Your setup, with minor changes (the naming contexts, and the remote server is OpenLDAP as well) works just fine with current re23 and HEAD code, using either slapd-meta(5) (why?) or slapd-ldap(5) with slapo-rwm(5). So the devil must be in the details. In any case, since OpenLDAP 2.3.30 there were at least 10 fixes/enhancements to slapd-ldap(5) and at least 6 to slapd-meta(5), so an upgrade might help.
p.
Federico Grau wrote:
With minimal information as requested by the moderators multiple times. Why doesn't idassert-bind work as expected? When I try an anonymous query to an "LDAP" server via an OpenLDAP server configured as a proxy (backend meta, or backend ldap), the query fails because the OpenLDAP server does not bind (even when I try setting the "idassert-bind" option).
# sample failed anonymous query to AD via OpenLDAP
ldapsearch -H "ldap://localhost/" -b "ou=windows,dc=rfa,dc=org" -x

# expected query to be performed by ldap server
ldapsearch -H "ldap://dc1.rfa.org/" -b "cn=users,dc=rfa,dc=org" \
    -D "CN=LDAP Proxy user account,OU=Windows,DC=rfa,DC=org" -W \
    -x

# using (tcpdump -x -s0 port 389) I never see a bind sent from OpenLDAP,
# and instead I see an error returned from the "LDAP" server because a
# bind was not successful.

# backend meta portion of the slapd.conf file
##database ldap
database meta
suffix "ou=windows,dc=rfa,dc=org"
uri "ldap://dc1.rfa.org/ou=windows,dc=rfa,dc=org"
suffixmassage ou=windows,dc=rfa,dc=org cn=users,dc=rfa,dc=org
idassert-authzFrom "dn:*"
#Xidassert-bind bindmethod=simple binddn="ldap-proxy@rfa.org" credentials="222222"
idassert-bind bindmethod=simple binddn="CN=LDAP Proxy user account,OU=Windows,DC=rfa,DC=org" credentials="222222" mode=none
dncache-ttl 60
My environment is made up of Debian stable (4.0 Etch) on the workstations and OpenLDAP server, OpenLDAP 2.3.30-5 on the server. "LDAP" Server on the remote end.
thank you, donfede
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------