Operating System - HP-UX

LDAPUX client and not going to the AD server

 
SOLVED
dev44
Regular Advisor

Hi,

I am in the process of setting up the ldapux client on my hpux box. I ran through the instructions, I think correctly. My nsswitch.conf points passwd and group to "files ldap". When I do a pwget or grget, I only get the userids and groups on the system - in the /etc/passwd and /etc/group files. So I am obviously missing something, I just don't know what....any ideas?

Thanks for the help folks!
whatever
dev44
Regular Advisor

Re: LDAPUX client and not going to the AD server

This might have something to do with my problem:

# /opt/ldapux/contrib/bin/beq -k n -s grp -l /usr/lib/libnss_ldap.1 igrp1
nss_status .............. NSS_NOTFOUND
whatever
Steven E. Protter
Exalted Contributor

Re: LDAPUX client and not going to the AD server

Shalom,

Please post the OS of the LDAP-UX client.

Was the system integrated in the past?

Note that LDAP Integration with Server 2003 boxes that are not Release Two is problematic and requires patches on the windows side.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
dev44
Regular Advisor

Re: LDAPUX client and not going to the AD server

HP-UX 11.11

No, not integrated in the past.

Yes, it is 2003 R2
whatever
dev44
Regular Advisor

Re: LDAPUX client and not going to the AD server

The AD people created an id for me to test and it is not found...

# /usr/contrib/bin/nsquery passwd hptest

Using "files [NOTFOUND=continue] ldap" for the passwd policy.

Searching /etc/passwd for hptest
hptest was NOTFOUND

Switch configuration: Allows fallback

Searching ldap for hptest
hptest was NOTFOUND

Switch configuration: Allows fallback

All name services have been searched
whatever
dev44
Regular Advisor

Re: LDAPUX client and not going to the AD server

# /opt/ldapux/bin/ldapcfinfo -t passwd
ERROR: CFI_SEARCH_BASE_NOT_EXIST:
LDAP Error 32: Configured LDAP-UX search base does not exist.

whatever
Don Mallory
Trusted Contributor
Solution

Re: LDAPUX client and not going to the AD server

What does the output of "/opt/ldapux/config/ldap_proxy_config -v" show?

If it shows: File Credentials verified - INVALID

Your host cannot authenticate against the AD to query the search base at all. You will need a proxy user with read privilege (delegation of authority control for read) of the RFC2307 POSIX entries from the Users container in the AD.


A couple of tests I like from the host are:

/opt/ldapux/bin/ldapsearch -h ADSERVER.MYCOMPANY.COM -p 389 -b "CN=Users,DC=MYCOMPANY,DC=COM" -D "CN=ADMINISTRATOR,CN=Users,DC=MYCOMPANY,DC=COM" -w your_admin_password_in_plain_text -s base objectclass=*

This will show that you can connect to the AD, as a valid AD administrator, over LDAP plain text and query the base ObjectClass of the AD. It only proves that the ldapclientd is working and that the AD server is listening. You also can see that with full admin rights, you can connect.


/opt/ldapux/bin/ldapsearch -h ADSERVER.MYCOMPANY.COM -p 636 -Z -P /etc/opt/ldapux -b "CN=Users,DC=MYCOMPANY,DC=COM" -D "CN=ADMINISTRATOR,CN=Users,DC=MYCOMPANY,DC=COM" -w your_admin_password_in_plain_text -s base objectclass=*

Same as above, except that it tests SSL is okay too. You must have configured SSL with your keys in /etc/opt/ldapux.



Download your ldapuxprofile from the AD:

/opt/ldapux/config/get_profile_entry -s nss -D "CN=LDAP Proxy User,CN=Users,DC=MYCOMPANY,DC=COM" -w enter_proxy_user_password_in_plain_text


This shows that you have the proper authentication and access as the proxy user. Note, this user must be set to not expire, never change password, and you must ABSOLUTELY CHECK THAT IT'S NOT LOCKED OUT... (my biggest mistake, every time.)


After it downloads, display it:

/opt/ldapux/config/display_profile_cache | more




/opt/ldapux/bin/ldapsearch -h ADSERVER.MYCOMPANY.COM -b "CN=Users,DC=MYCOMPANY,DC=COM" -D "CN=LDAP Proxy User,CN=Users,DC=MYCOMPANY,DC=COM" -w enter_proxy_user_password_in_plain_text msSFU30Name=MYUSERNAME

This is a directed query of a specific user, in plain text LDAP, using the proxy user to check. Note that I have the search item as msSFU30Name. If you are using a W2K3 R2 or later AD, this value will be different. Any LDAP entry will really do.

Once these all work, nsquery, pwget, grget and beq should start working.
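The checks above, scripted in the order the answer gives them, as an added example that is not part of the original thread and not an HP-UX tool. Two things differ from the commands quoted above. First, before touching the server it derives the DC= components from the AD DNS domain and checks that the configured search base ends in them, which is the mistake (wrong search base, LDAP error 32) that turned out to be the root cause in this thread. Second, it reads the bind password from a mode-600 file with ldapsearch -j rather than passing it with -w, because anything on the command line is visible to every user on the box via ps. Assumptions, all labelled in the code: the environment variables AD_DOMAIN, LDAP_HOST, BASE_DN, PROXY_DN, PROXY_PW_FILE and USER_FILTER are invented for this script; the LDAP-UX ldapsearch, like the Netscape SDK one it derives from, accepts -j for a password file and exits with the LDAP result code.

```shell
#!/bin/sh
# Added diagnostic for LDAP-UX -> AD integration. Not from the original post.
# Assumed inputs (invented for this example):
#   AD_DOMAIN      DNS name of the AD domain, e.g. mycompany.com
#   LDAP_HOST      a domain controller, e.g. ADSERVER.MYCOMPANY.COM
#   BASE_DN        the search base configured in LDAP-UX
#   PROXY_DN       DN of the read-only proxy user
#   PROXY_PW_FILE  file (chmod 600) holding the proxy user's password
#   USER_FILTER    e.g. 'msSFU30Name=hptest' (pre-R2) or 'uid=hptest' (R2+)
LDAPSEARCH=${LDAPSEARCH:-/opt/ldapux/bin/ldapsearch}
CERTDB=${CERTDB:-/etc/opt/ldapux}

# mycompany.com -> DC=mycompany,DC=com (the form AD uses for its naming context).
domain_to_dn() {
    printf 'DC=%s\n' "$(printf '%s' "$1" | sed 's/\./,DC=/g')"
}

# Succeeds when the configured base DN ends with the domain's DC components,
# compared case-insensitively. Catches the "wrong search base" mistake offline.
base_matches_domain() {
    base=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    want=$(domain_to_dn "$2" | tr 'A-Z' 'a-z')
    case "$base" in
        *"$want") return 0 ;;
        *)        return 1 ;;
    esac
}

# Translate an ldapsearch exit status into the failure it usually means.
# Assumption: the exit status is the LDAP result code, as in the Netscape SDK tool.
explain_rc() {
    case "$1" in
        0)  echo "ok" ;;
        32) echo "LDAP error 32, search base does not exist: fix -b / the configured base DN" ;;
        49) echo "LDAP error 49, invalid credentials: check proxy DN, password, expiry and lockout" ;;
        91) echo "LDAP error 91, cannot contact server: host, port 389/636, firewall" ;;
        *)  echo "ldapsearch failed with status $1" ;;
    esac
}

# Run one ldapsearch as the proxy user, password from file (-j), and report.
# Extra arguments are appended, so callers pick port, SSL and filter.
probe() {
    label=$1; shift
    "$LDAPSEARCH" -h "$LDAP_HOST" -D "$PROXY_DN" -j "$PROXY_PW_FILE" "$@" >/dev/null 2>&1
    rc=$?
    echo "$label: $(explain_rc $rc)"
    return $rc
}

# The sequence from the answer above, stopping at the first failure so the
# message you read is the one that matters.
run_checks() {
    if ! base_matches_domain "$BASE_DN" "$AD_DOMAIN"; then
        echo "BASE_DN '$BASE_DN' does not end in $(domain_to_dn "$AD_DOMAIN"); fix that first"
        return 32
    fi
    probe "plaintext base probe (389)" -p 389 -b "$BASE_DN" -s base 'objectclass=*' || return $?
    probe "SSL base probe (636)" -p 636 -Z -P "$CERTDB" -b "$BASE_DN" -s base 'objectclass=*' || return $?
    probe "directed user query" -p 636 -Z -P "$CERTDB" -b "$BASE_DN" "$USER_FILTER" || return $?
    echo "all checks passed; now retry nsquery/pwget/grget against $USER_FILTER"
}

# Only run against a server when the caller has supplied the inputs.
if [ -n "${AD_DOMAIN:-}" ] && [ -n "${LDAP_HOST:-}" ]; then
    run_checks
fi
```

The password file must be unreadable to other users (chmod 600, owned by root); that is the whole point of -j over -w. If your ldapsearch turns out not to support -j, the next best option is reading the password into a variable and passing it with -w, which still keeps it out of shell history but not out of ps.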

dev44
Regular Advisor

Re: LDAPUX client and not going to the AD server

I got it working. I had the wrong search base.
whatever