Reader Jeffrey Spear contacted me a while back with some problems he was experiencing in trying to integrate some Linux systems into Active Directory. Basically, Kerberos was working but LDAP wasn’t. He was able to use “kinit <AD username>” to obtain a Kerberos ticket, but “getent passwd <AD username>” returned nothing for the same account. No error messages, nothing; it just didn’t work.
We traded e-mails back and forth for a while, and eventually he found the solution himself:
We work with a locked down version of OSs and in this case a domain policy on the Windows server was preventing the RHEL machines from accessing account info. The policy was “Domain controller: LDAP server signing requirements” which was set to “Require signature.” When I changed this setting to “None” it worked great.
This is good information and important to keep in mind; I’ll be sure to incorporate this into the next revision of the Linux-AD integration instructions. (No, I don’t have a timeframe on when that will be!)
In the meantime, if anyone has a workaround for this problem that will allow LDAP to work with signatures enabled or required, I’d love to hear it. Speak up in the comments below!
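Because nss_ldap swallows the bind error, the quickest way to confirm that the signing policy is what is breaking lookups is to repeat the bind with ldapsearch, which prints the directory’s error text. The script below is an added example (not from the original post or from Jeffrey): it classifies ldapsearch output so the “signing required” case is distinguishable from bad credentials or an unreachable server, and it lists the three probes a practitioner would run in order: plain simple bind, simple bind over StartTLS, and a SASL/GSSAPI bind using the ticket from kinit. The hostname dc1.example.com, the realm EXAMPLE.COM and the base DN are placeholders, and the sample output strings are constructed to match the messages OpenLDAP’s ldapsearch prints against a domain controller.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes the OpenLDAP client
# tools (ldapsearch) and MIT Kerberos (kinit) are installed. Host, realm and
# base DN below are placeholders.

# Map an ldapsearch exit status plus its combined stdout/stderr to a short
# diagnosis. The 00002028 code is what AD returns when the "LDAP server
# signing requirements" policy rejects a simple bind that is not protected
# by TLS; "Invalid credentials (49)" is a password or account problem.
classify_bind_result() {
    status="$1"
    output="$2"
    case "$output" in
        *"00002028"*|*"Strong(er) authentication required"*)
            echo "signing-required" ;;
        *"Invalid credentials"*|*"80090308"*)
            echo "bad-credentials" ;;
        *"Can't contact LDAP server"*)
            echo "unreachable" ;;
        *)
            if [ "$status" -eq 0 ]; then echo "ok"; else echo "other-failure"; fi ;;
    esac
}

# Run one ldapsearch probe (all arguments after the label) and print its
# classification. Used only when pointed at a real directory.
probe() {
    label="$1"; shift
    out=$("$@" 2>&1); rc=$?
    printf '%-24s %s\n' "$label" "$(classify_bind_result "$rc" "$out")"
}

# Constructed sample: what ldapsearch prints for a plain simple bind against
# a DC whose signing policy is set to "Require signature".
SAMPLE_SIGNING='ldap_bind: Strong(er) authentication required (8)
        additional info: 00002028: LdapErr: DSID-0C090202, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1'

# Constructed sample: a wrong password.
SAMPLE_BADPW='ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v1db1'

# Constructed sample: no LDAP listener reachable at all.
SAMPLE_DOWN="ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)"

# Stand-alone demonstration on the constructed samples.
demo() {
    printf 'plain simple bind:      %s\n' "$(classify_bind_result 8  "$SAMPLE_SIGNING")"
    printf 'wrong password:         %s\n' "$(classify_bind_result 49 "$SAMPLE_BADPW")"
    printf 'server unreachable:     %s\n' "$(classify_bind_result 255 "$SAMPLE_DOWN")"
    printf 'successful base search: %s\n' "$(classify_bind_result 0 "dn: dc=example,dc=com")"
}

# Probe ladder against a real DC (placeholders; uncomment to use):
#   PW='...'   # password of a low-privilege lookup account
#   probe "simple bind (plain)"    ldapsearch -x -H ldap://dc1.example.com -D 'lookup@EXAMPLE.COM' -w "$PW" -b 'dc=example,dc=com' -s base
#   probe "simple bind + StartTLS" ldapsearch -x -ZZ -H ldap://dc1.example.com -D 'lookup@EXAMPLE.COM' -w "$PW" -b 'dc=example,dc=com' -s base
#   kinit lookup@EXAMPLE.COM && \
#   probe "SASL GSSAPI bind"       ldapsearch -Y GSSAPI -H ldap://dc1.example.com -b 'dc=example,dc=com' -s base
demo
```

If the first probe reports signing-required while the second or third reports ok, the policy itself is confirmed as the cause, and the ladder also shows which bind types the domain controller still accepts with signing left on: a simple bind protected by StartTLS, or a SASL/GSSAPI bind that negotiates integrity using the Kerberos ticket that was already working in Jeffrey’s case.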
Tags: ActiveDirectory, Interoperability, Kerberos, LDAP, Linux, Security
Tuesday, March 18, 2008 at 9:04 pm
Ron Terren
Scott,
Is this at all helpful?
http://technet2.microsoft.com/windowsserver/en/library/56044016-3123-4859-8fd9-c5a461a1c5c81033.mspx?mfr=true
Ron
Tuesday, March 18, 2008 at 10:28 pm
slowe
Ron,
Sort of. That page does clearly state that requiring LDAP signing will break LDAP simple bind, which is what nss_ldap does from the UNIX/Linux side. So that page reinforces the behavior that Jeffrey was seeing: with LDAP signing turned on, the UNIX/Linux clients can’t bind to LDAP and they don’t work.