RE: Really strange LDAP and ADS problem: msg#00012

ldap.padl.nss

Subject: RE: Really strange LDAP and ADS problem

As a first guess (and I'm working on new experience too), the users are being
read, but are trimmed if they don't have the required fields (uid, gid,
homedir, shell). I believe only uid and gid are strictly required, but without
homedir and shell there is very limited usefulness.

The homeDirectory mapping is almost right; it should either be
unixHomeDirectory (Server 2003 R2) or msSFU30HomeDirectory (note the addition
of the "30", yes, even for SFU 3.5...).

You would also need the following additional mappings (they weren't included in
your listing anyway):

SFU:
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell

Server 2003 R2:
nss_map_attribute uidNumber uidNumber
nss_map_attribute gidNumber gidNumber
nss_map_attribute loginShell loginShell

Hopefully that helps. You might also consider using the following:
nss_map_attribute gecos displayName

Joel Johnson

-----Original Message-----
From: owner-nssldap@xxxxxxxx on behalf of andbaum (sent by Nabble.com)
Sent: Thu 3/9/2006 5:58 AM
To: nssldap@xxxxxxxx
Subject: [nssldap] Really strange LDAP and ADS problem


hi together!

I have the following problem:
I need a linux server (debian sarge) in a network, managed by active
directory (windows server 2003). i want to access the AD user database via
ldap (nsswitch.conf)

libnss-ldap and pam-ldap are installed and imho configured well

my current problem is:
# getent passwd
only shows users from /etc/passwd.

but:
# strace -v getent passwd
shows that the AD users are read by getent, but not written to stdout:
[...]
read(4, "\2d\204\0\0\0m\4#CN=user1,CN=Users,DC="..., 116) = 116
time([1141871063]) = 1141871063
select(1024, [4], [], NULL, NULL) = 1 (in [4])
read(4, "0\204\0\0\0z\2\1", 8) = 8
read(4, "\2d\204\0\0\0q\4\'CN=user2,CN=Users"..., 120) = 120
time([1141871063]) = 1141871063
select(1024, [4], [], NULL, NULL) = 1 (in [4])
read(4, "0\204\0\0\0~\2\1", 8) = 8
read(4, "\2d\204\0\0\0u\4+CN=user3,CN=U"..., 124) = 124
time([1141871063]) = 1141871063
[...]
(i changed each real username to userx)

does anybody have an idea why there is no write command, like there should be?

the local users are all written to stdout:
[...]
write(1, "root:x:0:0:root:/root:/bin/bash\n", 32) = 32
write(1, "daemon:x:1:1:daemon:/usr/sbin:/b"..., 38) = 38
write(1, "bin:x:2:2:bin:/bin:/bin/sh\n", 27) = 27
write(1, "sys:x:3:3:sys:/dev:/bin/sh\n", 27) = 27
[...]

i already removed nscd. it did not help :(

when i try to access the linux machine with an AD account via ssh, i get the
following message in auth.log

sshd[7249]: nss_ldap: could not search LDAP server - Bad search filter

and here are the files:

# egrep -v '^(#|$)' /etc/libnss-ldap.conf
@(#)$Id: ldap.conf,v 2.41 2005/03/23 08:30:16 lukeh Exp $
host ipadress
base dc=mydomain,dc=de
ldap_version 3
binddn CN=myuser,CN=Users,DC=mydomain,DC=de
bindpw mypasswd
port 389
scope one
nss_base_passwd CN=Users,DC=mydomain,DC=de
nss_base_shadow CN=Users,DC=mydomain,DC=de
nss_base_group CN=Group,DC=mydomain,DC=de

nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName #msSFUName
nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_objectclass posixGroup Group
nss_map_attribute cn sAMAccountName #msSFUName
nss_map_attribute uniqueMember member
pam_filter objectclass=user
pam_login_attribute sAMAccountName
pam_password ad



# egrep -v '^(#|$)' /etc/ldap/ldap.conf
BASE dc=mydomain,dc=de
URI ldap://host.mydomain.de


PS: i changed ipadress, mydomain, myuser, mypasswd (all these values are
correct). the host is in /etc/hosts

thanks in advance
--
View this message in context:
http://www.nabble.com/Really-strange-LDAP-and-ADS-problem-t1252871.html#a3320266
Sent from the NSS LDAP forum at Nabble.com.
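The reply's diagnosis (entries are read from the LDAP socket but dropped when the mapped uidNumber/gidNumber attributes are missing) can be checked offline. The following is an added example, not code from the thread or from nss_ldap: it resolves a constructed SFU-schema AD entry through the nss_map_attribute lines of the posted libnss-ldap.conf and through the mappings suggested in the reply, and reports which POSIX fields each configuration can fill. The empty defaults for optional fields are an assumption, not nss_ldap's exact behaviour.

```python
"""Resolve an AD entry through nss_map_attribute lines and emit a passwd line."""

POSIX_ATTRS = ("uid", "uidNumber", "gidNumber", "gecos", "homeDirectory", "loginShell")
REQUIRED = ("uid", "uidNumber", "gidNumber")  # without these the entry yields no passwd line

def parse_attribute_map(conf_text):
    """Build {posix_attr: ad_attr}; attributes that are not remapped keep their own name."""
    mapping = {attr: attr for attr in POSIX_ATTRS}
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()  # ignore trailing '#msSFUName'-style comments
        if len(parts) >= 3 and parts[0] == "nss_map_attribute":
            mapping[parts[1]] = parts[2]
    return mapping

def resolve(entry, mapping):
    """Return ({posix_attr: value}, [missing posix attrs]); LDAP attribute names are case-insensitive."""
    lowered = {k.lower(): v for k, v in entry.items()}
    values, missing = {}, []
    for posix_attr in POSIX_ATTRS:
        value = lowered.get(mapping[posix_attr].lower())
        if value is None:
            missing.append(posix_attr)
        else:
            values[posix_attr] = value
    return values, missing

def passwd_line(entry, mapping):
    """Return the passwd(5) line, or None when a required field is missing (entry dropped)."""
    values, missing = resolve(entry, mapping)
    if any(attr in missing for attr in REQUIRED):
        return None
    # Optional fields left empty here (assumption; nss_ldap's own defaults may differ).
    return ":".join([values["uid"], "x", values["uidNumber"], values["gidNumber"],
                     values.get("gecos", ""), values.get("homeDirectory", ""),
                     values.get("loginShell", "")])

# Constructed AD user carrying SFU 3.5 attributes (sample data for this example).
AD_USER = {"sAMAccountName": "user1", "displayName": "User One",
           "msSFU30UidNumber": "10001", "msSFU30GidNumber": "10001",
           "msSFU30HomeDirectory": "/home/user1", "msSFU30LoginShell": "/bin/bash"}

# Attribute lines as posted: uidNumber/gidNumber unmapped, homeDirectory misnamed.
POSTED_CONF = """nss_map_attribute uid sAMAccountName #msSFUName
nss_map_attribute homeDirectory msSFUHomeDirectory"""

# Attribute lines as suggested in the reply for SFU.
SFU_CONF = """nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos displayName"""

if __name__ == "__main__":
    for name, conf in (("posted", POSTED_CONF), ("sfu", SFU_CONF)):
        mapping = parse_attribute_map(conf)
        print(name, "missing:", resolve(AD_USER, mapping)[1], "->", passwd_line(AD_USER, mapping))
```

With the posted mappings the entry is dropped because uidNumber and gidNumber cannot be found, matching the strace pattern of reads without writes; with the reply's mappings it produces a full passwd line.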