Ok. With -d 32, I got some more info about pam as red color log.<br><br>There is "<span style="color: rgb(255, 0, 0);">Unknown user</span>" log info following the input of my user password. Feel confused since ldap is able to get user info from Active directory, why it turns out "Unknown user" here.<br>
<br>Mon Nov 23 15:21:16 2009 [3806]: Read AUTHEN/CONT size=23<br>Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey<br>Mon Nov 23 15:21:16 2009 [3806]: version 192 (0xc0), type 1, seq no 3, flags 0x1<br>Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 11 (0xb)<br>
Mon Nov 23 15:21:16 2009 [3806]: End header<br>Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN/CONT<br>Mon Nov 23 15:21:16 2009 [3806]: user_msg_len 6 (0x6), user_data_len 0 (0x0)<br>Mon Nov 23 15:21:16 2009 [3806]: flags=0x0<br>
Mon Nov 23 15:21:16 2009 [3806]: User msg:<br>Mon Nov 23 15:21:16 2009 [3806]: myusername<br>Mon Nov 23 15:21:16 2009 [3806]: User data:<br>Mon Nov 23 15:21:16 2009 [3806]: End packet<br>Mon Nov 23 15:21:16 2009 [3806]: choose_authen chose default_fn<br>
Mon Nov 23 15:21:16 2009 [3806]: Calling authentication function<br>Mon Nov 23 15:21:16 2009 [3806]: <span style="color: rgb(255, 0, 0);">pam_verify myusername</span><br>Mon Nov 23 15:21:16 2009 [3806]: <span style="color: rgb(255, 0, 0);">pam_tacacs received 1 pam_messages</span><br>
Mon Nov 23 15:21:16 2009 [3806]: <span style="color: rgb(255, 0, 0);">Error 10.1.69.89 tty0: PAM_PROMPT_ECHO_OFF</span><br>Mon Nov 23 15:21:16 2009 [3806]: Writing AUTHEN/GETPASS size=28<br>Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey<br>
Mon Nov 23 15:21:16 2009 [3806]: version 192 (0xc0), type 1, seq no 4, flags 0x1<br>Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 16 (0x10)<br>Mon Nov 23 15:21:16 2009 [3806]: End header<br>
Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1<br>Mon Nov 23 15:21:16 2009 [3806]: msg_len=10, data_len=0<br>Mon Nov 23 15:21:16 2009 [3806]: msg:<br>Mon Nov 23 15:21:16 2009 [3806]: Password:<br>
Mon Nov 23 15:21:16 2009 [3806]: data:<br>Mon Nov 23 15:21:16 2009 [3806]: End packet<br>Mon Nov 23 15:21:16 2009 [3806]: Waiting for packet<br>Mon Nov 23 15:21:21 2009 [3806]: Read AUTHEN/CONT size=30<br>Mon Nov 23 15:21:21 2009 [3806]: PACKET: key=mykey<br>
Mon Nov 23 15:21:21 2009 [3806]: version 192 (0xc0), type 1, seq no 5, flags 0x1<br>Mon Nov 23 15:21:21 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 18 (0x12)<br>Mon Nov 23 15:21:21 2009 [3806]: End header<br>
Mon Nov 23 15:21:21 2009 [3806]: type=AUTHEN/CONT<br>Mon Nov 23 15:21:21 2009 [3806]: user_msg_len 13 (0xd), user_data_len 0 (0x0)<br>Mon Nov 23 15:21:21 2009 [3806]: flags=0x0<br>Mon Nov 23 15:21:21 2009 [3806]: User msg:<br>
Mon Nov 23 15:21:21 2009 [3806]: mypassword<br>Mon Nov 23 15:21:21 2009 [3806]: User data:<br>Mon Nov 23 15:21:21 2009 [3806]: End packet<br>Mon Nov 23 15:21:22 2009 [3806]: <span style="color: rgb(255, 0, 0);">Unknown user</span><br>
Mon Nov 23 15:21:22 2009 [3806]: login query for 'myusername' tty0 from 10.1.69.89 rejected<br>Mon Nov 23 15:21:22 2009 [3806]: login failure: myusername10.1.69.89 (10.1.69.89) tty0<br>Mon Nov 23 15:21:22 2009 [3806]: Writing AUTHEN/FAIL size=18<br>
Mon Nov 23 15:21:22 2009 [3806]: PACKET: key=mykey<br>Mon Nov 23 15:21:22 2009 [3806]: version 192 (0xc0), type 1, seq no 6, flags 0x1<br>Mon Nov 23 15:21:22 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 6 (0x6)<br>
Mon Nov 23 15:21:22 2009 [3806]: End header<br>Mon Nov 23 15:21:22 2009 [3806]: type=AUTHEN status=2 (AUTHEN/FAIL) flags=0x0<br>Mon Nov 23 15:21:22 2009 [3806]: msg_len=0, data_len=0<br>Mon Nov 23 15:21:22 2009 [3806]: msg:<br>
Mon Nov 23 15:21:22 2009 [3806]: data:<br>Mon Nov 23 15:21:22 2009 [3806]: End packet<br>Mon Nov 23 15:21:22 2009 [3806]: <a href="http://10.1.69.89">10.1.69.89</a>: disconnect<br><br><br><div class="gmail_quote">On Mon, Nov 23, 2009 at 3:16 PM, john heasley <span dir="ltr"><<a href="mailto:heas@shrubbery.net">heas@shrubbery.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Mon, Nov 23, 2009 at 03:12:53PM -0600, Hailu Meng:<br>
<div class="im">> I just saw some posts saying pam_krb winbind could be needed to get pam work<br>
> against active directory. Is this true? The post I was following actually is<br>
> for a LDAP server not Active Directory.<br>
<br>
</div>i dont know; each pam implementation seems to be [at least] slightly<br>
different. seems silly to need kerberos for ldap.<br>
<div><div></div><div class="h5"><br>
> On Mon, Nov 23, 2009 at 2:49 PM, Hailu Meng <<a href="mailto:hailumeng@gmail.com">hailumeng@gmail.com</a>> wrote:<br>
><br>
> > I think I need put my pam configuration here:<br>
> ><br>
> > I followed this post<br>
> > <a href="http://www.shrubbery.net/pipermail/tac_plus/2009-January/000332.html" target="_blank">http://www.shrubbery.net/pipermail/tac_plus/2009-January/000332.html</a> to<br>
> > configure my pam module:<br>
> ><br>
> > /etc/pam.d/tacacs<br>
> ><br>
> > auth include system-auth<br>
> > account required pam_nologin.so<br>
> > account include system-auth<br>
> > password include system-auth<br>
> > session optional pam_keyinit.so force revoke<br>
> > session include system-auth<br>
> > session required pam_loginuid.so<br>
> ><br>
> > /etc/pam.d/system-auth<br>
> > #%PAM-1.0<br>
> > # This file is auto-generated.<br>
> > # User changes will be destroyed the next time authconfig is run.<br>
> > auth required pam_env.so<br>
> > auth sufficient pam_unix.so nullok try_first_pass<br>
> > auth requisite pam_succeed_if.so uid >= 500 quiet<br>
> > auth sufficient pam_ldap.so use_first_pass<br>
> > auth required pam_deny.so<br>
> ><br>
> > account required pam_unix.so broken_shadow<br>
> > account sufficient pam_succeed_if.so uid < 500 quiet<br>
> ><br>
> > account [default=bad success=ok user_unknown=ignore] pam_ldap.so<br>
> > account required pam_permit.so<br>
> ><br>
> > password requisite pam_cracklib.so try_first_pass retry=3<br>
> > password sufficient pam_unix.so md5 shadow nullok try_first_pass<br>
> > use_authtok<br>
> > password sufficient pam_ldap.so use_authtok<br>
> > password required pam_deny.so<br>
> ><br>
> > session optional pam_keyinit.so revoke<br>
> > session required pam_limits.so<br>
> > session [success=1 default=ignore] pam_succeed_if.so service in crond<br>
> > quiet use_uid<br>
> > session required pam_unix.so<br>
> > session optional pam_ldap.so<br>
> ><br>
> ><br>
> > On Mon, Nov 23, 2009 at 2:33 PM, Hailu Meng <<a href="mailto:hailumeng@gmail.com">hailumeng@gmail.com</a>> wrote:<br>
> ><br>
> >> Hi John,<br>
> >><br>
> >> You mean issue commands like tac_plus -C /etct/tac_plus.conf -L -p 49 -d<br>
> >> 16 -d 256 -g ? -d 16 -d 256 side by side? It didn't make any change. I got<br>
> >> same log info. By the way, I also saw the log info in /var/log/message:<br>
> >> Nov 23 14:24:25 NMS tac_plus[3676]: Reading config<br>
> >> Nov 23 14:24:25 NMS tac_plus[3676]: Version F4.0.4.19 Initialized 1<br>
> >> Nov 23 14:24:29 NMS tac_plus[3676]: connect from 10.1.69.89 [10.1.69.89]<br>
> >> Nov 23 14:24:37 NMS tac_plus[3676]: login query for 'myuser' tty0 from<br>
> >> 10.1.69.89 rejected<br>
> >> Nov 23 14:24:37 NMS tac_plus[3676]: login failure: myuser 10.1.69.89<br>
> >> (10.1.69.89) tty0<br>
> >><br>
> >> Do we have option to see the log about PAM? I haven't found where it is.<br>
> >> if we can check the log of PAM, then we could find something useful. Right<br>
> >> now the log of tac_plus didn't tell too much about why login got failure.<br>
<br>
</div></div>add -d 32. -d x -d y ... will be logically OR'd together.<br>
<div><div></div><div class="h5"><br>
> >> Lou<br>
> >><br>
> >> On Mon, Nov 23, 2009 at 2:20 PM, john heasley <<a href="mailto:heas@shrubbery.net">heas@shrubbery.net</a>> wrote:<br>
> >><br>
> >>> Mon, Nov 23, 2009 at 12:43:00PM -0600, Hailu Meng:<br>
> >>> > Thanks John for helping me check this issue.<br>
> >>> ><br>
> >>> > I just run tac_plus -C /path/to/tac_plus.conf -L -p 49 -d256 -g to see<br>
> >>> the<br>
> >>><br>
> >>> try -d 16 -d 256. which i think will log the pwd that pam received from<br>
> >>> the device. make its correct. the logs below do appear to be a<br>
> >>> reject/fail<br>
> >>> returned from pam.<br>
> >>><br>
> >>> > log in stdout and in log file. I can't see any suspicious log<br>
> >>> information<br>
> >>> > here. I paste the log below:<br>
> >>> ><br>
> >>> ><br>
> >>> > Sat Nov 21 22:28:22 2009 [3393]: Waiting for packet<br>
> >>> > Sat Nov 21 22:28:27 2009 [3393]: Read AUTHEN/CONT size=23<br>
> >>> > Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey<br>
> >>> > Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), type 1, seq no 5,<br>
> >>> flags<br>
> >>> > 0x1<br>
> >>> > Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 (0xc46868ce),<br>
> >>> Data<br>
> >>> > length<br>
> >>> > 11 (0xb)<br>
> >>> > Sat Nov 21 22:28:27 2009 [3393]: End header<br>
> >>> > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN/CONT<br>
> >>> > Sat Nov 21 22:28:27 2009 [3393]: user_msg_len 6 (0x6), user_data_len 0<br>
> >>> (0x0)<br>
> >>> > Sat Nov 21 22:28:27 2009 [3393]: flags=0x0<br>
> >>> > Sat Nov 21 22:28:27 2009 [3393]: User msg:<br>
> >>> > Sat Nov 21 22:28:27 2009 [3393]: myusername<br>
> >>> > Sat Nov 21 22:28:27 2009 [3393]: User data:<br>
> >>> > Sat Nov 21 22:28:27 2009 [3393]: End packet<br>
> >>> > Sat Nov 21 22:28:27 2009 [3393]: choose_authen chose default_fn<br>
> >>> > Sat Nov 21 22:28:27 2009 [3393]: Calling authentication function<br>
> >>> > Sat Nov 21 22:28:27 2009 [3393]: Writing AUTHEN/GETPASS size=28<br>
> >>> > Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey<br>
> >>> > Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), type 1, seq no 6,<br>
> >>> flags<br>
> >>> > 0x1<br>
> >>> > Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 (0xc46868ce),<br>
> >>> Data<br>
> >>> > length<br>
> >>> > 16 (0x10)<br>
> >>> > Sat Nov 21 22:28:27 2009 [3393]: End header<br>
> >>> > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN status=5 (AUTHEN/GETPASS)<br>
> >>> > flags=0x1<br>
> >>> > Sat Nov 21 22:28:27 2009 [3393]: msg_len=10, data_len=0<br>
> >>> > Sat Nov 21 22:28:27 2009 [3393]: msg:<br>
> >>> > Sat Nov 21 22:28:27 2009 [3393]: Password:<br>
> >>> > Sat Nov 21 22:28:27 2009 [3393]: data:<br>
> >>> > Sat Nov 21 22:28:27 2009 [3393]: End packet<br>
> >>> > Sat Nov 21 22:28:27 2009 [3393]: Waiting for packet<br>
> >>> > Sat Nov 21 22:28:34 2009 [3393]: Read AUTHEN/CONT size=30<br>
> >>> > Sat Nov 21 22:28:34 2009 [3393]: PACKET: key=mykey<br>
> >>><br>
> >>> > Sat Nov 21 22:28:34 2009 [3393]: version 192 (0xc0), type 1, seq no 7,<br>
> >>> flags<br>
> >>> > 0x1<br>
> >>> > Sat Nov 21 22:28:34 2009 [3393]: session_id 3295176910 (0xc46868ce),<br>
> >>> Data<br>
> >>> > length<br>
> >>> > 18 (0x12)<br>
> >>> > Sat Nov 21 22:28:34 2009 [3393]: End header<br>
> >>> > Sat Nov 21 22:28:34 2009 [3393]: type=AUTHEN/CONT<br>
> >>> > Sat Nov 21 22:28:34 2009 [3393]: user_msg_len 13 (0xd), user_data_len 0<br>
> >>> > (0x0)<br>
> >>> > Sat Nov 21 22:28:34 2009 [3393]: flags=0x0<br>
> >>> > Sat Nov 21 22:28:34 2009 [3393]: User msg:<br>
> >>> > Sat Nov 21 22:28:34 2009 [3393]: mypassword<br>
> >>> > Sat Nov 21 22:28:34 2009 [3393]: User data:<br>
> >>> > Sat Nov 21 22:28:34 2009 [3393]: End packet<br>
> >>> > Sat Nov 21 22:28:36 2009 [3393]: login query for 'myusername' tty0 from<br>
> >>> > 10.1.69.89 r<br>
> >>> > ejected<br>
> >>> > Sat Nov 21 22:28:36 2009 [3393]: login failure: myusername 10.1.69.89<br>
> >>> > (10.1.69.89) t<br>
> >>> > ty0<br>
> >>> > Sat Nov 21 22:28:36 2009 [3393]: Writing AUTHEN/FAIL size=18<br>
> >>> > Sat Nov 21 22:28:36 2009 [3393]: PACKET: key=mykey<br>
> >>> > Sat Nov 21 22:28:36 2009 [3393]: version 192 (0xc0), type 1, seq no 8,<br>
> >>> flags<br>
> >>> > 0x1<br>
> >>> > Sat Nov 21 22:28:36 2009 [3393]: session_id 3295176910 (0xc46868ce),<br>
> >>> Data<br>
> >>> > length<br>
> >>> > 6 (0x6)<br>
> >>> > Sat Nov 21 22:28:36 2009 [3393]: End header<br>
> >>> > Sat Nov 21 22:28:36 2009 [3393]: type=AUTHEN status=2 (AUTHEN/FAIL)<br>
> >>> > flags=0x0<br>
> >>> > Sat Nov 21 22:28:36 2009 [3393]: msg_len=0, data_len=0<br>
> >>> > Sat Nov 21 22:28:36 2009 [3393]: msg:<br>
> >>> > Sat Nov 21 22:28:36 2009 [3393]: data:<br>
> >>> > Sat Nov 21 22:28:36 2009 [3393]: End packet<br>
> >>> > Sat Nov 21 22:28:36 2009 [3393]: <a href="http://10.1.69.89" target="_blank">10.1.69.89</a>: disconnect<br>
> >>> ><br>
> >>> ><br>
> >>> ><br>
> >>> > On Mon, Nov 23, 2009 at 12:23 PM, john heasley <<a href="mailto:heas@shrubbery.net">heas@shrubbery.net</a>><br>
> >>> wrote:<br>
> >>> ><br>
> >>> > > Mon, Nov 23, 2009 at 12:12:58PM -0600, Hailu Meng:<br>
> >>> > > > Hi Adam,<br>
> >>> > > ><br>
> >>> > > > If the ldapsearch -D "" -w "" runs successfully, what do we suppose<br>
> >>> to<br>
> >>> > > get<br>
> >>> > > > from the output? I just got all of the user information in that<br>
> >>> group.<br>
> >>> > > Does<br>
> >>> > > > that means my password and username got authenticated successfully<br>
> >>> > > against<br>
> >>> > > > AD?<br>
> >>> > > ><br>
> >>> > > > This thing drives me crazy. I need solve it through this week<br>
> >>> before the<br>
> >>> > > > holiday...<br>
> >>> > ><br>
> >>> > > i havent followed this thread, as i know nearly zero about ldap.<br>
> >>> but,<br>
> >>> > > have you enabled authentication debugging in the tacacas daemon and<br>
> >>> > > checked the logs to determine what is coming back from pam? it very<br>
> >>> > > well may be that the ldap client is working just fine, but there is a<br>
> >>> > > pam module bug or a bug in the tacplus daemon or that your device<br>
> >>> > > simply doesnt like something about the replies.<br>
> >>> > ><br>
> >>> > > > Thanks a lot for the help.<br>
> >>> > > ><br>
> >>> > > > Lou<br>
> >>> > > ><br>
> >>> > > > On Fri, Nov 20, 2009 at 7:26 AM, Hailu Meng <<a href="mailto:hailumeng@gmail.com">hailumeng@gmail.com</a>><br>
> >>> wrote:<br>
> >>> > > ><br>
> >>> > > > > Still no clue how to turn on the log. binding seems good. See my<br>
> >>> > > findings<br>
> >>> > > > > below. Thanks a lot.<br>
> >>> > > > ><br>
> >>> > > > > On Thu, Nov 19, 2009 at 9:26 PM, adam <<a href="mailto:prozaconstilts@gmail.com">prozaconstilts@gmail.com</a>><br>
> >>> > > wrote:<br>
> >>> > > > ><br>
> >>> > > > >> Hailu Meng wrote:<br>
> >>> > > > >><br>
> >>> > > > >>> Adam,<br>
> >>> > > > >>><br>
> >>> > > > >>> I tried the su - "userid" in my tacacs+ server but I don't have<br>
> >>> that<br>
> >>> > > > >>> userid in CentOS. So the CentOS just don't want me log in. I<br>
> >>> think<br>
> >>> > > this will<br>
> >>> > > > >>> not ask tacacs server to authenticate against AD.<br>
> >>> > > > >>><br>
> >>> > > > >><br>
> >>> > > > >> You shouldn't need to have to define the user in CentOS, that's<br>
> >>> the<br>
> >>> > > point<br>
> >>> > > > >> of using ldap for authentication. The user is defined in ldap,<br>
> >>> not in<br>
> >>> > > > >> CentOS. Now that I think about it, su - <user> probably wouldn't<br>
> >>> work<br>
> >>> > > > >> anyway, as AD doesn't by default have the data needed by a linux<br>
> >>> box<br>
> >>> > > to<br>
> >>> > > > >> allow login...but see below for more options.<br>
> >>> > > > >><br>
> >>> > > > >><br>
> >>> > > > >><br>
> >>> > > > >>> Is there any other way to test ldap authentication against AD<br>
> >>> with<br>
> >>> > > the<br>
> >>> > > > >>> userid in AD? I tried ldapsearch. It did find my user id<br>
> >>> without<br>
> >>> > > problem.<br>
> >>> > > > >>> But I haven't found any option to try with password and<br>
> >>> authenticate<br>
> >>> > > against<br>
> >>> > > > >>> AD.<br>
> >>> > > > >>><br>
> >>> > > > >><br>
> >>> > > > >> Try using -D:<br>
> >>> > > > >><br>
> >>> > > > >> from `man ldapsearch`:<br>
> >>> > > > >><br>
> >>> > > > >> -D binddn<br>
> >>> > > > >> Use the Distinguished Name binddn to bind to the LDAP<br>
> >>> directory.<br>
> >>> > > > >><br>
> >>> > > > >> so -D cn=username,ou=my_ou,dc=my_dc should let you try to<br>
> >>> authenticate<br>
> >>> > > > >> using whatever user you want to define. Just check and double<br>
> >>> check<br>
> >>> > > you get<br>
> >>> > > > >> the right path in that dn.<br>
> >>> > > > >><br>
> >>> > > > >><br>
> >>> > > > >> I tried -D " cn=username,ou=my_ou,dc=my_dc " but it just<br>
> >>> returned lots<br>
> >>> > > of<br>
> >>> > > > > users' information. It means successful?<br>
> >>> > > > ><br>
> >>> > > > ><br>
> >>> > > > >> Do you have ldap server setup or only the openldap library and<br>
> >>> > > openldap<br>
> >>> > > > >>> client? I don't understand why the log is not turned on. There<br>
> >>> must<br>
> >>> > > be some<br>
> >>> > > > >>> debugging info in the log which can help solve this issue.<br>
> >>> > > > >>><br>
> >>> > > > >><br>
> >>> > > > >> only the libs and client. You should not need the server. In the<br>
> >>> > > > >> ldapsearch, you can use -d <integer> to get debugging info for<br>
> >>> that<br>
> >>> > > search.<br>
> >>> > > > >> As before, higher number = more debug<br>
> >>> > > > >><br>
> >>> > > > >><br>
> >>> > > > >> If the user can authenticate, does ethereal capture some<br>
> >>> packets<br>
> >>> > > about<br>
> >>> > > > >>> password verification? Right now I only see the packets when<br>
> >>> ldap<br>
> >>> > > search for<br>
> >>> > > > >>> my user id and gets results back from AD.<br>
> >>> > > > >>><br>
> >>> > > > >><br>
> >>> > > > >> Ethereal should catch all data flowing between the client and<br>
> >>> server.<br>
> >>> > > If<br>
> >>> > > > >> you can search out the user in your AD right now, then one of<br>
> >>> two<br>
> >>> > > things is<br>
> >>> > > > >> happening:<br>
> >>> > > > >><br>
> >>> > > > >> 1. You are performing anonymous searches. In this case, no<br>
> >>> username<br>
> >>> > > and pw<br>
> >>> > > > >> is provided, and your AD is happy to hand over info to anyone<br>
> >>> who asks<br>
> >>> > > for<br>
> >>> > > > >> it. If this is the case, you will _not_ see authentication<br>
> >>> > > information. The<br>
> >>> > > > >> following MS KB article should probably help you determine on<br>
> >>> your AD<br>
> >>> > > if<br>
> >>> > > > >> anonymous queries are allowed:<br>
> >>> > > > >><br>
> >>> > > > >> <a href="http://support.microsoft.com/kb/320528" target="_blank">http://support.microsoft.com/kb/320528</a><br>
> >>> > > > >><br>
> >>> > > > >> It has exact instructions for how to get it going, but you can<br>
> >>> follow<br>
> >>> > > > >> along with it to check your current settings without making any<br>
> >>> > > changes.<br>
> >>> > > > >><br>
> >>> > > > ><br>
> >>> > > > > I checked our setting. Permission type for normal user is "Read &<br>
> >>> > > Execute".<br>
> >>> > > > > I click edit to check the detail about permission. I think it<br>
> >>> only<br>
> >>> > > allow the<br>
> >>> > > > > user to read the attributes, permission something and can't<br>
> >>> modify the<br>
> >>> > > > > AD.There is "Everyone" setting is also set as "Read & Execute".<br>
> >>> By the<br>
> >>> > > way,<br>
> >>> > > > > the AD is Win2003 R2.<br>
> >>> > > > ><br>
> >>> > > > ><br>
> >>> > > > >><br>
> >>> > > > >> 2. Authentication is happening. It will be the _very_ first<br>
> >>> thing the<br>
> >>> > > > >> client and server perform, after basic connection establishment.<br>
> >>> Look<br>
> >>> > > for it<br>
> >>> > > > >> at the very beginning of a dump.<br>
> >>> > > > >><br>
> >>> > > > >><br>
> >>> > > > >><br>
> >>> > > > >> Also, it's a bit overkill, but the following article is<br>
> >>> extremely<br>
> >>> > > > >> informative about all the different ways you can plug linux into<br>
> >>> AD<br>
> >>> > > for<br>
> >>> > > > >> authentication. It might offer some hints...<br>
> >>> > > > >><br>
> >>> > > > >><br>
> >>> > > > >><br>
> >>> > > > >><br>
> >>> > > > >>> Maybe I need dig into ldap.conf more. If you have any idea, let<br>
> >>> me<br>
> >>> > > know.<br>
> >>> > > > >>><br>
> >>> > > > >>> Thank you very much.<br>
> >>> > > > >>><br>
> >>> > > > >>> Lou<br>
> >>> > > > >>><br>
> >>> > > > >><br>
> >>> > > > >><br>
> >>> > > > >><br>
> >>> > > > ><br>
> >>> > > > -------------- next part --------------<br>
> >>> > > > An HTML attachment was scrubbed...<br>
> >>> > > > URL:<br>
> >>> > ><br>
> >>> <a href="http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/bba3d7fb/attachment.html" target="_blank">http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/bba3d7fb/attachment.html</a><br>
> >>> > > > _______________________________________________<br>
> >>> > > > tac_plus mailing list<br>
> >>> > > > <a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a><br>
> >>> > > > <a href="http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus" target="_blank">http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus</a><br>
> >>> > ><br>
> >>><br>
> >><br>
> >><br>
> ><br>
</div></div></blockquote></div><br>