Re: LDAP Authentication between Debian and Active Directory
Another option, if you just want authentication and not full mapping
support via LDAP is to use Active Directory's Kerberos implementation.
apt-get install libpam-krb5 krb5-config
and edit
/etc/pam.d/* to add relevant pam_krb5.so entries.
You'll need to use sarge/sid if you authenticate to 2003 though, since
woody's Kerberos implementation doesn't work with 2003 (though it does with
2000).
-- asg
On Fri, Feb 11, 2005 at 06:59:38PM +0100, Mirko Lemke wrote:
> Hi @all,
>
> Problem solved.
> I've installed a completely new Debian (Woody). Then I added the
> libpam0g-dev and libldap2-dev packages. After that I compiled the
> current PADL sources nss-ldap and pam-ldap (nss-ldap with the
> --enable-schema-mapping and --enable-rfc2307bis options). The system was
> configured as I described below.
> And now it works very well.
> The problems were the Debian specific packages, without them it works fine.
>
> If you have questions, post them.
>
> Greetings Mirko
>
>
> Mirko Lemke wrote:
>
> >
> >Hi,
> >
> >Has anybody managed to implement an LDAP connection between Debian and
> >Microsoft's Active Directory?
> >I've tried Woody and Sarge but am unable to login with either of them.
> >It would be of great help to me if I could ascertain if it is at all
> >possible to achieve the connection with standard Debian packages
> >(libpam-ldap/libnss-ldap) or whether alterations/improvements
> >(bug-fixes?) are necessary.
> >According to the package descriptions, the necessary arguments
> >(--enable-rfc2307bis and --enable-schema-mapping) have been compiled in.
> >I would be grateful if anyone could provide detailed tips.
> >I've attached a more detailed description of the problem.
> >I've contacted various experts but up till now with no success. I'm
> >desperate!!
> >
> >Greetings
> >
> >Mirko
> >
> >
> >Detailed description:
> >
> >Constellation is as follows:
> >Windows -> Windows 2003 DC with ServicesForUnix 3.5
> >Debian -> (Version ????) with libpam-ldap and libnss-ldap installed.
> >
> >In ldap.conf I've included a user with binddn/bindpw that is authorised
> >to bind to the Windows 2003 domain. (To be on the safe side / to cover
> >all eventualities) I've linked all possible config files
> >(/etc/libnss-ldap.conf, /etc/pam_ldap.conf, /etc/ldap/ldap.conf,
> >/etc/ldap.conf).
> >
> >/etc/nsswitch.conf is as follows:
> >
> >passwd: files ldap
> >group:  files ldap
> >shadow: files ldap
> >
> >/etc/pam.d/login is as follows:
> >
> >auth required pam_nologin.so
> >auth sufficient pam_ldap.so
> >auth sufficient pam_unix.so use_first_pass
> >account sufficient pam_ldap.so
> >account required pam_unix.so
> >session sufficient pam_ldap.so
> >session required pam_unix.so
> >password sufficient pam_ldap.so
> >password sufficient pam_unix.so
> >
> >I can read all the attributes using ldapsearch, so I assume that
> >binduser has functioned correctly.
> >Another Linux Box (Suse 9.2) works like a dream, so I also assume that
> >the Windows configuration is OK.
> >Using a network monitoring tool, I can see that the only difference
> >between the Debian and Suse logins is that Debian
> >doesn't request the attributes of the user on the Windows 2003 DC. The
> >login then obviously fails. A previous bind with binduser is successful.
> >Could the problem lie in the Debian modules (pam_ldap.so, ....) ?
> >I'd be glad in the first place if somebody could confirm that Debian and
> >Windows 2003 actually can communicate via LDAP.
> >Any further tips which could help clarify the problem would be appreciated.
> >
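The Kerberos route suggested at the top of the thread, as an added example (not code posted by anyone on the list): it renders the two files that reply says to edit, a minimal /etc/krb5.conf for an AD realm and a pam.d auth stanza built on pam_krb5.so, and lints an auth stack for two mistakes that creep in when stanzas like the ones quoted above are copied by hand (a pam_unix.so line after a network module without use_first_pass, so the user is prompted twice, and no explicit pam_deny.so). The realm EXAMPLE.COM, the KDC dc1.example.com and the UID floor of 1000 are placeholders, not values from the thread; the lint understands only the simple control words, not the bracketed [success=...] syntax.

```shell
#!/bin/sh
# Added example for this thread, not code posted by anyone on the list.
# EXAMPLE.COM, dc1.example.com and minimum_uid=1000 are assumed placeholders.

# render_krb5_conf REALM KDC: print a minimal /etc/krb5.conf for an AD realm.
# AD publishes its KDCs in DNS SRV records, so dns_lookup_kdc finds them;
# the explicit kdc= line is a fallback for clients not resolving via the DC.
render_krb5_conf() {
    realm=$1
    kdc=$2
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = true
    dns_lookup_realm = false
    forwardable = true

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# render_pam_auth: auth stanza for /etc/pam.d/login (or common-auth).
# pam_krb5 goes first; pam_unix reuses the password already typed; pam_deny
# closes the stack explicitly instead of relying on PAM's implicit failure.
# minimum_uid (a libpam-krb5 option) keeps local system accounts off Kerberos.
render_pam_auth() {
    cat <<'EOF'
auth    required    pam_nologin.so
auth    sufficient  pam_krb5.so minimum_uid=1000
auth    sufficient  pam_unix.so use_first_pass
auth    required    pam_deny.so
EOF
}

# pam_auth_lint: read an auth stack on stdin, print one line per finding and
# return 1 if there was any. Only "type control module args" lines are parsed.
pam_auth_lint() {
    fail=0
    seen_net=0   # set once a sufficient pam_krb5/pam_ldap line has been seen
    has_deny=0
    while read -r type ctrl mod args; do
        case "$type" in
            auth) ;;
            *) continue ;;   # blank lines, comments, other management groups
        esac
        case "$mod" in
            pam_krb5.so|pam_ldap.so)
                if [ "$ctrl" = sufficient ]; then seen_net=1; fi
                ;;
            pam_unix.so)
                if [ "$seen_net" -eq 1 ]; then
                    case " $args " in
                        *" use_first_pass "*|*" try_first_pass "*) ;;
                        *)
                            echo "finding: pam_unix.so follows a network module without use_first_pass; the user is prompted twice"
                            fail=1
                            ;;
                    esac
                fi
                ;;
            pam_deny.so)
                has_deny=1
                ;;
        esac
    done
    if [ "$has_deny" -eq 0 ]; then
        echo "finding: no pam_deny.so in the auth stack; denial is only implicit"
        fail=1
    fi
    return "$fail"
}

# Demo: sh this_file.sh demo
if [ "${1:-}" = demo ]; then
    render_krb5_conf EXAMPLE.COM dc1.example.com
    echo
    render_pam_auth
    echo
    render_pam_auth | pam_auth_lint && echo "rendered stack: no findings"
fi
```

Before wiring the stanza into pam.d, check the realm by hand with `kinit user@EXAMPLE.COM` followed by `klist`. Also make sure the host has been joined to the domain so that /etc/krb5.keytab holds a host/<fqdn> key: libpam-krb5 uses it to validate the TGT it obtained with the user's password, and without that validation anyone who can answer as the KDC on the network can forge the response and pass the password check for any user.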