for passwords, but still I have the wrong credential error. I changed the files for all the services, I couldn't find a specific document for every service, besides, in the pam.d files, I CAN NOT use the address, so I just created a soft-link to pam_ldap.so in /usr/lib. I don't have a local user alex, and su doesn't work for anybody. seems like I don't need to enter ldap password. I have passwords like each other in AD, can it be because of that? I can not even su from console, it can't be just the matter of ssh... do you have any configuration for files in pam.d??
 
  

