
Re: Unix authentication in corporate AD



On 1/09/10 5:12 -0500, Dan White wrote:
On 01/09/10 12:05 -0400, Edsall, William (WJ) wrote:
Hello, just a few questions regarding authenticating OpenLDAP (CentOS
5.4) to Windows Active Directory.

I'm able to bind, I've confirmed this by changing the bind password, and
then the bind attempt fails. However I'm unable to authenticate.

Could you clarify a few items?

Are you binding directly to an OpenLDAP server or an Active Directory
Server?

Which password are you changing, the user's password in Active Directory?

My attempt is always as follows: su: user blabla does not exist

With regards to OpenLDAP, a successful bind is a successful authentication.

With something like su, your trouble may be related to a third-party PAM or
NSS module. How does su authenticate in your environment?

On 02/09/10 10:25 -0400, Edsall, William (WJ) wrote:
Hello,
I am binding to an Active Directory server.

When I say I change the password for testing, I'm changing the bind
password in the ldap.conf file.

I believe PAM is using the ldap module:
passwd:     files ldap
shadow:     files ldap
group:      files ldap

The reason I used the binddn and bind password is because I know our
active directory setup does not allow anonymous binding.

So as I understand it, you are not using the OpenLDAP server, but the
OpenLDAP libraries in conjunction with a PAM ldap module. Do you know which
PAM module you are using? The PADL one?

If so, you may want to pose this problem on the pamldap@padl.com mailing
list, or you could post a sanitized copy of your ldap configuration here to
see if someone might recognize a problem.

A general troubleshooting tip would be to find out what query your PAM
ldap module is submitting to the Active Directory server, attempt to
reproduce it with an ldapwhoami command, and play with the
base/scope/filter settings until you get the expected response.

--
Dan White
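The troubleshooting approach Dan describes (reproduce the module's bind and lookup with the OpenLDAP command-line tools and adjust base/scope/filter until the expected entry comes back) can be scripted. The following is an added example, not code from the thread or from the PADL project: it parses a constructed pam_ldap/nss_ldap style /etc/ldap.conf (all hostnames, DNs and the password are placeholders), derives the ldapwhoami bind check and the ldapsearch query that nss_ldap would issue for a passwd lookup (its default `(&(objectclass=posixAccount)(uid=NAME))` form with any nss_map_objectclass / nss_map_attribute translations applied), escapes the username per RFC 4515 so it cannot change the filter structure, and optionally runs the commands.

```python
"""Reproduce pam_ldap/nss_ldap queries against AD with ldapwhoami/ldapsearch."""
import shlex
import subprocess
import sys

# Constructed sample /etc/ldap.conf in PADL pam_ldap/nss_ldap syntax.
# Every value below is a placeholder; on a real host read /etc/ldap.conf
# (and keep bindpw/ldap.secret readable by root only).
SAMPLE_LDAP_CONF = """\
# hypothetical client configuration
uri ldap://dc1.example.internal/
base dc=example,dc=internal
scope sub
binddn cn=ldapbind,ou=Service Accounts,dc=example,dc=internal
bindpw ExamplePassword
pam_login_attribute sAMAccountName
pam_filter objectclass=user
nss_base_passwd ou=People,dc=example,dc=internal?sub
nss_map_objectclass posixAccount user
nss_map_attribute uid sAMAccountName
"""


def parse_ldap_conf(text):
    """Return a dict of keyword -> value; map directives become nested dicts."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key in ("nss_map_attribute", "nss_map_objectclass"):
            src, _, dst = value.partition(" ")
            conf.setdefault(key, {})[src.strip()] = dst.strip()
        else:
            conf[key] = value
    return conf


def escape_filter_value(value):
    """RFC 4515 escaping: a username must not be able to alter the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\0" else ch for ch in value)


def uid_attr(conf):
    """Attribute nss_ldap compares the login name against (uid unless mapped)."""
    return conf.get("nss_map_attribute", {}).get("uid", "uid")


def passwd_search_base(conf):
    """nss_base_passwd has the form base?scope?filter and overrides the globals."""
    parts = conf.get("nss_base_passwd", "").split("?")
    base = parts[0] or conf.get("base", "")
    scope = parts[1] if len(parts) > 1 and parts[1] else conf.get("scope", "sub")
    extra = parts[2] if len(parts) > 2 else ""
    return base, scope, extra


def build_filter(conf, username, extra_filter=""):
    """Filter for a passwd lookup of username after objectclass/attribute mapping."""
    oc = conf.get("nss_map_objectclass", {}).get("posixAccount", "posixAccount")
    terms = "(objectclass=%s)(%s=%s)" % (oc, uid_attr(conf), escape_filter_value(username))
    if extra_filter:
        terms += extra_filter if extra_filter.startswith("(") else "(%s)" % extra_filter
    return "(&%s)" % terms


def bind_check_argv(conf):
    """ldapwhoami exercises only the bind step of what the PAM/NSS module does.
    -w exposes the password in the process list; prefer -y /etc/ldap.secret on
    shared hosts."""
    return ["ldapwhoami", "-x", "-H", conf["uri"], "-D", conf["binddn"], "-w", conf["bindpw"]]


def passwd_lookup_argv(conf, username):
    """ldapsearch equivalent of the NSS passwd lookup that su triggers."""
    base, scope, extra = passwd_search_base(conf)
    return ["ldapsearch", "-x", "-LLL", "-H", conf["uri"], "-D", conf["binddn"],
            "-w", conf["bindpw"], "-b", base, "-s", scope,
            build_filter(conf, username, extra), uid_attr(conf)]


def run(argv):
    """Execute one reproduced query; returns (exit status, combined output)."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


if __name__ == "__main__":
    conf = parse_ldap_conf(SAMPLE_LDAP_CONF)  # real use: open("/etc/ldap.conf").read()
    for argv in (bind_check_argv(conf), passwd_lookup_argv(conf, "blabla")):
        print(" ".join(shlex.quote(a) for a in argv))
        if "--run" in sys.argv:
            rc, output = run(argv)
            print("exit %d\n%s" % (rc, output))
```

Run without arguments it only prints the two commands; with `--run` it executes them. A bind check that succeeds while the passwd query returns exit status 0 and no entry is the combination that makes su report "user does not exist": the credentials are fine, but base, scope, the mapped objectclass or the mapped login attribute do not match where the account actually lives. Once the entry comes back from ldapsearch, `getent passwd blabla` confirms the same lookup works through nsswitch.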