ldap plugin - import from AD

    Currently I can't import users from AD.
    At the same time I can request info via ldapsearch and ldapwhoami.
    When I do su $user I see the traffic to my DC server.

    openmediavault-ldap 4.0.6-1
    openmediavault 4.1.12

  • MS 2008 R2 Standard.

    I made two dumps of traffic - in the case of a successful ldapsearch and an unsuccessful su $user.
    Wireshark shows that in both cases the binding is successful, but the searchrequests are not identical.
    In the unsuccessful case the searchrequest includes attribute parameters and a filter option such as (&(objectClass=posixAccount)(uid=$user)).
    As a result the DC server returns no result.

    So I think that the cause of the failure is the wrong search request.

  • I don't know if it is the only way. It is just what I found to work for me. It would be interesting if you can do it without. I did not see anything like that when I was trying to figure this out.

  • Returned to this issue.
    And faced another one - I can't start the smbd daemon.

    In all cases I see this error -

    smbd.service: Supervising process 24728 which is not our child. We'll most likely not notice when it exits.
    smbd.service: Start operation timed out. Terminating.

    smbd.service: Killing process 24728 (smbd) with signal SIGKILL.
    Failed to start Samba SMB Daemon.
    smbd.service: Unit entered failed state.
    smbd.service: Failed with result 'timeout'.

  • Resolved the issue with samba.

    As for the ldap plugin - achieved a bit of success, without connecting the OMV server to the AD domain,
    with these additional options:
    nss_map_objectclass posixAccount user
    nss_map_objectclass shadowAccount user
    nss_map_objectclass posixGroup group
    nss_map_attribute uid sAMAccountName

    I collected a traffic dump and Wireshark showed that the AD server responded with all the information about users - it happened after the first searchrequest from the OMV server.
    Then OMV made several additional searchrequests and got zero response.
    It's strange behavior.
    And I got no users in the users tab.

    Any thoughts on how to do further troubleshooting?
    I don't fully understand how the users are synchronized with AD.
    I guess the first import should create additional users and I should see changes in the files /etc/passwd, /etc/group, /etc/shadow.
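The nss_map_objectclass / nss_map_attribute lines in the post above rewrite the RFC 2307 filter that Wireshark showed earlier in the thread, (&(objectClass=posixAccount)(uid=$user)), into AD schema terms. The following is an added illustration, not the plugin's or nss_ldap's own code: it parses those four lines from a constructed sample config, applies the mapping to the default passwd and group filters, and escapes the user value per RFC 4515 so a name containing filter metacharacters cannot alter the query. The filter templates, function names and the sample config are assumptions for the example.

```python
import re

# Default RFC 2307 lookups as nss_ldap sends them (the passwd one matches
# the filter seen in the thread's Wireshark capture).  Assumed for the example.
DEFAULT_PASSWD_FILTER = "(&(objectClass=posixAccount)(uid={user}))"
DEFAULT_GROUP_FILTER = "(&(objectClass=posixGroup)(memberUid={user}))"

# Constructed sample config containing the options quoted in the post.
SAMPLE_CONFIG = """
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
"""


def parse_nss_maps(config_text):
    """Return (objectclass_map, attribute_map) from nss_map_* lines.

    Keys are lower-cased because LDAP attribute and class names are
    case-insensitive; values keep the spelling from the config."""
    oc_map, attr_map = {}, {}
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        key, src, dst = parts
        if key == "nss_map_objectclass":
            oc_map[src.lower()] = dst
        elif key == "nss_map_attribute":
            attr_map[src.lower()] = dst
    return oc_map, attr_map


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    '*', '(', ')', '\\' and NUL become backslash + two hex digits, so the
    value cannot close the assertion or add wildcards."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(template, user, oc_map, attr_map):
    """Fill in the user, then rewrite objectClass values and attribute
    names according to the nss_map_* tables."""
    filt = template.format(user=escape_filter_value(user))

    def oc_sub(m):
        name = m.group(1)
        return "(objectClass=%s)" % oc_map.get(name.lower(), name)

    filt = re.sub(r"\(objectClass=([^)=]+)\)", oc_sub, filt,
                  flags=re.IGNORECASE)

    def attr_sub(m):
        name, value = m.group(1), m.group(2)
        if name.lower() == "objectclass":
            return m.group(0)  # already handled above
        return "(%s=%s)" % (attr_map.get(name.lower(), name), value)

    return re.sub(r"\(([A-Za-z][\w-]*)=([^)]*)\)", attr_sub, filt)


if __name__ == "__main__":
    oc, attr = parse_nss_maps(SAMPLE_CONFIG)
    for tpl in (DEFAULT_PASSWD_FILTER, DEFAULT_GROUP_FILTER):
        print(tpl, "->", build_filter(tpl, "jsmith", oc, attr))
```

Running it shows the passwd lookup becoming (&(objectClass=user)(sAMAccountName=jsmith)) while the group lookup only changes its objectClass, since memberUid is not mapped; that is the shape of request a 2008 R2 DC will actually answer, and the escaping keeps a user name like x)(cn=* from turning into a second assertion.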

  • Now, when I try to connect, for example, to the ftp server under my previously defined local user test (which is also defined in AD),
    I get this -
    Dec 5 14:53:56 nsk proftpd: nss_ldap: could not search LDAP server - Server is unavailable
    Dec 5 14:53:56 nsk proftpd: nss_ldap: could not search LDAP server - Server is unavailable
    Dec 5 14:53:56 nsk proftpd: pam_unix(proftpd:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd14362 ruser=test rhost= user=test
    Dec 5 14:53:56 nsk proftpd: pam_sss(proftpd:auth): Request to sssd failed. Connection refused
    Dec 5 14:54:13 nsk proftpd[14362]: ([]) - USER test (Login failed): Incorrect password

    I don't know why, but the binding goes with the wrong credentials -

    Lightweight Directory Access Protocol
    LDAPMessage bindRequest(1) "<ROOT>" simple
    messageID: 1
    protocolOp: bindRequest (0)
    version: 3
    authentication: simple (0)
    [Response In: 6]

    And when I try to log in as user test to the web interface of OMV, it succeeds.

  • The users may not be showing because the UIDs are greater than 60,000. You can change that in /etc/login.defs: UID_MAX 33554431. Do the same a few lines below for group.

    Did that.

    I don't know if it helped or not, but now
    - when I run "getent passwd" command I see only local users
    - when I run "getent shadow" command I see local users and ldap users

  • I imagine it is the nsswitch.conf config causing this but according to this code, they should act the same.

    If you aren't using the ldap plugin, then it still might be the nsswitch.conf.

  • It is exactly the work of nsswitch.conf. When I remove ldap in front of shadow, then I see no users from ldap.
    And I installed the ldap plugin.

    As I understood, one application can use nsswitch for authentication, another - pam and the pam_ldap module (as for OMV it is ldap_plugin, I guess).
    But how it could be chosen I don't know.
    Now I'm trying to use authentication from ldap for ftp users and I see that authentication goes with the nss_ldap module - with no success.
    So the target is to choose what OMV (and its parts like proftpd, samba etc.) uses for ldap authentication - nss_ldap or pam_ldap.

    I guess the only way to do it is to remove libnss.
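The symptom reported above, getent passwd showing only local users while getent shadow also lists ldap users, is what you get when the passwd, group and shadow lines of /etc/nsswitch.conf name different services. Below is an added diagnostic check (example code, not part of the OMV plugin or the thread): it parses a constructed nsswitch.conf sample, reports which of the three account databases disagree with passwd, and produces a version where the ldap service is listed consistently. The sample contents and the function names are assumptions.

```python
# Constructed sample resembling the state described in the thread:
# shadow consults ldap, passwd and group do not.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:         compat
group:          compat
shadow:         compat ldap
gshadow:        files
hosts:          files dns
"""

ACCOUNT_DBS = ("passwd", "group", "shadow")


def parse_nsswitch(text):
    """Map each database name to its list of services.

    Comments are stripped and action specifications such as
    [NOTFOUND=return] are ignored, since they do not name a source."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, _, rest = line.partition(":")
        services = [tok for tok in rest.split() if not tok.startswith("[")]
        dbs[db.strip()] = services
    return dbs


def account_db_mismatches(dbs):
    """Return the names of group/shadow databases whose services differ
    from passwd's.  A non-empty result explains 'getent passwd' and
    'getent shadow' disagreeing about which users exist."""
    base = set(dbs.get("passwd", []))
    return [db for db in ACCOUNT_DBS[1:] if set(dbs.get(db, [])) != base]


def with_service(dbs, service):
    """Return a copy of the parsed config where every account database
    lists `service`, appended after the existing sources."""
    fixed = {db: list(svcs) for db, svcs in dbs.items()}
    for db in ACCOUNT_DBS:
        svcs = fixed.setdefault(db, [])
        if service not in svcs:
            svcs.append(service)
    return fixed


def render(dbs):
    """Serialise a parsed config back to nsswitch.conf syntax."""
    return "".join("%-15s %s\n" % (db + ":", " ".join(svcs))
                   for db, svcs in dbs.items())


if __name__ == "__main__":
    parsed = parse_nsswitch(SAMPLE_NSSWITCH)
    print("databases disagreeing with passwd:", account_db_mismatches(parsed))
    print(render(with_service(parsed, "ldap")))
```

On the sample, the check names shadow as the odd one out; after with_service the three account lines all end in ldap, which is the consistent state an NSS-based lookup needs before getent passwd and the OMV users tab can show directory accounts. Whether a given service (proftpd, smbd) then authenticates through NSS or through a PAM module is a separate question answered by that service's PAM stack, not by nsswitch.conf.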

