
Re: [nssldap] some questions regarding Active Directory <--> NSS Ldap


Yeah, I'm not sure how to help you at this point, since I haven't worked with pam_ldap much.  I will say that using pam_krb5 is much simpler than that, and that you ought to seriously take a look at it.

The /etc/krb5.conf file is very easy to set up, and once it's set up Kerberos auth tends to just "work".  To be honest only 5% of my effort was in getting Kerberos working, another 20% was in getting nss_ldap set up to map attributes correctly, and the other 75% was securing the connection and other issues (like trying to make that POS nscd work).

Jeffrey.

2010/2/23 Илья Шипицин <chipitsine [at] gmail.com>
Yes, I can specify the base as DC=mydomain, but from a technical point of view a user can be at CN=subdivision1,CN=sites,DC=mydomain and I cannot predict it definitely. So, I have to bind first using the proxy user and determine (i.e. search) for (&(objectClass=user)(sAMAccountname=xxx)), but that's not enough, because when the proxy user finds the DN it cannot read the password-related field from AD (in order to perform the pam "auth" operation). So, there must be a second operation, i.e. bind with cn=xxx,CN=subdivision1,CN=sites,DC=mydomain and the pam-supplied password. The question is: can pam_ldap perform such an operation or not?

On 23 February 2010 at 22:27, Jeffrey Watts <jeffrey.w.watts [at] gmail.com> wrote:

Ah, I understand.  I don't see a way around your problem then.  If admins can simply add OUs willy-nilly, then you will always have problems (unless you specify the root of the domain as your search base).  We have that problem to a limited extent (executives are in their own container for some silly reason), but the list of exceptions is very small here.

Jeffrey.

2010/2/23 Илья Шипицин <chipitsine [at] gmail.com>

In a multi-site AD there are many OUs with users, and when the proxy user reads
AD it cannot read the userPassword attribute (which is possible in the case
of OpenLDAP).
There is no readable password field in the case of Active Directory, so the proxy
user can only "find" where a certain user actually "lives", but after
that there must be a second operation: bind with the supplied credentials
(yes! we already found the full DN!). Also, despite the numerous
nss_base_* variables... administrators just add OUs as they want to, and I
cannot predict that. So, I cannot specify all the OUs.

--

"He that would make his own liberty secure must guard even his enemy from oppression; for if he violates this duty he establishes a precedent that will reach to himself." -- Thomas Paine
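As an added illustration (not from the thread or from the pam_ldap project), the search-then-bind flow Ilya asks about expressed as a PADL pam_ldap /etc/ldap.conf; the `base DC=mydomain` and the `(&(objectClass=user)(sAMAccountName=...))` filter are taken from the thread, while the server name, proxy account DN and certificate path are assumed placeholders:

```ini
# Added example (not from the thread): a PADL pam_ldap /etc/ldap.conf
# for the two-step flow: proxy bind + search to locate the DN, then a
# second bind as that DN with the password PAM supplied.
# Server, proxy account and CA path below are assumed placeholders.
uri ldaps://dc1.mydomain.example/
base DC=mydomain
# Subtree scope from the domain root, so a user in any OU or container
# (e.g. CN=subdivision1,CN=sites,DC=mydomain) is still found.
scope sub

# Proxy account used only for the initial search. It cannot read AD
# password attributes anyway, so it needs nothing beyond read access.
binddn CN=ldap-proxy,OU=ServiceAccounts,DC=mydomain
bindpw PLACEHOLDER-PROXY-PASSWORD
# Keep this file mode 0600 (or use rootbinddn + /etc/ldap.secret) so the
# proxy password is not world-readable.

# Step 1: pam_ldap searches (&(pam_filter)(pam_login_attribute=<login>)),
# i.e. (&(objectClass=user)(sAMAccountName=<login>)), under base/scope
# to obtain the user's full DN.
pam_login_attribute sAMAccountName
pam_filter objectClass=user

# Step 2: pam_ldap then binds as the DN it found, with the user's
# password. A rejected bind (wrong password, disabled or locked account)
# is the authentication failure; no password attribute is ever read.

# The second bind carries the user's cleartext password, so require a
# verified TLS connection rather than plain ldap://.
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ad-ca.pem

# NSS lookups can use the same subtree scope, which avoids having to
# enumerate every OU in nss_base_passwd.
nss_base_passwd DC=mydomain?sub
nss_base_group DC=mydomain?sub
```

The user's own DN never has to be predicted in advance; it is whatever the search returns, which is what makes the second bind possible even when administrators create new OUs.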