ldap_integration [2009/08/17 08:03] aorthldap_integration [2009/08/20 08:31] 172.26.0.166
Line 1: Line 1:
 ===== LDAP Integration ===== ===== LDAP Integration =====
  
-ILRI uses an Active Directory server for user authentication, which is primarily used for Exchange e-mail services.  Active Directory is Microsoft's version of LDAP with a little special sauce.  Currently users have an Active Directory username and password for their Windows-centric single sign on and e-mail, and then they have a separate account for use with the HPC.  There exists functionality in Linux to look at Active Directory for user authentication.+ILRI uses an Active Directory server for user authentication, which is primarily used for Exchange e-mail services.  Active Directory is Microsoft'proprietary version of LDAP with a little extra special sauce.  Currently users have an Active Directory username and password for their Windows-centric single sign on and e-mail, and then they have a separate account for use with the HPC.  There exists functionality in Linux to look at Active Directory for user authentication.
  
-This was working onceusing a //slightly// customized PAM module.  In order to use the module several steps are needed.  Download the module source and compile it as shown below+<note warning>80090308: LdapErr: DSID-0C09030BcommentAcceptSecurityContext error, data 525, v893 
-  * Compile the code ''gcc -fPIC  -c pam_cgiar_ldap.c'' +HEX0×525 – user not found 
-  * Link the code ''ld -x --shared -o pam_cgiar_ldap.so pam_cgiar_ldap.o –lldap''+DEC: 1317 – ERROR_NO_SUCH_USER (The specified account does not exist.) 
 +NOTEReturns when username is invalid.</note>
  
-The Active Directory server must not only be a domain controller, but must be running the [[http://technet.microsoft.com/en-us/library/cc978012.aspx|global catalog service]] (port 3268) in order for our LDAP queries to work properly.  ILRI Kenya's Active Directory servers are: +==== pam_cgiar_ldap.c ==== 
-  * 172.26.0.218 <running a global catalog server (port 3268) + 
-  * 172.26.0.219 +<note warning>This no longer works! It relied on anonymous access to the AD server, but ILRI's Active Directory servers are configured to [[http://support.microsoft.com/kb/326690|disallow anonymous binds]].  These notes have been left here for reference only!</note> 
-  * 172.26.0.220 <- running a global catalog server (port 3268)+ 
 +This was working once, using a //slightly// customized PAM module, but broken when IT services disabled anonymous binding.  In order to use the module several steps are needed.  Download the module source and edit the code to point to the correct server, then compile it as shown below
 +  * Compile the code:  ''gcc -fPIC  -c pam_cgiar_ldap.c'' 
 +  * Link the code:  ''ld -x --shared -o pam_cgiar_ldap.so –lldap pam_cgiar_ldap.o''
  
 **pam_cgiar_ldap.c**: **pam_cgiar_ldap.c**:
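Review bot: the link step in the updated build instructions (and in the removed version) is written as ''ld -x --shared -o pam_cgiar_ldap.so –lldap pam_cgiar_ldap.o'' with an en dash before lldap rather than an ASCII hyphen, so ld would treat ''–lldap'' as an input file name instead of the ''-l'' option and fail to find it; it should read ''-lldap''. The new warning block that decodes ''AcceptSecurityContext error, data 525'' as ''ERROR_NO_SUCH_USER'' does not say at which step this error is seen, and the first line is a bare error string with the separators missing ("HEX0×525" uses a multiplication sign); a short lead-in such as "Error returned by the AD server on bind when the user does not exist" and "HEX: 0x525" would make it usable as a reference. Since the second note records that the module only worked with anonymous binds and ILRI now disallows them, it would also help to state the intended replacement, for example binding with a dedicated read-only service account before the user search, so that a reader does not re-enable anonymous access on the directory to make the module work again.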
Line 53: Line 57:
   ldap_set_option( NULL, LDAP_OPT_PROTOCOL_VERSION, &version);   ldap_set_option( NULL, LDAP_OPT_PROTOCOL_VERSION, &version);
   ldap_set_option( NULL, LDAP_OPT_NETWORK_TIMEOUT, &timeOut);   ldap_set_option( NULL, LDAP_OPT_NETWORK_TIMEOUT, &timeOut);
-  ld = ldap_init("172.26.12.11" , 389 );+  ld = ldap_init("172.26.0.218" , 389 );
   if (ld==NULL) printf("\nproblems connecting\n");   if (ld==NULL) printf("\nproblems connecting\n");
   int rc;   int rc;
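Review bot: the change to ''ld = ldap_init("172.26.0.218" , 389 );'' only swaps the hard-coded server address; the port stays 389 even though the prose removed in this same revision states that the queries only work against the global catalog service on port 3268, so this line still points at the wrong service. The new instructions also tell the reader to "edit the code to point to the correct server", which means every server change requires a recompile; passing the host and port as PAM module arguments would avoid that. ''ldap_init'' is deprecated in OpenLDAP in favour of ''ldap_initialize'', which takes a URI and makes the port explicit, e.g. ''ldap_initialize(&ld, "ldap://172.26.0.218:3268")''. Finally, the ''if (ld==NULL) printf("\nproblems connecting\n");'' check only prints and then falls through to the code that follows; a PAM module should log via syslog rather than printf and return ''PAM_AUTHINFO_UNAVAIL'' when the directory cannot be reached instead of continuing with a NULL handle.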
ldap_integration.txt · Last modified: 2012/02/06 08:43 by aorth