IPBrick - Member of an AD domain
IPBRICK SA
October 4, 2016


Copyright © IPBRICK. All rights reserved. 2015.

The information contained in this document is subject to alterations without prior notice. Statements, technical data, configurations and recommendations found in this document are supposedly precise and reliable, but are presented without expressed or implicit warranties.

IPBrick AD integration IPBRICK - 2015

Contents

1 Active Directory - LDAP
  1.1 Introduction
  1.2 Microsoft Services For Unix
    1.2.1 Installing SFU
    1.2.2 Windows Server 2003 R1
    1.2.3 Windows Server 2003 R2
    1.2.4 Windows Server 2008
    1.2.5 Windows Server 2012
    1.2.6 SFU Configuration
  1.3 Active Directory - Schema SNAP-IN
  1.4 Windows 2003 Server Support Tools
  1.5 LDAP Schema update
    1.5.1 AD Schema Registration
    1.5.2 Anonymous Access to LDAP
  1.6 AD users management
2 IPBrick configuration
  2.1 AD Data
  2.2 IPBrick Configuration
3 Troubleshooting
  3.1 FAQs
  3.2 Scenarios
    3.2.1 Scenario: 0 - Starting Point
    3.2.2 Scenario - A
    3.2.3 Scenario - B
    3.2.4 Scenario - C
    3.2.5 Scenario - D


Chapter 1

Active Directory - LDAP

1.1 Introduction

Created by Microsoft Corporation, Active Directory (AD) provides the means to manage the identities and relationships that make up your organization’s network. Active Directory stores information and settings in a central database and also allows administrators to assign policies, organize available software, and apply vital updates to an organization.

When installed, IPBrick uses the local Lightweight Directory Access Protocol (LDAP) to authenticate the users (Advanced Configurations -> IPBrick -> Authentication). It means that these users are created in IPBrick, so IPBrick will be acting as the network PDC¹. If the organization already has a PDC (e.g. Windows 2003 Active Directory) and an IPBrick is being installed, it could be necessary to integrate the IPBrick with the Active Directory. The integration level depends on the services that will be running in IPBrick:

• No integration: If the IPBrick is a communications server without services requiring user authentication, no integration is needed. Examples of such services:

– Mail relay

– Transparent/Standard Proxy

– VoIP

– Firewall

– Webserver.

• Partial integration: If the IPBrick needs to authenticate users, you must change the authentication type to AD Domain Member (IPBrick Master). It’s called a partial integration because the IPBrick will only need to query the Windows LDAP for the authentication process (please consult Section 1.2 and Chapter 2).

¹ Primary Domain Controller


– These are some services/applications running in IPBrick that need this type of integration:

– Proxy with authentication;

– PPTP VPN;

– Intranet applications running on IPBrick (Calendar, Contacts, etc.)

• Total integration: In a total integration, the IPBrick, besides querying LDAP for authentication, will physically hold the user’s account. However, the LDAP server must be extended in order to support all the IPBrick requirements, such as:

– UNIX attributes: NIS domain, UID, GID, login shell and home directory;

– Automount information LDAP attributes;

– Mail server LDAP attributes (qmail-ldap).

• Examples when a total integration is needed:

– The IPBrick will be the internal mail server: the Windows Exchange service will be replaced by the IPBrick qmail service.

– You will use the document management system developed by iPortalMais - iPortalDoc

• If the goal is to do a total integration with AD, please follow all the steps presented in this Manual.

1.2 Microsoft Services For Unix

1.2.1 Installing SFU

1.2.2 Windows Server 2003 R1

If you have installed a Windows 2003 Server (R1), you’ll need to install the Services for UNIX (SFU) version 3.5 that can be obtained from Microsoft’s website at:

http://www.microsoft.com/en-us/download/details.aspx?id=274

You must log in with an MSN passport, the same account information that enables you to log in to the MSN messenger service. The file size is about 217.6 MB and it is a self-extracting zip file.

To proceed with the installation you’ll need to log in to Windows as a user of the ’Schema Admins’ group.

To install, you must follow these steps:


1. Download the file to the server;

2. Uncompress it to c:\tempsfu;

3. Now you must close all Microsoft Management Consoles (MMC) as well as any AD Management windows you might have open;

4. Execute c:\tempsfu\setup.exe (you can delete this file later)

5. Select all the default options - Do not write anything in any of thefields!

6. For the modifications to take place, you must reboot the server. This can be done at the end.

1.2.3 Windows Server 2003 R2

If you have installed a Windows 2003 Server (R2), SFU is included with version 4.0, so we just need to activate the service:

• Click Start, select Control Panel, and click Add or Remove Programs;

Figure 1.1: Start - Control Panel - Add or Remove Programs


• Click Add/Remove Windows Components. Next, select the Active Directory Services component and click Details;

Figure 1.2: Active Directory Services Component

• Check Identity Management for UNIX and click OK. Click Next to begin installation. After its completion this prompt will appear; please click Finish.


Figure 1.3: Installation complete

1.2.4 Windows Server 2008

Identity Management for Unix is a role service, which means it is basically an extra feature of the ADS role.

If you have Windows Server 2008, to install the Identity Management you should follow these steps:

Start -> Administrative Tools -> Server Manager


Figure 1.4: 2008 Server Manager

Start -> Administrator Tools -> Services for Network File System

Choose Roles

Scroll down to the Active Directory Domain Services


Figure 1.5: Active Directory Domain Services

Click the Add Role Services link.

On the next screen, Select Role Services, check the Identity Management checkbox.

Figure 1.6: Active Directory Domain Services

This will lead you through a wizard which will require a reboot of the server.


1.2.5 Windows Server 2012

From page:

http://technet.microsoft.com/en-us/library/cc731178.aspx

To install Identity Management for UNIX by using Dism.exe: on a domain controller that runs Windows Server 2012, right-click Windows PowerShell and click Run as Administrator.

Type one of the following, and then press ENTER:

• To install the administration tools for Identity Management for UNIX.

Dism.exe /online /enable-feature /featurename:adminui /all

Note: This installs only the administration tools. Using Dism.exe, Server for NIS and Password Synchronization must be installed separately.

• To install Server for NIS:

Dism.exe /online /enable-feature /featurename:nis /all

• To install Password Synchronization:

Dism.exe /online /enable-feature /featurename:psync /all

A restart of the server is required when you install Identity Management for UNIX. The /quiet parameter restarts the computer automatically after installation is finished.

Conflicts when migrating the AD to 2008R2

In certain situations, when you run the AD automatic migration script to AD 2008R2, certain conflicts with an object (OID 1.3.6.1.1.1.1.9) may occur.

In short, in the first IPBRICK integrations with AD we used this OID, which was free (it was not used by MS). In the meantime, MS decided to start using this identifier.

In these situations it is necessary to release the OID so that the automatic script can run normally.

At this time the auto_r2.ldif no longer makes use of this ID.


The following procedure is similar to that described in the following link (it describes a similar situation experienced with third-party software, Apple).

http://support.microsoft.com/?id=887426

1.2.6 SFU Configuration

SFU adds tabs to the Active Directory that allow the editing and management of Unix properties, like User Identification (UID) and Group Identification (GID), of objects like groups, users and machines.

It’s necessary to specify the Unix Attributes for:

• Users:

– NIS Domain: It’s the AD domain;

– UID: User identification;

– Login Shell: Default is /bin/sh;

– Home Directory: Users home directory in Unix;

– Primary group name/GID: The user group.

• Groups:

– NIS Domain: It’s the AD domain;

– GID: Group identification;

– Members: Group members.

This attribute definition is done in Active Directory at Users and Computers.

Groups example

Next we have an example of the user ’administrador’, who is a Domain Admin user:

First in Domain Admins group:


Figure 1.7: Domain Admins properties

Users example

Only after the definition of Unix Attributes for groups is it possible to define the Unix Attributes for users, because each user has a Primary Group ID. For the user ’administrador’ we have:


Figure 1.8: ’administrador’ properties

⇒ Note: To have groups in IPBrick that will include users belonging to those same groups, it’s necessary that:

• Those groups have the Unix Attributes defined;

• The users, members of these groups, have the Unix Attributes defined;

• The users should be added to groups in the groups tab: UNIX Attributes, Members;

Additional information:

• GID Domain Users : Must be 513;

• GID Domain Admins : Must be 512;

• UID administrator : Must be 10000;

• The other users will have the UID 100001, 100002 etc.

• If using other LDAP groups you can use GID 514, 515 etc.
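The rules above (groups get their Unix Attributes before users, Domain Users = 513, Domain Admins = 512, the administrator account = 10000, every user listed under Members of its primary group) are easy to get wrong by hand across dozens of accounts, and a user whose primary GID points at a group without Unix Attributes simply never appears on the IPBrick side. The following is an added example, not IPBrick’s own code, that checks those rules over a constructed sample export; the dict layout and the attribute names it reads (uidNumber, gidNumber, msSFU30NisDomain, loginShell, unixHomeDirectory, memberUid) are assumptions about how the AD data was exported, and the account name passed as admin_account is the ’administrador’ example from this manual.

```python
"""Consistency check for SFU / Identity Management for UNIX attributes before
IPBrick synchronises users from AD.

Added example, not IPBrick's own code.  Attribute names and the dict layout
are assumptions about an exported directory snapshot.
"""

REQUIRED_GIDS = {"Domain Users": 513, "Domain Admins": 512}
ADMIN_UID = 10000
USER_ATTRS = ("uidNumber", "gidNumber", "msSFU30NisDomain",
              "loginShell", "unixHomeDirectory")

# Constructed sample data: the 'Sales' group has no Unix attributes yet,
# and 'bob' points at it through GID 514 while reusing alice's UID.
SAMPLE_GROUPS = [
    {"cn": "Domain Users", "gidNumber": 513, "msSFU30NisDomain": "example",
     "memberUid": ["administrador", "alice"]},
    {"cn": "Domain Admins", "gidNumber": 512, "msSFU30NisDomain": "example",
     "memberUid": ["administrador"]},
    {"cn": "Sales", "memberUid": ["bob"]},
]
SAMPLE_USERS = [
    {"sAMAccountName": "administrador", "uidNumber": 10000, "gidNumber": 512,
     "msSFU30NisDomain": "example", "loginShell": "/bin/sh",
     "unixHomeDirectory": "/home/administrador"},
    {"sAMAccountName": "alice", "uidNumber": 100001, "gidNumber": 513,
     "msSFU30NisDomain": "example", "loginShell": "/bin/sh",
     "unixHomeDirectory": "/home/alice"},
    {"sAMAccountName": "bob", "uidNumber": 100001, "gidNumber": 514,
     "msSFU30NisDomain": "example", "loginShell": "/bin/sh",
     "unixHomeDirectory": "/home/bob"},
]


def check_unix_attributes(users, groups, admin_account="administrador"):
    """Return a list of problem descriptions; an empty list means consistent."""
    problems = []
    gid_to_group = {}
    # Groups first: a user can only be validated against a group that
    # already carries a NIS domain and a GID.
    for g in groups:
        if "gidNumber" not in g or "msSFU30NisDomain" not in g:
            problems.append(f"group {g['cn']!r} has no Unix attributes (NIS domain/GID)")
            continue
        if g["gidNumber"] in gid_to_group:
            problems.append(f"GID {g['gidNumber']} is used by more than one group")
        gid_to_group.setdefault(g["gidNumber"], g)
    for name, gid in REQUIRED_GIDS.items():
        actual = next((g.get("gidNumber") for g in groups if g["cn"] == name), None)
        if actual != gid:
            problems.append(f"group {name!r} must have GID {gid}, found {actual}")
    seen_uids = {}
    for u in users:
        name = u["sAMAccountName"]
        missing = [a for a in USER_ATTRS if a not in u]
        if missing:
            problems.append(f"user {name!r} is missing {', '.join(missing)}")
            continue
        uid = u["uidNumber"]
        if uid in seen_uids:
            problems.append(f"user {name!r} reuses UID {uid} already assigned to {seen_uids[uid]!r}")
        seen_uids.setdefault(uid, name)
        if name == admin_account and uid != ADMIN_UID:
            problems.append(f"user {name!r} must have UID {ADMIN_UID}, found {uid}")
        group = gid_to_group.get(u["gidNumber"])
        if group is None:
            problems.append(f"user {name!r} primary GID {u['gidNumber']} matches no group with Unix attributes")
        elif name not in group.get("memberUid", []):
            problems.append(f"user {name!r} is not listed under Members of group {group['cn']!r}")
    return problems


if __name__ == "__main__":
    for p in check_unix_attributes(SAMPLE_USERS, SAMPLE_GROUPS):
        print("PROBLEM:", p)
```

Run it against a real export before the synchronisation step in Section 1.6; the three findings on the sample (the group without Unix Attributes, the duplicate UID and the orphaned primary GID) are exactly the cases that otherwise surface only as users silently missing from IPBrick.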


1.3 Active Directory - Schema SNAP-IN

IMPORTANT NOTE: You may only advance from this stage onwards if the Windows Server is NOT an SBS (Small Business Server)!!!

To enable working on the LDAP schema in AD, you must activate the correct MMC Snap-In. This must be done once per server as follows:

start -> run

regsvr32 schmmgmt.dll

Figure 1.9: Start - Run

Figure 1.10: Run: ’regsvr32 schmmgmt.dll’


Figure 1.11: ’regsvr32 schmmgmt.dll’ succeeded

To access the snap-in, please follow these steps:

1. Start -> Run : mmc

Figure 1.12: Run: ’mmc’

2. File -> Add/Remove Snap-in


Figure 1.13: File - Add/Remove Snap-in

3. Add

Figure 1.14: Add Snap-in


4. Active Directory Schema

Figure 1.15: Active Directory Schema

5. Add

6. Close

7. Ok

1.4 Windows 2003 Server Support Tools

Active Directory Service Interfaces Editor (ADSI Edit) is part of the Windows 2003 Server Support Tools. It is an LDAP editor that you can use to manage objects and attributes in AD. ADSI Edit lets you have a view of every object and attribute in AD. You can query, view, and edit attributes that are not shown with other AD MMC snap-ins.

We will need ADSI Edit later on for several tasks. To use it you must install the Windows 2003 Server Support Tools, and then:

1. press START -> Run : mmc


Figure 1.16: Run: ’mmc’

2. File -> Add/Remove Snap-in

Figure 1.17: File - Add/Remove Snap-in

3. Add

4. ADSI Edit


Figure 1.18: Adding ADSI Edit

5. Add

6. Close

7. Ok

If you want to work locally at the server, you must:

1. Right click at ADSI Edit


Figure 1.19: ADSI Edit - Connect to...

2. Select Connect To...

3. Then you should check:

• Connection Point: Domain and Configuration


Figure 1.20: ADSI Edit - Domain

Figure 1.21: ADSI Edit - Configuration

• Computer: Default or Domain domain.com


NOTE: Until the end of this chapter, we’ll work with Connection Point checked for both Domain and Configuration.

Figure 1.22: Domain and Configuration under ADSI Edit

If you don’t have the standard ADSI Edit, you can download it at http://tinyurl.com/yhgn9u and follow these steps:

• Extract all files to a folder;

• Copy the adsiedit.dll to c:\windows

• At Start - Run insert regsvr32 adsiedit

• Start using the ADSIEdit executing the file adsiedit.msc

1.5 LDAP Schema update

You must register the schema of the Automount and Qmail services in the Windows LDAP. This is necessary because these schema attributes don’t exist in the base Windows LDAP schema. An application called ldifde will be used to add these new LDAP attributes. An LDIF² file is an LDAP standard format that represents directory content or update requests for the LDAP service.

² LDAP Data Interchange Format


1.5.1 AD Schema Registration

1. In some versions of Windows 2000/2003 we need to modify a variable in order to have permission to update the AD schema. To do this you must use the registry editor (Start -> Run -> regedt32);

Figure 1.23: Run: ’regedt32’

2. Find the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

Value: Schema Update Allowed


Figure 1.24: Schema Update Allowed key location

3. If present, edit the variable named (Schema Update Allowed)

4. Click at Binary and change its value to 1.

Note: If ’Schema Update Allowed’ isn’t listed in the Registry, it means that it is already active and you won’t need to make any change.

Now, that the schema update is allowed, we can proceed:

1. If you have a Windows 2003 Release 1, download the auto_r1.ldif file from the Documentation section at the IPBrick’s site:

http://eshop.ipbrick.com/

Downloads -> Documentation -> Other documentation

Note: Please bear in mind that you need to register at our site in order to access the Downloads page.

2. At the same location, please download the auto_r2.ldif file if it’s a Windows 2003 Release 2.


3. Open the file in a text editor, such as Wordpad, and do a Replace All of <DOMAIN_BASE_DN> to the domain you’re using. As an example, if you are using a domain named domain.com you should have: DC=domain,DC=com. You can use the ADSI Edit tool to find out the base DN.

Figure 1.25: .ldif file opened in Wordpad - Replace All

4. Go to Start - Run and hit cmd. At the command line you must execute the following command to add these attributes to AD (change DC=domain,DC=com to your domain and the LDIF file path):

ldifde -i -k -c CN=Schema,CN=Configuration,DC=domain,DC=com CN=Schema,CN=Configuration,DC=domain,DC=com -s localhost -f auto_r2.ldif
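Steps 3 and 4 are where integrations usually go wrong: a mistyped base DN, a placeholder left behind after the Replace All, or an ldifde run against the wrong naming context. The following is an added example, not IPBrick’s own code, that derives the base DN from the DNS domain, fills the <DOMAIN_BASE_DN> placeholder the way the Replace All does, refuses to continue if any placeholder survives, and assembles the ldifde command line from this manual. The LDIF fragment inside it is constructed for the example (the attribute name and OID are made up, and are not the IPBrick schema); the real file is the auto_r1.ldif / auto_r2.ldif download.

```python
"""Prepare the IPBrick schema LDIF for import with ldifde.

Added example, not IPBrick's own code.  SAMPLE_LDIF is a constructed
stand-in for one attributeSchema entry; its name and OID are made up.
"""
import re

PLACEHOLDER = "<DOMAIN_BASE_DN>"
SCHEMA_NC_PREFIX = "CN=Schema,CN=Configuration"

SAMPLE_LDIF = """\
dn: CN=exampleAutomountInfo,CN=Schema,CN=Configuration,<DOMAIN_BASE_DN>
changetype: add
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.99999.1.1
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
lDAPDisplayName: exampleAutomountInfo
"""

LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")
LEFTOVER_RE = re.compile(r"<[A-Z_]+>")


def domain_to_base_dn(domain: str) -> str:
    """'domain.com' -> 'DC=domain,DC=com': one DC component per DNS label."""
    labels = domain.strip().strip(".").split(".")
    if not labels or not all(LABEL_RE.fullmatch(label) for label in labels):
        raise ValueError(f"not a valid DNS domain name: {domain!r}")
    return ",".join(f"DC={label}" for label in labels)


def fill_placeholder(ldif_text: str, base_dn: str) -> str:
    """Replace All of <DOMAIN_BASE_DN>, then make sure nothing is left over."""
    filled = ldif_text.replace(PLACEHOLDER, base_dn)
    leftover = LEFTOVER_RE.search(filled)
    if leftover:
        raise ValueError(f"unfilled placeholder {leftover.group(0)} in LDIF")
    return filled


def ldifde_command(base_dn: str, ldif_path: str, server: str = "localhost") -> list:
    """argv for the import step from the manual.

    -k continues past 'already exists' errors, so a rerun is safe; -c FROM TO
    is the manual's DN rewrite and is a no-op once the placeholder is filled.
    """
    schema_nc = f"{SCHEMA_NC_PREFIX},{base_dn}"
    return ["ldifde", "-i", "-k", "-c", schema_nc, schema_nc,
            "-s", server, "-f", ldif_path]


if __name__ == "__main__":
    base_dn = domain_to_base_dn("domain.com")
    print(fill_placeholder(SAMPLE_LDIF, base_dn))
    print(" ".join(ldifde_command(base_dn, "auto_r2.ldif")))
```

The leftover check matters more than it looks: ldifde reports a placeholder DN as a generic syntax error and, with -k, keeps importing the remaining entries, leaving the schema half extended.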


Figure 1.26: Command line input

1.5.2 Anonymous Access to LDAP

It’s mandatory to allow anonymous access to the LDAP’s information. This can be done through the ADSI Edit in the Configuration connection point.

1. Right-click over the following entry and select Properties;

CN=Configuration, CN=Services, CN=Windows NT, CN=Directory Service

Figure 1.27: Configuration Connection Point - dsHeuristics


2. Edit the variable named dsHeuristics:

• If not set change it to - 0000002

• If set to 001 change it to - 0010002

3. Click OK

4. Click OK
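The two values in step 2 are instances of one rule: dsHeuristics is a positional string, and its 7th character (the fLDAPBlockAnonOps position) set to ’2’ is what lets ANONYMOUS LOGON perform whatever operations the ACLs then permit; every other position must be preserved and missing positions padded with ’0’. The following is an added example, not IPBrick’s own code, that implements that rule for any existing value and includes the read-only check you would run when auditing a domain; the sample values in it are constructed.

```python
"""Compute the dsHeuristics value that permits anonymous LDAP operations.

Added example, not IPBrick's own code.  The attribute lives on
CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<base DN>.
"""
from typing import Optional

ANON_OPS_POSITION = 7  # 1-based position of fLDAPBlockAnonOps in dsHeuristics


def allow_anonymous_ops(current: Optional[str]) -> str:
    """Return the dsHeuristics string to write back.

    "" -> "0000002" and "001" -> "0010002" are the manual's two cases; any
    other existing positions are kept untouched.
    """
    chars = list((current or "").strip())
    if any(not c.isalnum() for c in chars):
        raise ValueError(f"unexpected character in dsHeuristics {current!r}")
    while len(chars) < ANON_OPS_POSITION:
        chars.append("0")
    chars[ANON_OPS_POSITION - 1] = "2"
    return "".join(chars)


def anonymous_ops_allowed(value: Optional[str]) -> bool:
    """Read-only audit check: is the anonymous-operations flag already on?"""
    value = (value or "").strip()
    return len(value) >= ANON_OPS_POSITION and value[ANON_OPS_POSITION - 1] == "2"


if __name__ == "__main__":
    for before in ("", "001", "0000002"):  # constructed sample values
        after = allow_anonymous_ops(before)
        print(f"{before!r:>10} -> {after!r}  anonymous allowed: {anonymous_ops_allowed(after)}")
```

This flag applies to the whole forest, not to one OU, which is why the next procedure grants ANONYMOUS LOGON read access on OU=auto.home only: with the flag on, what an anonymous client can actually see is decided by the ACLs alone, so the ACE must not be widened beyond that OU.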

Then you must configure the Access Lists at OU=auto.home:

1. At ADSI Edit confirm that the connection point is Domain;

2. Select the OU=auto.home entry and right click;

Figure 1.28: Domain Connection Point - OU=auto.home

3. Select Properties and choose Security;

4. Add an entry with the following information:

• Add: ANONYMOUS LOGON : Check: Read


Figure 1.29: ANONYMOUS LOGON

Figure 1.30: Check: Read

• Advanced

• Select the line ANONYMOUS LOGON


• Change Apply into: This object and all child objects

Figure 1.31: ANONYMOUS LOGON - This object and all child objects

• Confirm all with OK

Attention: Anonymous logon permissions should be defined only for OU=auto.home and its children.

1.6 AD users management

The users database is in the Domain Controller LDAP (Active Directory). The IPBrick servers configured to authenticate at the AD domain use the LDAP authentication services. For that reason we did the AD LDAP schema update to support the LINUX/UNIX authentication services. The additional information needed for each LDAP user is:

• UID and GID - User and group identifier

• UNIX password - User password synchronized to the Windows password

• Automount - Physical account location (homedir) (work area and server)

Note: The first two items are installed with Microsoft Services For Unix.


Create users

1. Create users in Active Directory:

Start -> All Programs -> Administrative Tools -> Active Directory Users and Computers

Figure 1.32: Active Directory Users and Computers

(a) Right click over the Users folder: New -> User


Figure 1.33: Creating a new User

(b) Fill the Name and Email - used in internal contacts

(c) In Unix Attributes option, insert the user in NIS domain

(d) Identify the primary user group - If you have doubts choose ’Domain Users’


Figure 1.34: User form

2. In the Master IPBrick, through the web interface go to IPBrick - Users Management

(a) Choose synchronize in AD

(b) Select the users that you want to synchronize (you can filter the users view by selecting a group)

(c) For each user choose the server (local or remote) and work area

(d) Synchronize

(e) Update settings

ATTENTION: The Windows 2003 AD date must match the date defined in IPBrick

Remove users

Remove the user information from IPBrick servers.

1. In the Master IPBrick:

(a) Access to IPBrick Web interface IPBrick - Users Management.

(b) Find the user(s) and click in the name;

(c) Hit Delete and Confirm

(d) Update settings


2. In the Windows AD:

(a) Remove the Unix Attributes information by selecting in NIS Domain the option <none>


Chapter 2

IPBrick configuration

2.1 AD Data

An easy way to find the necessary Base DNs is using the ADSI Edit tool referred to in Section 1.4.

After connecting to the server (referred to in Section 1.4), a window like Figure 2.1 appears and the domain in use is visible (dc=iporatal2003,dc=local).

Figure 2.1: ASDI Edit - Domain

In Figure 2.2 the users BASE DN is visible. In this case the username is administrador. The BASE DN for that user is:

cn=administrador,cn=users,dc=iporatal2003,dc=local


And the users BASE DN is:

cn=users,dc=iporatal2003,dc=local.

Figure 2.2: ASDI Edit - Users

In groups (Figure 2.2), the BASE DN is cn=builtin,dc=iporatal2003,dc=local.

2.2 IPBrick Configuration

In IPBrick the configuration should be in agreement with the AD. It will be done in the following menu:

Advanced Configurations -> IPBrick -> Authentication

Modify the authentication type to AD Domain Member (IPBrick Master). In Figure 2.4, the join will be done to an AD with the following definitions:

• Services for Unix Version: v3.5 (used for Windows 2003 R1. You must choose v4.0 if you use Windows 2003 R2)

• AD Server IP Address: 192.168.69.28

• Netbios Domain: iporatal2003

• Realm: iporatal2003.local

• Domain Administrator: administrador;


Figure 2.3: ASDI Edit - Groups

• Password:

• Base DN: dc=iporatal2003,dc=local;

• Administrator DN: cn=administrador,cn=users,dc=iporatal2003,dc=local;

• Users search base DN: cn=users,dc=iporatal2003,dc=local;

• Groups search base DN: ou=builtin,dc=iporatal2003,dc=local

An easy way to list all the users and groups is to set the Users and Groups search base DN to the Base DN.

E.g: dc=iporatal2003,dc=local

! Attention !: This data must be the same as the one in the AD configuration. The data presented here is just an example. Please contact the AD administrator to know the correct BASE DNs, or alternatively you can obtain it through ADSI Edit.

! Attention !: Windows 2003 AD is usually the organization’s internal DNS server, so IPBrick must resolve names there. At Advanced Configurations - Support Services - DNS - Name Resolution, the first line must be destined to the Windows server IP. The second line can be the IPBrick’s localhost IP (127.0.0.1). If needed you can alter the order of the addresses.


Figure 2.4: IPBrick as AD member


Chapter 3

Troubleshooting

3.1 FAQs

• Why is the machine so slow and with such a high load average?

– Because processes are beginning to accumulate due to the delay in the name resolution (UIDs, UID Numbers, Logins, etc.) caused by the pending query to the LDAP/AD server, which is, in itself, very time consuming

• What are the causes of those problems at AD level?

– The Performance of the server when responding to LDAP queries;

– A heavy structure with many users and changes done to the AD: when the clean installation was done, the performance was fast and efficient; however, since then so many alterations have been implemented (upgrades, new software installation, updates in the AD schema, software removal, user creation, etc.) that the performance has been hindered;

– Also noteworthy is the addition of new AD Domain Controllers (of the same version as the original or not), the migration from one domain controller server to another, from one version to another, and the removal of other AD Domain Controllers (correctly removed or simply terminated, with or without important tasks attributed - Operations Masters/Roles).

All these actions are normal practice in a modern organization, but that ’mistreatment’ of the database information - LDAP - will not help the AD to perform at its best and also, historically, the AD/LDAP will keep a record of all these ’ill-treatments’, thus creating instability and unreliability in the system.

• So what can be done to minimize these problems?

– If the Windows workstations are functioning unaware of the LDAP (AD), using just a service called Domain Controller (DC) that resides in the Samba server, they apparently work in a reasonably acceptable manner! At least most of the time, unless someone tries to add a new DC and/or migrate ’Roles’ (important AD tasks) from one server to another. In this case there’s no solution in sight.

3.2 Scenarios

As we can see, the problems are inherent to the dependence on the AD’s LDAP. In the following subsections of this document we will present you with some scenarios that have been helpful in solving some of these issues.

3.2.1 Scenario: 0 - Starting Point

In ALL integrations with the AD, the rule when configuring IPBrick is:

• DNS Domain: DNS matches the domain used by the AD (realm);

• Name resolution: use the IP of the domain’s DNS server (Usually the AD itself)

• Time: Synchronize the time by NTP via the AD’s server (NTP : AD_IP)

• AD’s DNS: The DNS server must be updated with ALL the IPBrick’s records - e.g.:

– IPBrick-name: ipbrick.domain.com

– Alias: iportaldoc.domain.com (contacts, etc.)

– IP: 192.168.69.199

– Do not forget to register the A record ipbrick.domain.com pointing to the IP 192.168.69.199 as well as the respective PTR record

– All other aliases must be registered as such - CNAME

• Login link to AD: Domain Administrator Login (DN): the rule is to create a NEW user in AD exclusively for connecting to the AD - Do not use the administrator’s login since it is typically used by many other services and thus the password tends to be regularly changed, and so IPBrick would have to update and restart itself!

• Sometimes it is necessary to ’help’ the AD Domain Join and Kerberos, so you should type at the console:

kinit [link to AD]

net ads join -U [AD Administrator’s login] -S [AD_NAME]


3.2.2 Scenario - A

The AD has more than 1000 objects (active users, inactive users, groups, machines).

By default the LDAP/AD only responds with up to 1000 items in each query. You must change this parameter in the configuration of the AD.

In the MS Windows server change the parameter MaxPageSize using the Ntdsutil.exe tool.

For more information, please consult the following page: http://support.microsoft.com/kb/315071

3.2.3 Scenario - B

The AD has an unsatisfactory performance. However, by coincidence or not, the users/groups that will use the IPBrick services are all located in a specific OU (Organizational Unit) of the AD (and/or sub-OUs of this specific OU).

Eg: ou=myfavoritefolder,dc=domain,dc=com

In IPBrick, in the parameterization of the authentication mode we can change the values for connecting to the AD.

Note: By default it is recommended that the DN of the groups search and the DN of the users search be identical to the base DN (top), because neither of them is always in the same OU, and this way it works in all cases.

However, in some situations, like this one in scenario B, we find that making the following changes increases the AD’s (IPBrick) performance:

• DN User Search: ou=myfavoritefolder,dc=domain,dc=com

• DN Groups Search: ou=myfavoritefolder,dc=domain,dc=com

3.2.4 Scenario - C

At one point an organization had several AD DC servers; since then some were terminated, but the remaining ADs were not properly notified of that termination. So, more often than not, direct queries to the AD/LDAP return a referral (Referred this request) to another server that is off, and in these situations the LDAP client tries to communicate with an inactive IP and waits for a timeout.

In this situation the manual changes to be implemented in the IPBrick server are:


• Add/edit the line referrals no in the files:

– /etc/libnss-ldap.conf

– /etc/pam_ldap.conf
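Both files are typically edited by hand, and a second ’referrals’ line (or a commented-out ’referrals yes’ left over from a template) is easy to miss, which is how the fix ends up applied on one of the two files only. The following is an added example, not IPBrick’s own code, that sets the line idempotently: it rewrites an existing ’referrals’ line (including a commented-out one), appends it when absent, collapses duplicates, and reports whether a file actually changed. The config contents in the usage block are constructed samples; the two paths are the ones from this scenario.

```python
"""Idempotently set 'referrals no' in libnss-ldap / pam_ldap style configs.

Added example, not IPBrick's own code.  The sample config text below is
constructed; CONFIG_FILES are the two files named in Scenario C.
"""
import re
from pathlib import Path

CONFIG_FILES = ["/etc/libnss-ldap.conf", "/etc/pam_ldap.conf"]
# An existing 'referrals ...' line, optionally commented out.
REFERRALS_RE = re.compile(r"^\s*#?\s*referrals\b.*$", re.IGNORECASE)


def set_referrals_off(text: str) -> str:
    """Return the config text with exactly one active 'referrals no' line."""
    out, done = [], False
    for line in text.splitlines():
        if REFERRALS_RE.match(line):
            if not done:
                out.append("referrals no")
                done = True
            continue  # drop duplicates and stale commented-out copies
        out.append(line)
    if not done:
        out.append("referrals no")
    return "\n".join(out) + "\n"


def apply_to_file(path: str) -> bool:
    """Rewrite one config file in place; True when the content changed."""
    p = Path(path)
    before = p.read_text()
    after = set_referrals_off(before)
    if after != before:
        p.write_text(after)
        return True
    return False


if __name__ == "__main__":
    sample = "base dc=domain,dc=com\nuri ldap://192.168.69.28/\n# referrals yes\n"
    print(set_referrals_off(sample), end="")
    # On the IPBrick itself: for f in CONFIG_FILES: apply_to_file(f)
```

Running apply_to_file over CONFIG_FILES as root on the IPBrick applies the change; since the function reports whether anything changed, it can be left in a periodic check so a later edit that re-enables referral chasing (and with it the timeouts from Scenario C) is noticed.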

3.2.5 Scenario - D

After all the other presented scenarios, we are left with a manual patch that can be of use if all the other situations were not helpful:

/etc/qmail/ldapcluster - change from "0" to "1"
