Re: LDAP Auth

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Nov 20, 2003 at 01:13:24PM -0800, Joseph M Bironas wrote:
> On Thu, 2003-11-20 at 12:25, Nalin Dahyabhai wrote:
> > What info are you getting from the LDAP server (LDIF would be helpful
> > here)?  Does it conform to the posixAccount schema?  What are the host
> > and base DN you're configuring nss_ldap to search with, and how did you
> > invoke ldapsearch to troubleshoot it?
> 
> I can pull an entire record from LDAP. The server is actually Win2K
> using Active Directory, but using the AD4Unix schema, so there is a
> mapping for posixAccount to User, but the relevant username/passwords
> work on a RH7.3 machine and a RH8 machine with an identical config in
> /etc/ldap.conf and /etc/openldap/ldap.conf
> 
> The host I'm searching against is 192.168.2.xx, and the base DN is
> dc=company,dc=com - the scope is sub. Here are the relevant schema
> mappings:
> 
> nss_base_passwd        dc=company,dc=com?sub
> nss_base_shadow        dc=company,dc=com?sub
> nss_base_group         dc=company,dc=com?sub
> nss_map_objectclass posixAccount User
> nss_map_attribute uid msSFUName
> nss_map_attribute uniqueMember posixMember
> nss_map_attribute userPassword msSFUPassword
> nss_map_attribute homeDirectory msSFUHomeDirectory
> nss_map_attribute cn msSFUName
> nss_map_objectclass posixGroup Group
> pam_login_attribute sAMAccountName
> pam_login_attribute msSFUName
> pam_filter objectclass=User
> 
> ldapsearch works when invoked as follows:
> # ldapsearch -x -D "cn=Administrator,cn=Users,dc=company,dc=com" -W
> "sAMAccountName=[username]"

Hmm....  I'm afraid I don't have any first-hand knowledge of what user
account objects in the AD4Unix schema look like.  Again, LDIF (or the
results from your ldapsearch) would be useful here, to see what nss_ldap
has to start with.  You may want to retry running ldapsearch using
  "(&(msSFUName=[username])(objectclass=User))"
as the filter, as that should match your nss_ldap configuration more
closely than the one you listed above.

> /etc/nsswitch.conf is configured correctly. 
> 
> What am I missing that is keeping getent from reporting the ldap users?
> It's been a while since I got this running on RedHat 7.3 and RedHat 8,
> has fedora changed it's nss_ldap and pam_ldap packaging? (I remember
> having to recompile for RH 7.3 to support schema mapping).

Other than moving to newer versions of both modules, I don't think so.
Schema mapping is indeed enabled for nss_ldap at build-time.

As an aside, running 'strace -s128 getent -s "dns ldap" passwd [username]'
can be pretty informative when you're debugging this sort of thing.  You
can watch the LDAP protocol messages, which unless you're using TLS, are
largely human-readable.

Cheers,

Nalin




[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux