
Problems using OpenLDAP with Active Directory



I'm trying to configure lib-nss to use OpenLDAP against my Active
Directory. But I seem to be having lots of problems even getting it to
search properly. I have Samba all properly configured for AD - it's properly joined to the AD domain, and all seems to be working fine. Now I'd like to investigate using OpenLDAP to authenticate against AD.

AD server = 10.0.0.60
AD server name = dim-win2300.dacrib.local
AD domain name = DaCrib.local
AD Win2003 SP2 (with Services for Unix installed)

Linux server:
IP = 10.0.0.20
Ubuntu 9.04
OpenLDAP 2.4.2 (from repository)

Here's the /etc/ldap/ldap.conf:

------------------------
host 10.0.0.60

base dc=DaCrib,dc=local

binddn CN=Administrator,CN=Users,dc=DaCrib,dc=local
bindpw XXXXX

# RFC 2307 (AD) mappings
# <to> <from>
nss_map_attribute userPassword sambaPassword
nss_map_attribute gecos name
nss_map_attribute uid unixName
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
pam_filter objectclass=User
pam_password crypt

nss_initgroups_ignoreusers avahi,backup,bin,daemon,dhcp,dovecot,festival,games,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,mysql,news,polkituser,postfix,proxy,root,saned,sshd,sync,sys,syslog,uucp,www-data
--------------------------

Here's what an "ldapsearch" gives me: (command line will wrap in email)

--------------------------
ldapsearch -v -x -H ldap://10.0.0.60 "(objectClass=posixAccount)" sAMAccountName

ldap_initialize( ldap://10.0.0.60:389/??base )
filter: (objectClass=posixAccount)
requesting: sAMAccountName
# extended LDIF
#
# LDAPv3
# base <dc=DaCrib,dc=local> (default) with scope subtree
# filter: (objectClass=posixAccount)
# requesting: sAMAccountName
#

# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece

# numResponses: 1
----------------------------

So the question is ... why is it failing to bind?

No firewalls are running on either server (at the moment). It should
bind anonymously (I think). I tried turning up the debug level on the
ldapsearch, but that told me nothing I could understand. :-) I tried "-W" so it would prompt for a password, but it says "invalid credentials", even though I have verified the password of the Administrator account.

From Windows, I can run ldp and bind (as administrator) and search with no problems. Similarly, I can use the command line utility "adfind" and search without issues, without binding.

So I've got something screwy in my ldap.conf, but I can't figure out where.

Thoughts?
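An added example, not part of the post above, that separates the two problems mixed together in the message. The "Operations error ... a successful bind must be completed" text is Active Directory refusing an anonymous search: `ldapsearch -x` with no `-D` binds anonymously, and `-W` on its own only attaches a password to that empty DN. Most of the posted ldap.conf (`bindpw`, `nss_map_*`, `pam_*`, `nss_initgroups_ignoreusers`) is read by nss_ldap/pam_ldap, not by libldap, so `ldapsearch` never sees the bind DN from it. The script below embeds a constructed copy of that config (password redacted), splits it into the directives ldap.conf(5) recognises versus the nss_ldap-only ones, flags the settings a reviewer would object to (the domain Administrator password stored in cleartext, no TLS), and builds an authenticated `ldapsearch` command over StartTLS. The `LIBLDAP_DIRECTIVES` list and the `security_findings` rules are my own; nothing here contacts a server.

```python
"""Lint a pam_ldap/nss_ldap-style ldap.conf before pointing OpenLDAP tools at AD.

Added example (not from the original post). It reads a constructed copy of the
poster's config, separates the directives libldap's ldap.conf(5) reads from the
nss_ldap/pam_ldap-only ones, and builds the ldapsearch command that performs an
authenticated simple bind over StartTLS, since AD refuses anonymous searches and a
plain simple bind would send the password across the wire in cleartext.
"""
import shlex

# Directives recognised by OpenLDAP's libldap (ldap.conf(5)); everything else in the
# file is read only by nss_ldap/pam_ldap and is invisible to ldapsearch.  Note that
# BINDDN is a user-only option there, so ldapsearch is given -D explicitly below.
LIBLDAP_DIRECTIVES = {
    "uri", "base", "binddn", "host", "port", "deref", "referrals", "sizelimit",
    "timelimit", "timeout", "network_timeout", "sasl_mech", "sasl_realm",
    "sasl_authcid", "sasl_authzid", "sasl_secprops", "tls_cacert",
    "tls_cacertdir", "tls_cert", "tls_key", "tls_cipher_suite", "tls_reqcert",
    "tls_crlcheck",
}

# Constructed sample: the configuration from the post, with the password redacted
# and nss_initgroups_ignoreusers shortened and kept on a single line.
SAMPLE_CONF = """\
host 10.0.0.60
base dc=DaCrib,dc=local
binddn CN=Administrator,CN=Users,dc=DaCrib,dc=local
bindpw XXXXX
# RFC 2307 (AD) mappings
nss_map_attribute userPassword sambaPassword
nss_map_attribute gecos name
nss_map_attribute uid unixName
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
pam_filter objectclass=User
pam_password crypt
nss_initgroups_ignoreusers avahi,backup,bin,daemon,root,sshd,www-data
"""


def parse_conf(text):
    """Return a list of (directive, value) pairs, skipping blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        entries.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return entries


def split_directives(entries):
    """Partition directives into those libldap reads and those only nss_ldap reads."""
    libldap = {k: v for k, v in entries if k in LIBLDAP_DIRECTIVES}
    nss_only = sorted({k for k, _ in entries if k not in LIBLDAP_DIRECTIVES})
    return libldap, nss_only


def security_findings(entries):
    """Flag settings a reviewer would push back on before this config goes live."""
    findings = []
    conf = dict(entries)  # last value wins; fine for the single-valued keys checked here
    if "bindpw" in conf:
        findings.append("bindpw stores a cleartext password; the file must not be world-readable")
    if "cn=administrator" in conf.get("binddn", "").lower():
        findings.append("binddn is the domain Administrator; use a dedicated low-privilege lookup account")
    if conf.get("host") and not conf.get("uri", "").startswith("ldaps://"):
        findings.append("no ldaps:// URI: simple bind sends the password in cleartext; use ldaps:// or StartTLS")
    return findings


def ldapsearch_command(libldap, search_filter, *attrs):
    """Build an authenticated ldapsearch invocation.

    AD answers an anonymous search with 'Operations error' (DSID-0C090627), so -x on
    its own is not enough: -D/-W supply the bind identity and password prompt, and
    -ZZ requires StartTLS to succeed before the password is sent.
    """
    uri = libldap.get("uri") or "ldap://%s" % libldap["host"]
    argv = ["ldapsearch", "-x", "-ZZ", "-H", uri, "-b", libldap["base"],
            "-D", libldap["binddn"], "-W", search_filter, *attrs]
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    entries = parse_conf(SAMPLE_CONF)
    libldap, nss_only = split_directives(entries)
    print("ignored by ldapsearch:", ", ".join(nss_only))
    for finding in security_findings(entries):
        print("finding:", finding)
    print(ldapsearch_command(libldap, "(objectClass=user)", "sAMAccountName"))
```

The generated command uses `(objectClass=user)` rather than `(objectClass=posixAccount)`: AD accounts only carry the RFC 2307 `posixAccount` class once Services for Unix attributes have actually been populated on them, so the broader filter is the one to test the bind with first.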