If I understand you correctly, you suggest I add these two lines to /etc/ldap.conf:

nss_map_objectclass shadowAccount User
nss_map_attribute userPassword msSFU30Password

I tried adding these, but the issue remains unsolved. Any ideas on what to try next?

Thanks in advance.

Regards,
Kenneth

On Tue, Jul 26, 2011 at 10:31 AM, Rachel Polanskis <grove@xxxxxxxxxxx> wrote:
> Hi,
> have a look at this site:
>
> https://help.ubuntu.com/community/ActiveDirectoryHowto
>
> It explains better than I can!
>
> --
> rachel polanskis
> <r.polanskis@xxxxxxxxxx>
> <grove@xxxxxxxxxxx>
>
> On 26/07/2011, at 17:27, Kenneth Holter <kenneho.ndu@xxxxxxxxx> wrote:
>
>> Thank you very much for your reply.
>>
>> Could you please elaborate on which attribute mappings exactly you are
>> referring to?
>>
>> I have tried adding these lines to my ldap.conf file, but without success:
>>
>> nss_map_objectclass posixAccount user
>> nss_map_objectclass shadowAccount user
>> nss_map_attribute uid sAMAccountName
>> nss_map_attribute homeDirectory unixHomeDirectory
>> nss_map_attribute shadowLastChange pwdLastSet
>> nss_map_objectclass posixGroup group
>> nss_map_attribute uniqueMember member
>> pam_login_attribute sAMAccountName
>> pam_filter objectclass=User
>>
>> Best regards,
>> Kenneth
>>
>> On Tue, Jul 26, 2011 at 3:06 AM, <grove@xxxxxxxxxxx> wrote:
>>> On Mon, 25 Jul 2011, Kenneth Holter wrote:
>>>
>>> Are you mapping the shadowAccount attribute along with the userPassword
>>> attribute?
>>>
>>> You must map both if you use a shadow passwd entry like in RH or Solaris.
>>>
>>> rachel
>>>
>>>> Hi all,
>>>>
>>>> I posted this question on the RHEL 5 mailing list, but didn't get any
>>>> replies. Then I came across pam-list, and this may be a more
>>>> appropriate place to post this question. This is the case:
>>>>
>>>> I'm working on setting up our RHEL servers to authenticate against
>>>> Active Directory 2008. With my current setup, users can log in and
>>>> most everything looks good. But one issue I'm having is that when the
>>>> "User must change password at next logon" box in AD is checked, I'm
>>>> denied access to the Linux box. First, this is my setup:
>>>>
>>>> ###### /etc/ldap.conf ##########
>>>>
>>>> uri ldaps://ldap.example.com
>>>> base dc=example,dc=com
>>>>
>>>> nss_map_attribute uniqueMember msSFU30PosixMember
>>>> nss_map_attribute userPassword msSFU30Password
>>>>
>>>> pam_password_prohibit_message Your password could not be changed
>>>> pam_password ad
>>>> ssl on
>>>> tls_checkpeer no
>>>>
>>>> bind_timelimit 120
>>>> idle_timelimit 3600
>>>> bind_policy soft
>>>> nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
>>>>
>>>> binddn cn=serviceuser,ou=accounts,dc=example,dc=com
>>>> bindpw secret
>>>>
>>>> TLS_REQCERT allow
>>>>
>>>> ###### /etc/pam.d/system-auth ###########
>>>> #%PAM-1.0
>>>> # /etc/pam.d/system-auth
>>>> auth        required      pam_env.so
>>>> auth        sufficient    pam_unix.so nullok try_first_pass
>>>> auth        requisite     pam_succeed_if.so uid >= 500 quiet
>>>> auth        sufficient    pam_ldap.so use_first_pass
>>>> auth        required      pam_deny.so
>>>>
>>>> account     required      pam_unix.so broken_shadow
>>>> account     sufficient    pam_localuser.so
>>>> account     sufficient    pam_succeed_if.so uid < 500 quiet
>>>> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
>>>> account     required      pam_permit.so
>>>> account     required      pam_access.so accessfile=/etc/security/access.custom.conf
>>>>
>>>> password    requisite     pam_cracklib.so try_first_pass retry=3 type=
>>>> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
>>>> password    sufficient    pam_ldap.so use_authtok
>>>> password    required      pam_deny.so
>>>>
>>>> session     optional      pam_keyinit.so revoke
>>>> session     required      pam_limits.so
>>>> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>>>> session     required      pam_unix.so
>>>> session     optional      pam_ldap.so
>>>> session     required      pam_mkhomedir.so skel=/etc/skel umask=077
>>>>
>>>> ####### /etc/nsswitch.conf ####################
>>>> -- snip --
>>>> passwd: ldap compat
>>>> shadow: ldap compat
>>>> group:  ldap compat
>>>> -- snip --
>>>>
>>>> So when I issue for example "ssh kenneth@server" to log into my RHEL
>>>> server, this is what /var/log/secure tells me:
>>>>
>>>> ## output start ##
>>>> 2011-07-22T13:37:21.140807+02:00 server sshd[11172]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=server.example.com user=kenneth
>>>> 2011-07-22T13:37:22.888911+02:00 server sshd[11172]: pam_ldap: error trying to bind as user "CN=kenneth,OU=Users,DC=example,DC=com" (Invalid credentials)
>>>> 2011-07-22T13:37:24.694597+02:00 server sshd[11172]: Failed password for kenneth from 1.2.3.4 port 45352 ssh2
>>>> ## output end ##
>>>>
>>>> I've tried to google this issue, but haven't come across any
>>>> information that has helped me resolve it. Does anyone here
>>>> know what may be causing it? Any help will be greatly appreciated.
>>>>
>>>> Best regards,
>>>> Kenneth Holter
>>>>
>>>> _______________________________________________
>>>> Pam-list mailing list
>>>> Pam-list@xxxxxxxxxx
>>>> https://www.redhat.com/mailman/listinfo/pam-list
>>>>
>>>
>>> --
>>> Rachel Polanskis Kingswood, Greater Western Sydney, Australia
>>> grove@xxxxxxxxxxx http://www.zeta.org.au/~grove/grove.html
>>> "The perversity of the Universe tends towards a maximum." - Finagle's Law
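The three /var/log/secure lines quoted in the thread are the whole diagnostic signal: pam_unix rejects the user (no local account), pam_ldap then reports that the bind as the user's DN failed with "Invalid credentials", and sshd finally logs the failed password. Below is an added triage script, not part of the thread or of any pam_ldap tooling, that groups sshd PAM messages by host and PID and labels each session so an administrator can tell a directory-side bind rejection (the symptom discussed here) apart from an ordinary local-password failure. It assumes the rsyslog layout shown in the quoted output (ISO-8601 timestamp, host, program[pid]); the sample log text is constructed from those three lines, re-joined onto one line each.

```python
import re
from collections import defaultdict

# Constructed sample input: the three /var/log/secure lines quoted in the
# thread, re-joined onto one line each (the mail client had wrapped them).
SAMPLE_LOG = """\
2011-07-22T13:37:21.140807+02:00 server sshd[11172]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=server.example.com user=kenneth
2011-07-22T13:37:22.888911+02:00 server sshd[11172]: pam_ldap: error trying to bind as user "CN=kenneth,OU=Users,DC=example,DC=com" (Invalid credentials)
2011-07-22T13:37:24.694597+02:00 server sshd[11172]: Failed password for kenneth from 1.2.3.4 port 45352 ssh2
"""

# Assumed syslog layout, matching the quoted lines:
# "<ISO timestamp> <host> <program>[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<prog>\w+)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)

# Message patterns for the three events that make up one failed login.
# The \b before "user=" keeps "ruser=" from being mistaken for the user field.
UNIX_RE = re.compile(
    r"pam_unix\((?P<svc>[^:]+):auth\): authentication failure;.*\buser=(?P<user>\S*)"
)
LDAP_RE = re.compile(
    r'pam_ldap: error trying to bind as user "(?P<dn>[^"]+)" \((?P<reason>[^)]*)\)'
)
FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_line(line):
    """Split one syslog line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def correlate(log_text):
    """Group events by (host, pid) so every PAM message of one sshd session sits together."""
    sessions = defaultdict(dict)
    for raw in log_text.splitlines():
        rec = parse_line(raw.strip())
        if rec is None or rec["prog"] != "sshd":
            continue
        s = sessions[(rec["host"], rec["pid"])]
        s.setdefault("first_ts", rec["ts"])
        s["last_ts"] = rec["ts"]
        msg = rec["msg"]
        if (m := UNIX_RE.search(msg)):
            s["unix_user"] = m["user"]
        elif (m := LDAP_RE.search(msg)):
            s["ldap_dn"] = m["dn"]
            s["ldap_reason"] = m["reason"]
        elif (m := FAIL_RE.search(msg)):
            s["failed_user"] = m["user"]
            s["src_ip"] = m["ip"]
    return dict(sessions)


def classify(session):
    """Name the failure mode of one session from which modules reported."""
    if "failed_user" not in session:
        return "no_failure"
    if "ldap_reason" in session:
        # pam_unix found no local match and the LDAP bind was refused as well:
        # the directory, not the local shadow file, is what denied the login.
        return "ldap_bind_rejected"
    if "unix_user" in session:
        return "local_auth_failed"
    return "failed_unclassified"


def report(log_text):
    """One summary row per sshd session: who, from where, and why it failed."""
    rows = []
    for (host, pid), s in sorted(correlate(log_text).items()):
        rows.append({
            "host": host,
            "pid": pid,
            "user": s.get("failed_user") or s.get("unix_user"),
            "src_ip": s.get("src_ip"),
            "ldap_dn": s.get("ldap_dn"),
            "reason": s.get("ldap_reason"),
            "verdict": classify(s),
        })
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(f"{row['host']} sshd[{row['pid']}] user={row['user']} "
              f"from={row['src_ip']} verdict={row['verdict']} "
              f"ldap_reason={row['reason']}")
```

Run it against a real file with `report(open("/var/log/secure").read())`; a run of `ldap_bind_rejected` rows for one user whose password is otherwise known to be correct points at the directory side (in this thread, the "must change password at next logon" flag) rather than at the local PAM stack, which is the distinction the log lines alone do not make obvious.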