Howto Ldap Auth: Difference between revisions
From Pumping Station One
| (userAccountControl:1.2.840.113556.1.4.803:=2)
| Tests the ACCOUNTDISABLE bit (value 2) of userAccountControl using the LDAP_MATCHING_RULE_BIT_AND rule (OID 1.2.840.113556.1.4.803). As written it matches ''disabled'' accounts, so to select only enabled accounts it has to be negated with <code>!</code>: <code>(!(userAccountControl:1.2.840.113556.1.4.803:=2))</code>.
|-
| Account Suffix
| @PS1
| When checking a password, the sAMAccountName needs this suffix appended to it before the bind (e.g. user@PS1).
|-
| mail
| mail
| LDAP attribute that stores the user's email address.
|-
| Minimum password length
| 1
| AD (and Samba AD) accept a bind with a name and a zero-length password as an LDAP "unauthenticated bind" (RFC 4513 section 5.1.2): no error is returned, but no password was verified. It's broken, but accepted, so the service must refuse empty passwords itself.
|}
* You almost always want debug output from the LDAP client when setting this up. There are a lot of things that can go wrong.
* Start without the filter field and add it later.
* When a service checks a password, it usually attempts to bind to Samba as that user. To bind successfully, it needs to bind as user@PS1.
* If you try to bind to LDAP with a zero-length password, it "works", sort of: there is no error, but you can't access anything substantial. This is the LDAP unauthenticated bind (RFC 4513 section 5.1.2), and it is enough to fool services into thinking the password was correct, which is why the minimum password length must be at least 1.
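The following is an added example, not code from the Pumping Station One wiki or from any particular service: it shows the password-check logic the table and tips describe, with the account suffix appended, the enabled-account filter built with RFC 4515 escaping of the username, and an explicit guard against the zero-length-password bind. The real LDAP connection is replaced by a constructed <code>fake_ad_bind</code> function that imitates the observed AD/Samba behaviour (empty password "succeeds"), so the naive check and the hardened check can be compared offline; the function and variable names are assumptions, as is the single user in the fake directory.

```python
"""Password check against AD/Samba LDAP with a guard for the RFC 4513
'unauthenticated bind'. Added example; the bind function is a stand-in."""
from typing import Callable

ACCOUNT_SUFFIX = "@PS1"      # from the wiki table: sAMAccountName + suffix for the bind
MIN_PASSWORD_LENGTH = 1      # from the wiki table: never bind with an empty password
# Enabled accounts only: negate the ACCOUNTDISABLE bit (2) test on userAccountControl.
ENABLED_FILTER = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"

# Type of a bind function: (bind name, password) -> True if the server accepted the bind.
BindFn = Callable[[str, str], bool]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter,
    so a username like 'a*)(x' cannot alter the filter structure."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def user_filter(sam_account_name: str) -> str:
    """Filter that finds one enabled account by sAMAccountName."""
    return "(&(sAMAccountName=%s)%s)" % (escape_filter_value(sam_account_name), ENABLED_FILTER)


def bind_name(sam_account_name: str) -> str:
    """The name a service must bind with (user@PS1 per the wiki)."""
    return sam_account_name + ACCOUNT_SUFFIX


def naive_check(username: str, password: str, bind: BindFn) -> bool:
    """What a service does without the guard: just try the bind.
    Against AD/Samba an empty password returns success (unauthenticated bind)."""
    return bind(bind_name(username), password)


def check_password(username: str, password: str, bind: BindFn) -> bool:
    """Hardened check: refuse empty usernames and short/empty passwords
    before ever talking to the directory, then try the bind."""
    if not username or len(password) < MIN_PASSWORD_LENGTH:
        return False
    return bind(bind_name(username), password)


def fake_ad_bind(name: str, password: str) -> bool:
    """Constructed stand-in for an AD/Samba simple bind (assumption, not a real server):
    a zero-length password is accepted as an unauthenticated bind, otherwise the
    password must match the (constructed) directory entry."""
    directory = {"alice@PS1": "correct horse"}
    if password == "":
        return True
    return directory.get(name) == password


if __name__ == "__main__":
    print("naive, empty password:", naive_check("alice", "", fake_ad_bind))       # True: fooled
    print("guarded, empty password:", check_password("alice", "", fake_ad_bind))  # False
    print("guarded, right password:", check_password("alice", "correct horse", fake_ad_bind))
    print("filter:", user_filter("a*b"))
```

The guard belongs in the service, not in the directory: the wiki's "Minimum password length" setting is exactly this check, and <code>naive_check</code> shows why leaving it at 0 lets any username in with an empty password.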