So I've made *some* progress. I created a new user in AD, and used this
new account to bind with. And, using simple authentication and password
prompting, my search worked correctly:
ldapsearch -Hldap://dim-win2300.dacrib.local -tt -x -D "ldap-proxy@dacrib.local" -b "dc=dacrib,dc=local" -W -L "(objectClass=user)" dn
However, I can't seem to get it to work, if I don't specify the ID and
password to bind with:
----------------------------
ldapsearch -v -x -Hldap://dim-win2300.dacrib.local "(objectClass=user)" sAMAccountName
ldap_initialize( ldap://dim-win2300.dacrib.local:389/??base )
filter: (objectClass=user)
requesting: sAMAccountName
# extended LDIF
#
# LDAPv3
# base <dc=DaCrib,dc=local> (default) with scope subtree
# filter: (objectClass=user)
# requesting: sAMAccountName
#
# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
# numResponses: 1
--------------------------
I thought perhaps the problem was that SASL was interfering, so I tried
to turn it off in ldap.conf, but that didn't seem to work.
As an aside, where does ldap.conf live, in Ubuntu 9.04? I have 2, one in
/etc and one in /etc/ldap. And I don't know which one (if either) is
being read ... is there any way to tell which one is in use?
-------------------
host 10.0.0.60
base dc=DaCrib,dc=local
#binddn CN=ldap-proxy,CN=Users,DC=DaCrib,DC=local
binddn ldap-proxy@dacrib.local
bindpw XXXXXXXX
use_sasl off
SASL_SECPROPS none
SSL no
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
# rootbinddn cn=Administrator,dc=dacrib,dc=local
# RFC 2307 (AD) mappings
# <to> <from>
nss_map_attribute userPassword sambaPassword
nss_map_attribute gecos name
nss_map_attribute uid unixName
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
pam_filter objectclass=User
pam_password crypt
nss_initgroups_ignoreusers avahi,backup,bin,daemon,dhcp,dovecot,festival,games,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,mysql,news,polkituser,postfix,proxy,root,saned,sshd,sync,sys,syslog,uucp,www-data
-----------------------
Anyone? I feel I am close, but can't figure out why doing it
interactively from the command line binds and searches, and relying on
the ldap.conf to supply that information does not ...
Thanks
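Added example, not from the original post and not part of Ubuntu, nss_ldap or OpenLDAP: a small POSIX sh script that tells the two "ldap.conf" files apart by the directives they contain. bindpw, nss_map_*, pam_* and nss_initgroups_ignoreusers belong to the nss_ldap/pam_ldap file (/etc/ldap.conf on Debian and Ubuntu, read by libnss-ldap and libpam-ldap); URI, BASE and TLS_* belong to the OpenLDAP client library's file (/etc/ldap/ldap.conf), which is what ldapsearch reads and which has no password directive at all, so a command-line search still needs -D together with -W or -y regardless of what the nss_ldap file says. The script also flags a bindpw stored in a group- or world-readable file and derives the client-library file from the nss_ldap one, deliberately leaving the password behind. The sample files, the directory they are written to and the placeholder password are constructed here; the host and base are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post): classify ldap.conf files,
# check bindpw exposure, and derive an OpenLDAP client config.
# Assumes POSIX sh with sed, awk, grep, ls and mktemp.

# Directives found only in the nss_ldap / pam_ldap file (/etc/ldap.conf).
NSS_LDAP_KEYS='bindpw|rootbinddn|nss_map_attribute|nss_map_objectclass|pam_filter|pam_password|nss_initgroups_ignoreusers|use_sasl'
# Directives of the OpenLDAP client library file (/etc/ldap/ldap.conf),
# read by ldapsearch. There is no password directive in this file format.
OPENLDAP_KEYS='URI|TLS_CACERT|TLS_REQCERT|NETWORK_TIMEOUT|TIMELIMIT|SIZELIMIT|DEREF'

# conf_keys FILE: first word of every non-comment, non-blank line
conf_keys() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | awk '{print $1}'
}

# classify_ldap_conf FILE: prints nss_ldap, openldap-client, mixed or unknown
classify_ldap_conf() {
    keys=$(conf_keys "$1")
    # grep -c exits 1 when the count is 0, so keep the "0" and ignore the status
    nss=$(printf '%s\n' "$keys" | grep -Eicx "$NSS_LDAP_KEYS" || true)
    ol=$(printf '%s\n' "$keys" | grep -Eicx "$OPENLDAP_KEYS" || true)
    if [ "$nss" -gt 0 ] && [ "$ol" -gt 0 ]; then echo mixed
    elif [ "$nss" -gt 0 ]; then echo nss_ldap
    elif [ "$ol" -gt 0 ]; then echo openldap-client
    else echo unknown
    fi
}

# bindpw_exposed FILE: succeeds (0) when FILE carries a bindpw directive and
# its mode grants read access to group or others; fails (1) otherwise.
bindpw_exposed() {
    grep -Eiq '^[[:space:]]*bindpw[[:space:]]' "$1" || return 1   # no password stored
    perm=$(ls -ld "$1" | cut -c1-10)                               # e.g. -rw-r--r--
    case $perm in
        ????r*|???????r*) return 0 ;;   # group-readable or world-readable
        *) return 1 ;;
    esac
}

# to_openldap_client FILE: print URI/BASE lines for /etc/ldap/ldap.conf from an
# nss_ldap-style FILE. bindpw is not carried over on purpose: the client
# library cannot read one, so ldapsearch takes the password via -W or -y.
to_openldap_client() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "uri"  { for (i = 2; i <= NF; i++) raw[++m] = $i }
        tolower($1) == "host" { for (i = 2; i <= NF; i++) hosts[++n] = $i }
        tolower($1) == "base" { base = $2 }
        tolower($1) == "ssl"  { ssl = tolower($2) }
        END {
            scheme = (ssl == "on" || ssl == "yes") ? "ldaps://" : "ldap://"
            uris = ""
            for (i = 1; i <= m; i++) uris = uris (uris == "" ? "" : " ") raw[i]
            for (i = 1; i <= n; i++) uris = uris (uris == "" ? "" : " ") scheme hosts[i]
            if (uris != "") print "URI " uris
            if (base != "") print "BASE " base
        }' "$1"
}

# Constructed sample files mirroring the two locations on Ubuntu.
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/etc/ldap"
cat > "$SAMPLE_DIR/etc/ldap.conf" <<'EOF'
# nss_ldap / pam_ldap configuration (constructed sample)
host 10.0.0.60
base dc=DaCrib,dc=local
binddn ldap-proxy@dacrib.local
bindpw PLACEHOLDER-PASSWORD
ssl no
pam_filter objectclass=User
EOF
chmod 644 "$SAMPLE_DIR/etc/ldap.conf"    # the common default mode, which exposes bindpw
cat > "$SAMPLE_DIR/etc/ldap/ldap.conf" <<'EOF'
# OpenLDAP client library configuration (constructed sample)
URI ldap://10.0.0.60
BASE dc=DaCrib,dc=local
TLS_REQCERT demand
EOF

for f in "$SAMPLE_DIR/etc/ldap.conf" "$SAMPLE_DIR/etc/ldap/ldap.conf"; do
    printf '%s: %s\n' "$f" "$(classify_ldap_conf "$f")"
done
if bindpw_exposed "$SAMPLE_DIR/etc/ldap.conf"; then
    echo "bindpw in $SAMPLE_DIR/etc/ldap.conf is readable by other users; chmod 600 it or use rootbinddn with /etc/ldap.secret"
fi
echo "derived client config:"
to_openldap_client "$SAMPLE_DIR/etc/ldap.conf"
```

To confirm which file the client library actually opens on a given system, run the search under `strace -e trace=open,openat ldapsearch ...` and look for the ldap.conf paths, or point the LDAPCONF environment variable (documented in ldap.conf(5)) at a file of your choosing and see whether the BASE it sets takes effect.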