Using RHWS 4 update 4 and Windows 2003 Server.

Win2k3 running SFU30 hosts my AD.

trying to connect with RHWS44 there are 2 ldap.conf

/etc/ldap.conf
and
/etc/openldap/ldap.conf

/etc/ldap.conf seems to do nothing.

I could only get basic seach with /etc/openldap/ldap.conf.

using
asks me to enter my passwd and works fine


using:
returns:
using:
returns:
I think that for some reason it is not using the binddn and bindpw that i have listed in my conf file..

Can anyone help me sort this please..

Can you even point out how to do this without ssl as i want to get the guts of this working initally then when i get round to sorting out certificates then do the ssl

Ok, I have a few possibly dumb questions.

1. will the command "openssl x509 -inform DER -in activedirectory.crt -outform PEM -out adcert.pem" give me the same output as "openssl pkcs7 -in activedirectory.cer -inform DER -out adcert.pem -outform PEM" because the second one horks on my systems, with a cannot load PKCS7 object error. I believe it should work fine, since the goal is turn the cert into PEM form.

2. the fact that the nsswitch.conf example is on a gentoo box kind of throws me, is that the same content needed for a fedora system? I assume so, but I've been wrong before on how different linux distros handle the same thing.

3. The /etc/pam.d/system-auth file says it is auto generated there in the text. So does it need to be edited, or is that the result I should get from the other steps?

I'll probably have a few more questions before I finish ironing out all the issues.

tux2460:

I can not remember for sure how I took my Windows cert and included in /etc/openldap/certs directory. Seems like it was more like what you were doing in your first example.

The /etc/nsswitch.conf file is similar on CentOS 4 distro which would be very similar to a fedora based distro.

You can hand edit /etc/pam.d/system-auth file, but if you use one of the fancy fedora/red-hat tools (system-config-authentication, authconfig, or other tool) for modifying the files then your hand edits will be lost.

sruckh:

Thanks for the reply, I was fairly sure the syntax was right on the first command, just wanted to double check.

So for the nsswitch.conf, I'll need to edit it so that it looks like the example Bleunique posted?

I'll try and make sure, I don't use any of the tools after I finish my edit. I'll back up the file just in case.

This is such an irritating subject though, I've seen a few dozen guides for this, but none seem to be complete, and each seems to have it's own spin. So it's hard to fill in some of the gaps.

Thanks for your help.

hi, another AD-auth newbie with problems here

kerberos auth is utterly trivial, I have a keytab, can do ldapsearches no prob, etc. As an example, if I simply use:
ldapsearch "msSFU30Name=brianl"
I get my entire record! No worries!

Problem is, nss_ldap won't resolve uids/gids. I put debug on all the pam lines, and set the debug line in /etc/ldap.conf to 1. The stuff it shows me that I worry about is (Uid nums changed..."XXXX" is actually a valid, correct number):

put_filter: "(&(objectclass=User)(msSFU30UidNumber=XXXX))"
put_filter: AND
put_filter_list "(objectclass=User)(msSFU30UidNumber=XXXX)"
put_filter: "(objectclass=User)"
put_filter: simple
put_simple_filter: "objectclass=User"
put_filter: "(msSFU30UidNumber=XXXX)"
put_filter: simple
put_simple_filter: "msSFU30UidNumber=XXXX"
ldap_send_initial_request
ldap_send_server_request
ber_flush: 265 bytes to sd 7
ldap_result msgid 12
ldap_chkResponseList for msgid=12, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 12
wait4msg continue, msgid 12, all 1
ldap_chkResponseList for msgid=12, all=1
ldap_chkResponseList returns NULL


Clearly it's just...something...in /etc/ldap.conf, but I've used every suggested permutation of /etc/ldap.conf (the 3 suggested in this thread were tried, for example) to no avail.

What bothers me is if instead of ldapsearch "msSFU30Name=brianl" I use ldapsearch "msSFU30Name=brianl" "objectclass=User" I no longer get my whole record...instead, I just get my DN as below. Could that be all that nss_ldap is getting back to, and thus has nothing to map back to my uid/gid? Remember, if I leave off the objectclass=user and just search my name, I get my full record...not just the below.

ldapsearch "msSFU30Name=brianl" "objectclass=User" result:

SASL/GSSAPI authentication started
SASL username: rh4adtest/rh4adtest@CLINICOMP.COM
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: msSFU30UidNumber=XXXX
# requesting: objectclass=User
#

# Brian LaMere, Users, CLINICOMP.com
dn: CN=Brian LaMere,CN=Users,DC=CLINICOMP,DC=com

# search reference
ref: ldap://CLINICOMP.COM/CN=Configuration,DC=CLINICOMP,DC=com

# search result
search: 5
result: 0 Success

# numResponses: 3
# numEntries: 1
# numReferences: 1

I should probably mention that I'm using RHEL4 update4...

anonymous AD searches are not allowed, but as I can do the search just fine with ldapsearch...

final note: yes, I've configured nsswitch.conf, else ldap wouldn't be getting involved when I do an ls -al /home (/home has dirs owned by users that don't have local passwd entries...)

and I can log in with my AD passwd, even...and sudo, and pass tokens, and...anything auth related. Anything nsquery related fails, however.

Hi,

I don't think this issue has been resolved in this thead....

How do you get the pam_groupdn option in ldap.conf to restrict users in AD? It doesn't seem to work...

Thanks.

Hello Guys,

I tried to use the configuration shown for a test of a Fedora core 6 and a Windows 2003 R2 Domain but I have not been able to make it work. I removed the Certificate part to not complicate the things while I cannot make it work.

Every time that I try to authenticate I have the following error:

[root@ldaptestclient ~]# su raul
su: user raul does not exist
[root@ldaptestclient ~]# su ldap_test
su: user ldap_test does not exist

and in the /var/log/secure I have the following errors:

[root@ldaptestclient ~]# tail /var/log/secure
May 3 11:34:37 ldaptestclient sshd[3562]: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
May 3 11:34:46 ldaptestclient sshd[3561]: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
May 3 11:34:53 ldaptestclient sshd[3562]: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
May 3 11:35:18 ldaptestclient sshd[3561]: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...
May 3 11:35:25 ldaptestclient sshd[3562]: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...
May 3 11:36:22 ldaptestclient sshd[3561]: nss_ldap: could not search LDAP server - Server is unavailable
May 3 11:36:29 ldaptestclient sshd[3562]: nss_ldap: could not search LDAP server - Server is unavailable
May 3 14:19:12 ldaptestclient gdm[2562]: pam_unix(gdm:auth): check pass; user unknown
May 3 14:19:12 ldaptestclient gdm[2562]: pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
May 3 14:21:16 ldaptestclient gdm[2562]: pam_succeed_if(gdm:auth): error retrieving information about user raul

Attached is my /etc/ldap.conf and the /etc/nsswitch.conf


/etc/ldap.conf
# This file should be world readable but not world writable.
base cn=Users,dc=epochldaptest,dc=com
host 192.168.2.70
scope sub
ssl no
#TLS_CACERT /etc/ssl/certs/adcert.pem
binddn cn=ldap_test,cn=Users,dc=epochldaptest,dc=com
bindpwd Secret*1234
#rootbinddn cn=administrator,cn=Users,dc=epochldaptest,dc=com

#
# Active Directory Mappings
#
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
nss_base_passwd cn=Users,dc=epochldaptest,dc=com
nss_base_shadow cn=Users,dc=epochldaptest,dc=com
nss_base_group cn=Users,dc=epochldaptest,dc=com
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute cn sAMAccountName
nss_map_attribute uniqueMember member
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_objectclass posixGroup Group.com


[root@ldaptestclient ~]# vi /etc/nsswitch.conf

passwd: files ldap compat
shadow: files ldap compat
group: files ldap compat
hosts: files dns
networks: files dns
services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files

I'm sure that it is something easy but too hard for a newbie in this topic.

Thanks in advance for your help.

Raul

Mambley, It has been a very long time since I have looked at this stuff, and I do not have my test environment available, but it looks like your LDAP config is set up for Microsoft's Service for Unix (SFU). You mention you are using Win2k3 R2 which does not require the Services for Unix package. It instead has its own schema updates and utilities.

See some of the links posted in early messages of this thread. There are examples between Win2k3 R2 and Win2k/2k3 with Services for Unix.

I did not strictly analyze your config, but from a high level your ldap.conf file did not appear to match that of someone utilizing Win2k3 R2 features.

Greetings,

I've been given the task of finding a single-sign-on solution for a heterogeneous environment comprised of HP-UX, Solaris, Linux, and Windows (and possibly NetBSD).

I'd like to know if there is any way to have one machine perform all the requisite LDAP <=> ADS translation while all the other machines auth against it with a minimal LDAP client configuration?

Many thanks in advance, and Wraukon the Excellent salutes you.