LDAP Auth
Nalin Dahyabhai
nalin at redhat.com
Thu Nov 20 22:47:08 UTC 2003
On Thu, Nov 20, 2003 at 01:13:24PM -0800, Joseph M Bironas wrote:
> On Thu, 2003-11-20 at 12:25, Nalin Dahyabhai wrote:
> > What info are you getting from the LDAP server (LDIF would be helpful
> > here)? Does it conform to the posixAccount schema? What are the host
> > and base DN you're configuring nss_ldap to search with, and how did you
> > invoke ldapsearch to troubleshoot it?
>
> I can pull an entire record from LDAP. The server is actually Win2K
> using Active Directory, but using the AD4Unix schema, so there is a
> mapping for posixAccount to User, but the relevant username/passwords
> work on a RH7.3 machine and a RH8 machine with an identical config in
> /etc/ldap.conf and /etc/openldap/ldap.conf
>
> The host I'm searching against is 192.168.2.xx, and the base DN is
> dc=company,dc=com - the scope is sub. Here are the relevant schema
> mappings:
>
> nss_base_passwd dc=company,dc=com?sub
> nss_base_shadow dc=company,dc=com?sub
> nss_base_group dc=company,dc=com?sub
> nss_map_objectclass posixAccount User
> nss_map_attribute uid msSFUName
> nss_map_attribute uniqueMember posixMember
> nss_map_attribute userPassword msSFUPassword
> nss_map_attribute homeDirectory msSFUHomeDirectory
> nss_map_attribute cn msSFUName
> nss_map_objectclass posixGroup Group
> pam_login_attribute sAMAccountName
> pam_login_attribute msSFUName
> pam_filter objectclass=User
>
> ldapsearch works when invoked as follows:
> # ldapsearch -x -D "cn=Administrator,cn=Users,dc=company,dc=com" -W
> "sAMAccountName=[username]"
Hmm.... I'm afraid I don't have any first-hand knowledge of what user
account objects in the AD4Unix schema look like. Again, LDIF (or the
results from your ldapsearch) would be useful here, to see what nss_ldap
has to start with. You may want to retry running ldapsearch using
"(&(msSFUName=[username])(objectclass=User))"
as the filter, as that should match your nss_ldap configuration more
closely than the one you listed above.
> /etc/nsswitch.conf is configured correctly.
>
> What am I missing that is keeping getent from reporting the ldap users?
> It's been a while since I got this running on RedHat 7.3 and RedHat 8,
> has fedora changed its nss_ldap and pam_ldap packaging? (I remember
> having to recompile for RH 7.3 to support schema mapping).
Other than moving to newer versions of both modules, I don't think so.
Schema mapping is indeed enabled for nss_ldap at build-time.
As an aside, running 'strace -s128 getent -s "dns ldap" passwd [username]'
can be pretty informative when you're debugging this sort of thing. You
can watch the LDAP protocol messages, which unless you're using TLS, are
largely human-readable.
Cheers,
Nalin
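Added example, not part of the thread: a small Python check that applies the nss_map_attribute lines quoted above to a constructed LDIF record and reports which posixAccount attributes nss_ldap would still be unable to resolve, plus a builder for the suggested filter that escapes the username before substituting it for [username] (the placeholder is filled from user input in a real login path). The LDIF record and the username are made up.

```python
import re
# nss_map_attribute lines from the post: posixAccount attribute -> AD4Unix attribute.
NSS_MAP_ATTRIBUTE = {
    "uid": "msSFUName",
    "uniqueMember": "posixMember",
    "userPassword": "msSFUPassword",
    "homeDirectory": "msSFUHomeDirectory",
    "cn": "msSFUName",
}
# MUST attributes of posixAccount (RFC 2307) that nss_ldap needs for a passwd entry.
POSIX_ACCOUNT_REQUIRED = ["cn", "uid", "uidNumber", "gidNumber", "homeDirectory"]

def parse_ldif_entry(text):
    """Parse one LDIF record into {attr_lower: [values]}, unfolding continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # LDIF folds long values onto lines starting with a space
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def missing_posix_attributes(entry):
    """Apply the mapping and list posixAccount attributes the entry cannot supply."""
    missing = []
    for attr in POSIX_ACCOUNT_REQUIRED:
        mapped = NSS_MAP_ATTRIBUTE.get(attr, attr)
        if mapped.lower() not in entry:
            missing.append(f"{attr} (looked for {mapped})")
    return missing

def ldap_filter_escape(value):
    """Escape the characters RFC 4515 requires escaping inside a filter value."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def user_filter(username):
    """The filter suggested in the reply, with the username escaped before substitution."""
    return f"(&(msSFUName={ldap_filter_escape(username)})(objectclass=User))"

# Constructed sample record (not real directory data); note that gidNumber is absent.
SAMPLE_LDIF = """dn: CN=jdoe,CN=Users,DC=company,DC=com
objectClass: User
msSFUName: jdoe
uidNumber: 10001
msSFUHomeDirectory: /home/jdoe
"""
```

Feed the real ldapsearch output in place of SAMPLE_LDIF and the missing list tells you which mapping (or which AD attribute) getent is tripping over.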