
RE: proxy to AD does not work during login client machine



Hi Dan,
Appreciate it very much for your help!
I'm using RHEL 6.6 (both the LDAP server and the client machine), and what I want to achieve is logging in to RHEL with AD users (on the RHEL login UI).
Does this mean that my LDAP proxy configuration works well? Because I can run the command:
>>$ldapsearch -x -h localhost -LLL -b dc=mydomain,dc=local -D 
>>cn=open,cn=users,dc=mydomain,dc=local -W "(cn=open1)" cn sAMAccountName which returns sAMAccountName: open successfully.

So now I should focus on troubleshooting the RHEL client-side configuration, right?
Could anybody share the config files from a working setup with me?
I have searched on Google many times this week and also read the chapter on proxies in the book "Mastering OpenLDAP", but still haven't resolved my problem.

Thanks,
Leo


-----Original Message-----
From: Dan White [mailto:dwhite@cafedemocracy.org] 
Sent: Tuesday, June 16, 2015 9:33 PM
To: Leo Xiao
Cc: Dan White; openldap-technical@openldap.org
Subject: Re: proxy to AD does not work during login client machine

>From: Dan White <dwhite@cafedemocracy.org>
>>On 06/11/15 23:38 +0000, Leo Xiao wrote:
>>Hi technical,
>>
>>I hit a problem while configuring a proxy to AD.
>>I can run the command:
>>$ldapsearch -x -h localhost -LLL -b dc=mydomain,dc=local -D 
>>cn=open,cn=users,dc=mydomain,dc=local -W "(cn=open1)" cn sAMAccountName which returns sAMAccountName: open successfully. --- This may mean the proxy works well.
>>But if I run the command without -D cn=open,cn=users,dc=mydomain,dc=local, the search fails.
>
>So you are attempting to authenticate anonymously? Or with SASL?

On 06/15/15 22:58 +0000, Leo Xiao wrote:
>Hi Dan,
>
>Thanks a lot for the comments. I want to authenticate anonymously, not with SASL.
>
>Is there any PAM configuration needed for this scenario? Could you 
>share some links/docs with me? Thanks so much.
>
>When I log in with an OpenLDAP user, just running authconfig-gtk (which modifies
>/etc/openldap/ldap.conf) and setting the LDAP server/base DN lets me 
>log in successfully.

The configuration to do anonymous binds is highly dependent on the LDAP PAM module you are using. See slapo-nssov(5) if you are using the one distributed by the OpenLDAP project. Otherwise, configuration of your LDAP PAM module is outside the scope of this project. However, assuming your PAM LDAP module uses (links against) libldap, consult the ldap.conf(5) manpage as well.

--
Dan White