Re: debian 6 nslcd and ldap auth to AD
- From: Michele Petrazzo <michele.petrazzo [at] unipex.it>
- To: "Page, Jeremy" <jeremy.page [at] gilbarco.com>
- Cc: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: debian 6 nslcd and ldap auth to AD
- Date: Thu, 27 Oct 2011 16:48:44 +0200
27/10/2011 16:11, Page, Jeremy wrote:
> Is your uid "user"?

Yes. I have, like now, n.surname (name dot surname).

> It looks like your filter will only map someone
> with a UID of "user". I think you may want to have it say:
> filter="(&(objectClass=posixAccount)(uid=*))")

Sorry for confusing you. I'm using "user" as the filter and "user" as the
username ;)
I'm filtering by:

filter passwd (objectClass=user)

because if I use filter="(&(objectClass=posixAccount)(uid=*))") it tells
me that it did not find the data. This also happens when I use ldapsearch,
so with objectClass=posixAccount it replies null, but shows me all the
results when I use objectClass=user

> I am a little confused at what you're saying, can you please provide
> your nslcd.conf file in entirety?

Very simple:

uid nslcd
gid nslcd
uri ldap://dcgc01.corp.company.net/
base dc=corp,dc=inasset,dc=net
binddn CORP\ldapquery
bindpw ***
filter passwd (objectClass=user)
map passwd uid sAMAccountName
filter shadow (objectClass=user)
map shadow uid sAMAccountName

> If you don't have Windows 2003R2 as your domain controllers your schema
> will not have RFC2703 attributes defined (uid etc).

Here I have win2k8 (no r2)

> Since you are
> mapping your sAMAccountname to UID the query for password works but the
> filter does not since there is no actual UID value in LDAP.

I use this filter because I found this info on the net, without
much knowledge of how it works.

> Try just filtering on objectClass=user.

That is what I use (as you can see)

Thanks,
Michele
-----Original Message-----
From: Michele Petrazzo [michele.petrazzo [at] unipex.it]
Sent: Thursday, October 27, 2011 10:00 AM
To: Page, Jeremy
Cc: nss-pam-ldapd-users@lists.arthurdejong.org
Subject: Re: debian 6 nslcd and ldap auth to AD
27/10/2011 15:41, Page, Jeremy wrote:
> You may need to have a following / on your URI

Thanks,
but it cannot be this because my nslcd connects successfully to the server,
and "something else doesn't work".

Seeing your filters, they are similar to mine and, replacing yours inside my
file, I receive the same:

nslcd: [8b4567] DEBUG: ldap_simple_bind_s("CORP\ldapquery","***") (uri="ldap://dc.corp.company.net/")
nslcd: [8b4567] passwd entry CN=user,OU=company,DC=corp,DC=inasset,DC=net does not contain uidNumber value

Thanks,
Michele
# Ignore local users (not supported in v7.2
nss_initgroups_ignoreusers ALLLOCAL
-----Original Message-----
From: nss-pam-ldapd-users-bounces+pagej=gilbarco.com@lists.arthurdejong.org
[nss-pam-ldapd-users-bounces+pagej=gilbarco.com [at] lists.arthurdejong.org]
On Behalf Of Michele Petrazzo
Sent: Thursday, October 27, 2011 6:35 AM
To: nss-pam-ldapd-users@lists.arthurdejong.org
Subject: debian 6 nslcd and ldap auth to AD
Hi list,
I'm trying to bind my Debian box to an AD server through nslcd but I'm
receiving a strange error that I haven't resolved by googling.

First configuration:

uri ldap://dcgc01.corp.company.net
base dc=corp,dc=company,dc=net
binddn CORP\ldapquery
bindpw mypasswd

Debug message:

nslcd: [8b4567] DEBUG: myldap_search(base="dc=corp,dc=company,dc=net", filter="(&(objectClass=posixAccount)(uid=user))")

and no login. With the same filter, ldapsearch also gives me no results.

Adding:

filter passwd (objectClass=user)
map passwd uid sAMAccountName
filter shadow (objectClass=user)
map shadow uid sAMAccountName

the debug tells me:

nslcd: [8b4567] DEBUG: myldap_search(base="dc=corp,dc=company,dc=net", filter="(&(objectClass=user)(sAMAccountName=user))")
...
passwd entry CN=My Name,OU=MyOU,DC=corp,DC=company,DC=net does not contain uidNumber value

but ldapsearch with (&(objectClass=user)(samaccountname=user)) gives me
complete results and the right samaccountname.

Also, a debug with -dd doesn't show me much that I can understand, so... what's
next?

Thanks,
Michele
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
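
The mismatch discussed in this thread, as an added example (not code from the thread or from nss-pam-ldapd): a small Python checker that applies the `map passwd` lines of an nslcd.conf to LDIF from ldapsearch and lists the POSIX attributes each entry still lacks. The LDIF entries are constructed, and treating gidNumber as required alongside uid and uidNumber is an assumption.

```python
import re

# uidNumber is the attribute named in the thread's warning; treating gidNumber
# as required as well is an assumption of this example.
REQUIRED = ("uid", "uidNumber", "gidNumber")
# Constructed sample: map/filter lines as in the thread, plus two made-up entries.
SAMPLE_CONF = "filter passwd (objectClass=user)\nmap passwd uid sAMAccountName\n"
SAMPLE_LDIF = """\
dn: CN=My Name,OU=MyOU,DC=corp,DC=company,DC=net
objectClass: user
sAMAccountName: user

dn: CN=Other Name,OU=MyOU,DC=corp,DC=company,DC=net
objectClass: user
sAMAccountName: o.name
uidNumber: 10001
gidNumber: 10000
"""

def parse_maps(conf, dbname="passwd"):
    """Return {logical attribute: directory attribute} from 'map' lines."""
    rows = (line.split() for line in conf.splitlines())
    return {f[2]: f[3] for f in rows if len(f) == 4 and f[:2] == ["map", dbname]}

def parse_ldif(ldif):
    """Parse simple (unfolded, non-base64) LDIF into [{attr_lower: [values]}]."""
    entries = []
    for block in re.split(r"\n\s*\n", ldif.strip()):
        entry = {}
        for line in block.splitlines():
            if not line.startswith("#") and ": " in line:
                name, value = line.split(": ", 1)
                entry.setdefault(name.lower(), []).append(value)
        if "dn" in entry:  # skips ldapsearch's trailing "search:/result:" block
            entries.append(entry)
    return entries

def check(conf, ldif):
    """Return {dn: [missing logical attributes]} after applying the maps."""
    maps, result = parse_maps(conf), {}
    for entry in parse_ldif(ldif):
        # AD attribute names are case-insensitive, so compare in lower case.
        missing = [a for a in REQUIRED if not entry.get(maps.get(a, a).lower())]
        if missing:
            result[entry["dn"][0]] = missing
    return result

if __name__ == "__main__":
    for dn, missing in check(SAMPLE_CONF, SAMPLE_LDIF).items():
        print(f"passwd entry {dn} lacks: {', '.join(missing)}")
```

Run against real `ldapsearch` output for `(objectClass=user)`, it lists the entries that have no uidNumber in the directory, which is the condition the nslcd warning in the thread reports.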