Re: Cant set up authentication through AD

[Oleg Makarov <oamakarov [at] platbox.com>]

I tried ldapsearch and it's good.
ldapsearch -d8 -H ldap://192.168.93.95/ -W -x -LLL -o ldif-wrap=no -D 'share [at] test.local' -b 'cn=users,dc=test,dc=local' '(sAMAccountName=testing)'
Enter LDAP Password:
dn: CN=testing,CN=Users,DC=test,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: testing
sn: testing
givenName: testing
distinguishedName: CN=testing,CN=Users,DC=test,DC=local
instanceType: 4
whenCreated: 20141008032715.0Z
whenChanged: 20141014062146.0Z
displayName: testing
uSNCreated: 13228
uSNChanged: 16509
name: testing
objectGUID:: PXk6KMmHMUqJtRpzmBpzrA==
userAccountControl: 66048
badPwdCount: 3
codePage: 0
countryCode: 0
badPasswordTime: 130577560524690471
lastLogoff: 0
lastLogon: 130576477027030627
pwdLastSet: 130577413061676263
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA+E0BMRbz9hXKyocmUAQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: testing
sAMAccountType: 805306368
userPrincipalName: testing [at] test.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=test,DC=local
dSCorePropagationData: 20141013041248.0Z
dSCorePropagationData: 20141008033722.0Z
dSCorePropagationData: 16010101000416.0Z
lastLogonTimestamp: 130576462809815230

But still can't access by testing account and I'm getting 'invalid credentials' :(
My conf again:
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://192.168.93.95

# The search base that will be used for all queries.
base CN=Users,DC=test,DC=local

# The LDAP protocol version to use.
ldap_version 3

# The DN to bind with for normal lookups.
binddn CN=share,CN=Users,DC=test,DC=local
bindpw Zxcvb123

# The DN used for password modifications by root.
# Leave this blank unless you want to allow password changes from your debian systems
# If so, you will need to place the password in /etc/ldap.secret - be sure it is only readable by root
#rootpwmoddn cn=admin,dc=example,dc=com

# The search scope.
scope sub

# Mappings for Active Directory
# This is the important bit; these fields match up with the fields added by Directory Services for UNIX
pagesize 1000
referrals off
filter passwd (objectClass=user)
map    passwd uid              sAMAccountName
map    passwd homeDirectory    unixHomeDirectory
map    passwd gecos            displayName
# If you wish to override the shell given by LDAP, uncomment the next line
#map    passwd loginShell       "/bin/bash"
filter shadow (objectClass=user)
map    shadow uid              sAMAccountName
#map    shadow shadowLastChange pwdLastSet
#filter group  (&(objectClass=group)(gidNumber=*))
#map    group  gid              member

# SSL options
#ssl off
#tls_reqcert never

Maybe I need change something in /etc/ldap.conf?
Here it is:
host 192.168.93.95
base dc=test,dc=local
uri ldap://192.168.93.95

ldap_version 3

binddn share [at] test.local
bindpw Zxcvb123

port 389

timelimit 120
bind_timelimit 120
idle_timelimit 3600

# RFC 2307 (AD) mappings
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad

ssl no
referrals no

14.10.2014 15:27, Berend De Schouwer пишет:

On Tue, 14 Oct, 2014 at 12:35 , Oleg Makarov oamakarov [at] platbox.com wrote:

But in my conf I want to bind by share [at] test.local, why is it trying to bind as 'testing'?

Lookup vs. login.  Logins will use the actual user.  Normally you want the password to be confirmed server-side so you can enforce policies, and prevents impersonations.

there is not ntp server between servers but the time is closely correct.

I don't know if that matters.  It's a good idea for eg. SSO, but you might not need it.

this line is confusing me:
nslcd: [8b4567] <host=x> DEBUG: ldap_simple_bind_s("CN=share,CN=Users,DC=test,DC=local","***") (uri="ldap://192.168.93.95")
nslcd: [8b4567] <host=x> DEBUG: ldap_result(): end of results (0 total)
is that mean that it didn't see a 'share' account ?

No, it means it bound, and searched for nothing.  It tests bind.

But ldapsearch works fine with 'share' and 'testing' acc!
ldapsearch -d8 -H ldap://192.168.93.95/ -W -LLL -o ldif-wrap=no -D 'CN=testing,CN=Users,DC=test,DC=local' -b 'cn=users,dc=test,dc=local' '(sAMAccountName=testing)'
Enter LDAP Password:
dn: CN=testing,CN=Users,DC=test,DC=local

You aren't using '-x' with ldapsearch, which means SASL is in use.  Have you setup nslcd for SASL?  You can look for ldapsearch's settings in /etc/openldap/ldap.conf.

Can you try ldapsearch with -x (no SASL)?

--
BW | Oleg Makarov | Engineer Online payments | oamakarov [at] platbox.com | +7. 495.775-7375 ext 208 | +7.925.2093259 cell | www.platbox.com

-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/