Topic: Authenticating an ubuntu desktop against ebox in ad slave mode

jneves

Is it possible to authenticate an ubuntu desktop against ebox in ad slave mode?

Has anyone done it? Any reason for it not to work?

Can I do it through ldap? Or do I have to go through winbind?

Thanks in advance,
João Miguel Neves

J. A. Calvo

Re: Authenticating an ubuntu desktop against ebox in ad slave mode
« Reply #1 on: May 03, 2010, 12:41:12 pm »
I think it should work through ldap without problem. An ad-slave behaves more like an eBox master than like a slave.
Zentyal Server Lead Developer

jneves

Re: Authenticating an ubuntu desktop against ebox in ad slave mode
« Reply #2 on: May 03, 2010, 12:53:22 pm »
Thanks.

I haven't tried to debug the authentication after importing it (on the 1st attempt I had the wrong dc in /etc/ldap.conf).

At the moment I'm fighting with the LDAP's homeDirectory attribute being defined as /nonexistent. Any clues on how to work around that?

loginShell was also undefined, but nss_default_attribute_value worked well for that case.

Thanks in advance,
João Miguel Neves

J. A. Calvo

Zentyal Server Lead Developer

igama

Re: Authenticating an ubuntu desktop against ebox in ad slave mode
« Reply #4 on: May 03, 2010, 06:45:58 pm »
(I'm with jneves)

Ok some more information...

When I try to login I get the following message:

Code:
pam_ldap: error trying to bind as user "uid=marco.silva,ou=Users,dc=servidor,dc=eb23,dc=net" (Invalid credentials)

In ldap.secret I have the secret that is available at the "LDAP info" section in ebox.

rootbinddn is commented out, what is the "cn" I should use? admin? ebox?

jneves

Re: Authenticating an ubuntu desktop against ebox in ad slave mode
« Reply #5 on: May 03, 2010, 07:16:48 pm »
Have a look at: http://trac.ebox-platform.com/wiki/Document/Documentation/EBoxDesktop#ChangesonServerSidetoMakeitWork

I had already reviewed those. Our current issues are:

1) When syncing from AD, the homeDirectory variable in LDAP is set to the default in the UsersAndGroups module (/nonexistent). I'm building a script to reset that.

2) pam_ldap is refusing to bind with any user. This is getting fun... I'll update the info as soon as I have more information. getent passwd works, showing up all users.

Thanks,
João Miguel Neves
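
A reset script of the kind mentioned in point 1 could take the following shape. This is an added example, not code from the thread or from eBox: it reads LDIF as printed by ldapsearch and emits ldapmodify input that replaces the /nonexistent placeholder. The /home/<uid> layout, the sample entries and the function names are assumptions.

```python
import base64
import re

# Constructed sample input, shaped like "ldapsearch -LLL ... uid homeDirectory" output.
SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,dc=example,dc=test
uid: alice
homeDirectory: /nonexistent

dn: uid=bob,ou=Users,dc=example,dc=test
uid: bob
homeDirectory: /home/bob

dn: uid=carol,ou=Users,dc=example,
 dc=test
uid:: Y2Fyb2w=
homeDirectory: /nonexistent
"""

SAFE_UID = re.compile(r"[A-Za-z0-9_][A-Za-z0-9._-]*")

def parse_ldif(text):
    """Yield one dict per entry (first value per attribute, lower-cased names)."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # undo LDIF line folding
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(name.lower(), value.strip())
        if "dn" in entry:
            yield entry

def build_fix_ldif(text, placeholder="/nonexistent", home_root="/home"):
    """Return ldapmodify input replacing placeholder homeDirectory values."""
    changes = []
    for e in parse_ldif(text):
        uid = e.get("uid", "")
        if e.get("homedirectory") != placeholder:
            continue  # already has a real home directory
        if not SAFE_UID.fullmatch(uid):
            continue  # never build a path from a uid like "../etc" or an empty one
        changes.append(f"dn: {e['dn']}\nchangetype: modify\n"
                       f"replace: homeDirectory\nhomeDirectory: {home_root}/{uid}\n")
    return "\n".join(changes)

if __name__ == "__main__":
    print(build_fix_ldif(SAMPLE_LDIF))
```

The output is meant to be reviewed before it is fed to ldapmodify under the same bind DN that is allowed to write to the directory.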

jneves

Re: Authenticating an ubuntu desktop against ebox in ad slave mode
« Reply #6 on: May 03, 2010, 07:37:55 pm »
Current situation: this works:

ldapsearch -h localhost  -D "cn=ebox,dc=mydc" -x -W -b "dc=mydc" '(objectClass=*)' dn

Replacing the -D for one user, fails with "ldap_bind: Invalid credentials (49)".

Any clues are welcome,
João Miguel Neves

jneves

Re: Authenticating an ubuntu desktop against ebox in ad slave mode
« Reply #7 on: May 03, 2010, 11:04:00 pm »
http://trac.ebox-platform.com/ticket/1872 - I'm starting to suspect that I'm finding the same problem as this bug report.