
RE: proxy to AD does not work during login client machine



Hi Dan,

Thanks a lot for the comments. I want to authenticate anonymously, not with SASL.
Is there any PAM configuration needed for this scenario? Could you share some link/doc with me? Thanks so much.
When I use an OpenLDAP user login, just running authconfig-gtk (which modifies /etc/openldap/ldap.conf) and setting the LDAP server/base DN lets me log in successfully.

Thanks,
Leo
________________________________________
From: Dan White <dwhite@cafedemocracy.org>
Sent: Monday, June 15, 2015 9:59 PM
To: Leo Xiao
Cc: openldap-technical@openldap.org
Subject: Re: proxy to AD does not work during login client machine

On 06/11/15 23:38 +0000, Leo Xiao wrote:
>Hi technical,
>
>I hit a problem while configuring a proxy to AD.
>I can run the command:
>$ldapsearch -x -h localhost -LLL -b dc=mydomain,dc=local -D cn=open,cn=users,dc=mydomain,dc=local -W "(cn=open1)" cn sAMAccountName
>which returns sAMAccountName: open successfully. --- This may mean the proxy works well.
>But if I run the command without -D cn=open,cn=users,dc=mydomain,dc=local, the search fails.

So you are attempting to authenticate anonymously? Or with SASL?

>When I try to log in to my client machine with an AD user, it always fails. --- I can log in with an OpenLDAP user successfully.

You'll need to troubleshoot your nss/pam config, whichever one you're
using.

>I think I need some configuration to force the -D in slapd.conf. Are there any problems with my slapd.conf? Or any troubleshooting comments? Appreciate it very much.
>
>Below is my slapd.conf:
>#######################################################################
># database definitions
>#######################################################################
>database       ldap
>suffix         "DC=mydomain,DC=local"
>uri            ldap://dc-ad.mydomain.local/
>chase-referrals no
>rebind-as-user  yes
>idassert-bind   bindmethod=simple
>                binddn="CN=open,OU=users,DC=mydomain,DC=local"
>                credentials=open
>                mode=none
>                flags=non-prescriptive
>idassert-authzFrom "*"
>
>
>Thanks,
>Leo
>

--
Dan White
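As an added example (not part of this thread and not OpenLDAP project code), the POSIX shell script below does the comparison Dan is asking about in a repeatable way: it runs the same search through the proxy once anonymously and once with a bind DN, asks the proxy who it thinks the client is (ldapwhoami), and extracts sAMAccountName from the LDIF so the two results can be compared. The host, base DN and bind DN default to the values quoted in the thread and are placeholders; the standard OpenLDAP client tools ldapsearch and ldapwhoami are assumed to be installed. Note that the bind DN in the thread's ldapsearch command (cn=users) differs from the binddn in the slapd.conf (OU=users); the diagnostic uses whichever BIND_DN you pass, so check it against the configured one. If the anonymous search returns the attribute, the proxy is answering unauthenticated clients with its own stored AD credential, which means every host that can reach the proxy reads AD as that account; in that case restrict who can reach the proxy (firewall and slapd ACLs) rather than relying on AD's own access checks.

```shell
#!/bin/sh
# Added example (not from the thread). Compares anonymous vs. authenticated
# searches through a slapd back-ldap proxy and extracts one attribute from
# the LDIF result. Values below are placeholders taken from the thread.
PROXY_HOST="${PROXY_HOST:-localhost}"
BASE_DN="${BASE_DN:-dc=mydomain,dc=local}"
BIND_DN="${BIND_DN:-cn=open,cn=users,dc=mydomain,dc=local}"

# ldif_attr <attr>: read LDIF on stdin and print every value of <attr>.
# Handles folded continuation lines (leading space) and base64 values
# ("attr:: ...") as produced by ldapsearch -LLL. Attribute match is
# case-insensitive, as LDAP attribute names are.
ldif_attr() {
    awk -v a="$1" '
        function emit(line,   v, cmd) {
            if (tolower(line) ~ ("^" tolower(a) "::")) {
                v = substr(line, length(a) + 3); sub(/^ */, "", v)
                cmd = "printf %s \"" v "\" | base64 -d"
                cmd | getline v; close(cmd)
                print v
            } else if (tolower(line) ~ ("^" tolower(a) ":")) {
                v = substr(line, length(a) + 2); sub(/^ */, "", v)
                print v
            }
        }
        /^ / { buf = buf substr($0, 2); next }   # unfold continuation line
        { if (buf != "") emit(buf); buf = $0 }
        END { if (buf != "") emit(buf) }'
}

# Anonymous search through the proxy: only succeeds if the proxy (or AD)
# serves the attribute to unauthenticated clients.
search_anon() {
    ldapsearch -x -LLL -H "ldap://$PROXY_HOST/" -b "$BASE_DN" \
        "(cn=$1)" sAMAccountName | ldif_attr sAMAccountName
}

# Authenticated search: -W prompts for the bind password instead of
# putting it on the command line (where ps and shell history would show it).
search_bound() {
    ldapsearch -x -LLL -H "ldap://$PROXY_HOST/" -b "$BASE_DN" \
        -D "$BIND_DN" -W "(cn=$1)" sAMAccountName | ldif_attr sAMAccountName
}

# Identity the proxy associates with an anonymous client.
whoami_anon() {
    ldapwhoami -x -H "ldap://$PROXY_HOST/"
}

# Usage: sh proxycheck.sh run <cn>   (network calls only run on request)
case "${1:-}" in
    run)
        cn="${2:?usage: $0 run <cn>}"
        echo "anonymous identity at proxy: $(whoami_anon 2>&1)"
        echo "anonymous search result:     $(search_anon "$cn" 2>&1)"
        echo "authenticated search result: $(search_bound "$cn" 2>&1)"
        ;;
esac
```

Run it as `sh proxycheck.sh run open1` against the proxy host; the three lines show whether the difference Leo sees is in the proxy's handling of anonymous binds (anonymous search empty, bound search returns `open`) or somewhere in the nss/pam stack on the client.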