ADS and LDAP - Networking



Thread: ADS and LDAP

  1. ADS and LDAP

    Hi, I've tried posting this in the Windows AD group with no help. I
    was wondering if someone in this group may be able to help.



    We have three sites in our network (site01,site02 and site03)
    and our master server is site01. Under the forest of site01 are site02
    and site03. I have enabled the GC on both site02 and site03. What I'm
    trying to setup is ldap on our Redhat Linux servers and am having a
    bit of a problem. If I setup the host and uri to point to the ADS
    server on site01 I can authenticate without any problems. If I try to
    use the site03 ADS server to authenticate a site03 Linux server I am
    unable to SSH into the server nor can I switch users from my remote
    access card. All of my users are stored under the site01 server and
    can not be seen on the site03 or site02 servers without pulling up the
    site01 domain. I have verified that port 3268 is working and if I
    change the port in my ldap.conf to 3268 the users can authenticate but
    only using the site01 server. Can anyone help out? Ideally I want to
    setup each network to authenticate against its own ADS server and in
    the event of a failure/reboot to use another ADS server on another
    network.

    All three networks can see each other through the VPN tunnel that we
    have established.

    Thanks,
    Nick

  2. Re: ADS and LDAP

    On Thu, 28 Aug 2008 09:37:59 -0400, nick@nowhere.com wrote:

    >Hi, I've tried posting this in the Windows AD group with no help. I
    >was wondering if someone in this group may be able to help.

    [snip]



    Also here is a copy of my ldap.conf with the domains changed

    host 10.201.1.1
    base dc=domain,dc=com
    # uri takes precedence over host; either one accepts a space-separated list of servers tried in order
    uri ldap://mwads01.domain.com/
    # service account used for lookups; ldap.conf is readable by every local user, so keep it read-only
    binddn mwldap@domain.com
    bindpw password
    scope sub
    timelimit 120
    bind_timelimit 120
    idle_timelimit 3600
    # no TLS: the simple bind and every user's password cross the network in cleartext
    ssl no
    nss_base_passwd dc=domain,dc=com?sub
    nss_base_shadow dc=domain,dc=com?sub
    # one line: base?scope?filter, restricted to groups that carry a gidNumber
    nss_base_group dc=domain,dc=com?sub?&(objectCategory=group)(gidnumber=*)
    # map the RFC 2307 object classes and attributes onto the AD schema
    nss_map_objectclass posixAccount user
    nss_map_objectclass shadowAccount user
    nss_map_objectclass posixGroup group
    nss_map_attribute gecos cn
    nss_map_attribute homeDirectory unixHomeDirectory
    nss_map_attribute uniqueMember member
    #pam_groupdn "cn=Unix Users,ou=Users,dc=domain,dc=com"
    pam_member_attribute member


    Ideally for our site02 it should look something like

    # identical to the site01 file except that host and uri point at the site02 DC
    host 10.202.1.1
    base dc=domain,dc=com
    uri ldap://hwads01.domain.com/
    binddn mwldap@domain.com
    bindpw password
    scope sub
    timelimit 120
    bind_timelimit 120
    idle_timelimit 3600
    ssl no
    nss_base_passwd dc=domain,dc=com?sub
    nss_base_shadow dc=domain,dc=com?sub
    # one line: base?scope?filter
    nss_base_group dc=domain,dc=com?sub?&(objectCategory=group)(gidnumber=*)
    nss_map_objectclass posixAccount user
    nss_map_objectclass shadowAccount user
    nss_map_objectclass posixGroup group
    nss_map_attribute gecos cn
    nss_map_attribute homeDirectory unixHomeDirectory
    nss_map_attribute uniqueMember member
    #pam_groupdn "cn=Unix Users,ou=Users,dc=domain,dc=com"
    pam_member_attribute member

  3. Re: ADS and LDAP

    On Thu, 28 Aug 2008 09:37:59 -0400, nick passed an empty day by writing:

    > Hi, I've tried posting this in the Windows AD group with no help. I was
    > wondering if someone in this group may be able to help.

    [snip]


    I'm the wrong person to answer this as me and AD hate each other.
    Probably got nothing to do with anything but from memory LDAP runs on
    port 389. Also, does that AD crap not have SammyBloodymicrosoft (or
    similar) as the UID? - probably nothing to do with anything.

    I can sympathise with your plight, if you get anywhere let us know. It's
    hard enough finding any of these so called 'MCEP's or whatever they are
    called who actually know f*ck all squared about AD, let alone LDAP proper.

    Good luck!

    --
    powered by Linux - bastardized by Window$ *THE* legacy operating system
    for the 20th Century - givemespam@wibblywobblyteapot.co.uk

  4. Re: ADS and LDAP

    nick@nowhere.com wrote:
    > On Thu, 28 Aug 2008 09:37:59 -0400, nick@nowhere.com wrote:
    >
    >> Hi, I've tried posting this in the Windows AD group with no help. I
    >> was wondering if someone in this group may be able to help.


    Really? Must have been under another subject because this same thread
    appears in the AD group 2 days (on August 30) *after* this one (August 28).

    >>
    >>
    >>
    >> We have three sites in our network (site01,site02 and site03)
    >> and our master server is site01. Under the forest of site01 are site02
    >> and site03. I have enabled the GC on both site02 and site03. What I'm
    >> trying to setup is ldap on our Redhat Linux servers and am having a
    >> bit of a problem. If I setup the host and uri to point to the ADS
    >> server on site01 I can authenticate without any problems. If I try to
    >> use the site03 ADS server to authenticate a site03 Linux server I am
    >> unable to SSH into the server nor can I switch users from my remote
    >> access card. All of my users are stored under the site01 server and
    >> can not be seen on the site03 or site02 servers without pulling up the
    >> site01 domain.


    That is likely your problem. A user's account must be in site02 if you
    want the user to authenticate to that domain.

    >> I have verified that port 3268 is working and if I
    >> change the port in my ldap.conf to 3268 the users can authenticate but
    >> only using the site01 server. Can anyone help out? Ideally I want to


    As I said in my other post in the AD group (and as someone already
    mentioned in this group), LDAP is port 389.

    >> setup each network to authenticate against its own ADS server and in
    >> the event of a failure/reboot to use another ADS server on another
    >> network.
    >>
    >> All three networks can see each other through the VPN tunnel that we
    >> have established.
    >>
    >> Thanks,
    >> Nick

    >
    >
    > Also here is a copy of my ldap.conf whith the domains changed
    >

    [snip]
    >
    > Ideally for our site02 it should look something like

    [snip]

    I responded to your post in the ADS newsgroup but you never responded
    back. I responded on August 31.
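    The script below is an added example, not code from the thread or from
    nss_ldap itself. It lints an nss_ldap/pam_ldap style ldap.conf like the
    ones posted above against the points the replies raise: the port 389
    versus 3268 question, one server with no failover, and the cleartext
    bind that `ssl no` leaves in place. The sample config is constructed
    from the posted site02 file; the hostnames reused in the main block are
    the ones from the thread and the CA certificate path is an assumed
    location. It relies on documented nss_ldap behaviour: `uri` and `host`
    accept a space-separated list of servers tried in order, and `ssl
    start_tls`, `tls_checkpeer` and `tls_cacertfile` are the keywords that
    turn on and verify StartTLS.

```python
"""Lint a PADL nss_ldap/pam_ldap style /etc/ldap.conf for the failure modes
discussed in this thread: a single server (no failover), a port 389 query
against a DC that does not hold the user's domain, the global catalog's
partial attribute set, and cleartext simple binds.  Added example, not code
from the thread; the sample below is constructed from the posted config."""
from urllib.parse import urlsplit

# Constructed sample modelled on the site02 config in the thread (hostname
# and password are placeholders, as in the original post).
SAMPLE_LDAP_CONF = """\
host 10.202.1.1
base dc=domain,dc=com
uri ldap://hwads01.domain.com/
binddn mwldap@domain.com
bindpw password
scope sub
ssl no
nss_base_passwd dc=domain,dc=com?sub
nss_base_group dc=domain,dc=com?sub?&(objectCategory=group)(gidnumber=*)
"""


def parse_ldap_conf(text):
    """Return {keyword: [values]}: keywords are case-insensitive, '#' starts a
    comment, and a keyword may appear more than once (last one wins for scalars)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf


def server_uris(conf):
    """'uri' overrides 'host'; both accept a space-separated list that nss_ldap
    tries in order, which is how failover to another site's DC is expressed."""
    if "uri" in conf:
        return [u for value in conf["uri"] for u in value.split()]
    port = conf.get("port", ["389"])[-1]
    return ["ldap://%s:%s/" % (h, port)
            for value in conf.get("host", []) for h in value.split()]


def uri_port(uri):
    """Explicit port if given, else the scheme default (389 ldap, 636 ldaps)."""
    parts = urlsplit(uri)
    if parts.port:
        return parts.port
    return 636 if parts.scheme == "ldaps" else 389


def audit(conf):
    """Return a list of (code, message) findings for the parsed config."""
    findings = []
    uris = server_uris(conf)
    ports = {uri_port(u) for u in uris}
    if len(uris) < 2:
        findings.append(("NO_FAILOVER",
            "one server only: list the local DC first and another site's DC after it in 'uri'"))
    if ports & {389, 636}:
        findings.append(("DOMAIN_NC_ONLY",
            "port 389/636: a DC answers for its own domain partition only, so accounts "
            "held in another domain of the forest are not returned"))
    if ports & {3268, 3269}:
        findings.append(("GC_PARTIAL_ATTRS",
            "port 3268/3269 is the global catalog: forest-wide but read-only and limited "
            "to the partial attribute set; confirm uidNumber, gidNumber, unixHomeDirectory "
            "and loginShell are replicated to the GC"))
    ssl_mode = conf.get("ssl", ["no"])[-1].lower()
    all_ldaps = bool(uris) and all(urlsplit(u).scheme == "ldaps" for u in uris)
    if ssl_mode not in ("start_tls", "yes", "on") and not all_ldaps:
        findings.append(("CLEARTEXT_BIND",
            "ssl no: simple binds send binddn/bindpw and every user's password in the "
            "clear; set 'ssl start_tls' (port 389/3268) or use ldaps:// URIs"))
    elif conf.get("tls_checkpeer", ["no"])[-1].lower() != "yes":
        findings.append(("NO_CERT_CHECK",
            "TLS without 'tls_checkpeer yes': the DC certificate is not verified, so "
            "anyone on the path can impersonate the DC and collect passwords"))
    if "bindpw" in conf:
        findings.append(("BINDPW_IN_CONF",
            "bindpw is in ldap.conf, which NSS needs world-readable: make binddn a "
            "read-only account and keep privileged credentials in /etc/ldap.secret "
            "via rootbinddn"))
    return findings


def failover_conf(conf, uris, cacert="/etc/openldap/cacerts/ad-root.pem"):
    """Re-emit the config with an ordered server list and StartTLS with peer
    verification.  The cacert path is an assumed location for the AD CA cert."""
    out = dict(conf)
    out.pop("host", None)          # 'uri' is authoritative once present
    out["uri"] = [" ".join(uris)]
    out["ssl"] = ["start_tls"]
    out["tls_checkpeer"] = ["yes"]
    out["tls_cacertfile"] = [cacert]
    return "".join(("%s %s" % (k, v)).rstrip() + "\n"
                   for k, values in out.items() for v in values)


if __name__ == "__main__":
    conf = parse_ldap_conf(SAMPLE_LDAP_CONF)
    for code, msg in audit(conf):
        print("%-18s %s" % (code, msg))
    # Local site's GC first, the site01 GC as fallback (hostnames from the thread).
    print(failover_conf(conf, ["ldap://hwads01.domain.com:3268/",
                               "ldap://mwads01.domain.com:3268/"]))
```

    The port check encodes the point behind the replies: a DC queried on 389
    serves only the domain it holds, which is why a site03 DC cannot return
    accounts stored in the site01 domain, while a global catalog on 3268
    answers forest-wide but only with attributes in the partial attribute
    set, so the RFC 2307 attributes the nss_map_* lines depend on have to be
    present there. Keeping `bindpw` in the file is flagged rather than
    removed, because NSS lookups by unprivileged processes still need it;
    the mitigation is a read-only bind account, not a secret file.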

  5. Re: ADS and LDAP

    On Mon, 01 Sep 2008 21:44:44 -0400, Brandon McCombs wrote:



    Brandon, I can't find that AD group. My server may not carry it. What is
    it called? TIA.

