
I am trying to configure libnss-ldap to provide AD authentication to my Debian Linux servers. This is working fine if the user exists locally; I want to make it work for domain users.

Here is my /etc/ldap.conf file content:

# Server: uri takes precedence over host; the URI form is ldap://HOST/ (two slashes, not three)
host $AD_IP
base ou=Users,dc=MY,dc=DOMAIN
uri ldap://$AD_IP/
ldap_version 3
# AD does not allow anonymous enumeration, so bind with a domain account
binddn $user@MY.DOMAIN
bindpw $password

# Where to search for passwd entries
nss_base_passwd ou=Users,dc=MY,dc=DOMAIN
# Map RFC 2307 object classes and attributes onto their AD equivalents
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
# AD group membership lives in the multi-valued "member" attribute
nss_map_attribute uniqueMember member
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_objectclass posixGroup group
# PAM: log in with the sAMAccountName and match only user objects (filter given once)
pam_login_attribute sAMAccountName
pam_filter objectClass=user
pam_password ad

Here is my /etc/nsswitch.conf

passwd: compat ldap
group:  compat ldap
shadow: compat ldap
...

When I enter the command

getent passwd

The output is the local /etc/passwd file. But tcpdump shows that the request is correctly made to the AD and the AD returns the whole list of users. I think the data retrieved by the getent command is incorrectly interpreted (nss_map_* incorrectly configured?) and hence getent finally returns local information (nsswitch first tries ldap then compat).

How to correct this /etc/ldap.conf configuration to make it work?

Many thanks

philippe
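libnss-ldap builds a passwd entry only from objects that carry the RFC 2307 attributes it expects: the mapped uid (sAMAccountName here) plus uidNumber and gidNumber; an object missing either number is silently skipped, which is one way an AD that "returns the whole list of users" on the wire still produces no LDAP entries in getent output. The following is an added diagnostic, not part of the original question or of libnss-ldap itself. It parses an LDIF dump of the user objects and reports which ones would be dropped. The LDIF embedded below is constructed for the example; the ldapsearch command in the comment (using the same bind DN and base as the posted ldap.conf) is what you would run against a real domain controller.

```shell
#!/bin/sh
# Added example (not from the original post): check an LDIF dump of AD user
# objects for the attributes libnss-ldap needs to produce a passwd entry
# (sAMAccountName -> uid, plus uidNumber and gidNumber). Entries lacking
# uidNumber or gidNumber never appear in "getent passwd".
#
# Against a real server, produce the input with (assumed environment vars,
# matching the posted ldap.conf):
#   ldapsearch -x -H "ldap://$AD_IP/" -D "$user@MY.DOMAIN" -w "$password" \
#     -b 'ou=Users,dc=MY,dc=DOMAIN' '(objectClass=user)' \
#     sAMAccountName uidNumber gidNumber unixHomeDirectory loginShell \
#   | check_rfc2307

# Constructed sample LDIF: alice is complete, bob has no POSIX attributes,
# carol has uidNumber but no gidNumber.
SAMPLE_LDIF='dn: CN=alice,OU=Users,DC=MY,DC=DOMAIN
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/alice
loginShell: /bin/bash

dn: CN=bob,OU=Users,DC=MY,DC=DOMAIN
sAMAccountName: bob

dn: CN=carol,OU=Users,DC=MY,DC=DOMAIN
sAMAccountName: carol
uidNumber: 10003
'

# Reads LDIF on stdin and prints one line per entry:
#   "<sAMAccountName> OK"                    both uidNumber and gidNumber present
#   "<sAMAccountName> MISSING <attr> ..."    entry would be dropped by libnss-ldap
check_rfc2307() {
    awk '
    function flush(    missing, k) {
        if (name != "") {
            missing = ""
            if (!("uidNumber" in seen)) missing = missing " uidNumber"
            if (!("gidNumber" in seen)) missing = missing " gidNumber"
            if (missing == "") print name " OK"
            else print name " MISSING" missing
        }
        name = ""
        for (k in seen) delete seen[k]
    }
    /^$/ { flush(); next }                       # blank line ends an LDIF entry
    /^sAMAccountName: / { name = $2 }
    /^[A-Za-z]+: / { sub(/:$/, "", $1); seen[$1] = 1 }
    END { flush() }
    '
}

# Expected output for the constructed sample:
#   alice OK
#   bob MISSING uidNumber gidNumber
#   carol MISSING gidNumber
printf '%s\n' "$SAMPLE_LDIF" | check_rfc2307
```

If every user comes back MISSING, the objects simply have no POSIX attributes (no Identity Management for UNIX / RFC 2307 schema populated), and no amount of nss_map_* tuning will make libnss-ldap list them; they need uidNumber and gidNumber set in AD, or a resolver such as sssd that can synthesize IDs from the SID.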

1 Answer

If you can, I recommend changing how you authenticate users against your AD.

libnss-ldap is a very old library with a lot of memory leaks, and it hasn't been updated in years. I don't know why it is still available in the distributions and why people keep suggesting it when we have far better solutions.

I've never used AD, but I'm sure sssd can handle that very well.

First link I got from google: https://blog.dlasley.net/2013/06/configure-linux-for-active-directory-authentication-with-sssd/

I just started using sssd to connect to my OpenLDAP server after I almost killed myself making patches to libnss-ldap and libpam-ldap.

Another library that might work for you, if for some reason you're not able to get sssd working, is libnss-ldapd. It's a version based on libnss-ldap that still gets updates, definitely better than libnss-ldap, and the latest version (0.9) has practically all the features that libnss-ldap has.

Be aware that even when sssd is properly configured, using getent passwd to get the whole list does not give you the user list from LDAP.

To test, you can use $ id <ldap_user> or $ getent passwd <ldap_user>

getent alone only works with libnss-ldap or libnss-ldapd.

Erico