On Thu, Nov 20, 2003 at 01:13:24PM -0800, Joseph M Bironas wrote:
> On Thu, 2003-11-20 at 12:25, Nalin Dahyabhai wrote:
> > What info are you getting from the LDAP server (LDIF would be helpful
> > here)? Does it conform to the posixAccount schema? What are the host
> > and base DN you're configuring nss_ldap to search with, and how did you
> > invoke ldapsearch to troubleshoot it?
>
> I can pull an entire record from LDAP. The server is actually Win2K
> using Active Directory, but using the AD4Unix schema, so there is a
> mapping for posixAccount to User, but the relevant username/passwords
> work on a RH7.3 machine and a RH8 machine with an identical config in
> /etc/ldap.conf and /etc/openldap/ldap.conf
>
> The host I'm searching against is 192.168.2.xx, and the base DN is
> dc=company,dc=com - the scope is sub. Here are the relevant schema
> mappings:
>
> nss_base_passwd dc=company,dc=com?sub
> nss_base_shadow dc=company,dc=com?sub
> nss_base_group dc=company,dc=com?sub
> nss_map_objectclass posixAccount User
> nss_map_attribute uid msSFUName
> nss_map_attribute uniqueMember posixMember
> nss_map_attribute userPassword msSFUPassword
> nss_map_attribute homeDirectory msSFUHomeDirectory
> nss_map_attribute cn msSFUName
> nss_map_objectclass posixGroup Group
> pam_login_attribute sAMAccountName
> pam_login_attribute msSFUName
> pam_filter objectclass=User
>
> ldapsearch works when invoked as follows:
> # ldapsearch -x -D "cn=Administrator,cn=Users,dc=company,dc=com" -W
> "sAMAccountName=[username]"

Hmm.... I'm afraid I don't have any first-hand knowledge of what user
account objects in the AD4Unix schema look like. Again, LDIF (or the
results from your ldapsearch) would be useful here, to see what nss_ldap
has to start with.

You may want to retry running ldapsearch using
"(&(msSFUName=[username])(objectclass=User))" as the filter, as that
should match your nss_ldap configuration more closely than the one you
listed above.
> /etc/nsswitch.conf is configured correctly.
>
> What am I missing that is keeping getent from reporting the ldap users?
> It's been a while since I got this running on RedHat 7.3 and RedHat 8,
> has fedora changed its nss_ldap and pam_ldap packaging? (I remember
> having to recompile for RH 7.3 to support schema mapping).

Other than moving to newer versions of both modules, I don't think so.
Schema mapping is indeed enabled for nss_ldap at build-time.

As an aside, running 'strace -s128 getent -s "dns ldap" passwd [username]'
can be pretty informative when you're debugging this sort of thing. You
can watch the LDAP protocol messages, which unless you're using TLS, are
largely human-readable.

Cheers,

Nalin
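The question Nalin keeps returning to is "what does nss_ldap have to start with": does the record ldapsearch returns, once the nss_map_attribute and nss_map_objectclass lines are applied, actually carry the attributes a posixAccount entry must have. The script below is an added example written for this thread, not code from either poster or from nss_ldap itself. It reads the mapping lines from an ldap.conf (the poster's mappings are reused as the sample config), parses ldapsearch-style LDIF offline, and reports which mapped attributes are absent from each entry. The two LDIF records, and the function names parse_ldap_conf, parse_ldif, check_posix_account and diagnose, are constructed for the example; the MUST attribute list is the posixAccount definition from RFC 2307.

```python
"""Added example (not from the thread): offline check of whether ldapsearch
output carries what nss_ldap needs to build a passwd entry, honouring the
nss_map_attribute / nss_map_objectclass lines from /etc/ldap.conf.
The config lines are the poster's; both LDIF records are constructed."""
import base64

# posixAccount MUST attributes per RFC 2307.  nss_ldap looks each one up
# under its mapped name, so an entry lacking any of them yields no passwd line.
POSIX_ACCOUNT_MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")

SAMPLE_LDAP_CONF = """\
nss_base_passwd dc=company,dc=com?sub
nss_map_objectclass posixAccount User
nss_map_attribute uid msSFUName
nss_map_attribute uniqueMember posixMember
nss_map_attribute userPassword msSFUPassword
nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_attribute cn msSFUName
nss_map_objectclass posixGroup Group
"""

# Constructed sample shaped like 'ldapsearch -x' output against an AD4Unix
# directory: one complete user and one account that was never given SFU data.
SAMPLE_LDIF = """\
# constructed sample records
dn: CN=jdoe,CN=Users,DC=company,DC=com
objectClass: top
objectClass: person
objectClass: User
cn: jdoe
sAMAccountName: jdoe
msSFUName: jdoe
uidNumber: 10001
gidNumber: 10001
msSFUHomeDirectory: /home/jdoe
loginShell: /bin/bash

dn: CN=svc-backup,CN=Users,DC=company,DC=com
objectClass: top
objectClass: person
objectClass: User
cn: svc-backup
sAMAccountName: svc-backup
description:: c2VydmljZSBhY2NvdW50
"""


def parse_ldap_conf(text):
    """Collect nss_map_attribute / nss_map_objectclass directives; others are ignored."""
    attr_map, class_map = {}, {}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) != 3 or raw.lstrip().startswith("#"):
            continue
        if parts[0] == "nss_map_attribute":
            attr_map[parts[1]] = parts[2]
        elif parts[0] == "nss_map_objectclass":
            class_map[parts[1]] = parts[2]
    return attr_map, class_map


def _unfold(text):
    """Join LDIF continuation lines (leading space) onto the preceding line."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return logical


def parse_ldif(text):
    """Minimal LDIF reader for search output: a list of entries, each mapping a
    lower-cased attribute name to its list of values.  Handles '::' base64
    values and folded lines; change records are out of scope."""
    entries, current = [], None
    for line in _unfold(text) + [""]:
        if line.startswith("#"):
            continue
        if line == "":
            if current:
                entries.append(current)
            current = None
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current = current if current is not None else {}
        current.setdefault(key.strip().lower(), []).append(value)
    return entries


def check_posix_account(entry, attr_map, class_map):
    """Return (objectclass_ok, missing): whether the entry carries the class
    mapped to posixAccount, and which mapped MUST attributes it lacks."""
    wanted = class_map.get("posixAccount", "posixAccount").lower()
    objectclass_ok = wanted in [v.lower() for v in entry.get("objectclass", [])]
    missing = []
    for posix_attr in POSIX_ACCOUNT_MUST:
        real = attr_map.get(posix_attr, posix_attr)   # e.g. uid -> msSFUName
        if real.lower() not in entry and real not in missing:
            missing.append(real)
    return objectclass_ok, missing


def diagnose(conf_text, ldif_text):
    """Return [(dn, objectclass_ok, missing), ...] for every entry in the LDIF."""
    attr_map, class_map = parse_ldap_conf(conf_text)
    return [(e.get("dn", ["?"])[0], *check_posix_account(e, attr_map, class_map))
            for e in parse_ldif(ldif_text)]


if __name__ == "__main__":
    for dn, ok, missing in diagnose(SAMPLE_LDAP_CONF, SAMPLE_LDIF):
        print(dn, "-", "complete" if ok and not missing else "incomplete for nss_ldap")
        if not ok:
            print("  objectClass does not include the class mapped to posixAccount")
        for name in missing:
            print("  missing attribute:", name)
```

Feed it the real ldapsearch output instead of SAMPLE_LDIF and the report tells you, per entry, which mapped attribute nss_ldap would fail to find; in the poster's configuration both cn and uid map to msSFUName, so a user object without that attribute is the first thing to look for.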