Besides ldap.conf, you also need to configure pam:

apt-get install libpam-ldap -y
apt-get install libnss-ldap -y
apt-get install libpam-cracklib -y
Note: libpam-cracklib is not required for LDAP (it just enforces strong passwords).

The following config files work, but you can change them to suit your needs:

/etc/pam.d/common-auth:

auth sufficient pam_ldap.so
auth required pam_unix.so use_first_pass

/etc/pam.d/common-account:

account sufficient pam_ldap.so
account required pam_unix.so

/etc/pam.d/common-password:

password required pam_cracklib.so retry=3 minlen=6 difok=3
password sufficient pam_ldap.so use_authtok try_first_pass
password required pam_unix.so use_authtok try_first_pass md5

Also, if you intend to change user passwords with passwd via libpam-ldap, you will need to patch pam_ldap.so:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=284104

Good luck!

--- Carlos Rodrigues <[EMAIL PROTECTED]> wrote:

> Hi!
>
> I have a sarge install which I'm using to test some things. One of those
> things is LDAP authentication against Active Directory.
>
> This works just fine on a bunch of SUSE 9.2 boxes but I can't make it
> work on the Debian Sarge box.
>
> If I just alter nsswitch.conf to change "passwd" and "group" to "files
> ldap", nothing seems to happen ("finger user" returns nothing, for
> instance).
>
> This is my /etc/ldap.conf, which is basically the same I use in the SUSE
> boxes (the only difference is the domain, because I'm using a different
> domain to test it out) and exactly the same as I'm using in another test
> box using CentOS 4:
>
> #
> # ldap.conf - Active Directory authentication
> #
>
> ldap_version 3
>
> host ldapserver # in /etc/hosts
> ssl no
>
> # Active Directory doesn't allow anonymous access:
> binddn cn=ldap,cn=Users,dc=sandbox,dc=intranet,dc=pt
> bindpw xxxxxx
>
> base cn=Users,dc=sandbox,dc=intranet,dc=pt
> scope sub
>
> nss_base_passwd cn=Users,dc=sandbox,dc=intranet,dc=pt?sub
> nss_base_shadow cn=Users,dc=sandbox,dc=intranet,dc=pt?sub
> nss_base_group cn=Users,dc=sandbox,dc=intranet,dc=pt?sub
>
> pam_password ad
>
> pam_login_attribute sAMAccountName
> pam_member_attribute msSFU30PosixMember
>
> # only members of this group can access this server:
> pam_groupdn cn=Domain Users,dc=sandbox,dc=intranet,dc=pt
>
> pam_filter (objectclass=user)
>
> nss_map_objectclass posixAccount user
> nss_map_objectclass shadowAccount user
> nss_map_objectclass posixGroup Group
>
> nss_map_attribute uid sAMAccountName
> nss_map_attribute uidNumber msSFU30UidNumber
> nss_map_attribute gidNumber msSFU30GidNumber
> nss_map_attribute loginShell msSFU30LoginShell
> nss_map_attribute gecos msSFU30Gecos
> nss_map_attribute userPassword msSFU30Password
> nss_map_attribute homeDirectory msSFU30HomeDirectory
> nss_map_attribute uniqueMember msSFU30PosixMember
>
> # EOF - ldap.conf
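The common-auth stack in the reply above pairs "sufficient pam_ldap.so" with "required pam_unix.so", which means a login is admitted whenever either module succeeds. As an added example that is not from this thread, the Python below implements a simplified model of Linux-PAM control-flag semantics and runs the posted stack through every combination of module results; parse_stack, evaluate and outcomes are names chosen here, and COMMON_AUTH is a constructed copy of the stack from the reply.

```python
from itertools import product

# Constructed copy of the /etc/pam.d/common-auth stack from the reply above.
COMMON_AUTH = """\
auth sufficient pam_ldap.so
auth required   pam_unix.so use_first_pass
"""

def parse_stack(text, facility="auth"):
    """Return [(control, module)] for one facility; comments and blanks skipped."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == facility:
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, results):
    """Simplified Linux-PAM control-flag semantics.

    results maps module name -> True (success) / False (failure).
    required:   a failure is remembered, but later modules still run.
    requisite:  a failure ends the stack immediately with failure.
    sufficient: a success ends the stack with success unless a required
                module already failed; a failure is ignored.
    optional:   ignored here (it only counts when it is the sole module).
    """
    failed = False
    for control, module in stack:
        ok = results[module]
        if control == "required" and not ok:
            failed = True
        elif control == "requisite" and not ok:
            return False
        elif control == "sufficient" and ok and not failed:
            return True
    return not failed

def outcomes(text):
    """Decision for every combination of module results, in stack order."""
    stack = parse_stack(text)
    modules = [module for _, module in stack]
    return {combo: evaluate(stack, dict(zip(modules, combo)))
            for combo in product([True, False], repeat=len(modules))}

if __name__ == "__main__":
    for combo, allowed in outcomes(COMMON_AUTH).items():
        print(combo, "->", "allow" if allowed else "deny")
```

The same functions evaluate the common-account stack with parse_stack(text, "account"); the table shows that only a failure of both pam_ldap and pam_unix denies access, so a local account that should have been retired still opens a door even when the directory account is disabled.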