
using Domino for authentication




I am trying to set up a Linux box to use LDAP authentication with Domino as the directory, and it is proving to be interesting. I have installed nss_ldap and pam_ldap on Linux and set up the ldap.conf file to point to my Domino server. I can run command-line queries on the Linux box like this one:

# ldapsearch -x "(&(objectclass=dominoPerson)(uid=abell))"
version: 2

#
# filter: (&(objectclass=dominoPerson)(uid=abell))
# requesting: ALL
#

# Alan Bell, Intec
dn: CN=Alan Bell,O=Intec
cn: Alan Bell
shortname: ABell
uid: ABell
mail: ABell@intec.co.uk
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: dominoPerson
givenname: Alan
sn: Bell
maildomain: Intec

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

However, I can't log in. When I compiled nss_ldap with the "--enable-debug-code" option, I discovered that the query being passed to the Domino server is "(&(objectclass=posixAccount)(uid=abell))", but the Domino directory does not have an objectclass of posixAccount. I have a line in my ldap.conf:

nss_map_objectclass posixAccount dominoPerson

which I hoped would map posixAccount onto dominoPerson.

Excerpt from /var/log/messages:

Sep  4 10:38:54 cvs login(pam_unix)[17968]: bad username []
Sep  4 10:39:03 cvs login(pam_unix)[17974]: check pass; user unknown
Sep  4 10:39:03 cvs login(pam_unix)[17974]: authentication failure; logname= uid=0 euid=0 tty=pts/3 ruser= rhost=ThisAddressDoesNotExist
Sep  4 10:39:05 cvs login[17974]: pam_ldap: ldap_search_s No such object
Sep  4 10:39:07 cvs login[17974]: FAILED LOGIN 1 FROM ThisAddressDoesNotExist FOR abell, Authentication failure

I even changed posixAccount to dominoPerson in ldap-schema.h and recompiled, but to no avail. Has anyone succeeded in using Domino LDAP with Linux and got a clue for me?
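
Added example, not part of the original post: a Python check that applies ldap.conf mappings to an LDIF entry like the one above and lists which of the attributes RFC 2307 marks as MUST for posixAccount are absent. The sample LDIF and config are constructed from the post's output, the function names are hypothetical, and `nss_map_attribute` is an nss_ldap directive that does not appear in the post.

```python
# Sample data constructed from the ldapsearch output and ldap.conf line in the post.
SAMPLE_LDIF = """\
dn: CN=Alan Bell,O=Intec
cn: Alan Bell
uid: ABell
mail: ABell@intec.co.uk
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: dominoPerson
"""
SAMPLE_CONF = "nss_map_objectclass posixAccount dominoPerson\n"

# Attributes RFC 2307 lists as MUST for the posixAccount object class.
POSIX_ACCOUNT_MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")

def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercased attr: [values]}, unfolding wrapped lines."""
    lines, entry = [], {}
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    for line in lines:
        attr, _, value = line.partition(":")
        # "attr:: value" marks base64; the value is kept undecoded
        entry.setdefault(attr.strip().lower(), []).append(value.lstrip(":").strip())
    return entry

def parse_maps(conf):
    """Collect nss_map_objectclass / nss_map_attribute lines from ldap.conf text."""
    maps = {"nss_map_objectclass": {}, "nss_map_attribute": {}}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] in maps:
            maps[parts[0]][parts[1].lower()] = parts[2].lower()
    return maps

def check_entry(ldif, conf):
    """Return (entry has the mapped object class, missing posixAccount attributes)."""
    entry, maps = parse_ldif_entry(ldif), parse_maps(conf)
    amap = maps["nss_map_attribute"]
    wanted = maps["nss_map_objectclass"].get("posixaccount", "posixaccount")
    classes = {v.lower() for v in entry.get("objectclass", [])}
    missing = [a for a in POSIX_ACCOUNT_MUST if amap.get(a.lower(), a.lower()) not in entry]
    return wanted in classes, missing
```

For the constructed entry, `check_entry(SAMPLE_LDIF, SAMPLE_CONF)` reports that the mapped object class is present but `uidNumber`, `gidNumber` and `homeDirectory` are not.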