
Re: Unix authentication in corporate AD



On Wednesday, 1 September 2010 17:05:36 Edsall, William (WJ) wrote:
> Hello,
>  Just a few questions regarding authenticating OpenLDAP (centos 5.4) to
> windows active directory.

Could you list what you have actually configured? There are multiple solutions, 
which will work under different conditions for different goals.

> I'm able to bind,

How are you checking this? What software are you using?

> I've confirmed this by changing the bind password, and
> then the bind attempt fails. However I'm unable to authenticate.
> 
> My attempt is always as follows:
> su: user blabla does not exist

So, NSS is unable to find information about the user 'blabla'. I note that 
trying 'getent passwd blabla', or 'getent passwd' may be more informative.

However:
1) Is nss_ldap installed?
2) Is 'ldap' listed in the passwd line of /etc/nsswitch.conf (it should be, 
probably for 'group' as well, but IMHO best not in 'shadow').
3) Have you configured /etc/ldap.conf appropriately? Can you supply a sanitised 
minimal version of your /etc/ldap.conf ?

> No errors end up in the messages log.
> 
> My question is .. could this be because the active directory I'm trying
> to authenticate against doesn't have any windows services for unix
> installed?

It could be because your directory server doesn't hold the unix attributes for 
the user blabla. SFU had non-standard attributes for these, so you would need 
to configure attribute mapping on the "client" side. In Windows 2003R2 and 
later, I believe rfc2307bis is available, but may need to be enabled.

You could provide a sanitised version of the LDIF for the user in question 
(e.g. from querying AD) if you aren't able to tell for yourself.

> Should that even matter if I can bind?

Yes it should (at least to 'su'). What should the user's uid and gid (number) 
be? What shell should be started for the user?

Regards,
Buchan
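The checks Buchan asks for above (is 'ldap' in the passwd/group lines of nsswitch.conf, is nss_ldap present, and does the user's AD entry actually carry unix attributes) can be scripted so they are run against copies of the files rather than eyeballed. The script below is an added example for this thread, not something posted by either participant. It assumes the standard attribute names for the two schemas mentioned in the reply: the rfc2307bis names that Windows 2003 R2 and later expose (uidNumber, gidNumber, loginShell, unixHomeDirectory) and the older SFU 3.x names (msSFU30UidNumber, msSFU30GidNumber, msSFU30LoginShell, msSFU30HomeDirectory). The nsswitch.conf and LDIF files it inspects are constructed samples written to a temporary directory; point the functions at real files (or at the output of an ldapsearch for the user) to use them for a real diagnosis.

```shell
#!/bin/sh
# Offline diagnostics for "su: user X does not exist" with nss_ldap.
# Added example, not from the mailing-list thread; see the lead-in for assumptions.

# 1) Is nss_ldap installed? Looks for the NSS module in the usual library
#    directories and prints the first hit. Returns 1 if nothing is found.
nss_ldap_installed() {
    for d in /lib /lib64 /usr/lib /usr/lib64; do
        if [ -e "$d/libnss_ldap.so.2" ]; then
            echo "$d/libnss_ldap.so.2"
            return 0
        fi
    done
    echo "not found"
    return 1
}

# 2) Is 'ldap' one of the sources on the given nsswitch.conf database line
#    (passwd, group, shadow, ...)? Prints yes/no, returns 0/1.
nss_has_ldap() {
    nsswitch="$1"; db="$2"
    if grep -E "^[[:space:]]*${db}:.*[[:space:]]ldap([[:space:]]|$)" "$nsswitch" >/dev/null 2>&1; then
        echo yes
        return 0
    fi
    echo no
    return 1
}

# Does the LDIF contain the named attribute? LDAP attribute names are
# case-insensitive, so the match is too.
has_attr() {
    grep -qi "^$2:" "$1"
}

# 3) Which unix schema, if any, does the user's entry carry? NSS needs at
#    least a uid number, gid number and login shell to build a passwd entry.
#    Prints rfc2307bis, sfu or none; returns 1 for none.
ldif_unix_schema() {
    ldif="$1"
    if has_attr "$ldif" uidNumber && has_attr "$ldif" gidNumber && has_attr "$ldif" loginShell; then
        echo rfc2307bis
        return 0
    fi
    if has_attr "$ldif" msSFU30UidNumber && has_attr "$ldif" msSFU30GidNumber && has_attr "$ldif" msSFU30LoginShell; then
        echo sfu
        return 0
    fi
    echo none
    return 1
}

# --- constructed sample inputs (not real data) ---------------------------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/nsswitch.ok" <<'EOF'
passwd:     files ldap
shadow:     files
group:      files ldap
EOF

cat > "$SAMPLE_DIR/nsswitch.bad" <<'EOF'
passwd:     files
group:      files
EOF

# A user entry as an R2-style AD would return it (rfc2307bis attributes).
cat > "$SAMPLE_DIR/user_rfc2307.ldif" <<'EOF'
dn: CN=blabla,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: blabla
uidNumber: 10001
gidNumber: 10001
unixHomeDirectory: /home/blabla
loginShell: /bin/bash
EOF

# The same user with SFU 3.x attribute names (needs nss_map_attribute in ldap.conf).
cat > "$SAMPLE_DIR/user_sfu.ldif" <<'EOF'
dn: CN=blabla,CN=Users,DC=example,DC=com
sAMAccountName: blabla
msSFU30UidNumber: 10001
msSFU30GidNumber: 10001
msSFU30HomeDirectory: /home/blabla
msSFU30LoginShell: /bin/bash
EOF

# A plain AD user with no unix attributes at all: binds fine, but NSS
# cannot build a passwd entry, which is exactly the symptom in the thread.
cat > "$SAMPLE_DIR/user_plain.ldif" <<'EOF'
dn: CN=blabla,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: blabla
EOF

echo "nss_ldap module:        $(nss_ldap_installed)"
echo "passwd uses ldap (ok):  $(nss_has_ldap "$SAMPLE_DIR/nsswitch.ok" passwd)"
echo "passwd uses ldap (bad): $(nss_has_ldap "$SAMPLE_DIR/nsswitch.bad" passwd)"
echo "schema, R2 entry:       $(ldif_unix_schema "$SAMPLE_DIR/user_rfc2307.ldif")"
echo "schema, SFU entry:      $(ldif_unix_schema "$SAMPLE_DIR/user_sfu.ldif")"
echo "schema, plain entry:    $(ldif_unix_schema "$SAMPLE_DIR/user_plain.ldif")"
```

If the result for the real user is "sfu", nss_ldap will only find the account once /etc/ldap.conf maps the posixAccount attributes onto the msSFU30 names; if it is "none", no client-side mapping will help and the attributes have to be populated in AD first, which is the situation the reply describes.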