LDAP Client Configuration - Login with UPN



helptec
14-Nov-2012, 14:15
Hi everybody,

I've been searching for hours now and still haven't found a solution to my problem:

I successfully configured the LDAP client on a SLES 11 SP2 for VMware machine and can authenticate against our Windows Server 2008 R2 domain. What I want is to log in with the userPrincipalName instead of the sAMAccountName.

I tried to change a few settings in ldap.conf, but that doesn't seem to change anything. I can successfully log in with "domain\username". But I want to log in with username@domain.com, which would be the UPN attribute.

Where can I change the mapping? Here is the part of my ldap.conf where I tried to change the mapping (which obviously didn't work):


# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
nss_map_attribute uid userPrincipalName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
pam_login_attribute userPrincipalName
#pam_filter objectclass=User
#pam_password ad

Any help is greatly appreciated!
TIA, Christian

ab
14-Nov-2012, 15:07
Anything showing up on the LDAP server in the logs/traces that would
indicate why it's not working? I assume since sAMAccountName works the
connection is happening properly and everything else is configured
properly. I don't have a MAD server around to check on things but I
assume UPN is something that can be accessed anonymously (without
authentication) like sAMAccountName, but if not that may be an issue.
If this was something like eDirectory's LDAP interface I'd check the
trace from the server to see what was passed in and then sent back to
the client, but other than a LAN trace with tcpdump (or similar) I'm not
sure how to do that with MAD.

What do you get (if anything) in /var/log/messages or the like during
the authentication attempt?

Good luck.

helptec
14-Nov-2012, 15:47
Hi,
here is the output from /var/log/messages when I try to log in with the UPN:

sshd[4382]: Invalid user xxx@xxx.com from 192.168.xxx.xxx
sshd[4382]: error: PAM: User not known to the underlying authentication module for illegal user xxx@xxx.com from xxx
sshd[4382]: Failed keyboard-interactive/pam for invalid user xxx@.com from 192.168.xxx.xxx port 49516 ssh2
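The three sshd lines above report that the login name itself was not resolved to an account, which points at the NSS lookup rather than at the PAM stack. The following is an added example, not code from this thread, that sorts such sshd lines by the layer that stopped the login; the sample log, user names, domain and addresses in it are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the sshd output quoted in the thread;
# user names, domain and addresses are made up.
SAMPLE_LOG = """\
sshd[4382]: Invalid user jdoe@example.com from 192.0.2.10
sshd[4382]: error: PAM: User not known to the underlying authentication module for illegal user jdoe@example.com from 192.0.2.10
sshd[4382]: Failed keyboard-interactive/pam for invalid user jdoe@example.com from 192.0.2.10 port 49516 ssh2
sshd[4391]: Failed password for jdoe from 192.0.2.10 port 49520 ssh2
sshd[4399]: Accepted keyboard-interactive/pam for jdoe from 192.0.2.10 port 49530 ssh2
"""

# "Invalid user" / "illegal user": sshd's getpwnam() found no such account, so
# the NSS side (nss_ldap attribute mapping, nss_base_passwd) is the first
# thing to inspect; pam_login_attribute cannot help until that resolves.
NSS_UNKNOWN = re.compile(r"(?:Invalid|invalid|illegal) user (\S+) from (\S+)")
# "Failed <method> for <user>" without "invalid user": the account resolved
# and the PAM stack (e.g. pam_ldap) rejected the credentials.
PAM_FAILED = re.compile(r"sshd\[\d+\]: Failed \S+ for (?!invalid user)(\S+) from (\S+)")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")


def classify(line):
    """Map one sshd log line to (layer, user, source), or None for noise."""
    for layer, pattern in (("ok", ACCEPTED), ("pam", PAM_FAILED), ("nss", NSS_UNKNOWN)):
        m = pattern.search(line)
        if m:
            return layer, m.group(1), m.group(2)
    return None


def triage(log):
    """Group login names by the layer that stopped them.

    Returns {"nss": [...], "pam": [...], "ok": [...]} with sorted unique names.
    """
    seen = defaultdict(set)
    for line in log.splitlines():
        hit = classify(line)
        if hit:
            layer, user, _source = hit
            seen[layer].add(user)
    return {layer: sorted(seen[layer]) for layer in ("nss", "pam", "ok")}


if __name__ == "__main__":
    for layer, users in triage(SAMPLE_LOG).items():
        print(f"{layer:>3}: {', '.join(users) or '-'}")
```

A name that lands under "nss" can be checked directly with `getent passwd <name>` on the client; until that returns an entry, no PAM-side setting will change the outcome.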

ab
14-Nov-2012, 16:11
So if this worked using sAMAccountName why didn't the search work with
the other attribute? That's the question that comes to my mind, anyway.
What does the server side show for this query compared to the previous
one that did work for sAMAccountName?

Good luck.

helptec
14-Nov-2012, 16:33
Well, it seems that the LDAP query doesn't even use the ldap.conf file to map the attributes. What am I missing here?

helptec
19-Nov-2012, 08:58
Any other ideas? Help is really appreciated!