Hi Dan,

Thanks a lot for the comments. I want to authenticate anonymously, not with SASL. Is there any PAM configuration needed for this scenario? Could you share a link/doc with me? Thanks so much.

When I use OpenLDAP user login, just running authconfig-gtk (which modifies /etc/openldap/ldap.conf) and setting the LDAP server/base DN lets me log in successfully.
Thanks,
Leo

________________________________________
From: Dan White <[email protected]>
Sent: Monday, June 15, 2015 9:59 PM
To: Leo Xiao
Cc: [email protected]
Subject: Re: proxy to AD does not work during login client machine

On 06/11/15 23:38 +0000, Leo Xiao wrote:
>Hi technical,
>
>I hit a problem while configuring a proxy to AD.
>I can run the command:
>$ ldapsearch -x -h localhost -LLL -b dc=mydomain,dc=local -D cn=open,cn=users,dc=mydomain,dc=local -W "(cn=open1)" cn sAMAccountName
>which returns sAMAccountName: open successfully. --- This may mean the proxy works well.
>But if I run the command without -D cn=open,cn=users,dc=mydomain,dc=local, the search fails.

So you are attempting to authenticate anonymously? Or with SASL?

>When I try to log in to my client machine with an AD user, it always fails. --- I can log in with an OpenLDAP user successfully.

You'll need to troubleshoot your nss/pam config, whichever one you're using.

>I think I need some configuration to force the -D in slapd.conf. Are there any problems with my slapd.conf? Or any troubleshooting comments? I appreciate it very much.
>
>Below is my slapd.conf:
>#######################################################################
># database definitions
>#######################################################################
>database ldap
>suffix "DC=mydomain,DC=local"
>uri ldap://dc-ad.mydomain.local/
>chase-referrals no
>rebind-as-user yes
>idassert-bind bindmethod=simple
>    binddn="CN=open,OU=users,DC=mydomain,DC=local"
>    credentials=open
>    mode=none
>    flags=non-prescriptive
>idassert-authzFrom "*"
>
>
>Thanks,
>Leo
>

-- 
Dan White
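An annotated version of the back-ldap proxy stanza from the thread, added here as an example and not part of either message. It reuses the hostnames and DNs from Leo's mail and assumes that the bind DN which works in the ldapsearch above (cn=open,cn=users,...; in AD the default Users object is a CN container, not an OU) is the correct one, so the binddn is written that way rather than with OU=users as in the posted slapd.conf.

```conf
#######################################################################
# database definitions: back-ldap proxy in front of the AD domain controller
#######################################################################
database        ldap

# Naming context this proxy serves; clients search under this base.
suffix          "DC=mydomain,DC=local"

# The AD server being proxied. The bind password below travels in the
# clear over a plain ldap:// URI; ldaps:// or the "tls start" directive
# of slapd-ldap(5) keeps it off the wire.
uri             ldap://dc-ad.mydomain.local/

# AD returns referrals for other naming contexts (e.g. DomainDnsZones);
# do not follow them from the proxy.
chase-referrals no

# Remember the client's bind credentials for reconnects.
rebind-as-user  yes

# Identity the proxy itself uses towards AD.
#  - binddn must be the DN AD actually resolves; the working ldapsearch
#    in the thread used cn=open,cn=users,..., not OU=users.
#  - credentials is stored in clear text: keep slapd.conf readable only
#    by the slapd user.
#  - mode=none: no identity is asserted (no proxyAuthz control), so AD
#    sees every proxied operation as the binddn account.
#  - flags=non-prescriptive: a local identity not matched by
#    idassert-authzFrom is forwarded anonymously instead of being
#    rejected with inappropriateAuthentication. AD refuses anonymous
#    searches by default, so such a request surfaces as "search failed"
#    with no hint that the proxy dropped to anonymous.
# Continuation lines must start with whitespace and carry no comments.
idassert-bind   bindmethod=simple
                binddn="CN=open,CN=Users,DC=mydomain,DC=local"
                credentials=open
                mode=none
                flags=non-prescriptive

# Which local identities may use the asserted identity: all of them.
idassert-authzFrom "*"
```

After any change, repeat the two ldapsearch runs from the thread (with and without -D) against localhost and compare the result codes; a difference between them, with the proxy otherwise healthy, points at the idassert settings rather than at the client's nss/pam setup.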
