
RE: Configuring UNIX clients to retrieve user info from LDAP



If I run this query, I get the following response.

ldapsearch -x -H ldap://hera2.research.phg.com.au/ -b dc=internal,dc=phg,dc=com,dc=au "(&(objectClass=user)(uid=nazeerm))"

# extended LDIF
#
# LDAPv3
# base <dc=internal,dc=phg,dc=com,dc=au> with scope subtree
# filter: (&(objectClass=user)(uid=nazeerm))
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
# numResponses: 1

------------------

Instead, if I modify the query to the following, I get the requested entry:

ldapsearch -x -H ldap://hera2.research.phg.com.au/ -b dc=internal,dc=phg,dc=com,dc=au "(uid=nazeerm)"

# extended LDIF
#
# LDAPv3
# base <dc=internal,dc=phg,dc=com,dc=au> with scope subtree
# filter: (uid=nazeerm)
# requesting: ALL
#

dn: cn=Nazeeruddin Mohammad,ou=Da Vinci Coders,ou=Portland
givenName: Nazeeruddin

gidNumber: 1000
UNIXHOMEDIRECTORY: /home/research/nazeerm
uidNumber: 10009
MSSFU30NISDOMAIN: internal
loginShell: /bin/bash
MSSFU30NAME: nazeerm

# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this ope
 ration a successful bind must be completed on the connection., data 0, vece

# numResponses: 2
# numEntries: 1


Regards

Nazeer


-----Original Message-----
From: Buchan Milne [mailto:bgmilne@staff.telkomsa.net]
Sent: Wednesday, 22 October 2008 5:43 PM
To: Nazeeruddin Mohammad
Cc: openldap-technical@openldap.org
Subject: Re: Configuring UNIX clients to retrieve user info from LDAP

On Wednesday 22 October 2008 03:26:13 Nazeeruddin Mohammad wrote:
> Thanks for the reply. Here are the missing details.
>
> >What OS / Distro ?
>
> I am using CentOS 5.1. The nsswitch.conf is properly configured. If I change
> the uri or host in /etc/ldap.conf to a standard LDAP server, it works fine. It
> fails only if I refer to an LDAP server which is a proxy to the AD server.
>
> >Add:
> >debug 1
>
> I did this and here is a sample output.  It's connecting to the server
> (hera2), but not getting any information. Strange!
>
>
> ldap_create
> ldap_url_parse_ext(ldap://hera2.research.phg.com.au/)
> ldap_create
> ldap_url_parse_ext(ldap://hera2.research.phg.com.au/)
> ldap_simple_bind
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP hera2.research.phg.com.au:389
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 192.168.100.237:389
> ldap_connect_timeout: fd: 3 tm: 15 async: 0
> ldap_ndelay_on: 3
> ldap_is_sock_ready: 3
> ldap_ndelay_off: 3
> ldap_open_defconn: successful
> ldap_send_server_request
> ber_scanf fmt ({it) ber:
> ber_scanf fmt ({i) ber:
> ber_flush: 14 bytes to sd 3
> ldap_result ld 0x4f3b510 msgid 1
> ldap_chkResponseList ld 0x4f3b510 msgid 1 all 0
> ldap_chkResponseList returns ld 0x4f3b510 NULL
> wait4msg ld 0x4f3b510 msgid 1 (timeout 15000000 usec)
> wait4msg continue ld 0x4f3b510 msgid 1 all 0
> ** ld 0x4f3b510 Connections:
> * host: hera2.research.phg.com.au  port: 389  (default)
>   refcnt: 2  status: Connected
>   last used: Wed Oct 22 09:46:44 2008
>
> ** ld 0x4f3b510 Outstanding Requests:
>  * msgid 1,  origid 1, status InProgress
>    outstanding referrals 0, parent count 0
> ** ld 0x4f3b510 Response Queue:
>    Empty
> ldap_chkResponseList ld 0x4f3b510 msgid 1 all 0
> ldap_chkResponseList returns ld 0x4f3b510 NULL
> ldap_int_select
> read1msg: ld 0x4f3b510 msgid 1 all 0
> ber_get_next
> ber_get_next: tag 0x30 len 12 contents:
> read1msg: ld 0x4f3b510 msgid 1 message type bind
> ber_scanf fmt ({eaa) ber:
> read1msg: ld 0x4f3b510 0 new referrals
> read1msg:  mark request completed, ld 0x4f3b510 msgid 1
> request done: ld 0x4f3b510 msgid 1
> res_errno: 0, res_error: <>, res_matched: <>
> ldap_free_request (origid 1, msgid 1)
> ldap_free_connection 0 1
> ldap_free_connection: refcnt 1
> ldap_parse_result
> ber_scanf fmt ({iaa) ber:
> ber_scanf fmt (}) ber:
> ldap_msgfree
> ldap_search
> put_filter: "(&(objectClass=user)(uid=nazeerm))"
> put_filter: AND
> put_filter_list "(objectClass=user)(uid=nazeerm)"
> put_filter: "(objectClass=user)"
> put_filter: simple
> put_simple_filter: "objectClass=user"
> put_filter: "(uid=nazeerm)"
> put_filter: simple
> put_simple_filter: "uid=nazeerm"
> ldap_send_initial_request
> ldap_send_server_request
> ber_scanf fmt ({it) ber:
> ber_scanf fmt ({) ber:
> ber_flush: 204 bytes to sd 3
> ldap_result ld 0x4f3b510 msgid 2
> ldap_chkResponseList ld 0x4f3b510 msgid 2 all 1
> ldap_chkResponseList returns ld 0x4f3b510 NULL
> wait4msg ld 0x4f3b510 msgid 2 (timeout 15000000 usec)
> wait4msg continue ld 0x4f3b510 msgid 2 all 1
> ** ld 0x4f3b510 Connections:
> * host: hera2.research.phg.com.au  port: 389  (default)
>   refcnt: 2  status: Connected
>   last used: Wed Oct 22 09:46:44 2008
>
> ** ld 0x4f3b510 Outstanding Requests:
>  * msgid 2,  origid 2, status InProgress
>    outstanding referrals 0, parent count 0
> ** ld 0x4f3b510 Response Queue:
>    Empty
> ldap_chkResponseList ld 0x4f3b510 msgid 2 all 1
> ldap_chkResponseList returns ld 0x4f3b510 NULL
> ldap_int_select
>

So, looking at the exact filter that is sent, what happens if you perform a
search as follows:

$ ldapsearch -x -H ldap://ldapserver.research.phg.com.au/ -b dc=internal,dc=phg,dc=com,dc=au "(&(objectClass=user)(uid=nazeerm))"


> -----Original Message-----
> From: Buchan Milne [mailto:bgmilne@staff.telkomsa.net]
> Sent: Tuesday, 21 October 2008 5:22 PM
> To: openldap-technical@openldap.org
> Cc: Nazeeruddin Mohammad
> Subject: Re: Configuring UNIX clients to retrieve user info from LDAP
>
> On Tuesday 21 October 2008 00:48:20 Nazeeruddin Mohammad wrote:
> > Hi All,
> >
> > Sorry for reposting the mail. This is a long-term problem for me. I am
> > unable to retrieve user information from the LDAP server, which is a proxy to
> > AD. The normal LDAP search (see the command below) gets me the data, but
> > "getent passwd" only gets me local users from the passwd file.
> >
> > ldapsearch -x -h ldapserver -LLL -b dc=internal,dc=phg,dc=com,dc=au
> >  '(uid=nazeerm)'
> >
> >
> > Is there any problem with my configuration? Thank you very much.
> >
> >
> > Here is my client configuration.
> >
> >
> >
> > --------------------------------------
> >
> > uri ldap://ldapserver.research.phg.com.au/
> > base dc=internal,dc=phg,dc=com,dc=au
> > scope sub
> > bind_timelimit 15
> > timelimit 15
> > ssl no
> > referrals no
> > nss_base_passwd dc=internal,dc=phg,dc=com,dc=au?sub
> > nss_base_shadow dc=internal,dc=phg,dc=com,dc=au?sub
> > nss_base_group dc=internal,dc=phg,dc=com,dc=au?sub?&(objectCategory=group)(gidnumber=*)
> >
> > nss_map_objectclass posixAccount user
> > nss_map_objectclass shadowAccount user
> > nss_map_objectclass posixGroup group
> >
> > nss_map_attribute gecos cn
> > nss_map_attribute homeDirectory unixHomeDirectory
> > nss_map_attribute uniqueMember member
> > nss_initgroups_ignoreusers root,ldap
> >
> > pam_filter objectClass=posixAccount
> > pam_login_attribute uid
> > pam_lookup_policy no
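
Editor's note: the pieces of this thread fit together on the wire. The debug trace shows "ber_flush: 14 bytes to sd 3" for the bind, and 14 bytes is exactly the size of an LDAPv3 simple bind with an empty name and empty password, i.e. an anonymous bind, which is what nss_ldap sends when /etc/ldap.conf has no binddn/bindpw. The "tag 0x30 len 12" reply is the matching success BindResponse. The search that follows uses the filter nss_ldap derives from the nss_map_objectclass lines, (&(objectClass=user)(uid=nazeerm)), and the AD side answers it with "a successful bind must be completed on the connection". The script below is an added example, not code from the thread or from OpenLDAP: it derives that filter from the posted mappings (with RFC 4515 escaping of the login name), encodes and decodes the bind frames with a minimal BER helper to show that the 14-byte frame is anonymous, and triages an ldapsearch transcript for the bind-required error. The ldap.conf excerpt is trimmed from the one posted above; the BindResponse bytes are constructed here, and the search transcript is copied from the first ldapsearch in the thread.

```python
import re

# Constructed from the ldap.conf posted in the thread (not the complete file).
LDAP_CONF = """\
base dc=internal,dc=phg,dc=com,dc=au
nss_map_objectclass posixAccount user
nss_map_attribute homeDirectory unixHomeDirectory
"""

def nss_maps(conf_text):
    """Objectclass and attribute maps from the nss_map_* lines of ldap.conf text."""
    oc_map, at_map = {}, {}
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "nss_map_objectclass":
            oc_map[parts[1]] = parts[2]
        elif len(parts) == 3 and parts[0] == "nss_map_attribute":
            at_map[parts[1]] = parts[2]
    return oc_map, at_map

def ldap_escape(value):
    """RFC 4515 escaping so a login name cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def passwd_filter(conf_text, login):
    """Filter a getpwnam(login) lookup sends: mapped posixAccount class ANDed
    with the mapped uid attribute ('uid' when there is no mapping)."""
    oc_map, at_map = nss_maps(conf_text)
    oc, attr = oc_map.get("posixAccount", "posixAccount"), at_map.get("uid", "uid")
    return "(&(objectClass=%s)(%s=%s))" % (oc, attr, ldap_escape(login))

def tlv(tag, payload):
    """BER tag-length-value with definite length (short or long form)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + payload

def read_tlv(buf, pos=0):
    """Return (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def simple_bind_request(msgid, dn=b"", password=b""):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] } }."""
    assert 0 <= msgid < 0x80, "single-byte message IDs only in this example"
    bind = tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, dn) + tlv(0x80, password))
    return tlv(0x30, tlv(0x02, bytes([msgid])) + bind)

def describe_bind_request(frame):
    """Return (msgid, version, dn, auth tag, credential) from a bind frame."""
    tag, msg, end = read_tlv(frame)
    assert tag == 0x30 and end == len(frame), "not a single LDAPMessage"
    _, msgid, p = read_tlv(msg)
    op_tag, op, _ = read_tlv(msg, p)
    assert op_tag == 0x60, "not a BindRequest"
    _, version, p = read_tlv(op)
    _, dn, p = read_tlv(op, p)
    auth_tag, cred, _ = read_tlv(op, p)
    return msgid[0], version[0], dn.decode(), auth_tag, cred

def is_anonymous_bind(frame):
    """True for a simple bind with empty name and empty password."""
    _, _, dn, auth_tag, cred = describe_bind_request(frame)
    return auth_tag == 0x80 and dn == "" and cred == b""

def bind_response_code(frame):
    """resultCode of a BindResponse (0 = success)."""
    _, msg, _ = read_tlv(frame)
    _, _, p = read_tlv(msg)
    op_tag, op, _ = read_tlv(msg, p)
    assert op_tag == 0x61, "not a BindResponse"
    return read_tlv(op)[1][0]

# Constructed success reply: SEQUENCE(len 12){ msgid 1, BindResponse{ 0, "", "" } },
# the shape of the "tag 0x30 len 12" message in the debug trace.
SAMPLE_BIND_RESPONSE = bytes.fromhex("300c02010161070a010004000400")

# Copied from the first ldapsearch transcript in the thread.
SAMPLE_SEARCH_OUTPUT = """\
# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
# numResponses: 1
"""

def classify_ldapsearch(output):
    """Return (resultCode, entries returned, server said a bind is required)."""
    m = re.search(r"^result: (\d+)", output, re.M)
    n = re.search(r"^# numEntries: (\d+)", output, re.M)
    needs_bind = bool(re.search(r"successful bind must be completed", output))
    return (int(m.group(1)) if m else None), (int(n.group(1)) if n else 0), needs_bind
```

To reproduce the nss_ldap request by hand with credentials, give ldapsearch a bind identity (`ldapsearch -x -D <binddn> -W ...`) and keep the exact `(&(objectClass=user)(uid=nazeerm))` filter; for the NSS path itself nss_ldap reads `binddn`/`bindpw` from /etc/ldap.conf, or `rootbinddn` with the password in /etc/ldap.secret, which is the better choice because /etc/ldap.conf is normally world-readable and a `bindpw` placed there is exposed to every local user.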


