
Followup: using OpenLDAP with Active Directory



So I've made *some* progress. I created a new user in AD, and used this new account to bind with. And, using simple authentication and password prompting, my search worked correctly:

ldapsearch -Hldap://dim-win2300.dacrib.local -tt -x -D "ldap-proxy@dacrib.local" -b "dc=dacrib,dc=local" -W -L "(objectClass=user)" dn


However, I can't seem to get it to work if I don't specify the ID and password to bind with:

----------------------------
ldapsearch -v -x -Hldap://dim-win2300.dacrib.local "(objectClass=user)" sAMAccountName

ldap_initialize( ldap://dim-win2300.dacrib.local:389/??base )
filter: (objectClass=user)
requesting: sAMAccountName
# extended LDIF
#
# LDAPv3
# base <dc=DaCrib,dc=local> (default) with scope subtree
# filter: (objectClass=user)
# requesting: sAMAccountName
#

# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece

# numResponses: 1
--------------------------

I thought perhaps the problem was that SASL was interfering, so I tried to turn it off in ldap.conf, but that didn't seem to work.

As an aside, where does ldap.conf live, in Ubuntu 9.04? I have 2, one in /etc and one in /etc/ldap. And I don't know which one (if either) is being read ... is there any way to tell which one is in use?

-------------------
host 10.0.0.60
base dc=DaCrib,dc=local

#binddn CN=ldap-proxy,CN=Users,DC=DaCrib,DC=local
binddn ldap-proxy@dacrib.local
bindpw XXXXXXXX

use_sasl        off
SASL_SECPROPS none
SSL no

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
# rootbinddn cn=Administrator,dc=dacrib,dc=local

# RFC 2307 (AD) mappings
# <to> <from>
nss_map_attribute userPassword sambaPassword
nss_map_attribute gecos name
nss_map_attribute uid unixName
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
pam_filter objectclass=User
pam_password crypt

nss_initgroups_ignoreusers avahi,backup,bin,daemon,dhcp,dovecot,festival,games,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,mysql,news,polkituser,postfix,proxy,root,saned,sshd,sync,sys,syslog,uucp,www-data
-----------------------

Anyone? I feel I am close, but can't figure out why doing it interactively from the command line binds and searches, and relying on the ldap.conf to supply that information does not ...

Thanks
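Added example, not part of the original post or of OpenLDAP itself. Two things worth separating when reading the post: `ldapsearch` is an OpenLDAP client, and the OpenLDAP client library reads `/etc/ldap/ldap.conf` (plus `~/.ldaprc` and whatever `LDAPCONF` points at), which has no `bindpw` directive at all, so without `-D`/`-W` it performs an anonymous simple bind, and a default Active Directory DC answers exactly the `result: 1 Operations error` / "a successful bind must be completed" text shown above. The `binddn`/`bindpw`/`nss_map_*` file in `/etc/ldap.conf` is for `libnss-ldap`/`libpam-ldap`, which `ldapsearch` never consults. The helper functions below are mine: they keep the proxy password in a mode-600 secret file read with `ldapsearch -y` (a real option) instead of a `bindpw` line in a config that NSS needs world-readable, verify that file's permissions, and classify `ldapsearch` output so a script can tell the "anonymous bind refused" case from other failures. The host, base DN and proxy account are the ones from the post; `/etc/ldap.secret` is the path the post's own comment mentions, and the constructed sample output is copied from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers around ldapsearch
# against an AD domain controller:
#  - the bind password lives in a mode-600 file read with -y, not in ldap.conf
#  - ldapsearch output is classified so scripts can recognise AD's refusal
#    of anonymous searches ("a successful bind must be completed")

AD_URI="ldap://dim-win2300.dacrib.local"        # from the post
AD_BASE="dc=dacrib,dc=local"                    # from the post
AD_BINDDN="ldap-proxy@dacrib.local"             # UPN form accepted by AD simple bind
AD_SECRET="${AD_SECRET:-/etc/ldap.secret}"      # assumed path (post's comment), password only, mode 600

# Return 0 only if the secret file is a regular file with mode 600.
# Uses GNU stat, falling back to BSD stat.
check_secret_perms() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
    [ "$mode" = "600" ]
}

# Print (do not run) the ldapsearch command that binds as the proxy account,
# taking the password from the secret file with -y.  Extra arguments are the
# attributes to request.  -L keeps the "result:" comment lines that
# classify_result relies on.
build_search_cmd() {
    filter="$1"; shift
    printf 'ldapsearch -x -L -H %s -D %s -y %s -b %s %s' \
        "$AD_URI" "$AD_BINDDN" "$AD_SECRET" "$AD_BASE" "$filter"
    for a in "$@"; do printf ' %s' "$a"; done
    printf '\n'
}

# Classify ldapsearch output read from stdin.  Prints one word:
#   ok            - "result: 0 Success"
#   bind-required - result 1 carrying AD's "successful bind must be completed"
#                   comment, i.e. the connection was anonymous
#   other-error   - any other non-zero or missing result code
classify_result() {
    out=$(cat)
    code=$(printf '%s\n' "$out" | sed -n 's/^result: \([0-9]*\) .*/\1/p' | head -n 1)
    case "$code" in
        0) echo ok ;;
        1) if printf '%s\n' "$out" | grep -q 'successful bind must be completed'; then
               echo bind-required
           else
               echo other-error
           fi ;;
        *) echo other-error ;;
    esac
}

# Constructed sample: the failing output from the post.
SAMPLE_BIND_REQUIRED='# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece'

# Demo when run directly: show the command and classify the sample.
build_search_cmd '(objectClass=user)' sAMAccountName
printf '%s\n' "$SAMPLE_BIND_REQUIRED" | classify_result
if check_secret_perms "$AD_SECRET"; then
    echo "$AD_SECRET has mode 600"
else
    echo "$AD_SECRET missing or not mode 600; ldapsearch -y would expose or fail to read it"
fi
```

A script can wrap a real query as `eval "$(build_search_cmd '(objectClass=user)' sAMAccountName)" | classify_result` after `check_secret_perms` succeeds; an anonymous query against the same DC (no `-D`/`-y`) will classify as `bind-required`, which is the state the post is in when it relies on `/etc/ldap.conf`.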