
Re: Active Directory pam_ldap search returns 0 results

by dstensrud

Okay, I fixed my issue.  I didn't have the right nss_base info in my
ldap.conf.  Instead of having cn=Users,dc=hops,dc=org, I needed
dc=hops,dc=org.  After changing the nss options it works fine.

dstensrud wrote:

> Okay. I started using Wireshark to monitor the information going back and
> forth between the AD and my Linux machine.  I'm trying to authenticate users
> through AD via pam_ldap.  I can make a successful bind, but when the user
> goes to do the search it doesn't return results.  I have the same exact
> setup in another office and it works fine, but for this one that I'm working on,
> the AD isn't mine, and I don't have access to it.  If I issue an ldapsearch
> from the command line it works.  Here is an example:
>
> LDAPSEARCH COMMAND:
> ================
> ldapsearch -vvv -x -W -D binduser@... -LLL
> "(&(objectclass=User)(sAMAccountName=jsmith))"
> ldap_initialize( <DEFAULT> )
> Enter LDAP Password:
> filter: (&(objectclass=User)(sAMAccountName=jsmith))
> requesting: All userApplication attributes
> dn: CN=jsmith,OU=Contrators,DC=hops,DC=org
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: jsmith
> description: Jimmy
> givenName: jsmith
> distinguishedName: CN=jsmith,OU=Contrators,DC=hops,DC=org
> instanceType: 4
> whenCreated: 20061219205530.0Z
> whenChanged: 20070101204220.0Z
> displayName: jsmith
> uSNCreated: 2206049
> uSNChanged: 2651279
> homeMTA: CN=Microsoft MTA,CN=RH-EXCH,CN=Servers,CN=hops,CN=Administrative G
>  roups,CN=hops,CN=Microsoft
> Exchange,CN=Services,CN=Configuration,DC=HopS,DC=org
> proxyAddresses: smtp:jsmith@...
> proxyAddresses: X400:c=US;a= ;p=hops;o=Exchange;s=jsmith;
> proxyAddresses: SMTP:jsmith@...
> homeMDB: CN=Mailbox Store 4 (RH-EXCH),CN=First Storage
> Group,CN=InformationSto
>  re,CN=RH-EXCH,CN=Servers,CN=hops,CN=Administrative Groups,CN=hops,CN=Mi
>  crosoft Exchange,CN=Services,CN=Configuration,DC=hops,DC=org
> mDBUseDefaults: TRUE
> mailNickname: jsmith
> name: jsmith
> objectGUID:: nWOUBbOPdUW+jSjR8nEWlg==
> userAccountControl: 66048
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 128112802965635188
> lastLogon: 128112803066418373
> pwdLastSet: 128110353306467105
> primaryGroupID: 513
> objectSid:: AQUAAAAAAAUVAAAAVQehjxr3HWeam6GFVREAAA==
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: jsmith
> sAMAccountType: 805306368
> showInAddressBook: CN=Default Global Address List,CN=All Global Address
> Lists,
>  CN=Address Lists Container,CN=hops,CN=Microsoft Exchange,CN=Services,CN=Co
>  nfiguration,DC=hops,DC=org
> showInAddressBook: CN=All Users,CN=All Address Lists,CN=Address Lists
> Containe
>  r,CN=hops,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=hops,DC
>  =org
> legacyExchangeDN: /o=hops/ou=First Administrative Group/cn=Recipients/cn=wo
>  rltracuser
> userPrincipalName: jsmith@...
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=hops,DC=org
> lastLogonTimestamp: 128121577405726786
> textEncodedORAddress: c=US;a= ;p=hops;o=Exchange;s=jsmith;
> mail: jsmith@...
> msExchHomeServerName: /o=hops/ou=First Administrative Group/cn=Configuratio
>  n/cn=Servers/cn=RH-EXCH
> msExchALObjectVersion: 49
> msExchMailboxSecurityDescriptor::
> AQAEgHgAAACUAAAAAAAAABQAAAAEAGQAAQAAAAACFAAD
>
> AAIAAQEAAAAAAAUKAAAAAAAAAEMASAA6ADMAMgA2ADgAAAAAAQAAAAEAAAEAAAAgAAAAAAAAAAAAA
>
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQUAAAAAAAUVAAAAVQehjxr3HWeam6GFHgUAAA
>  EFAAAAAAAFFQAAAFUHoY8a9x1nmpuhhR4FAAA=
> msExchUserAccountControl: 0
> msExchMailboxGuid:: qsncZEFiX0SylodSUv+TWQ==
> msExchPoliciesIncluded:
> {2F6B8623-374D-4B15-B808-CB6FAFCE6F64},{26491CFC-9E50-
>  4857-861B-0CB8DF22B5D7}
> =======================
>
> Okay, now if I try to ssh into my machine, which is set up to use pam_ldap to
> verify the password against this AD, it fails.  Here is the info Wireshark
> is showing me:
>
> WIRESHARK INFO
> ===============
>     [The RTT to ACK the segment was: 0.001563000 seconds]
> Lightweight-Directory-Access-Protocol
>     LDAPMessage bindResponse(1)
>         messageID: 1
>         protocolOp: bindResponse (1)
>             bindResponse
>                 resultCode: success (0)
>         [Response To: 30]
>         [Time: 0.001563000 seconds]
>
> Frame 32 (66 bytes on wire, 66 byt
>
> ----------- so far so good, it just bound -----------------
>
> ------- okay now its going to issue the search-------------
>
>        NOP
>         Timestamps: TSval 1113900, TSecr 20408054
> Lightweight-Directory-Access-Protocol
>     LDAPMessage searchRequest(2) "cn=Users,dc=hops,dc=org" wholeSubtree
>         messageID: 2
>         protocolOp: searchRequest (3)
>             searchRequest
>                 baseObject: cn=Users,dc=hops,dc=org
>                 scope: wholeSubtree (2)
>                 derefAliases: neverDerefAliases (0)
>                 sizeLimit: 1
>                 timeLimit: 0
>                 typesOnly: False
>                 Filter: (&(objectclass=user)(sAMAccountName=jsmith))
>                     and: (&(objectclass=user)(sAMAccountName=jsmith))
>                         Filter: (objectclass=user)
>                             equalityMatch
>                                 attributeDesc: objectclass
>                                 assertionValue: user
>                         Filter: (sAMAccountName=jsmith)
>                             equalityMatch
>                                 attributeDesc: sAMAccountName
>                                 assertionValue: jsmith
>                 attributes: 0 items
>
> Frame 34 (88 bytes on wire, 88 bytes captured)
>
> ----------------- okay still so far so good... -------------------------
>
> ------------------- here is where there should be results.. but theres not
> --------------------
>
>  [This is an ACK to the segment in frame: 27]
>         [The RTT to ACK the segment was: 0.002079000 seconds]
> Lightweight-Directory-Access-Protocol
>     LDAPMessage searchResDone(5) [0 results]
>         messageID: 5
>         protocolOp: searchResDone (5)
>             searchResDone
>                 resultCode: success (0)
>         [Response To: 27]
>         [Time: 0.002079000 seconds]
>
> Frame 35 (66 bytes on wire, 66 bytes c
>
> =========END WIRESHARK INFO===========
>
> I have another environment set up using this same setup and it works fine;
> there are results in the search and everything.  Please help... Thanks in
> advance.
>

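Why the base change fixes it: the user returned by the command-line ldapsearch lives at CN=jsmith,OU=Contrators,DC=hops,DC=org, which is not under cn=Users,dc=hops,dc=org, so the wholeSubtree search in the capture could never contain it, whereas dc=hops,dc=org covers both containers (the command-line ldapsearch passed no -b, so it used whatever default base ldap.conf supplies rather than the nss_base value). The following Python script is an added example, not code from the original post or from pam_ldap: it emulates how an LDAP server decides whether an entry falls inside a search base and scope, so the two nss_base values can be compared offline. It assumes case-insensitive DN matching (as Active Directory does); the function names, the sample directory entries other than jsmith's DN, and the hypothetical "Jane Smith" entry with an escaped comma are my own constructions.

```python
"""Added example (not from the original post or from pam_ldap): emulate how an
LDAP server decides whether an entry lies inside a search base, so the two
nss_base values from the thread can be compared without a directory server.

Assumptions: DN matching is case-insensitive for attribute types and values
(as in Active Directory). Function and constant names are my own."""

import re

# DN of the user returned by the poster's command-line ldapsearch.
USER_DN = "CN=jsmith,OU=Contrators,DC=hops,DC=org"

# The two search bases from the thread: the first failed, the second worked.
BASE_ORIGINAL = "cn=Users,dc=hops,dc=org"
BASE_FIXED = "dc=hops,dc=org"


def parse_dn(dn):
    """Split a DN into a list of (type, value) RDN pairs, leaf first.

    Commas escaped with a backslash (RFC 4514) do not split the DN.
    Multi-valued RDNs joined with '+' are not handled; AD does not use
    them for user objects."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr_type, sep, value = part.strip().partition("=")
        if not sep:
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr_type.strip().lower(), value.strip().lower()))
    return rdns


def depth_below(entry_dn, base_dn):
    """How many RDNs entry_dn sits below base_dn, or None if the entry is
    not in base_dn's subtree at all. 0 means entry_dn equals base_dn."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(base) > len(entry):
        return None
    # The base must be a suffix of the entry DN, RDN by RDN.
    if entry[len(entry) - len(base):] != base:
        return None
    return len(entry) - len(base)


def matches_scope(entry_dn, base_dn, scope="sub"):
    """Mirror the three LDAP search scopes: 'base' (baseObject), 'one'
    (singleLevel) and 'sub' (wholeSubtree, the scope in the capture)."""
    depth = depth_below(entry_dn, base_dn)
    if depth is None:
        return False
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError("unknown scope: %r" % scope)


def count_results(entry_dns, base_dn, scope="sub"):
    """Number of entries a search with this base and scope can see before
    the filter is even applied. When this is 0, the server answers with a
    searchResDone carrying 0 results, exactly like the capture."""
    return sum(1 for dn in entry_dns if matches_scope(dn, base_dn, scope))


if __name__ == "__main__":
    # Constructed sample directory: the poster's user plus two made-up entries.
    directory = [
        USER_DN,
        "CN=Administrator,CN=Users,DC=hops,DC=org",        # assumed entry
        "CN=Smith\\, Jane,OU=Contrators,DC=hops,DC=org",   # assumed; escaped comma
    ]
    for base in (BASE_ORIGINAL, BASE_FIXED):
        print("base %-26s scope sub -> %d candidate(s); jsmith visible: %s"
              % (base, count_results(directory, base), matches_scope(USER_DN, base)))
```

Two practical notes. First, if the account objects are spread over several OUs, the nss_ldap/pam_ldap ldap.conf syntax lets you give a base per map and a scope, e.g. `nss_base_passwd ou=Contrators,dc=hops,dc=org?sub`, which keeps the search tight; the script's `scope` argument shows what `?one` versus `?sub` would change. Second, widening the base to the domain root means every object in the domain that matches the search filter becomes a login candidate on the Linux box, so when only some users should be able to log in, pair the wide base with a `pam_filter` or `pam_groupdn` restriction rather than relying on the base alone.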