Hi, have a look at this site: https://help.ubuntu.com/community/ActiveDirectoryHowto

It explains better than I can!

--
rachel polanskis <r.polanskis@xxxxxxxxxx> <grove@xxxxxxxxxxx>

On 26/07/2011, at 17:27, Kenneth Holter <kenneho.ndu@xxxxxxxxx> wrote:

> Thank you very much for your reply.
>
> Could you please elaborate on which attribute mappings exactly you are
> referring to?
>
> I have tried adding these lines to my ldap.conf file, but without success:
>
> nss_map_objectclass posixAccount user
> nss_map_objectclass shadowAccount user
> nss_map_attribute uid sAMAccountName
> nss_map_attribute homeDirectory unixHomeDirectory
> nss_map_attribute shadowLastChange pwdLastSet
> nss_map_objectclass posixGroup group
> nss_map_attribute uniqueMember member
> pam_login_attribute sAMAccountName
> pam_filter objectclass=User
>
> Best regards,
> Kenneth
>
> On Tue, Jul 26, 2011 at 3:06 AM, <grove@xxxxxxxxxxx> wrote:
>> On Mon, 25 Jul 2011, Kenneth Holter wrote:
>>
>> Are you mapping the shadowaccount Attribute along with Userpassword
>> Attribute?
>>
>> You must map both if you use shadow passwd entry like in RH or Solaris.
>>
>> rachel
>>
>>> Hi all,
>>>
>>> I posted this question on the RHEL 5 mailing list, but didn't get any
>>> replies. Then I came across pam-list, and this may be a more
>>> appropriate place to post this question. This is the case:
>>>
>>> I'm working on setting up our RHEL servers to authenticate against
>>> Active Directory 2008. With my current setup, users can log in and
>>> most everything looks good. But one issue I'm having is that when the
>>> "User must change password at next logon" box on AD is checked, I'm
>>> denied access to the linux box.
>>>
>>> First, this is my setup:
>>>
>>> ###### /etc/ldap.conf ##########
>>>
>>> uri ldaps://ldap.example.com
>>> base dc=example,dc=com
>>>
>>> nss_map_attribute uniqueMember msSFU30PosixMember
>>> nss_map_attribute userPassword msSFU30Password
>>>
>>> pam_password_prohibit_message Your password could not be changed
>>> pam_password ad
>>> ssl on
>>> tls_checkpeer no
>>>
>>> bind_timelimit 120
>>> idle_timelimit 3600
>>> bind_policy soft
>>> nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
>>>
>>> binddn cn=serviceuser,ou=accounts,dc=example,dc=com
>>> bindpw secret
>>>
>>> TLS_REQCERT allow
>>>
>>> ###### /etc/pam.d/system-auth ###########
>>> #%PAM-1.0
>>> # /etc/pam.d/system-auth
>>> auth required pam_env.so
>>> auth sufficient pam_unix.so nullok try_first_pass
>>> auth requisite pam_succeed_if.so uid >= 500 quiet
>>> auth sufficient pam_ldap.so use_first_pass
>>> auth required pam_deny.so
>>>
>>> account required pam_unix.so broken_shadow
>>> account sufficient pam_localuser.so
>>> account sufficient pam_succeed_if.so uid < 500 quiet
>>> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
>>> account required pam_permit.so
>>> account required pam_access.so accessfile=/etc/security/access.custom.conf
>>>
>>> password requisite pam_cracklib.so try_first_pass retry=3 type=
>>> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
>>> password sufficient pam_ldap.so use_authtok
>>> password required pam_deny.so
>>>
>>> session optional pam_keyinit.so revoke
>>> session required pam_limits.so
>>> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>>> session required pam_unix.so
>>> session optional pam_ldap.so
>>> session required pam_mkhomedir.so skel=/etc/skel umask=077
>>>
>>> ####### /etc/nsswitch.conf ####################
>>> -- snip --
>>> passwd: ldap compat
>>> shadow: ldap compat
>>> group: ldap compat
>>> -- snip --
>>>
>>> So when I issue for example "ssh kenneth@server" to log into my RHEL
>>> server, this is what /var/log/secure tells me:
>>>
>>> ## output start ##
>>> 2011-07-22T13:37:21.140807+02:00 server sshd[11172]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=server.example.com user=kenneth
>>> 2011-07-22T13:37:22.888911+02:00 server sshd[11172]: pam_ldap: error trying to bind as user "CN=kenneth,OU=Users,DC=example,DC=com" (Invalid credentials)
>>> 2011-07-22T13:37:24.694597+02:00 server sshd[11172]: Failed password for kenneth from 1.2.3.4 port 45352 ssh2
>>> ## output end ##
>>>
>>> I've tried to google this issue, but haven't come across any
>>> information that has helped me resolve this issue. Does anyone here
>>> know what may be causing it? Any help will be greatly appreciated.
>>>
>>> Best regards,
>>> Kenneth Holter
>>>
>>> _______________________________________________
>>> Pam-list mailing list
>>> Pam-list@xxxxxxxxxx
>>> https://www.redhat.com/mailman/listinfo/pam-list
>>
>> --
>> Rachel Polanskis Kingswood, Greater Western Sydney, Australia
>> grove@xxxxxxxxxxx http://www.zeta.org.au/~grove/grove.html
>> "The perversity of the Universe tends towards a maximum." - Finagle's Law
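Added example, not code from the thread or from nss_ldap/pam_ldap: a small audit of an ldap.conf in the style quoted above, flagging the options that make the ldaps connection to the domain controller unverifiable (tls_checkpeer no, TLS_REQCERT allow) and the clear-text bindpw. Both config samples are constructed; the hardened one assumes a pinned CA file path and uses rootbinddn so the password lives in /etc/ldap.secret instead.

```python
"""Audit an nss_ldap/pam_ldap style /etc/ldap.conf for settings that weaken the directory bind."""

# Constructed sample modelled on the ldap.conf quoted in the thread.
WEAK_LDAP_CONF = """\
uri ldaps://ldap.example.com
base dc=example,dc=com
ssl on
tls_checkpeer no
binddn cn=serviceuser,ou=accounts,dc=example,dc=com
bindpw secret
TLS_REQCERT allow
"""

# Constructed hardened counterpart: verify the server certificate against a pinned
# CA (assumed path) and keep the password out of the world-readable file via rootbinddn.
HARDENED_LDAP_CONF = """\
uri ldaps://ldap.example.com
base dc=example,dc=com
ssl on
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/ad-root.pem
TLS_REQCERT demand
rootbinddn cn=serviceuser,ou=accounts,dc=example,dc=com
"""

def parse_ldap_conf(text):
    """Return (key, value) pairs with lowercased keys; comments and blank lines are skipped."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # option name, then the rest of the line as its value
        pairs.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return pairs

def audit_ldap_conf(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for key, value in parse_ldap_conf(text):
        if key == "tls_checkpeer" and value.lower() == "no":
            findings.append("tls_checkpeer no: server certificate is not verified")
        elif key == "tls_reqcert" and value.lower() in ("never", "allow"):
            findings.append(f"TLS_REQCERT {value}: missing or bad server certificate is accepted")
        elif key == "bindpw" and value:
            findings.append("bindpw in ldap.conf: service-account password stored in clear text")
    return findings
```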