Re: [nssldap] some questions regarding Active Directory <--> NSS Ldap

Yes, I can specify the base as DC=mydomain, but from a technical point of view a user can be at CN=subdivision1,CN=sites,DC=mydomain and I cannot predict it definitely. So, I have to bind first using the proxy user and determine (i.e. search for) (&(objectClass=user)(sAMAccountname=xxx)), but that's not enough, because when the proxy user finds the DN it cannot read the password-related field from AD (in order to perform the PAM "auth" operation). So there must be a second operation, i.e. bind with cn=xxx,CN=subdivision1,CN=sites,DC=mydomain and the PAM-supplied password. The question is: can pam_ldap perform such an operation or not?

On 23 February 2010 at 22:27, Jeffrey Watts <jeffrey.w.watts [at] gmail.com> wrote:
Ah, I understand. I don't see a way around your problem then. If admins can simply add OUs willy-nilly, then you will always have problems (unless you specify the root of the domain as your search base). We have that problem to a limited extent (executives are in their own container for some silly reason), but the list of exceptions is very small here.

Jeffrey.

2010/2/23 Илья Шипицин <chipitsine [at] gmail.com>

In a multi-site AD there are many OUs with users, and when the proxy user reads
AD it cannot read the userPassword attribute (which is possible in the case
of OpenLDAP).
There is no readable password field in the case of Active Directory, so the proxy
user can only "find" where a certain user actually "lives", but after
that there must be a second operation: bind with the supplied credentials
(yes! we already found the full DN!). Also, despite the numerous
nss_base_* variables... administrators just add OUs as they want to; I
cannot predict that. So, I cannot specify all the OUs.
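The two-step search-then-bind flow discussed in this thread, as an added illustration that is not code from pam_ldap or nss-pam-ldapd: a constructed in-memory directory stands in for the AD server, and the DNs, account names and passwords are made up. The proxy bind can only locate the entry wherever it lives under the domain root; the password is verified by the second bind, and an empty password is refused before it reaches the server, because a DN with an empty password is an unauthenticated bind that many servers report as success.

```python
from dataclasses import dataclass


@dataclass
class FakeDirectory:
    """Constructed stand-in for an AD server: dn -> (password, attributes).
    There is no readable password attribute, so bind() is the only way to
    verify a password; search() can only locate the entry."""
    entries: dict

    def bind(self, dn, password):
        if password == "":
            # RFC 4513 5.1.2: a DN with an empty password is an *unauthenticated*
            # bind, which many servers (AD by default) report as success.
            return True
        entry = self.entries.get(dn)
        return entry is not None and entry[0] == password

    def search(self, base, sam_account_name):
        """Subtree search for (&(objectClass=user)(sAMAccountName=<name>))."""
        suffix = "," + base.lower()
        return [dn for dn, (_, attrs) in self.entries.items()
                if dn.lower().endswith(suffix)
                and attrs.get("objectClass") == "user"
                and attrs.get("sAMAccountName", "").lower() == sam_account_name.lower()]


def authenticate(directory, base, proxy_dn, proxy_pw, username, password):
    """Search-then-bind: (1) bind as the proxy user and search the domain root
    for the account, (2) bind again as the DN found, with the user's password.
    Returns (ok, detail); detail is the user DN on success, else the failing step."""
    if password == "":
        return False, "empty password refused"     # would pass as unauthenticated bind
    if not directory.bind(proxy_dn, proxy_pw):
        return False, "proxy bind failed"
    matches = directory.search(base, username)
    if len(matches) != 1:                          # unknown, or ambiguous across OUs
        return False, "no unique entry for sAMAccountName"
    if not directory.bind(matches[0], password):
        return False, "user bind failed"
    return True, matches[0]


# Constructed tree: users sit in containers/OUs the admins never announced.
PROXY_DN, PROXY_PW = "CN=proxy,CN=Users,DC=mydomain", "proxy-secret"
DIRECTORY = FakeDirectory({
    PROXY_DN: (PROXY_PW, {"objectClass": "user", "sAMAccountName": "proxy"}),
    "CN=alice,CN=subdivision1,CN=sites,DC=mydomain":
        ("alice-pw", {"objectClass": "user", "sAMAccountName": "alice"}),
    "CN=bob,OU=newsite,DC=mydomain":
        ("bob-pw", {"objectClass": "user", "sAMAccountName": "bob"}),
})
```

Searching from a narrower base such as CN=sites,DC=mydomain finds alice but not bob, which is exactly the problem with enumerating OUs by hand; against a real server the two bind() and search() calls map onto the same operations of any LDAP client library.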