Zentyal Forum, Linux Small Business Server

Zentyal Server => Installation and Upgrades => Topic started by: jneves on May 03, 2010, 08:21:35 am

Title: Authenticating an ubuntu desktop against ebox in ad slave mode
Post by: jneves on May 03, 2010, 08:21:35 am
Is it possible to authenticate an Ubuntu desktop against eBox in AD slave mode?

Has anyone done it? Any reason for it not to work?

Can I do it through LDAP? Or do I have to go through winbind?

Thanks in advance,
João Miguel Neves
Title: Re: Authenticating an ubuntu desktop against ebox in ad slave mode
Post by: J. A. Calvo on May 03, 2010, 12:41:12 pm
I think it should work through LDAP without problems. An ad-slave behaves like an eBox master more than as a slave.
Title: Re: Authenticating an ubuntu desktop against ebox in ad slave mode
Post by: jneves on May 03, 2010, 12:53:22 pm
Thanks.

I haven't tried to debug the authentication after importing it (the 1st attempt I had the wrong dc in /etc/ldap.conf).

At the moment I'm fighting with the LDAP's homeDirectory attribute being defined as /nonexistent. Any clues on how to work around that?

loginShell was also undefined, but nss_default_attribute_value worked well for that case.

Thanks in advance,
João Miguel Neves
Title: Re: Authenticating an ubuntu desktop against ebox in ad slave mode
Post by: J. A. Calvo on May 03, 2010, 05:08:14 pm
Have a look at: http://trac.ebox-platform.com/wiki/Document/Documentation/EBoxDesktop#ChangesonServerSidetoMakeitWork
Title: Re: Authenticating an ubuntu desktop against ebox in ad slave mode
Post by: igama on May 03, 2010, 06:45:58 pm
(I'm with jneves)

Ok some more information...

When I try to login I get the following message:

Code:
pam_ldap: error trying to bind as user "uid=marco.silva,ou=Users,dc=servidor,dc=eb23,dc=net" (Invalid credentials)

In ldap.secret I have the secret that is available at the "LDAP info" section in ebox.

rootbinddn is commented out, what is the "cn" I should use? admin? ebox?
Title: Re: Authenticating an ubuntu desktop against ebox in ad slave mode
Post by: jneves on May 03, 2010, 07:16:48 pm
Have a look at: http://trac.ebox-platform.com/wiki/Document/Documentation/EBoxDesktop#ChangesonServerSidetoMakeitWork

I had already reviewed those. Our current issues are:

1) When syncing from AD, the homeDirectory variable in LDAP is set to the default in the UsersAndGroups module (/nonexistent). I'm building a script to reset that.

2) pam_ldap is refusing to bind with any user. This is getting fun... I'll update the info as soon as I have more information. getent passwd works, showing up all users.

Thanks,
João Miguel Neves
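
An added example, not part of the thread or of eBox itself: one way to script the homeDirectory reset from issue 1, turning getent passwd output into LDIF that can be reviewed before it is fed to ldapmodify. It assumes entries sit at uid=<login>,ou=Users,<base DN> as in the pam_ldap error above, that homes belong under /home, and that the directory accepts the change; the function names, base DN and sample accounts are constructed.

```shell
#!/bin/sh
# Read passwd-format lines (as printed by `getent passwd`) on stdin and write
# LDIF modify records that replace a /nonexistent homeDirectory.
# Assumptions: DN layout uid=<login>,ou=Users,<base DN>; homes under /home;
# directory users start at UID 1000 unless a second argument says otherwise.
homedir_fix_ldif() {
    base_dn=$1
    min_uid=${2:-1000}
    awk -F: -v base="$base_dn" -v min="$min_uid" '
        # The local "nobody" account (UID 65534) also uses /nonexistent on
        # Debian and Ubuntu, so it is excluded explicitly.
        $3 + 0 >= min + 0 && $3 + 0 != 65534 && $6 == "/nonexistent" {
            # Skip logins that would need DN or LDIF escaping instead of
            # emitting a record that could target the wrong entry.
            if ($1 !~ /^[a-z_][a-z0-9_.-]*$/) {
                print "skipped: " $1 > "/dev/stderr"
                next
            }
            printf "dn: uid=%s,ou=Users,%s\n", $1, base
            print "changetype: modify"
            print "replace: homeDirectory"
            printf "homeDirectory: /home/%s\n", $1
            print "-"
            print ""
        }'
}

# Constructed sample input, not real accounts.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
marco.silva:x:2001:1901:Marco Silva:/nonexistent:/bin/bash
ana.costa:x:2002:1901:Ana Costa:/home/ana.costa:/bin/bash
bad,name:x:2003:1901:Needs escaping:/nonexistent:/bin/bash
EOF
}

# Demo run on the constructed sample; on a real client the input would be
# `getent passwd` and the base DN the one configured in /etc/ldap.conf.
sample_passwd | homedir_fix_ldif "dc=example,dc=com"
```

Only marco.silva gets a record here: nobody is excluded by UID, ana.costa already has a real home, and bad,name is reported on stderr rather than written into a DN.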
Title: Re: Authenticating an ubuntu desktop against ebox in ad slave mode
Post by: jneves on May 03, 2010, 07:37:55 pm
Current situation: this works:

ldapsearch -h localhost -D "cn=ebox,dc=mydc" -x -W -b "dc=mydc" '(objectClass=*)' dn

Replacing the -D for one user, fails with "ldap_bind: Invalid credentials (49)".

Any clues are welcome,
João Miguel Neves
Title: Re: Authenticating an ubuntu desktop against ebox in ad slave mode
Post by: jneves on May 03, 2010, 11:04:00 pm
http://trac.ebox-platform.com/ticket/1872 - I'm starting to suspect that I'm finding the same problem as this bug report.