nss_ldap active directory authentication
807557 Mar 2 2006 — edited Mar 19 2006
Hi all,
I have a hard time convincing nss_ldap to authenticate against our Active Directory server. I know nss_ldap successfully connects to the AD server, but the bind DN is always null, so access is denied. Also, it is out of the question to configure AD to permit anonymous LDAP browsing.
I used the following ldapclient command to configure LDAP on my Solaris 10 server:
ldapclient -v manual \
-a objectClassMap=passwd:posixAccount=User \
-a attributeMap=passwd:uid=sAMAccountName \
-a attributeMap=passwd:uidNumber=msSFU30UidNumber \
-a attributeMap=passwd:gidNumber=msSFU30GidNumber \
-a attributeMap=group:uniqueMember=member \
-a attributeMap=passwd:homeDirectory=msSFU30HomeDirectory \
-a attributeMap=passwd:loginShell=msSFU30LoginShell \
-a attributeMap=passwd:gecos=msSFU30Gecos \
-a objectClassMap=group:posixGroup=Group \
-a defaultSearchBase=cn=Users,dc=example,dc=com \
-a serviceSearchDescriptor=passwd:cn=Users,dc=example,dc=com \
-a defaultServerList=xxx.xxx.xxx.xxx \
-a domainName=example.com. \
-a credentialLevel=proxy \
-a authenticationMethod=sasl/digest-md5 \
-a proxyPassword=password \
-a proxyDN=cn=ldapuser,ou=users,dc=example,dc=com
I traced the connection with snoop and found that the DN field in the bind request is always null; I think it should be something like cn=ldapuser,ou=users,dc=example,dc=com.
I have also tried to use the ldapsearch tool to query the AD. The bind DN is also null and the connection is denied, but if I specify a bind DN using the -D option, it works.
My question is: how do I configure nss_ldap so it will use the proxyDN as the bind DN to establish the LDAP connection?
Am I missing something?
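An added example, not from the original post or from Solaris/nss_ldap: a small decoder for the LDAP BindRequest as it appears in a snoop or tcpdump capture. It makes the diagnostic point that the poster's trace raises: an empty name field in a simple bind is an anonymous bind (the proxyDN was never sent), whereas in a SASL bind (DIGEST-MD5 here) the name field is normally left empty and the identity travels inside the SASL credentials, so looking only at the DN field in the trace does not tell you whether the proxy identity was used. The packets, the proxy DN cn=ldapuser,ou=users,dc=example,dc=com and the DIGEST-MD5 response string are constructed for the example; the tiny BER encoder exists only to build those sample packets offline.

```python
"""Decode an LDAP BindRequest (RFC 4511 ASN.1, BER) and say what the
'name' field means: anonymous simple bind, simple bind as a DN, or SASL
bind whose identity is carried in the SASL credentials instead."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

TAG_SEQUENCE, TAG_INTEGER, TAG_OCTET_STRING = 0x30, 0x02, 0x04
TAG_BIND_REQUEST = 0x60   # BindRequest ::= [APPLICATION 0] SEQUENCE
TAG_AUTH_SIMPLE = 0x80    # AuthenticationChoice.simple [0] OCTET STRING
TAG_AUTH_SASL = 0xA3      # AuthenticationChoice.sasl   [3] SaslCredentials

PROXY_DN = "cn=ldapuser,ou=users,dc=example,dc=com"   # DN from the post


def _ber_len(n: int) -> bytes:
    """Definite-length BER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, contents, position just after this element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long form: next N octets hold the length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def encode_bind_request(message_id: int, name: str, *, password: Optional[bytes] = None,
                        sasl_mech: Optional[str] = None, sasl_creds: bytes = b"") -> bytes:
    """Build LDAPMessage{messageID, BindRequest}; message_id must be < 128
    (single-octet INTEGER), which is all the constructed samples need."""
    if password is not None:
        auth = _tlv(TAG_AUTH_SIMPLE, password)
    else:
        auth = _tlv(TAG_AUTH_SASL, _tlv(TAG_OCTET_STRING, (sasl_mech or "").encode())
                    + _tlv(TAG_OCTET_STRING, sasl_creds))
    bind = _tlv(TAG_BIND_REQUEST, _tlv(TAG_INTEGER, b"\x03")          # LDAPv3
                + _tlv(TAG_OCTET_STRING, name.encode()) + auth)
    return _tlv(TAG_SEQUENCE, _tlv(TAG_INTEGER, bytes([message_id])) + bind)


@dataclass
class BindInfo:
    message_id: int
    name: str                 # the DN field snoop shows (may be empty)
    method: str               # "simple" or "sasl"
    mechanism: Optional[str]
    sasl_username: Optional[str]
    verdict: str


def _digest_username(creds: bytes) -> Optional[str]:
    """Pull username="..." out of a DIGEST-MD5 digest-response (naive split;
    enough for the constructed sample, not a full RFC 2831 parser)."""
    for item in creds.decode(errors="replace").split(","):
        key, _, value = item.strip().partition("=")
        if key == "username":
            return value.strip('"')
    return None


def decode_bind_request(packet: bytes) -> BindInfo:
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    message_id = int.from_bytes(mid, "big")
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != TAG_BIND_REQUEST:
        raise ValueError("protocolOp is not a BindRequest")
    _, _version, pos = _read_tlv(bind, 0)
    _, name_b, pos = _read_tlv(bind, pos)
    name = name_b.decode()
    tag, auth, _ = _read_tlv(bind, pos)
    if tag == TAG_AUTH_SIMPLE:
        verdict = (f"simple bind as {name}" if name
                   else "anonymous simple bind: no proxyDN was sent, AD will refuse it")
        return BindInfo(message_id, name, "simple", None, None, verdict)
    if tag == TAG_AUTH_SASL:
        _, mech_b, pos = _read_tlv(auth, 0)
        creds = _read_tlv(auth, pos)[1] if pos < len(auth) else b""
        mech = mech_b.decode()
        user = _digest_username(creds) if mech.upper() == "DIGEST-MD5" else None
        detail = (f"username={user}" if user
                  else "no credentials yet: initial request, server sends a challenge next")
        verdict = f"SASL {mech} bind: empty name is normal, identity is in the SASL credentials ({detail})"
        return BindInfo(message_id, name, "sasl", mech, user, verdict)
    raise ValueError(f"unknown AuthenticationChoice tag 0x{tag:02x}")


# Constructed sample packets (not captured traffic).
SAMPLE_DIGEST_RESPONSE = (b'username="ldapuser",realm="EXAMPLE.COM",nonce="n1",cnonce="c1",'
                          b'nc=00000001,qop=auth,digest-uri="ldap/dc1.example.com",response=00')
SAMPLES = {
    "simple-with-dn": encode_bind_request(1, PROXY_DN, password=b"password"),
    "simple-anonymous": encode_bind_request(2, "", password=b""),
    "sasl-initial": encode_bind_request(3, "", sasl_mech="DIGEST-MD5"),
    "sasl-response": encode_bind_request(4, "", sasl_mech="DIGEST-MD5", sasl_creds=SAMPLE_DIGEST_RESPONSE),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:17s} {decode_bind_request(pkt).verdict}")
```

Feed it the raw BindRequest bytes from a capture and the verdict tells you whether you are looking at a genuinely anonymous bind or a SASL exchange whose username is a few bytes further in; for the latter, the thing to check against AD is the username inside the DIGEST-MD5 response, not the DN field.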