
Re: LDAP authentication against Active Directory in Sarge



Besides ldap.conf, you also need to configure pam:

apt-get install libpam-ldap -y
apt-get install libnss-ldap -y
apt-get install libpam-cracklib -y

Note: libpam-cracklib is not required for LDAP (it just enforces strong
passwords)

The following config files work, but you can change them to suit your
needs:

/etc/pam.d/common-auth:
auth	sufficient	pam_ldap.so
auth	required	pam_unix.so use_first_pass

/etc/pam.d/common-account:
account	sufficient	pam_ldap.so
account	required	pam_unix.so

/etc/pam.d/common-password:
password   required   pam_cracklib.so retry=3 minlen=6 difok=3
password   sufficient pam_ldap.so use_authtok try_first_pass
password   required   pam_unix.so use_authtok try_first_pass md5

Also, if you intend to change user passwords with passwd via libpam-ldap,
you will need to patch pam_ldap.so:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=284104

Good luck!

--- Carlos Rodrigues <carlos.efr@mail.telepac.pt>
wrote:
> Hi!
> 
> I have a sarge install which I'm using to test some things. One of those
> things is LDAP authentication against Active Directory.
> 
> This works just fine on a bunch of SUSE 9.2 boxes but I can't make it
> work on the Debian Sarge box.
> 
> If I just alter nsswitch.conf to change "passwd" and "group" to "files
> ldap", nothing seems to happen ("finger user" returns nothing, for
> instance).
> 
> This is my /etc/ldap.conf, which is basically the same I use in the SUSE
> boxes (the only difference is the domain, because I'm using a different
> domain to test it out) and exactly the same as I'm using in another test
> box using CentOS 4:
> 
> #
> # ldap.conf - Active Directory authentication
> #
> 
> ldap_version	3
> 
> host	ldapserver # in /etc/hosts
> ssl	no
> 
> # Active Directory doesn't allow anonymous access:
> binddn	cn=ldap,cn=Users,dc=sandbox,dc=intranet,dc=pt
> bindpw	xxxxxx
> 
> base 	cn=Users,dc=sandbox,dc=intranet,dc=pt
> scope	sub
> 
> nss_base_passwd	cn=Users,dc=sandbox,dc=intranet,dc=pt?sub
> nss_base_shadow	cn=Users,dc=sandbox,dc=intranet,dc=pt?sub
> nss_base_group	cn=Users,dc=sandbox,dc=intranet,dc=pt?sub
> 
> pam_password	ad
> 
> pam_login_attribute	sAMAccountName
> pam_member_attribute	msSFU30PosixMember
> 
> # only members of this group can access this server:
> pam_groupdn	cn=Domain Users,dc=sandbox,dc=intranet,dc=pt
> 
> pam_filter	(objectclass=user)
> 
> nss_map_objectclass	posixAccount user
> nss_map_objectclass	shadowAccount user
> nss_map_objectclass	posixGroup Group
> 
> nss_map_attribute	uid sAMAccountName
> nss_map_attribute	uidNumber msSFU30UidNumber
> nss_map_attribute	gidNumber msSFU30GidNumber
> nss_map_attribute	loginShell msSFU30LoginShell
> nss_map_attribute	gecos msSFU30Gecos
> nss_map_attribute	userPassword msSFU30Password
> nss_map_attribute	homeDirectory msSFU30HomeDirectory
> nss_map_attribute	uniqueMember msSFU30PosixMember
> 
> # EOF - ldap.conf
> 

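The common-auth stack in the reply relies on the order of its `sufficient` and `required` lines: a successful pam_ldap result ends the stack early, a failed one is ignored and pam_unix decides. The following is an added example, not code from either poster, that models the Linux-PAM control-flag rules and walks the posted stack with caller-supplied module outcomes (no LDAP server or PAM library needed). The `MISORDERED_AUTH` stack is a constructed counter-example, not a configuration from the post.

```python
# Added example (not from the list post): a minimal model of how Linux-PAM
# walks a stack of "sufficient" / "required" / "requisite" entries, applied to
# the /etc/pam.d/common-auth stack given in the reply.  Module outcomes are
# supplied by the caller as True/False, so no LDAP server or real PAM library
# is needed.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Entry:
    control: str  # "required", "requisite" or "sufficient"
    module: str   # e.g. "pam_ldap.so"


# The common-auth stack from the reply.  pam_unix's use_first_pass option
# (not modelled here) makes it reuse the password pam_ldap already collected.
COMMON_AUTH: List[Entry] = [
    Entry("sufficient", "pam_ldap.so"),
    Entry("required", "pam_unix.so"),
]

# A constructed, deliberately mis-ordered variant: with the required module
# first, a local-password failure can no longer be rescued by a later LDAP
# success, so every AD-only user is locked out.
MISORDERED_AUTH: List[Entry] = [
    Entry("required", "pam_unix.so"),
    Entry("sufficient", "pam_ldap.so"),
]


def evaluate_stack(stack: List[Entry], outcomes: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Walk the stack and return (final_result, modules_consulted).

    outcomes maps a module name to whether that module reported success.
    Control-flag rules as documented for Linux-PAM:
      required   - a failure is remembered, later modules still run
      requisite  - a failure ends the stack immediately with failure
      sufficient - a success ends the stack with success, unless a required
                   module has already failed; a failure is simply ignored
    If nothing succeeded and no required module failed (e.g. a stack made only
    of sufficient lines that all fail), the result is still failure.
    """
    required_failed = False
    any_success = False
    consulted: List[str] = []
    for entry in stack:
        consulted.append(entry.module)
        ok = outcomes[entry.module]
        any_success = any_success or ok
        if entry.control == "sufficient":
            if ok and not required_failed:
                return True, consulted
        elif entry.control == "requisite":
            if not ok:
                return False, consulted
        elif entry.control == "required":
            if not ok:
                required_failed = True
        else:
            raise ValueError(f"unknown control flag {entry.control!r}")
    return (not required_failed and any_success), consulted


if __name__ == "__main__":
    for label, outcomes in [
        ("AD user, correct password", {"pam_ldap.so": True, "pam_unix.so": False}),
        ("local root, no LDAP entry", {"pam_ldap.so": False, "pam_unix.so": True}),
        ("wrong password everywhere", {"pam_ldap.so": False, "pam_unix.so": False}),
    ]:
        result, consulted = evaluate_stack(COMMON_AUTH, outcomes)
        print(f"{label}: {'PAM_SUCCESS' if result else 'failure'} after {consulted}")
```

The point the model makes visible: with the posted ordering, pam_unix is never consulted for a user whose LDAP bind succeeds, while local accounts such as root keep working through pam_unix when pam_ldap fails; swap the two lines and the required pam_unix failure poisons the whole stack.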


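The quoted ldap.conf does two separate jobs: the `nss_map_*` lines tell nss_ldap which Active Directory attributes stand in for the POSIX ones, and the `pam_groupdn` / `pam_member_attribute` pair tells pam_ldap which group a user must belong to before login is allowed. The following is an added example, not code from either poster, that applies those mappings to constructed directory entries so the effect can be checked without a domain controller. The attribute and objectclass names come from the posted ldap.conf; the sample users, group, DNs and numeric IDs are made up, and the assumption that pam_ldap tests group membership on the user's DN is stated in the code.

```python
# Added example (not from the list post): a model of what the quoted ldap.conf
# asks nss_ldap and pam_ldap to do, run over constructed directory entries so
# it works without an Active Directory server.  Attribute names are taken from
# the nss_map_* lines of the posted ldap.conf; sample entries are invented.
from typing import Dict, List, Optional

LdapEntry = Dict[str, List[str]]

# nss_map_attribute lines: POSIX attribute -> attribute actually stored in AD
ATTRIBUTE_MAP = {
    "uid": "sAMAccountName",
    "uidNumber": "msSFU30UidNumber",
    "gidNumber": "msSFU30GidNumber",
    "loginShell": "msSFU30LoginShell",
    "gecos": "msSFU30Gecos",
    "userPassword": "msSFU30Password",
    "homeDirectory": "msSFU30HomeDirectory",
    "uniqueMember": "msSFU30PosixMember",
}

# nss_map_objectclass lines: POSIX objectclass -> AD objectclass
OBJECTCLASS_MAP = {"posixAccount": "user", "shadowAccount": "user", "posixGroup": "Group"}

# pam_groupdn / pam_member_attribute from the posted ldap.conf
PAM_GROUPDN = "cn=Domain Users,dc=sandbox,dc=intranet,dc=pt"
PAM_MEMBER_ATTRIBUTE = "msSFU30PosixMember"

# Constructed sample entries, shaped like a directory search result
SAMPLE_USER: LdapEntry = {
    "dn": ["cn=Jane Doe,cn=Users,dc=sandbox,dc=intranet,dc=pt"],
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "sAMAccountName": ["jdoe"],
    "msSFU30UidNumber": ["10001"],
    "msSFU30GidNumber": ["10000"],
    "msSFU30LoginShell": ["/bin/bash"],
    "msSFU30Gecos": ["Jane Doe"],
    "msSFU30HomeDirectory": ["/home/jdoe"],
}
# Same kind of account, but never given the SFU Unix attributes in AD
SAMPLE_USER_NO_SFU: LdapEntry = {
    "dn": ["cn=Bob Roe,cn=Users,dc=sandbox,dc=intranet,dc=pt"],
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "sAMAccountName": ["broe"],
}
SAMPLE_GROUP: LdapEntry = {
    "dn": [PAM_GROUPDN],
    "objectClass": ["top", "Group"],
    "msSFU30PosixMember": ["cn=Jane Doe,cn=Users,dc=sandbox,dc=intranet,dc=pt"],
}


def ad_attr(posix_attr: str) -> str:
    """Apply nss_map_attribute; unmapped names are used as-is."""
    return ATTRIBUTE_MAP.get(posix_attr, posix_attr)


def has_objectclass(entry: LdapEntry, posix_class: str) -> bool:
    """Apply nss_map_objectclass, comparing case-insensitively as LDAP does."""
    wanted = OBJECTCLASS_MAP.get(posix_class, posix_class).lower()
    return wanted in (c.lower() for c in entry.get("objectClass", []))


def passwd_line(entry: LdapEntry) -> Optional[str]:
    """Build the passwd-style record nss_ldap would hand to getent, or None.

    A user that lacks any of the mapped POSIX attributes cannot become a
    passwd record, so it is invisible to the system even though it exists
    in the directory.
    """
    if not has_objectclass(entry, "posixAccount"):
        return None
    fields = []
    for posix_attr in ("uid", "uidNumber", "gidNumber", "gecos", "homeDirectory", "loginShell"):
        values = entry.get(ad_attr(posix_attr))
        if not values:
            return None
        fields.append(values[0])
    uid, uid_number, gid_number, gecos, home, shell = fields
    return f"{uid}:x:{uid_number}:{gid_number}:{gecos}:{home}:{shell}"


def allowed_by_groupdn(user: LdapEntry, group: LdapEntry) -> bool:
    """pam_groupdn check: the user's DN must be a value of pam_member_attribute.

    Assumption for this example: membership is tested on the user's DN, which
    is how pam_ldap's group check is generally described; DNs compare
    case-insensitively.
    """
    if group["dn"][0].lower() != PAM_GROUPDN.lower():
        return False
    members = {m.lower() for m in group.get(PAM_MEMBER_ATTRIBUTE, [])}
    return user["dn"][0].lower() in members
```

Running `passwd_line` over both sample users shows why an account can exist in AD and still produce nothing from `getent passwd` or `finger`: the mapped SFU attributes have to be populated for every field of the passwd record, and the `pam_groupdn` check is a separate gate that only matters once the account resolves at all.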
