Full_Name: Christian Palacios
Version: LTB package version 2.4.45
OS: Debian "Stretch"
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (104.129.192.55)
We have an OpenLDAP server configured as a proxy so that it can be used to authenticate against three Active Directory domains. We are able to get it configured with two of the domains, but it fails with the third one. The problem, as I have been told, is that the binddn definition cannot have a comma in the DN. Unfortunately we don't have control over this third domain, and all of the accounts, including service accounts, have a format that includes a comma in their DN. For example: binddn="CN=gisadmin, CNE (SVC),OU=CNE-Calgary FDSCI,OU=NASA,OU=Service Accounts,DC=int,DC=cgg,DC=com" credentials="" mode="legacy" flags="non-prescriptive". As you can see, the DN has a comma next to the gisadmin value. We have been told that this is a problem, so we want to see if anyone has a fix for this so that the defined binddn can have a comma in it. It's going to be hard to get another user account created in a different format that will work, so we're hoping there is a quick fix for OpenLDAP.
From the OpenLDAP Log file:
Oct 16 10:11:17 CNE-LDA01 slapd[5501]: @(#) $OpenLDAP: slapd 2.4.45 (Jun 10 2017 17:54:31) $#012#011root@stretch:/opt/openldap-deb/debian/paquet-openldap-debian/openldap-ltb-2.4.45/servers/slapd
Oct 16 10:11:17 CNE-LDA01 slapd[5501]: invalid bind config value binddn=CN=gisadmin, CNE (SVC),OU=CNE-Calgary FDSCI,OU=NASA,OU=Service Accounts,DC=int,DC=cgg,DC=com
Oct 16 10:11:17 CNE-LDA01 slapd[5501]: /usr/local/openldap/etc/openldap/slapd.conf: line 65: "idassert-bind <args>": unable to parse field "binddn=CN=gisadmin, CNE (SVC),OU=CNE-Calgary FDSCI,OU=NASA,OU=Serv$
Oct 16 10:11:17 CNE-LDA01 slapd[5501]: slapd stopped.
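Added example, not part of the report or of OpenLDAP: the helpers below split the quoted DN into RDNs the way RFC 4514 string DNs are read, showing that an unescaped comma inside the CN value produces an RDN with no attribute type, while the backslash-escaped form (`\,` or `\2C`) keeps the value whole. That slapd's idassert-bind parser behaves exactly like this illustrative splitter is an assumption; the functions split_dn, escape_value and rdn_problems are constructed here.

```python
# RFC 4514 DN handling: how an unescaped comma inside an attribute value
# changes the RDN structure of a bind DN. Illustrative code, not slapd's parser.
import string
from typing import List

# Characters that must be backslash-escaped inside an RDN value (RFC 4514 s.2.4).
_SPECIAL = set(',+"\\<>;')


def split_dn(dn: str) -> List[str]:
    """Split a string DN on unescaped commas, decoding '\\X' and '\\hh' escapes.
    Assumption: hex escapes are decoded one byte at a time (multi-byte UTF-8 not reassembled)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            nxt = dn[i + 1]
            if nxt in _SPECIAL or nxt in " #=":
                cur.append(nxt); i += 2; continue
            h = dn[i + 1:i + 3]
            if len(h) == 2 and all(c in string.hexdigits for c in h):
                cur.append(chr(int(h, 16))); i += 3; continue
        if ch == ",":
            rdns.append("".join(cur)); cur = []   # unescaped comma ends the RDN
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    return rdns


def escape_value(value: str) -> str:
    """Escape an attribute value for embedding in a string DN (RFC 4514 s.2.4)."""
    out = "".join("\\" + c if c in _SPECIAL else c for c in value)
    if out.startswith((" ", "#")):       # leading space or '#' must be escaped
        out = "\\" + out
    if out.endswith(" "):                # trailing space must be escaped
        out = out[:-1] + "\\ "
    return out


def rdn_problems(dn: str) -> List[str]:
    """Return RDNs that carry no 'type=' part, the symptom of a comma that split a value."""
    return [r for r in split_dn(dn) if "=" not in r]


# Constructed from the DN quoted in the report: as written, and with the CN value escaped.
SUFFIX = ",OU=CNE-Calgary FDSCI,OU=NASA,OU=Service Accounts,DC=int,DC=cgg,DC=com"
RAW_DN = "CN=gisadmin, CNE (SVC)" + SUFFIX
ESCAPED_DN = "CN=" + escape_value("gisadmin, CNE (SVC)") + SUFFIX

if __name__ == "__main__":
    print(split_dn(RAW_DN), rdn_problems(RAW_DN))
    print(ESCAPED_DN, split_dn(ESCAPED_DN), rdn_problems(ESCAPED_DN))
```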