Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
I have an ldap server on FreeBSD 9 connecting to an Active Directory server, and it can see AD perfectly. I also have krb5 on my ldap server, which seems to be working fine using kinit. pam_ldap, nss_ldap and pam_krb5 are also installed.
Now, when I want to "su alex", and alex is in Active Directory, I get the error below:
Aug 30 11:06:32 ldap su: pam_ldap: error trying to bind (Invalid credentials)
Aug 30 11:06:32 ldap su: in _openpam_check_error_code(): pam_sm_acct_mgmt(): unexpected return value 11
I know that it is because of the first try at binding, maybe to the ldap server. I have been looking everywhere for it, and I realized that pam_ldap is using the same ldap.conf file. Here is my ldap.conf file:
-------------------
host 10.0.5.38 #this is the IP of Active directory server
uri ldap://ldap.seth.local/
base dc=seth,dc=local
binddn cn=ldap,cn=users,dc=seth,dc=local
bindpw *******
scope sub
ssl no
pam_password ad
pam_groupdn DC=seth,DC=local?sub
pam_member_attribute uniquemember
As pam_ldap is trying to connect to ldap (I guess), the IP address in "host 10.0.5.38" cannot work for it (should it?? am I right??). People talk about a file named pam_ldap.conf; I don't have it on my system, on FreeBSD 9. I created one in /etc, and it didn't work.
Can you please give me some detailed info about configuring pam_ldap to use ldap and connect to Active Directory?? I have read every manual I have found, but I cannot find anything useful...
If you're using pam_ldap then you won't need any Kerberos stuff at all.
Can you bind to AD manually from there? There is no "first time" status at all, don't worry about that.
Try an ldapsearch and don't worry about anything else until you know you can get a successful bind that way.
THEN, once that's done, look to update the ldap config based on what you've found, if anything, and if there's still no progress I would personally look to capture the traffic (plain ldap on 389 only, of course) and inspect the ldap operations with Wireshark, comparing pam to ldapsearch for differences.
One thing I'd mention is that you haven't said you've installed the AD extensions for UNIX? I'm not sure what they're called, but by default there is not enough data in AD to support POSIX logins.
Yes, I have done all of them. I can see my whole AD with ldapsearch; I can both ldapsearch and also getent passwd user. Are you sure about not needing Kerberos??
Is it possible to use krb5 and pam_krb5 and not use pam_ldap??
pam_ldap is used to validate a user's credentials: you use nss_ldap to get the user data from ldap and pam_ldap to check the password. These things have nothing in common; they really just coincide for a common goal. So you can use nss_ldap for the data from AD and pam_krb5 for the authentication side of things if you want. If that IS the case then you've no interest in pam_ldap in the first place. You *could* validate the password twice, but what's the point of that?
So if you can ldapsearch **BINDING AS THE CHOSEN USER**, not the generic search account (which is what's used for the nss getent goodness), then as above I would compare and contrast with Wireshark. But that's my solution for just about everything!
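The reply above says to reproduce the bind as the chosen user, and the original post asks which endpoint in ldap.conf pam_ldap actually uses. The script below is an added example for both points; it is not code from this thread or from the pam_ldap/nss_ldap project. It parses the posted ldap.conf (with the bind password replaced by a placeholder), reports the endpoint the client will use, lists settings worth tightening, and prints the two ldapsearch commands that mirror pam_ldap's own sequence: a search for the login name using the generic bind account, then a bind as the DN that search returned. The function names are my own, and the rule that `uri` takes precedence over `host` is my reading of the ldap.conf(5) page shipped with nss_ldap/pam_ldap, stated as an assumption in the code.

```python
"""Preflight for a PADL-style ldap.conf shared by nss_ldap and pam_ldap.

Added example (not pam_ldap's own code): parse the directives, report the
endpoint the client will really use, flag risky settings, and emit the two
ldapsearch commands to compare, mirroring pam_ldap's sequence of
(1) search for the user with the generic bind account and
(2) bind as the user's DN with the supplied password.
"""
import shlex

# Constructed sample modelled on the ldap.conf posted in the thread;
# the bind password is a placeholder, not a real credential.
SAMPLE_LDAP_CONF = """\
host 10.0.5.38 #this is the IP of Active directory server
uri ldap://ldap.seth.local/
base dc=seth,dc=local
binddn cn=ldap,cn=users,dc=seth,dc=local
bindpw EXAMPLE-PASSWORD-PLACEHOLDER
scope sub
ssl no
pam_password ad
pam_groupdn DC=seth,DC=local?sub
pam_member_attribute uniquemember
"""


def parse_ldap_conf(text):
    """Map directive -> value. Only lines starting with '#' are comments;
    everything after the keyword, including a trailing '#...', is the value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ''
    return conf


def effective_uri(conf):
    """Endpoint the client connects to. Assumption (our reading of the
    nss_ldap/pam_ldap ldap.conf(5) page): 'uri' overrides 'host'."""
    if conf.get('uri'):
        return conf['uri'].split()[0]
    if conf.get('host'):
        return 'ldap://%s/' % conf['host'].split()[0]
    return None


def audit(conf):
    """Return (code, message) findings a defender would want to see."""
    findings = []
    uri = effective_uri(conf) or ''
    plain = conf.get('ssl', 'off') in ('no', 'off') and not uri.startswith('ldaps://')
    if 'uri' in conf and 'host' in conf:
        findings.append(('host-and-uri',
                         "both 'host' and 'uri' are set; 'uri' wins, 'host' is ignored"))
    for key, value in conf.items():
        if '#' in value:
            findings.append(('inline-comment',
                             "'%s' has a trailing '#...': only whole-line comments are "
                             "documented, so that text is part of the value" % key))
    if plain:
        findings.append(('cleartext-bind',
                         "simple bind over plain ldap:// sends every login password in "
                         "cleartext on port 389; use 'ssl start_tls' or an ldaps:// uri"))
    if conf.get('pam_password') == 'ad' and plain:
        findings.append(('ad-password-needs-tls',
                         "AD only accepts unicodePwd changes on a TLS-protected "
                         "connection, so 'pam_password ad' cannot work with 'ssl no'"))
    if 'bindpw' in conf:
        findings.append(('bindpw-in-conf',
                         "bind password lives in ldap.conf; keep the file unreadable to "
                         "others, or use rootbinddn with the root-only secret file"))
    if conf.get('pam_member_attribute', '').lower() == 'uniquemember':
        findings.append(('member-attr',
                         "AD groups list members in 'member', not 'uniquemember'"))
    return findings


def repro_commands(conf, login_name):
    """Shell commands reproducing pam_ldap's search-then-bind, for manual comparison."""
    uri = effective_uri(conf)
    attr = conf.get('pam_login_attribute', 'uid')  # pam_ldap's documented default
    search = ['ldapsearch', '-x', '-H', uri, '-D', conf['binddn'], '-W',
              '-b', conf['base'], '-s', conf.get('scope', 'sub'),
              '(%s=%s)' % (attr, login_name), 'dn']
    user_dn = '<DN returned by the first search>'
    user_bind = ['ldapsearch', '-x', '-H', uri, '-D', user_dn, '-W',
                 '-b', user_dn, '-s', 'base', '(objectclass=*)', 'dn']
    return (' '.join(shlex.quote(a) for a in search),
            ' '.join(shlex.quote(a) for a in user_bind))


if __name__ == '__main__':
    cfg = parse_ldap_conf(SAMPLE_LDAP_CONF)
    print('effective endpoint:', effective_uri(cfg))
    for code, msg in audit(cfg):
        print('[%s] %s' % (code, msg))
    step1, step2 = repro_commands(cfg, 'alex')
    print('\n1. search-account bind (what nss_ldap/getent uses):\n   ' + step1)
    print('2. bind as the user (what pam_ldap does with the password):\n   ' + step2)
```

Run the first printed command with the search account's password and note the DN it returns, then run the second with that DN and the user's own password. If the first succeeds and the second fails with "Invalid credentials", the problem is the user bind itself rather than the search, which is the same split the reply suggests confirming before reaching for Wireshark.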
Ahh, cool, well whatever you're happy with is fine, but I would ask: if you're already polling account info over ldap, why change protocol to check the password if you're not interested in the SSO stuff that Kerberos can provide? Maybe you'd actually rather look at doing that "properly" and use winbind for domain membership?
Yes, I am going to dig into it. Actually my boss needs it right now, so I have to stop here! But I am going to have a cute home lab and do them all over again and test what's going on. I can find nothing for pam_ldap configuration in FreeBSD 9, and everybody is talking about a pam_ldap.conf which exists in, like, FreeBSD 8... I read the pam_ldap manual and it says pam_ldap uses ldap.conf for configuration, but it is not promised that it always works :O It says you should use other files, and my problem is that I don't know what those other files are!
Anyway, I am cleaning up right now and going to put the things I found in the topics I have written. I'll be back.