Re: [nssldap] ldapsearch works - nss_ldap does not - but only when tls/ssl isenabled
- From: Andreas Hasenack <ahasenack [at] terra.com.br>
- To: nssldap [at] padl.com
- Subject: Re: [nssldap] ldapsearch works - nss_ldap does not - but only when tls/ssl isenabled
- Date: Wed, 16 May 2007 13:05:06 -0300
On Wed, May 16, 2007 at 01:22:09PM +0100, James Hogarth wrote:
> ldapsearch query:
>
> ldapsearch -Hldaps://<domain controller> -x -W -b "<ldap base>" -s sub
> -D <bind dn> -LLL "(&(objectCategory=user)(uidnumber=*))" cn
> unixHomeDirectory member uidnumber gidnumber
>
> ldap.conf:
Be careful, there are many "ldap.conf" out there. nss_ldap uses
/etc/ldap.conf by default; Debian (Ubuntu) may do otherwise.
> TLS_CACERT /etc/ssl/certs/AD_CA_CERT.pem
This is not recognized by nss_ldap nor pam_ldap. It seems to be an option
for openldap's ldap.conf.
> tls_cacertfile /etc/ssl/certs/AD_CA_CERT.pem
> uri ldap://<domain controller>
try ldaps:// here
> ldap_version 3
> base <base>
> rootbinddn <bind dn>
> scope sub
> referrals no
> nss_base_passwd <base>?sub?&(objectCategory=user)(uidnumber=*)
> nss_base_shadow <base>?sub?&(objectCategory=user)(uidnumber=*)
> nss_base_group <base>?sub?&(objectCategory=group)(gidnumber=*)
> nss_map_objectclass posixAccount user
> nss_map_objectclass shadowAccount user
> nss_map_objectclass posixGroup group
> nss_map_attribute gecos cn
> nss_map_attribute homeDirectory unixHomeDirectory
> nss_map_attribute uniqueMember member
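The two points made in the reply (an OpenLDAP-only `TLS_CACERT` directive that nss_ldap silently ignores, and a plain `ldap://` uri next to a CA certificate that is therefore never used) can be caught with a small lint pass over the nss_ldap `ldap.conf`. The script below is an added example and is not part of the original thread or of nss_ldap; the sample configurations are constructed from the quoted file, and the set of TLS directives nss_ldap understands is an assumption typed from memory of its `ldap.conf` documentation, so extend it for your own build.

```python
"""Lint an nss_ldap-style /etc/ldap.conf for the two mistakes raised in the thread."""

# Constructed sample modelled on the configuration quoted in the thread
# (placeholders such as <domain controller> kept as in the post).
BROKEN_CONF = """\
TLS_CACERT /etc/ssl/certs/AD_CA_CERT.pem
tls_cacertfile /etc/ssl/certs/AD_CA_CERT.pem
uri ldap://<domain controller>
ldap_version 3
base <base>
scope sub
referrals no
"""

# The same file with the reply's advice applied: the OpenLDAP-style directive
# dropped and the uri switched to ldaps:// (tls_checkpeer added so the CA file
# is actually enforced).
FIXED_CONF = """\
tls_cacertfile /etc/ssl/certs/AD_CA_CERT.pem
tls_checkpeer yes
uri ldaps://<domain controller>
ldap_version 3
base <base>
scope sub
referrals no
"""

# TLS-related directives that nss_ldap/pam_ldap understand.
# Assumption: partial list from memory of nss_ldap's ldap.conf; extend as needed.
NSS_LDAP_TLS_KEYS = {
    "ssl", "tls_checkpeer", "tls_cacertfile", "tls_cacertdir",
    "tls_ciphers", "tls_cert", "tls_key", "tls_randfile",
}


def parse_conf(text):
    """Parse 'key value' lines into a list of (key, value).

    Keys are lowercased (assumption: nss_ldap matches keywords
    case-insensitively); blank lines and '#' comments are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        entries.append((key, value))
    return entries


def lint_nss_ldap_conf(text):
    """Return [(key, problem)] for the issues discussed in the reply."""
    entries = parse_conf(text)
    keys = {k for k, _ in entries}
    ssl_mode = next((v.lower() for k, v in entries if k == "ssl"), "")
    findings = []
    for key, value in entries:
        # 1. TLS_CACERT and friends belong to OpenLDAP's client ldap.conf.
        #    nss_ldap ignores unknown keys without any error, so ldapsearch
        #    (which reads the OpenLDAP file) works while nss_ldap does not.
        if key.startswith("tls_") and key not in NSS_LDAP_TLS_KEYS:
            findings.append((key, "not an nss_ldap directive (OpenLDAP ldap.conf "
                                  "syntax); nss_ldap ignores it"))
        # 2. A CA certificate is configured but the uri is plain ldap:// and no
        #    ssl/start_tls mode is requested, so the connection is never secured
        #    and the CA file is never consulted.
        if key == "uri":
            has_ca = "tls_cacertfile" in keys or "tls_cacertdir" in keys
            plain = value.lower().startswith("ldap://")
            if plain and has_ca and ssl_mode not in ("start_tls", "on", "yes"):
                findings.append((key, "plain ldap:// with a CA cert configured: use "
                                      "ldaps:// (as the reply suggests) or 'ssl start_tls'"))
    return findings


if __name__ == "__main__":
    for k, msg in lint_nss_ldap_conf(BROKEN_CONF):
        print(f"{k}: {msg}")
    print("fixed config findings:", lint_nss_ldap_conf(FIXED_CONF))
```

Run it against your real `/etc/ldap.conf` (or whatever path your distribution's nss_ldap actually reads) by replacing `BROKEN_CONF` with the file's contents; an empty findings list means neither of the two problems from the thread is present, not that the rest of the file is correct.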