LinuxQuestions.org
LinuxQuestions.org > Forums > Enterprise Linux Forums > Linux - Enterprise
Linux - Enterprise This forum is for all items relating to using Linux in the Enterprise.
Old 03-17-2006, 06:57 AM   #16
fenix4life
LQ Newbie
 
Registered: Jul 2005
Posts: 4

Rep: Reputation: 0

Hi,

I've tried a lot of solutions to get in touch with the Active Directory. I now have a working solution using Windows 2003 R2 and the /etc/ldap.conf, ... configuration without SSL (Red Hat Desktop).

The problem is now I want to make it possible to change the password using the passwd command in Linux.
I've read a lot of things which all bring another solution (sometimes totally the opposite). The main line in those solutions is that I need SSL.

I've tried your solution on the first page but it doesn't say what certificate you need.
Is it a self-signed one of the Linux client, is it one created on the AD, ...


I also found another solution using stunnel to create a tunnel from port 389 on the client to 636, but it runs as a daemon but doesn't affect the traffic :s

Any input on how to make it work using those certificates and making passwd work to change passwords.

Thx in advance.

Last edited by fenix4life; 03-17-2006 at 09:36 AM.
 
Old 03-21-2006, 08:41 AM   #17
fenix4life
LQ Newbie
 
Registered: Jul 2005
Posts: 4

Rep: Reputation: 0
Hi,
me again

I managed (I think) to contact the LDAP server by using SSL.
I used the program called stunnel for that.

Now I want to change the password of a user by using passwd but it gives me this mistake

->LDAP password information update failed: Can't contact LDAP server
..... problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)
 
Old 07-26-2006, 09:40 AM   #18
Bleunique
LQ Newbie
 
Registered: Oct 2005
Posts: 8

Rep: Reputation: 0
Quote:
Originally Posted by fenix4life
Hi,
me again

I managed (I think) to contact the LDAP server by using SSL.
I used the program called stunnel for that.

Now I want to change the password of a user by using passwd but it gives me this mistake

->LDAP password information update failed: Can't contact LDAP server
..... problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)
I've not tried stunnel, so I don't know what differences it may cause. The certificate you need is the Root CA certificate from your AD servers.

As far as your password problem, check two things:
1. Make sure your ldap.conf uses "pam_passwd ad"
2. Make sure the password you're using is sufficiently complex.

I'm working on trying this with Kerberos now.

Last edited by Bleunique; 08-16-2006 at 09:48 AM.
 
Old 08-16-2006, 12:25 AM   #19
sruckh
LQ Newbie
 
Registered: Nov 2003
Posts: 15

Rep: Reputation: 0
Anyone got a solution to this problem? I have the same error.

I can change user's passwords as root, but not as non-root users.

I thought the problem was most likely due to the permissions of the rootbinddn as opposed to the binddn user, but even when they are the same, non-root users are unable to change their password. They instead receive:

passwd
Changing password for user aduser.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information update failed: Can't contact LDAP server
00000005: AtrErr: DSID-03190F00, #1:
0: 00000005: DSID-03190F00, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)

passwd: Permission denied

I have tried different LDAP settings including binding on port 636 and setting ssl parameter to on. I have also tried ssl set to start_tls but the results are the same.

If it was an Active Directory issue then I do not understand why root can change passwords but no other user can change passwords. My gut feeling still thinks it has something to do with the rootbinddn user, but I sure am not able to prove that.

Does anyone have a solution to this problem?

Thanks.
 
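The constraint error quoted above is what Active Directory returns when a unicodePwd write does not meet that attribute's rules: the value has to be the new password wrapped in double quotes and encoded as UTF-16LE, and the write has to arrive over an encrypted session (LDAPS or StartTLS), which is why the thread keeps circling back to certificates. As an added example, not code from anyone in this thread, here is a Python helper that builds the LDIF for both an administrative reset and a self-service change and the matching ldapmodify command line; the DN and hostname are constructed placeholders.

```python
"""Build the LDIF for an Active Directory unicodePwd write (added example)."""
import base64

# AD only accepts unicodePwd as the new password wrapped in double quotes and
# encoded as UTF-16LE, and only over LDAPS or StartTLS. Anything else fails with
# "problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)".

def encode_unicode_pwd(password: str) -> bytes:
    """Password in the byte form AD expects in unicodePwd."""
    return f'"{password}"'.encode("utf-16-le")

def decode_unicode_pwd(value: bytes) -> str:
    """Inverse of encode_unicode_pwd, for checking what was built."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("value is not a quoted UTF-16LE password")
    return text[1:-1]

def _attr_line(password: str) -> str:
    # LDIF carries binary values base64-encoded after a double colon
    b64 = base64.b64encode(encode_unicode_pwd(password)).decode("ascii")
    return f"unicodePwd:: {b64}\n"

def reset_ldif(user_dn: str, new_password: str) -> str:
    """Administrative reset: replace the value without knowing the old one."""
    return (f"dn: {user_dn}\nchangetype: modify\n"
            f"replace: unicodePwd\n{_attr_line(new_password)}-\n")

def change_ldif(user_dn: str, old_password: str, new_password: str) -> str:
    """Self-service change, as passwd does it: delete old value, add new value."""
    return (f"dn: {user_dn}\nchangetype: modify\n"
            f"delete: unicodePwd\n{_attr_line(old_password)}-\n"
            f"add: unicodePwd\n{_attr_line(new_password)}-\n")

def ldapmodify_args(uri: str, bind_dn: str, ldif_path: str,
                    start_tls: bool = False) -> list:
    """ldapmodify command line; refuses a plaintext ldap:// session outright."""
    args = ["ldapmodify", "-x", "-H", uri, "-D", bind_dn, "-W", "-f", ldif_path]
    if uri.startswith("ldaps://"):
        return args
    if uri.startswith("ldap://") and start_tls:
        return ["ldapmodify", "-ZZ"] + args[1:]  # -ZZ: StartTLS must succeed
    raise ValueError("unicodePwd writes need LDAPS or StartTLS: " + uri)

if __name__ == "__main__":
    # constructed placeholder DN and host, not a real domain
    dn = "cn=aduser,ou=LNXUSERS,dc=your,dc=domain"
    print(change_ldif(dn, "OldPa55w0rd!", "NewPa55w0rd!"), end="")
    print(" ".join(ldapmodify_args("ldaps://winad.your.domain", dn, "chpw.ldif")))
```

The self-service form needs the old value and is what a non-root passwd run maps to; the replace form is the reset an administrator bind (the rootbinddn in the configs above) is allowed to perform without it.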
Old 08-16-2006, 09:48 AM   #20
Bleunique
LQ Newbie
 
Registered: Oct 2005
Posts: 8

Rep: Reputation: 0
Can you turn debugging on? I had a similar problem when only root could read my CA cert.
 
Old 08-16-2006, 05:25 PM   #21
sruckh
LQ Newbie
 
Registered: Nov 2003
Posts: 15

Rep: Reputation: 0
Good idea, but that is not it. Plus, if that was the problem, I would have guessed that the authentication part would not work either.

I have tried adding debug in the PAM configuration and in the ldap.conf file (level set at 256), but nothing more descriptive shows up. I am using vendor-supplied packages and do not know if debugging was a compiled option.

Thanks for the feedback.

Anyone have suggestions?
 
Old 09-08-2006, 09:37 PM   #22
psychobyte
Member
 
Registered: Sep 2003
Location: Central Coast, California
Posts: 179

Rep: Reputation: 30
Hi,

I just found this thread and came up against the same problem with changing an AD password with passwd.

Has anyone found a solution?

What about changing AD passwords with other types of command-line utils on Linux? Or OpenLDAP command-line tools?

Any suggestions would help out.

Thanks.
 
Old 09-08-2006, 10:12 PM   #23
sruckh
LQ Newbie
 
Registered: Nov 2003
Posts: 15

Rep: Reputation: 0
I got it to work when using pam_krb5 instead of pam_ldap, but it does not work when you force a password change at login or when the password has expired. It only works if you have logged in successfully. Then you can issue the passwd command and the password is changed.

I do not know if a different principal needs to be added to the keytab file or what the problem really is. If I did I would be happy to share the solution.

I am curious about others who have an enterprise solution that is working. With pam_krb5 or pam_ldap you can get authentication and authorization going without too much problem, but password aging, and password changing using passwd has been a challenge.
 
Old 09-11-2006, 05:21 PM   #24
psychobyte
Member
 
Registered: Sep 2003
Location: Central Coast, California
Posts: 179

Rep: Reputation: 30
On to another small issue,

in the ldap.conf file there is an entry (from one of the tutorials)

pam_groupdn cn=linuxusers,dc=iqcd,dc=ucsb,dc=edu


linuxusers is the AD group that you can assign users to. However, this line doesn't seem to do anything except block ALL LDAP auth. to AD. What is the nature of this parameter? Are there any ways of restricting user access to the Linux box depending on which POSIX group they belong to?

E.g. user1, member of mail, linuxusers: gets access
user2, member of nomail: no access
 
Old 09-11-2006, 05:31 PM   #25
psychobyte
Member
 
Registered: Sep 2003
Location: Central Coast, California
Posts: 179

Rep: Reputation: 30
sruckh,

How exactly do you change your AD password w/ Krb5? (I'm new to Kerberos/LDAP)

Also, have you found a way to change the password via web interface? Could usermin be used to change the password?

Thanks.
 
Old 09-11-2006, 10:24 PM   #26
sruckh
LQ Newbie
 
Registered: Nov 2003
Posts: 15

Rep: Reputation: 0
Windows 2003 w/IIS 6.0 does come with a very basic ASP application that allows you to change user passwords. You can check out Microsoft's knowledge base and find out more about IISADMPWD there.

Here is the /etc/ldap.conf I was using:

#logdir /var/log
#debug 256

host winad.your.domain
#uri ldaps://winad.your.domain
scope sub
timelimit 5
# the following port command works if ssl is set to on
#port 636

# This is the user that root will bind to the LDAP database as.
rootbinddn cn=lnxadm,cn=Users,dc=your,dc=net

# This is the user that is used to look up user's data in
# active directory. This user should have very limited access
# and should only be able to read active directory information.
binddn bind_user@your.domain
bindpw bind_user_password

# if bind_policy is set to soft it will make nss_ldap
# return a negative result if it cannot connect. If
# bind_policy is set to hard nss_ldap will try to
# connect to ldap server indefinitely.
bind_policy soft

# turn on TLS so the clear-text username and password
# are not sent across the wire.
tls_checkpeer yes
ssl start_tls

# the following are undocumented settings. These
# values are typically set in the DEFINE statements
# in the source code. These were put in an attempt
# to not bring system to a crawl when LDAP server
# is unavailable. These settings do not appear
# to be helpful.

# prevents nss from indefinitely trying to make a connection
nss_reconnect_tries 2
#nss_reconnect_sleeptime
nss_reconnect_maxsleeptime 2
nss_reconnect_maxconntries 2


# set beginning point for where LDAP searches will begin.
nss_base_passwd ou=LNXUSERS,dc=your,dc=domain?sub
nss_base_shadow ou=LNXUSERS,dc=your,dc=domain?sub
nss_base_group ou=LNXUSERS,dc=your,dc=domain?sub?&(objectCategory=group)(gidnumber=*)

# These nss mappings are used when connecting to an Active
# Directory on Windows 2003 R2 (rfc2307). This will not
# work for an Active Directory schema based on Microsoft's
# Services for Unix (SFU) 3.x .

nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
#nss_map_attribute gecos name
nss_map_attribute homeDirectory unixHomeDirectory

# These nss mappings are used when connecting to an Active
# Directory with Microsoft's Services for Unix 3.x installed.
# This is not needed for Windows 2003 R2.

#nss_map_objectclass posixAccount User
#nss_map_objectclass posixGroup Group
#nss_map_attribute uid sAMAccountName
#nss_map_attribute uidNumber msSFU30UidNumber
#nss_map_attribute gidNumber msSFU30GidNumber
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute loginShell msSFU30LoginShell
#nss_map_attribute gecos name

# pam_ldap setting to make sure that passwords are set correctly when
# using Active Directory
pam_password ad

I also had the file /etc/openldap/ldap.conf where I used the following options:

BASE ou=LNXUSERS,dc=your,dc=domain
HOST windad.your.domain
TLS_REQCERT demand
TLS_CACERT /etc/openldap/cacerts/winadCA.pem

Although this works just fine and no passwords travel across the wire in clear text, I am not satisfied with the solution. Also, as mentioned already, when using pam_ldap I cannot force users to change their password.

If anyone has an enterprise solution that is working it would be nice to get some input.

Thanks.
 
Old 09-27-2006, 02:42 PM   #27
cesar_tec
LQ Newbie
 
Registered: Mar 2003
Distribution: RHEL, KNOPPIX
Posts: 5

Rep: Reputation: 0
I have been able to make this work using Red Hat Directory Server. I am sure that Fedora Directory Server will work the same.

Through Directory Server you are able to interface with AD via TLS. Also - using the supplied utility that comes with Directory Server (PassSync.msi) you are able to sync passwords back and forth between Linux and AD. It also allows you to synchronize users and groups and it remaps attributes appropriately for consistency between the two directories.

IISADMPWD is a HUGE security risk and should not be used on a Windows box. In fact, delete the file. That's unless you are running an OWA Exchange server on it.
 
Old 10-03-2006, 02:31 PM   #28
Gangrif
Member
 
Registered: Feb 2004
Distribution: Fedora 19
Posts: 73

Rep: Reputation: 15
So, I've read through this entire thread, and followed the above tutorial. I am running CentOS 4, and trying to authenticate to a Windows 2000 DC. I seem to have encountered one little bump, and I think things will work if I can overcome it.

When I try to log in, the following error is generated (in /var/log/messages)

sshd: nss_ldap: could not search LDAP server - Referral

This is of course if I try to log in using SSH. I assume a similar error is produced if I try to log in at the console.

Here is my /etc/ldap.conf


# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
# This file should be world readable but not world writable.
base cn=Users,dc=my_domain,dc=com
host one.ofmydomain.controlers
scope sub
ssl no
#TLS_CACERT /etc/ssl/certs/adcert.pem
binddn cn=my_AD_user,cn=Users,dc=my_domain,dc=com
# the nss_ldap/pam_ldap directive is bindpw (not bindpwd)
bindpw my_AD_users_password
#rootbinddn cn=administrator,cn=Users,dc=example,dc=com
referrals yes
#
# Active Directory Mappings
#
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
nss_base_passwd cn=Users,dc=my_domain,dc=com
nss_base_shadow cn=Users,dc=my_domain,dc=com
nss_base_group cn=Users,dc=my_domain,dc=com
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute cn sAMAccountName
nss_map_attribute uniqueMember member
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_objectclass posixGroup Group



We do not have an SSL cert on our domain controller, at least not that I've been able to find (it wasn't set up by me).

The error mentions referrals, so I tried adding the "referrals yes" line to ldap.conf, but it didn't help.

This is quite annoying; it seems to be so close to working.

Thanks for any input.
 
Old 10-03-2006, 03:31 PM   #29
sruckh
LQ Newbie
 
Registered: Nov 2003
Posts: 15

Rep: Reputation: 0
Here are some other places where I have discussed this topic:

http://www.winlinanswers.com/communi...topic.php?t=37
http://blog.scottlowe.org/2006/04/27...erver-2003-r2/
http://blog.scottlowe.org/2006/08/08...-r2-revisited/

Maybe these sites will give you a hint about what you are missing. Are you using Kerberos and using keytab files?

Have you run openldap commands to test that you can browse your Active Directory with the user you have selected as your bind user?

You should be able to run 'id username' and 'getent passwd username' before you try to log in. If those commands do not work, you are not going to be able to log in.
 
Old 10-03-2006, 03:34 PM   #30
sruckh
LQ Newbie
 
Registered: Nov 2003
Posts: 15

Rep: Reputation: 0
Try your ldapsearch commands:

ldapsearch -x -W -D "cn=binduser,cn=GroupName,dc=domain,dc=name" -LLL "(sAMAccountName=AccountToSearchFor)"
 