
I'm trying to set CentOS to authenticate to a Server 2003 AD. I run authconfig-gtk and select LDAP for "User Information" and "Authentication" and configure it as such:

base dn: dc=test,dc=com

ldap server: 192.168.0.1 and no TLS encryption (need to get it running first)

on the options page

Cache user information, use shadow passwords, password hashing algorithm md5, local authorization is sufficient for local users, create home directories on the first login

But it won't let me SSH into the box with an AD account. Even when I log onto a local account there is a HUGE delay, 1-5 mins.

I keep getting these errors in /var/log/secure but googling them doesn't help.

nss_ldap: Reconnecting to LDAP server (sleeping 4 seconds)

nss_ldap: Reconnecting to LDAP server (sleeping 8 seconds)

I have installed SFU3.5 on the AD and filled out the unix tab for the testing users.

3 Answers

1

Before beginning, make sure you tail both /var/log/secure AND /var/log/messages; secure will give you errors from pam, but messages will give you errors from ssh (i.e., errors from querying LDAP):

tail -f -n0 /var/log/{messages,secure} 

So, we have the same setup at work (using AD Server 2003). Since it sounds like you already have PAM hitting LDAP (because it's failing when you try to log in), let's check some values in /etc/ldap.conf.

First off, set the bind_policy from hard to soft; hard will try connecting repeatedly, exponentially increasing the sleep time between attempts (these are the errors you saw in /var/log/secure). Setting it to soft will get rid of your delays when using a local account.

bind_policy soft 

Next, verify that you're using the correct settings for connecting (ssl, tls, etc.); you can use ldapsearch to test with a bit more verbosity as well. Unfortunately, without more debugging output (what server is setup, what error messages are being returned from the LDAP query, config files), I'm afraid nobody will be able to help much.

Hope this helps you get on the right track!

Andrew
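An added example (not part of Andrew's answer or the nss_ldap project) that checks the two things this answer asks for: the effective bind_policy in an ldap.conf-style file, and how much login delay the nss_ldap reconnect back-off lines in /var/log/secure add up to. The sample config and log files are constructed here to mirror the question; the file paths and function names are mine. It assumes nss_ldap's documented default of bind_policy hard when the directive is absent.

```shell
#!/bin/sh
# Added example: audit bind_policy in an ldap.conf-style file and total the
# nss_ldap reconnect back-off seen in a secure log. Paths are parameters.

# Print the effective bind_policy from the given file. Comment lines are
# skipped; if the directive is absent, report "hard", nss_ldap's documented
# default (assumption stated in the lead-in).
effective_bind_policy() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "bind_policy" { val = tolower($2) }
        END { print (val == "" ? "hard" : val) }
    ' "$1"
}

# Count "nss_ldap: Reconnecting to LDAP server (sleeping N seconds)" lines and
# sum N. With bind_policy hard the sleeps double on each retry, so the total is
# the delay every NSS lookup (and therefore every login) suffers while the
# directory is unreachable. Output: "<count> <total_seconds>".
reconnect_backoff_total() {
    awk '
        /nss_ldap: Reconnecting to LDAP server \(sleeping [0-9]+ seconds\)/ {
            match($0, /sleeping [0-9]+/)
            n = substr($0, RSTART + 9, RLENGTH - 9)
            total += n; count++
        }
        END { printf "%d %d\n", count + 0, total + 0 }
    ' "$1"
}

# Constructed sample inputs (hypothetical paths under a temp directory).
tmp=${TMPDIR:-/tmp}/ldapcheck.$$
mkdir -p "$tmp"
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/ldap.conf.hard" <<'EOF'
# constructed sample mirroring the question's settings
base dc=test,dc=com
uri ldap://192.168.0.1/
bind_policy hard
EOF

cat > "$tmp/ldap.conf.soft" <<'EOF'
base dc=test,dc=com
uri ldap://192.168.0.1/
bind_policy soft
EOF

cat > "$tmp/ldap.conf.none" <<'EOF'
base dc=test,dc=com
uri ldap://192.168.0.1/
EOF

cat > "$tmp/secure.log" <<'EOF'
Jan  1 10:00:04 box sshd[1234]: nss_ldap: Reconnecting to LDAP server (sleeping 4 seconds)
Jan  1 10:00:12 box sshd[1234]: nss_ldap: Reconnecting to LDAP server (sleeping 8 seconds)
Jan  1 10:00:28 box sshd[1234]: nss_ldap: Reconnecting to LDAP server (sleeping 16 seconds)
EOF

# Report for each sample.
for f in hard soft none; do
    echo "$f: bind_policy=$(effective_bind_policy "$tmp/ldap.conf.$f")"
done
echo "secure.log: reconnects/total-sleep = $(reconnect_backoff_total "$tmp/secure.log")"
```

Point the two functions at the real /etc/ldap.conf and /var/log/secure to see whether the box is still on the hard policy and how many seconds of back-off the log has already recorded; a non-zero total alongside bind_policy hard is exactly the local-login delay described above.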

0

Check settings in ldap.conf for SFU as detailed at

http://wiki.freaks-unidos.net/linux%20ldap%20howto#setting-up-sfu

Mapping AD schema to posix schema makes sense to me.

0

Another approach is to have the box join the AD and authenticate using winbind.

I'm pretty sure that authconfig will let you set up AD.

I've never used authconfig to do AD authentication; I've always set it up by hand, so you may need to run some additional commands to start winbind and join the domain:

chkconfig winbind on
service winbind start
net ads join -U <admin user>

This will only do auth; if you want to do account/group info you'll need to set that up too, which may involve SFU as lucabotti suggests.
