difficulties authenticating after samba/openldap -> samba4 AD migration
Hi all,

We've been running samba3/openldap in combo with koha for years, until the time came to upgrade to samba4 AD. Did that last weekend, and today I tried to connect koha (3.12.01, I know, we have to upgrade) to the samba4 ldap server.

We're using auth_by_bind, which should be supported by Active Directory, checked principal name many times.

However, I can't login, apache logs say: " LDAP Auth rejected : (uid=heupink) gets 0 hits". Using tcpflow, I can see that my dc1 answers "600002020: Operation unavailable without authentication".

So, before I start doing bigger things (like updating koha, which has always been running fine) I'd like to know if I'm missing something obvious? I'm sure many people here are using (native) active directory to authenticate to? Any tips..?

Here is my AD samba4 config:

<ldapserver id="dc1">
  <hostname>dc1.my.domain</hostname>
  <base>CN=Users,DC=samba,DC=my,DC=domain</base>
  <replicate>1</replicate>
  <update>1</update>
  <auth_by_bind>1</auth_by_bind>
  <principal_name>CN=%s,CN=Users,DC=samba,DC=my,DC=domain</principal_name>
  <mapping>
    <firstname is="givenName"></firstname>
    <surname is="sn"></surname>
    <address is="streetAddress">our address</address>
    <city is="l">our city</city>
    <zipcode is="postalCode">our postcode</zipcode>
    <branchcode is="branch">our_branch</branchcode>
    <userid is="uid"></userid>
    <password is="userPassword"></password>
    <email is="mail"></email>
    <categorycode is="employeeType">A</categorycode>
    <phone is="telephoneNumber"></phone>
  </mapping>
</ldapserver>

Regards,
MJ

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Hi Mourik

I asked Andrew Bartlett, one of my colleagues here at Catalyst and a Samba developer, about the issue, here is what he said

----- Forwarded message from Andrew Bartlett -----

The key differences between OpenLDAP as traditionally deployed and AD as traditionally deployed is not just the schema, but also that authentication is required for searches. (here needed to map between the user's username and their DN for the simple bind).

However, there is a way around that, because AD is smart, and allows all sorts of things that are not a DN to be the 'bind DN', you can bind to LDAP as user@REALM or NT4DOM\username for example.

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba

----- End forwarded message -----
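To make the bind-versus-search distinction above concrete, here is an added example (not Koha's code, not from either poster) that parses an <ldapserver> block like the one in the original post, builds the identity Koha would present in the simple bind from the principal_name template, and maps an AD entry onto borrower fields. The UPN-style template (%s@samba.my.domain), the treatment of mapping element text as a default value, and the sample AD entry are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the <ldapserver> block from the post.
KOHA_LDAP_CONF = """<ldapserver id="dc1">
  <hostname>dc1.my.domain</hostname>
  <base>CN=Users,DC=samba,DC=my,DC=domain</base>
  <auth_by_bind>1</auth_by_bind>
  <principal_name>CN=%s,CN=Users,DC=samba,DC=my,DC=domain</principal_name>
  <mapping>
    <firstname is="givenName"></firstname>
    <surname is="sn"></surname>
    <branchcode is="branch">our_branch</branchcode>
    <userid is="uid"></userid>
    <categorycode is="employeeType">A</categorycode>
  </mapping>
</ldapserver>"""


def parse_ldapserver(xml_text):
    """Return the scalar settings plus a list of (field, ldap_attr, default) mappings."""
    root = ET.fromstring(xml_text)
    conf = {c.tag: (c.text or "").strip() for c in root if c.tag != "mapping"}
    conf["mapping"] = [(m.tag, m.get("is"), (m.text or "").strip())
                       for m in root.find("mapping")]
    return conf


def bind_identity(conf, userid):
    """Identity used for the simple bind when auth_by_bind is on.

    AD rejects the unauthenticated search Koha would otherwise do to find the
    user's DN, so the identity must be derivable from the userid alone: a DN
    template (as in the post) or a UPN template such as %s@REALM (assumed).
    """
    if conf.get("auth_by_bind") != "1":
        raise ValueError("auth_by_bind is off: Koha would search first, which AD rejects")
    template = conf["principal_name"]
    if "%s" not in template:
        raise ValueError("principal_name needs a %s placeholder for the userid")
    # Refuse userids that could rewrite the DN or UPN around the placeholder.
    if any(ch in userid for ch in ",=@\\\x00\r\n") or not userid:
        raise ValueError("userid contains characters not allowed in a bind identity")
    return template.replace("%s", userid, 1)


def map_entry(conf, entry):
    """Map an LDAP entry (attribute -> value dict) onto Koha borrower fields.

    Assumption: the element text in <mapping> is the default when the attribute
    is absent; an empty default becomes None.
    """
    return {field: (entry.get(attr, default) or None)
            for field, attr, default in conf["mapping"]}
```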
Hi list & chrisc@catalyst.net.nz,

This message is to archive what our problem was:

After making changes to koha-conf.xml, it's not enough to restart apache2, you also have to restart memcached. (if you are using it)

After restarting memcached, the config as posted below works beautifully.

Thanks!
MJ

On 04/01/2014 07:42 PM, mourik jan heupink - merit wrote:
Hi all,
We've been running samba3/openldap in combo with koha for years, until the time came to upgrade to samba4 AD. Did that last weekend, and today I tried to connect koha (3.12.01, I know, we have to upgrade) to the samba4 ldap server.
We're using auth_by_bind, which should be supported by Active Directory, checked principal name many times.
However, I can't login, apache logs say: " LDAP Auth rejected : (uid=heupink) gets 0 hits". Using tcpflow, I can see that my dc1 answers "600002020: Operation unavailable without authentication".
So, before I start doing bigger things (like updating koha, which has always been running fine) I'd like to know if I'm missing something obvious? I'm sure many people here are using (native) active directory to authenticate to? Any tips..?
Here is my AD samba4 config:
<ldapserver id="dc1">
  <hostname>dc1.my.domain</hostname>
  <base>CN=Users,DC=samba,DC=my,DC=domain</base>
  <replicate>1</replicate>
  <update>1</update>
  <auth_by_bind>1</auth_by_bind>
  <principal_name>CN=%s,CN=Users,DC=samba,DC=my,DC=domain</principal_name>
  <mapping>
    <firstname is="givenName"></firstname>
    <surname is="sn"></surname>
    <address is="streetAddress">our address</address>
    <city is="l">our city</city>
    <zipcode is="postalCode">our postcode</zipcode>
    <branchcode is="branch">our_branch</branchcode>
    <userid is="uid"></userid>
    <password is="userPassword"></password>
    <email is="mail"></email>
    <categorycode is="employeeType">A</categorycode>
    <phone is="telephoneNumber"></phone>
  </mapping>
</ldapserver>
Regards,
MJ