
LDAP Authentication between Debian and Active Directory


Has anybody managed to implement an LDAP connection between Debian and Microsoft's Active Directory?
I've tried Woody and Sarge but am unable to log in with either of them.
It would be of great help to me if I could ascertain whether it is at all possible to achieve the connection with standard Debian packages (libpam-ldap/libnss-ldap) or whether alterations/improvements (bug-fixes?) are necessary. According to the package descriptions, the necessary arguments (enable-rfc2307bis and --enable-schema-mapping) have been compiled in.
I would be grateful if anyone could provide detailed tips.
I've attached a more detailed description of the problem.
I've contacted various experts but up till now with no success. I'm desperate!!



Detailed description:

Constellation is as follows:
Windows -> Windows 2003 DC with ServicesForUnix 3.5
Debian -> (Version ????) with libpam-ldap and libnss-ldap installed.

In ldap.conf I've included a user with binddn/bindpw that is authorised to bind to the Windows 2003 domain. To cover all eventualities, I've linked all possible config files (/etc/libnss-ldap.conf, /etc/pam_ldap.conf, /etc/ldap/ldap.conf, /etc/ldap.conf).

/etc/nsswitch.conf is as follows:

passwd    files ldap
group     files ldap
shadow    files ldap

/etc/pam.d/login is as follows:

auth        required      pam_nologin.so
auth        sufficient    pam_ldap.so
auth        sufficient    pam_unix.so use_first_pass
account     sufficient    pam_ldap.so
account     required      pam_unix.so
session     sufficient    pam_ldap.so
session     required      pam_unix.so
password    sufficient    pam_ldap.so
password    sufficient    pam_unix.so

I can read all the attributes using ldapsearch, so I assume that binduser has functioned correctly. Another Linux Box (Suse 9.2) works like a dream, so I also assume that the Windows configuration is OK. Using a network monitoring tool, I can see that the only difference between the Debian and Suse logins is that Debian doesn't request the attributes of the user on the Windows 2003 DC. The login then obviously fails. A previous bind with binduser is successful.
Could the problem lie in the Debian modules (pam_ldap.so, ...)?
I'd be glad in the first place if somebody could confirm that Debian and Windows 2003 actually can communicate via LDAP.
Any further tips which could help clarify the problem would be appreciated.
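To see which module actually decides the outcome of the /etc/pam.d/login stack quoted above, here is an added example (not part of the original post) that parses that stack and walks it with standard Linux-PAM semantics for the `required`, `requisite` and `sufficient` keywords. The module results fed in are assumptions chosen to illustrate the cases: pam_nologin returning PAM_IGNORE (its documented default when /etc/nologin is absent), and pam_ldap or pam_unix succeeding or failing.

```python
# Minimal Linux-PAM control-flow simulator. Assumption: standard Linux-PAM
# semantics (required -> failure recorded, chain continues; requisite ->
# failure ends the chain; sufficient -> success ends the chain unless an
# earlier required module already failed, failure is ignored).
from typing import Dict, List, Optional, Tuple

# Constructed copy of the /etc/pam.d/login stack quoted in the post.
PAM_LOGIN = """
auth        required      pam_nologin.so
auth        sufficient    pam_ldap.so
auth        sufficient    pam_unix.so use_first_pass
account     sufficient    pam_ldap.so
account     required      pam_unix.so
session     sufficient    pam_ldap.so
session     required      pam_unix.so
password    sufficient    pam_ldap.so
password    sufficient    pam_unix.so
"""

def parse_stack(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {group: [(control, module), ...]} in file order; module args are dropped."""
    stack: Dict[str, List[Tuple[str, str]]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        stack.setdefault(parts[0], []).append((parts[1], parts[2]))
    return stack

def evaluate(chain: List[Tuple[str, str]], results: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Walk one management group. results maps module -> 'ok' | 'fail' | 'ignore'
    (assumed outcomes). Returns ('success'|'fail', module that decided it or None)."""
    failed_required: Optional[str] = None   # first required module that failed
    any_ok = False
    for control, module in chain:
        r = results.get(module, "fail")     # an unlisted module is treated as failing
        if r == "ignore":
            continue                        # PAM_IGNORE: module does not count
        if control == "sufficient":
            if r == "ok" and failed_required is None:
                return "success", module    # 'done': rest of the chain is skipped
            continue                        # failing sufficient modules are ignored
        if control not in ("required", "requisite"):
            raise ValueError(f"control '{control}' not modelled")
        if r == "ok":
            any_ok = True
        elif control == "requisite":
            return "fail", module           # 'die': chain ends immediately
        elif failed_required is None:
            failed_required = module        # 'bad': keep walking, group will fail
    if failed_required:
        return "fail", failed_required
    return ("success", chain[-1][1]) if any_ok else ("fail", None)  # nothing succeeded: denied
```

With every module in a group ignored or failing, PAM denies without any single module being responsible, which is why a stack that ends in `sufficient` lines is usually closed with a `required` deny module.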
