  1. # awk '! /^$/ && ! /^#/' /etc/ldap.conf
  2. base OU=MyOrg,DC=myit,DC=local
  3. uri ldaps://ad.myit.local:636/
  4. ldap_version 3
  5. binddn ldap@myit.local
  6. bindpw XXXXX
  7. pam_lookup_policy yes
  8. pam_password md5
  9. nss_base_passwd ou=MyOrg,dc=local?sub
  10. nss_base_shadow ou=MyOrg,dc=myit,dc=local?sub
  11. nss_base_group ou=MyOrg,dc=myit,dc=local?sub
  12. nss_map_objectclass posixAccount user
  13. nss_map_objectclass shadowAccount user
  14. nss_map_attribute uid sAMAccountName
  15. nss_map_attribute homeDirectory unixHomeDirectory
  16. nss_map_attribute shadowLastChange pwdLastSet
  17. nss_map_objectclass posixGroup group
  18. nss_map_attribute uniqueMember member
  19. pam_login_attribute sAMAccountName
  20. pam_filter objectclass=User
  21. pam_password ad
  22. nss_map_attribute userPassword authPassword
  23. ssl on
  24. debug 10
  25. logdir /var/log/ldap
  26.  
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
#
# Sources are tried left to right. "files ldap" consults /etc/passwd,
# /etc/group and /etc/shadow first and asks the directory (nss_ldap, using
# /etc/ldap.conf) only for names not found locally, so local root and
# system accounts never depend on the directory being reachable.

passwd: files ldap
group: files ldap
shadow: files ldap
# No LDAP source for gshadow: group passwords/administrators stay local.
gshadow: files

# [NOTFOUND=return] ends the lookup when mdns4_minimal reports "not found",
# so names it considers mDNS names are never forwarded to unicast DNS.
# NOTE(review): the AD domain here is myit.local and .local is also the mDNS
# domain; confirm that ad.myit.local (the ldaps:// host in /etc/ldap.conf)
# still resolves through DNS with this order, e.g. with getent hosts.
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

# netgroup is served only by NIS, and no NIS client setup appears in this
# paste. NOTE(review): confirm a NIS domain is bound; otherwise netgroup
# lookups fail and "files" (or "files ldap") would be the consistent choice.
netgroup: nis
  47.  
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
#
# How the [success=N default=ignore] controls chain below:
#   - pam_unix success skips the next 2 lines (pam_ldap and pam_deny) and
#     lands on pam_permit -> authenticated locally.
#   - pam_ldap success skips 1 line (pam_deny) -> authenticated against AD.
#   - if neither succeeds, pam_deny (requisite) fails the stack immediately.
# A failed pam_unix line is therefore expected for directory-only users;
# what decides the outcome is the pam_ldap bind. In the pasted sshd log both
# fail - NOTE(review): sshd had already classified bdu as an "invalid user",
# i.e. the NSS passwd lookup failed before PAM ran, so the LDAP bind failure
# may be a side effect of that rather than a wrong password; fix NSS first.

# here are the per-package modules (the "Primary" block)
# nullok_secure lets accounts with an empty password log in, but only on a
# tty listed in /etc/securetty; review whether any such account exists.
auth [success=2 default=ignore] pam_unix.so nullok_secure
# use_first_pass re-uses the password already given to pam_unix (no second
# prompt) and binds to the directory as the user's DN to verify it.
auth [success=1 default=ignore] pam_ldap.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# optional: unwrapping the eCryptfs home key never affects the auth result.
auth optional pam_ecryptfs.so unwrap
# end of pam-auth-update config
  75.  
  76. # ldapsearch -H ldaps://ad.myit.local:636 -b 'ou=MyOrg,dc=myit,dc=local' -D ldap@myit.local -W | grep -P 'distinguishedName.*DUFFEZ'
  77. Enter LDAP Password: (XXXX)
  78. distinguishedName: CN=Benoit DUFFEZ,OU=MyOrg,DC=myit,DC=local
  79.  
  80. # ldapsearch -H ldaps://ad.myit.local:636 -b 'ou=MyOrg,dc=myit,dc=local' -D "CN=Benoit DUFFEZ,OU=MyOrg,DC=myit,DC=local" -W | grep -P 'distinguishedName.*DUFFEZ'
  81. Enter LDAP Password: (my password)
  82. distinguishedName: CN=Benoit DUFFEZ,OU=MyOrg,DC=myit,DC=local
  83.  
  84. Jun 26 14:28:21 xxx sshd[6925]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.5.177
  85. Jun 26 14:28:21 xxx sshd[6925]: pam_ldap: error trying to bind as user "CN=Benoit DUFFEZ,OU=MyOrg,DC=myit,DC=local" (Invalid credentials)
  86. Jun 26 14:28:23 xxx sshd[6925]: Failed password for invalid user bdu from 192.168.5.177 port 48780 ssh2
  87.  
  88. LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1