lists.arthurdejong.org
Re: [nssldap] wireshark shows successful ldap searches, but no nss or pam stuff works

I'm not sure your bases are quite right:
nss_base_passwd ou=People,
nss_base_shadow ou=People,
nss_base_group ou=Groups,

Maybe try:
nss_base_passwd ou=People,dc=soliantconsulting,dc=com
nss_base_shadow ou=People,dc=soliantconsulting,dc=com
nss_base_group ou=Groups,dc=soliantconsulting,dc=com

Also, you'll want rfc2307bis enabled so the group memberships work:
nss_schema rfc2307bis
Lastly, you'll want to enable paging when using AD.
Hope that helps,
Cove
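A small checker for the points raised in the reply above, written here as an added example (not code from the list or from nss_ldap): it parses nss_base_* lines from a libnss-ldap.conf fragment and flags bases that are not full DNs under the configured base, a missing nss_schema rfc2307bis, and missing paging. The two sample configs are constructed, and the paging directive names nss_paged_results/pagesize are an assumption, since the reply does not name them.

```python
import re

# Constructed sample: the three truncated bases quoted in the reply,
# plus a 'base' line so the lint knows which suffix to expect.
BROKEN_CONF = """\
base dc=soliantconsulting,dc=com
nss_base_passwd ou=People,
nss_base_shadow ou=People,
nss_base_group  ou=Groups,
"""

# Constructed sample following the reply's suggestions. The paging
# directive names are an assumption about ldap.conf, not quoted from the post.
FIXED_CONF = """\
base dc=soliantconsulting,dc=com
nss_base_passwd ou=People,dc=soliantconsulting,dc=com?one
nss_base_shadow ou=People,dc=soliantconsulting,dc=com?one
nss_base_group  ou=Groups,dc=soliantconsulting,dc=com?one
nss_schema rfc2307bis
nss_paged_results yes
pagesize 1000
"""

def parse_conf(text):
    """Map each directive (lowercased) to the list of values given for it."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        value = parts[1] if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf

def lint_nss_bases(text):
    """Return a list of findings; an empty list means the config passes."""
    conf = parse_conf(text)
    suffix = conf.get("base", [""])[0].strip().lower()
    findings = []
    for key, values in conf.items():
        if not key.startswith("nss_base_"):
            continue
        for value in values:
            dn = value.split("?", 1)[0].strip().lower()  # drop ?scope?filter
            if dn.endswith(",") or not dn.endswith(suffix):
                findings.append(f"{key}: '{value}' is not a full DN under '{suffix}'")
    if conf.get("nss_schema", [""])[0].strip().lower() != "rfc2307bis":
        findings.append("nss_schema rfc2307bis not set (group membership with AD)")
    if "nss_paged_results" not in conf:
        findings.append("nss_paged_results not set (reply recommends paging for AD)")
    return findings
```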

From: philoertel <phillipao@gmail.com>
To: nssldap@padl.com
Sent: Thursday, July 16, 2009 10:49:59 AM
Subject: [nssldap] wireshark shows successful ldap searches, but no nss or pam stuff works


I'm at wit's end. I'm trying to set up pam on my Debian 4.1.2 box to
authenticate people against our AD server. But I've broken everything. I can
ssh and su as root. ssh as my regular user (who's both in ldap and
/etc/passwd) just hangs. ssh or su as any user in ldap but not in
/etc/passwd errors: "unknown id: test". getent passwd shows only users in
/etc/passwd. id root works, id poertel (me) hangs, and id <ldap-user> fails
with id: <ldap-user>: No such user. libnss-ldap is installed, and strace
shows su is checking nss, or at least it's opening the config files.

According to wireshark, there's a lot of successful-looking ldap activity
for each of these things. For both su poertel and id poertel there's a
search for people with sAMAccountName=poertel, and there's one response. For
getent passwd, there's a search for all people with objectclass=user, and
all the results I would expect are returned. Even my su <ldap-user> and id
<ldap-user> generate ldap queries for that user, and the AD server sends the
right result. Strangely though, for my ssh poertel, there's some extra ldap
querying: search CN=Configuration (sAMAccountName=poertel), search
DC=ForestDnsZones (same condition), DC=DomainDnsZones (same condition). None
of those three queries come back with any results. My ssh <ldap-user>
doesn't generate those extra queries.

Here are my configuration files for ldap and nss:
http://www.nabble.com/file/p24518891/ldap.conf ldap.conf
http://www.nabble.com/file/p24518891/libnss-ldap.conf libnss-ldap.conf

nsswitch has passwd, shadow, and group set to "files ldap"

This has been so confusing and difficult. Thanks for any advice.