
Re: Configuring UNIX clients to retrieve user info from LDAP



On Wednesday 22 October 2008 03:26:13 Nazeeruddin Mohammad wrote:
> Thanks for the reply. Here are the missing details.
>
> >What OS / Distro ?
>
> I am using CentOS 5.1. The nsswitch.conf is properly configured. If I change
> the uri or host in /etc/ldap.conf to a standard ldap, it works fine. Only
> if I refer to an ldap server which is a proxy to an AD server does it fail.
>
> >Add:
> >debug 1
>
> I did this and here is a sample output.  It's connecting to the server
> (hera2), but not getting any information. Strange!
>
>
> ldap_create
> ldap_url_parse_ext(ldap://hera2.research.phg.com.au/)
> ldap_create
> ldap_url_parse_ext(ldap://hera2.research.phg.com.au/)
> ldap_simple_bind
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP hera2.research.phg.com.au:389
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 192.168.100.237:389
> ldap_connect_timeout: fd: 3 tm: 15 async: 0
> ldap_ndelay_on: 3
> ldap_is_sock_ready: 3
> ldap_ndelay_off: 3
> ldap_open_defconn: successful
> ldap_send_server_request
> ber_scanf fmt ({it) ber:
> ber_scanf fmt ({i) ber:
> ber_flush: 14 bytes to sd 3
> ldap_result ld 0x4f3b510 msgid 1
> ldap_chkResponseList ld 0x4f3b510 msgid 1 all 0
> ldap_chkResponseList returns ld 0x4f3b510 NULL
> wait4msg ld 0x4f3b510 msgid 1 (timeout 15000000 usec)
> wait4msg continue ld 0x4f3b510 msgid 1 all 0
> ** ld 0x4f3b510 Connections:
> * host: hera2.research.phg.com.au  port: 389  (default)
>   refcnt: 2  status: Connected
>   last used: Wed Oct 22 09:46:44 2008
>
> ** ld 0x4f3b510 Outstanding Requests:
>  * msgid 1,  origid 1, status InProgress
>    outstanding referrals 0, parent count 0
> ** ld 0x4f3b510 Response Queue:
>    Empty
> ldap_chkResponseList ld 0x4f3b510 msgid 1 all 0
> ldap_chkResponseList returns ld 0x4f3b510 NULL
> ldap_int_select
> read1msg: ld 0x4f3b510 msgid 1 all 0
> ber_get_next
> ber_get_next: tag 0x30 len 12 contents:
> read1msg: ld 0x4f3b510 msgid 1 message type bind
> ber_scanf fmt ({eaa) ber:
> read1msg: ld 0x4f3b510 0 new referrals
> read1msg:  mark request completed, ld 0x4f3b510 msgid 1
> request done: ld 0x4f3b510 msgid 1
> res_errno: 0, res_error: <>, res_matched: <>
> ldap_free_request (origid 1, msgid 1)
> ldap_free_connection 0 1
> ldap_free_connection: refcnt 1
> ldap_parse_result
> ber_scanf fmt ({iaa) ber:
> ber_scanf fmt (}) ber:
> ldap_msgfree
> ldap_search
> put_filter: "(&(objectClass=user)(uid=nazeerm))"
> put_filter: AND
> put_filter_list "(objectClass=user)(uid=nazeerm)"
> put_filter: "(objectClass=user)"
> put_filter: simple
> put_simple_filter: "objectClass=user"
> put_filter: "(uid=nazeerm)"
> put_filter: simple
> put_simple_filter: "uid=nazeerm"
> ldap_send_initial_request
> ldap_send_server_request
> ber_scanf fmt ({it) ber:
> ber_scanf fmt ({) ber:
> ber_flush: 204 bytes to sd 3
> ldap_result ld 0x4f3b510 msgid 2
> ldap_chkResponseList ld 0x4f3b510 msgid 2 all 1
> ldap_chkResponseList returns ld 0x4f3b510 NULL
> wait4msg ld 0x4f3b510 msgid 2 (timeout 15000000 usec)
> wait4msg continue ld 0x4f3b510 msgid 2 all 1
> ** ld 0x4f3b510 Connections:
> * host: hera2.research.phg.com.au  port: 389  (default)
>   refcnt: 2  status: Connected
>   last used: Wed Oct 22 09:46:44 2008
>
> ** ld 0x4f3b510 Outstanding Requests:
>  * msgid 2,  origid 2, status InProgress
>    outstanding referrals 0, parent count 0
> ** ld 0x4f3b510 Response Queue:
>    Empty
> ldap_chkResponseList ld 0x4f3b510 msgid 2 all 1
> ldap_chkResponseList returns ld 0x4f3b510 NULL
> ldap_int_select
>

So, looking at the exact filter that is sent, what happens if you perform a 
search as follows:

$ ldapsearch -x -H ldap://ldapserver.research.phg.com.au/ \
    -b dc=internal,dc=phg,dc=com,dc=au "(&(objectClass=user)(uid=nazeerm))"


> -----Original Message-----
> From: Buchan Milne [mailto:bgmilne@staff.telkomsa.net]
> Sent: Tuesday, 21 October 2008 5:22 PM
> To: openldap-technical@openldap.org
> Cc: Nazeeruddin Mohammad
> Subject: Re: Configuring UNIX clients to retrieve user info from LDAP
>
> On Tuesday 21 October 2008 00:48:20 Nazeeruddin Mohammad wrote:
> > Hi All,
> >
> > Sorry for reposting the mail. This is a long term problem for me. I am
> > unable to retrieve user information from LDAP server, which is a proxy to
> > AD. The normal LDAP search (see the command below) gets me the data, but
> > the "getent passwd" only gets me local users from passwd file.
> >
> > ldapsearch -x -h ldapserver -LLL -b dc=internal,dc=phg,dc=com,dc=au
> >  '(uid=nazeerm)'
> >
> >
> > Is there any problem with my configuration? Thank you very much.
> >
> >
> > Here is my client configuration.
> >
> >
> >
> > --------------------------------------
> >
> > uri ldap://ldapserver.research.phg.com.au/
> > base dc=internal,dc=phg,dc=com,dc=au
> > scope sub
> > bind_timelimit 15
> > timelimit 15
> > ssl no
> > referrals no
> > nss_base_passwd dc=internal,dc=phg,dc=com,dc=au?sub
> > nss_base_shadow dc=internal,dc=phg,dc=com,dc=au?sub
> > nss_base_group dc=internal,dc=phg,dc=com,dc=au?sub?&(objectCategory=group)(gidnumber=*)
> >
> > nss_map_objectclass posixAccount user
> > nss_map_objectclass shadowAccount user
> > nss_map_objectclass posixGroup group
> >
> > nss_map_attribute gecos cn
> > nss_map_attribute homeDirectory unixHomeDirectory
> > nss_map_attribute uniqueMember member
> > nss_initgroups_ignoreusers root,ldap
> >
> > pam_filter objectClass=posixAccount
> > pam_login_attribute uid
> > pam_lookup_policy no
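
The check Buchan suggests, reconstructing the exact search nss_ldap sends from the quoted /etc/ldap.conf instead of guessing at it, as an added example (Python; not code from the thread or from nss_ldap). The RFC 2307 filter templates are nss_ldap's defaults; the way an nss_base_* filter is combined with the template, as (&(<nss_base filter>)<template>), and the abbreviated attribute lists are assumptions. The passwd result can be checked against the filter in the debug trace, (&(objectClass=user)(uid=nazeerm)).

```python
"""Reconstruct the LDAP query nss_ldap sends for a getent lookup.

Added example, not code from the thread or from nss_ldap. The RFC 2307
filter templates are nss_ldap's defaults; the composition with an
nss_base_* filter, "(&(<nss_base filter>)<template>)", is an assumption.
"""
import shlex

# Constructed copy of the /etc/ldap.conf quoted in the thread (ssl, referral
# and pam_* settings dropped because they do not affect the NSS search).
LDAP_CONF = """\
uri ldap://ldapserver.research.phg.com.au/
base dc=internal,dc=phg,dc=com,dc=au
scope sub
nss_base_passwd dc=internal,dc=phg,dc=com,dc=au?sub
nss_base_shadow dc=internal,dc=phg,dc=com,dc=au?sub
nss_base_group dc=internal,dc=phg,dc=com,dc=au?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
"""

# RFC 2307 objectclass and name attribute per NSS map, plus a representative
# subset of the attributes requested (before nss_map_attribute renaming).
TEMPLATES = {
    "passwd": ("posixAccount", "uid",
               ["uid", "uidNumber", "gidNumber", "gecos", "homeDirectory", "loginShell"]),
    "shadow": ("shadowAccount", "uid", ["uid", "userPassword", "shadowLastChange"]),
    "group": ("posixGroup", "cn", ["cn", "gidNumber", "memberUid", "uniqueMember"]),
}


def parse_conf(text):
    """Return the subset of ldap.conf settings the NSS search depends on."""
    conf = {"objectclass": {}, "attribute": {}, "nss_base": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "nss_map_objectclass":
            src, dst = value.split()
            conf["objectclass"][src] = dst
        elif key == "nss_map_attribute":
            src, dst = value.split()
            conf["attribute"][src] = dst
        elif key.startswith("nss_base_"):
            # Syntax: base?scope?filter, with scope and filter optional.
            parts = value.split("?", 2) + [None, None]
            conf["nss_base"][key[len("nss_base_"):]] = tuple(parts[:3])
        else:
            conf[key] = value
    return conf


def escape_filter_value(value):
    """RFC 4515 escaping, so a name handed to getent cannot alter the filter."""
    out = []
    for ch in value:
        if ch in "*()\\" or ch == "\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def nss_search(conf, nss_map, name):
    """Return (base, scope, filter, attrs) nss_ldap would send for `name`."""
    oc, key_attr, attrs = TEMPLATES[nss_map]
    oc = conf["objectclass"].get(oc, oc)
    key_attr = conf["attribute"].get(key_attr, key_attr)
    filt = "(&(objectClass=%s)(%s=%s))" % (oc, key_attr, escape_filter_value(name))
    base, scope, extra = conf["nss_base"].get(nss_map, (None, None, None))
    base = base or conf.get("base")
    scope = scope or conf.get("scope", "sub")
    if extra:
        # Assumption: nss_ldap ANDs the nss_base filter in front of the template.
        filt = "(&(%s)%s)" % (extra, filt)
    attrs = [conf["attribute"].get(a, a) for a in attrs]
    return base, scope, filt, attrs


def ldapsearch_command(conf, nss_map, name):
    """Equivalent ldapsearch call: -x without -D is an anonymous simple bind."""
    base, scope, filt, attrs = nss_search(conf, nss_map, name)
    argv = ["ldapsearch", "-x", "-LLL", "-H", conf["uri"],
            "-b", base, "-s", scope, filt] + attrs
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    conf = parse_conf(LDAP_CONF)
    for nss_map, name in (("passwd", "nazeerm"), ("group", "wheel")):
        print(ldapsearch_command(conf, nss_map, name))
```

Running the printed passwd command against the proxy with the same anonymous simple bind the original poster's working ldapsearch used isolates the filter as the only variable between the two lookups; the group command shows how the extra nss_base_group filter and the attribute renames change what the server sees. The escaping step is the one piece nss_ldap's caller does not control: a name arriving via getent or a login prompt is untrusted input into the filter.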