Configuring Amazon Linux authenticate to LDAP server

openldap

I was wondering if anyone had success in configuring Amazon Linux to authenticate to an LDAP server?

EDIT:
For more information on what I have done:

I disabled anonymous access on my OpenLDAP server, so I am trying to have my openldap client on Amazon Linux connect to the OpenLDAP server with a binddn to authenticate. But when I check the logs on the OpenLDAP server, the binddn is empty. I have added my binddn and bindpw to /etc/pam_ldap.conf.

Part of my /etc/nsswitch.conf

passwd:     files ldap
shadow:     files ldap
group:      files ldap

my /etc/pam_ldap.conf

base dc=example,dc=com
bindnd uid=test_client,ou=System,dc=example,dc=com
bindpw secret
scope sub
pam password md5

nss_base_passwd ou=System,dc=example,dc=com?one
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_shadow ou=People,dc=example,dc=com?one
nss_base_shadow ou=System,dc=example,dc=com?one

tls_checkpeer no
uri ldap://ec2-00-00-00-00.compute.amazonaws.com
ssl no
tls_cacertdir /etc/openldap/cacerts

Best Answer

I got it working by configuring /etc/nslcd.conf with my binddn and bindpw

Related Solutions

Ldap – Using OpenLDAP to proxy to an Novell eDirectory LDAP Server

Since you are having issues with eDirectory, you are quite lucky, since you can use DSTrace with the LDAP option on to see what is going on, from the eDirectory server view.

Once you know what is being asked, and what the server is responding you can effectively troubleshoot the issue.

Basic eDirectory schema is complaint with LDAP and any standard LDAP schema should work for the most part. To get some specific features you might need some additional support, but that does not sound like your issue.

If you have access to the 10.10.1.27 box, try and look at it via http://10.10.1.27:8008 (or possibly port 8010, or 8028 depending if you are running eDirectory on Netware, Windows or a Unix variant respectively). This should redirect you to an https:// connection one port number higher (8009, 8010, or 8030 (ya 2 not 1)). Look for iMonitor or Dstrace, and then clear all the other flags, and enable the LDAP flag. Then the Dstrace Live icon will refresh on each click with the latest transactions.

Now as to your issue of:

there's almost no hierarchy. (I can set a base DN and view a particular object... but if I set the real base DN... I can only see it... and no children.)

I would suspect this issue is more about not doing the right kind of query. Sounds like you are doing Entry not Subtree queries. This will be very obvious in Dstrace, as you will see a query event that looks something like:

10:19:01 B68BEBA0 LDAP: (10.1.1.42:55133)(0x0002:0x63) Search request:
base: "ou=people,o=acme,dc=com"
scope:2 dereference:3 sizelimit:1 timelimit:0 attrsonly:0
filter: "(&(objectClass=inetorgperson)(acme7DigitName=gxc1234))"
no attributes
10:19:01 B68BEBA0 LDAP: (10.1.1.42:55133)(0x0002:0x63) Empty attribute list implies all user attributes
10:19:01 B68BEBA0 LDAP: (10.1.1.42:55133)(0x0002:0x63) Sending search result entry "cn=gxc1234,ou=UNK,ou=People,o=acme,dc=com" to connection 0xa07e6c0

There the scope: 2 tells you it is an entry search. You want to see it do a subtree (0) level search in order to get what you are looking for.

You can read more about how I used this sort of tooling to debug the nonsense that SAP's GRC web interface does for LDAP data retrieval.

Configuring openldap multimaster replication using cn=config

This thread led me to the idea that the olcMirrorMode definition needs to be placed after the olcSyncrepl lines. I stopped the ldap servers and edited the olcDatabase ldif files manually. This seems to have gotten replication of the data working in both directions now.

Best Answer

Related Solutions

Ldap – Using OpenLDAP to proxy to an Novell eDirectory LDAP Server

Configuring openldap multimaster replication using cn=config

Related Topic