ldaplist -d group \* - Not Working (Object not found) from Solaris 10 to Windows 2008 R2 Active Direc

Discussion in 'Active Directory' started by Brian Jester, Jan 20, 2012.

  1. Brian Jester

    Brian Jester Guest

    Our Solaris 10 clients are using Windows 2008 R2 Active Directory for authentication (Kerberos) and (attempting) authorization (LDAP), but the LDAP part is erroring out. Here's the sequence of events:

    On Solaris 10 client:

    ldaplist passwd \*

    -Works correctly, and lists all users from Windows 2008 R2 Active Directory

    However, when I do the same command for groups, it errors out:

    ldaplist group \*

    -Errors out with:

    ldaplist: Object not found

    For the AD groups for UNIX, I've chosen the NIS domain on the UNIX Attributes tab, just like I did with the AD UNIX users.

    Other commands that do work between Solaris 10 and Win 2008 R2 AD:

    kinit <user>
    klist
    klist -k
    ldapsearch -h <DC> -D cn=proxy,cn=users,dc=mydomain,dc=com -w <PASSWD> -b dc=mydomain,dc=com -s sub '(cn=tst*)'
    ldapsearch -h <DC> -s base -b "" "(objectclass=*)"

    The ldapsearch will actually list my groups (my groups are named tstgrp1, tstgrp2, tstgrp3, tstgrp4), but I think this works because it's searching for the Common Name (CN) tst*, and not for a type of object (group).

    These commands do not work as expected:

    getent passwd

    -This only shows local UNIX users

    getent group

    -This only shows local UNIX users

    The /etc/nsswitch.conf is set up for:

    passwd: files ldap [TRYAGAIN=continue]
    group: files ldap [TRYAGAIN=continue]
    hosts: files dns

    My references are:
    "Windows Security and Directory Services for UNIX v1.0", Microsoft
    http://technet.microsoft.com/en-us/library/bb496504.aspx
    "Authenticating UNIX/Linux to Windows 2008R2. Part 1 : Set up Windows"
    "Authenticating UNIX/Linux to Windows 2008R2. Part 2 : Solaris 10"
    http://osdude.wordpress.com/2011/08/

    Systems:
    Solaris 10 (sparc)
    Windows 2008 R2 with Identity Management for UNIX Role added.
     
    Brian Jester, Jan 20, 2012
    #1

  2. Brian Jester

    Brian Jester Guest

    I found a mistake in our /var/ldap/ldap_client_file, I had:

    group:posixAccount=group

    And it should have read:

    group:posixGroup=group

    Once I made the change, I could query groups.
     
    Brian Jester, Jan 20, 2012
    #2
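The fix above comes down to one NS_LDAP_OBJECTCLASSMAP line in /var/ldap/ldap_client_file mapping the group service from posixAccount instead of posixGroup. The following is an added example, not code from the thread: a small POSIX sh check that reads such a file's content and reports what the group service is mapped from, so the mismatch can be caught before ldaplist reports "Object not found". The two sample file fragments are constructed to mirror the wrong and the corrected mapping.

```shell
#!/bin/sh
# Added example (not from the original thread): detect a group service in a
# Solaris ldap_client_file that is mapped from an objectclass other than
# posixGroup. The sample contents below are constructed.

# Constructed sample: the mapping as the poster first had it (wrong).
SAMPLE_BAD='NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=user
NS_LDAP_OBJECTCLASSMAP= group:posixAccount=group'

# Constructed sample: the corrected mapping from the poster's follow-up.
SAMPLE_GOOD='NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=user
NS_LDAP_OBJECTCLASSMAP= group:posixGroup=group'

# group_objectclass CONTENT: print the Solaris-side objectclass that the
# group service is mapped from (one line per group mapping found).
# Lines have the form "NS_LDAP_OBJECTCLASSMAP= service:from=to".
group_objectclass() {
    printf '%s\n' "$1" |
        sed -n 's/^NS_LDAP_OBJECTCLASSMAP=[[:space:]]*group:\([^=]*\)=.*/\1/p'
}

# check_group_map CONTENT: exit status 0 when the group service maps from
# posixGroup, 1 when it maps from anything else (e.g. the posixAccount typo
# in the thread), 2 when no group mapping is present at all.
check_group_map() {
    oc=$(group_objectclass "$1")
    if [ -z "$oc" ]; then
        echo "no NS_LDAP_OBJECTCLASSMAP entry for the group service" >&2
        return 2
    fi
    if [ "$oc" != "posixGroup" ]; then
        echo "group service mapped from '$oc'; expected posixGroup" >&2
        return 1
    fi
    return 0
}

# On a real Solaris 10 client (path taken from the thread):
#   check_group_map "$(cat /var/ldap/ldap_client_file)"
```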
