Re: LDAP authentication against Active Directory in Sarge
Besides ldap.conf, you also need to configure pam:
apt-get install libpam-ldap -y
apt-get install libnss-ldap -y
apt-get install libpam-cracklib -y
Note: libpam-cracklib is not required for LDAP (it
just enforces strong passwords)
The following config files work, but you can change
them to suit your needs:
/etc/pam.d/common-auth:
auth sufficient pam_ldap.so
auth required pam_unix.so use_first_pass
/etc/pam.d/common-account:
account sufficient pam_ldap.so
account required pam_unix.so
/etc/pam.d/common-password:
password required pam_cracklib.so retry=3 minlen=6 difok=3
password sufficient pam_ldap.so use_authtok try_first_pass
password required pam_unix.so use_authtok try_first_pass md5
Also, if you intend to change user passwords with
passwd via libpam-ldap, you will need to patch
pam_ldap.so:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=284104
Good luck!
--- Carlos Rodrigues <carlos.efr@mail.telepac.pt> wrote:
> Hi!
>
> I have a sarge install which I'm using to test some
> things. One of those
> things is LDAP authentication against Active
> Directory.
>
> This works just fine on a bunch of SUSE 9.2 boxes
> but I can't make it
> work on the Debian Sarge box.
>
> If I just alter nsswitch.conf to change "passwd" and
> "group" to "files
> ldap", nothing seems to happen ("finger user"
> returns nothing, for
> instance).
>
> This is my /etc/ldap.conf, which is basically the
> same I use in the SUSE
> boxes (the only difference is the domain, because
> I'm using a different
> domain to test it out) and exactly the same as I'm
> using in another test
> box using CentOS 4:
>
> #
> # ldap.conf - Active Directory authentication
> #
>
> ldap_version 3
>
> host ldapserver # in /etc/hosts
> ssl no
>
> # Active Directory doesn't allow anonymous access:
> binddn cn=ldap,cn=Users,dc=sandbox,dc=intranet,dc=pt
> bindpw xxxxxx
>
> base cn=Users,dc=sandbox,dc=intranet,dc=pt
> scope sub
>
> nss_base_passwd cn=Users,dc=sandbox,dc=intranet,dc=pt?sub
> nss_base_shadow cn=Users,dc=sandbox,dc=intranet,dc=pt?sub
> nss_base_group cn=Users,dc=sandbox,dc=intranet,dc=pt?sub
>
> pam_password ad
>
> pam_login_attribute sAMAccountName
> pam_member_attribute msSFU30PosixMember
>
> # only members of this group can access this server:
> pam_groupdn cn=Domain Users,dc=sandbox,dc=intranet,dc=pt
>
> pam_filter (objectclass=user)
>
> nss_map_objectclass posixAccount user
> nss_map_objectclass shadowAccount user
> nss_map_objectclass posixGroup Group
>
> nss_map_attribute uid sAMAccountName
> nss_map_attribute uidNumber msSFU30UidNumber
> nss_map_attribute gidNumber msSFU30GidNumber
> nss_map_attribute loginShell msSFU30LoginShell
> nss_map_attribute gecos msSFU30Gecos
> nss_map_attribute userPassword msSFU30Password
> nss_map_attribute homeDirectory msSFU30HomeDirectory
> nss_map_attribute uniqueMember msSFU30PosixMember
>
> # EOF - ldap.conf
>
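To see why the common-auth ordering in the reply (pam_ldap as "sufficient", then pam_unix as "required" with use_first_pass) keeps local accounts such as root usable when the directory is unreachable, here is a small model of Linux-PAM's control-flag semantics run over that stack. This is an added example, not code from the post or from Linux-PAM itself; the user databases, the passwords and the ldap_up switch are constructed for the illustration, and only the "sufficient" and "required" flags that appear on the page are modelled.

```python
"""Model of how Linux-PAM walks an auth stack built from 'sufficient' and
'required' entries, applied to the common-auth stack from the reply.

Added example; not the post's code and not Linux-PAM's code.  The backends
(which users the LDAP server knows, what the local shadow file holds) and
the 'ldap_up' switch are constructed for the illustration.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    control: str        # "sufficient" or "required"
    module: str         # "pam_ldap.so" or "pam_unix.so"
    args: tuple = ()    # e.g. ("use_first_pass",)


# The stack recommended in the reply.
COMMON_AUTH = (
    Entry("sufficient", "pam_ldap.so"),
    Entry("required", "pam_unix.so", ("use_first_pass",)),
)

# The tempting alternative: make both modules 'required'.
BOTH_REQUIRED = (
    Entry("required", "pam_ldap.so"),
    Entry("required", "pam_unix.so", ("use_first_pass",)),
)

# Constructed backends: AD knows 'alice', only /etc/shadow knows 'root'.
LDAP_USERS = {"alice": "Secret1"}
LOCAL_USERS = {"root": "toor"}


def run_module(entry, user, password, ldap_up):
    """Return True when the module would return PAM_SUCCESS.

    use_first_pass on pam_unix means it reuses the password pam_ldap
    already prompted for, so both modules see the same 'password' here.
    """
    if entry.module == "pam_ldap.so":
        if not ldap_up:
            return False            # server unreachable: the module fails
        return LDAP_USERS.get(user) == password
    if entry.module == "pam_unix.so":
        return LOCAL_USERS.get(user) == password
    raise ValueError(f"unknown module {entry.module}")


def evaluate(stack, user, password, ldap_up=True):
    """Walk the stack with Linux-PAM's 'sufficient'/'required' rules:

    - required:   a failure is remembered, but later modules still run
                  (so an attacker cannot tell which module rejected them)
    - sufficient: success ends the stack with PAM_SUCCESS, unless an
                  earlier 'required' module already failed; its own
                  failure is ignored and the walk continues
    """
    failed_required = False
    for entry in stack:
        ok = run_module(entry, user, password, ldap_up)
        if entry.control == "sufficient":
            if ok and not failed_required:
                return True
        elif entry.control == "required":
            if not ok:
                failed_required = True
        else:
            raise ValueError(f"unsupported control flag {entry.control}")
    return not failed_required


def scenarios():
    """Outcomes of the cases a practitioner cares about, keyed by name."""
    return {
        "ad user, ldap up":        evaluate(COMMON_AUTH, "alice", "Secret1"),
        "root, ldap up":           evaluate(COMMON_AUTH, "root", "toor"),
        "root, ldap down":         evaluate(COMMON_AUTH, "root", "toor", ldap_up=False),
        "ad user, ldap down":      evaluate(COMMON_AUTH, "alice", "Secret1", ldap_up=False),
        "ad user, wrong password": evaluate(COMMON_AUTH, "alice", "nope"),
        # with both entries 'required', only users present in BOTH
        # databases can log in, and root is locked out when LDAP is down
        "both required: root, ldap down": evaluate(BOTH_REQUIRED, "root", "toor", ldap_up=False),
        "both required: ad user, ldap up": evaluate(BOTH_REQUIRED, "alice", "Secret1"),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:34s} -> {'PAM_SUCCESS' if ok else 'denied'}")
```

The point the model makes concrete: with pam_ldap "sufficient", an AD user never reaches pam_unix, a local user falls through to /etc/shadow whether or not the directory answers, and the stack still ends on a "required" entry so a failed pam_ldap alone can never let anyone in. Turning pam_ldap into "required" would lock root out the moment the domain controller is unreachable, which is exactly the failure mode the reply's ordering avoids.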
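The ldap.conf quoted above binds to the domain controller with "ssl no" and a fixed bindpw, and uses "pam_password ad" for password changes. The following added example (not from the post, and not pam_ldap's or nss_ldap's own code) parses a copy of that file, including the base?scope form of the nss_base_* lines, and lists the settings a reviewer would flag: a simple bind over cleartext, an AD password change that the directory will refuse without encryption, and a bind password that every local process can read. The sample text, the key names and the wording of the findings are this example's own.

```python
"""Parse a pam_ldap / nss_ldap style ldap.conf and flag bind settings that
weaken authentication against Active Directory.

Added example, not from the original post.  SAMPLE_LDAP_CONF is a
constructed copy of the configuration quoted in the thread, with its
placeholder password kept.
"""

import re

SAMPLE_LDAP_CONF = """\
# ldap.conf - Active Directory authentication
ldap_version 3
host ldapserver        # in /etc/hosts
ssl no
binddn cn=ldap,cn=Users,dc=sandbox,dc=intranet,dc=pt
bindpw xxxxxx
base cn=Users,dc=sandbox,dc=intranet,dc=pt
scope sub
nss_base_passwd cn=Users,dc=sandbox,dc=intranet,dc=pt?sub
nss_base_shadow cn=Users,dc=sandbox,dc=intranet,dc=pt?sub
nss_base_group cn=Users,dc=sandbox,dc=intranet,dc=pt?sub
pam_password ad
pam_login_attribute sAMAccountName
pam_groupdn cn=Domain Users,dc=sandbox,dc=intranet,dc=pt
pam_filter (objectclass=user)
nss_map_objectclass posixAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
"""


def parse_ldap_conf(text):
    """Return (settings, maps).

    Single-valued keys go to `settings` (values may contain spaces, e.g.
    pam_groupdn); nss_map_objectclass / nss_map_attribute pairs go to
    `maps`.  '#' starts a comment; blank lines are skipped.
    """
    settings = {}
    maps = {"nss_map_objectclass": {}, "nss_map_attribute": {}}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if key in maps:
            src, dst = value.split()
            maps[key][src] = dst
        else:
            settings[key] = value
    return settings, maps


def nss_bases(settings):
    """Split nss_base_* values of the form 'base?scope' into (base, scope);
    a missing scope falls back to the global 'scope' setting."""
    out = {}
    for key, value in settings.items():
        if key.startswith("nss_base_"):
            base, _, scope = value.partition("?")
            out[key[len("nss_base_"):]] = (base, scope or settings.get("scope", "sub"))
    return out


def audit(settings):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    tls = settings.get("ssl", "no").lower() in ("yes", "start_tls", "on")
    if "bindpw" in settings and not tls:
        findings.append("binddn/bindpw with 'ssl no': the simple bind sends the "
                        "bind password in cleartext on every lookup")
    if settings.get("pam_password", "").lower() == "ad" and not tls:
        findings.append("pam_password ad with 'ssl no': AD only accepts unicodePwd "
                        "changes over an encrypted connection, so passwd will fail")
    if tls and not ("tls_cacertfile" in settings or "tls_cacertdir" in settings):
        findings.append("TLS enabled but no tls_cacertfile/tls_cacertdir: set one and "
                        "tls_checkpeer yes, or the server certificate is not verified")
    if "bindpw" in settings:
        findings.append("bindpw lives in ldap.conf, which every process doing NSS "
                        "lookups must be able to read; treat the bind account as "
                        "read-only and least-privilege")
    if "pam_groupdn" not in settings and "pam_filter" not in settings:
        findings.append("no pam_groupdn or pam_filter: any account that can bind to "
                        "AD may log in to this host")
    return findings


if __name__ == "__main__":
    conf, _ = parse_ldap_conf(SAMPLE_LDAP_CONF)
    for finding in audit(conf):
        print("-", finding)
```

Switching the sample to "ssl start_tls" removes the two cleartext findings and replaces them with the certificate-verification one; the readable bindpw remains, since nss_ldap has to read the file from every process, which is why the bind account should be able to do nothing beyond the lookups the host needs.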