Hi all,
I have two OpenLDAP servers (2.4.34) used by some applications to
authenticate.
Both servers use the meta backend, which is the frontend to two AD domains
in separate forests.
ldapsearch correctly finds the users on both servers, while authentication
works on one only.
I must say that I had to exclude some portions of the trees in order to
avoid duplicate names. My "correct" users are in 15 subtrees.
In the working server I configured 15 URIs, one for each subtree,
specifying for each of them the credentials, the attribute mappings and
the suffixmassage. The bad news is that slapd.conf is 580 lines and its
maintenance is error-prone.
That's why I configured the second server with only two URIs and with
ACLs to limit access to the 15 subtrees. The resulting
slapd.conf is much more readable and easy to maintain, but it does not
work.
The ACLs are all of this type:
access to dn.subtree="ou=Users,ou=MySite,dc=FirstSubdomain,dc=Company,dc=com"
        by dn.exact="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" read
There are no other ACLs, but I already tried adding something like
"access to * by * read" with no success.
As said before ldapsearch works fine, while authentication does not.
Please look at the excerpts from the log files of both servers when I
try to authenticate.
Both servers start with the same sequence, but one stops just after the
same search result.
conn=1033 fd=10 ACCEPT from IP=10.31.222.106:38492 (IP=0.0.0.0:389)
conn=1033 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" method=128
conn=1033 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" mech=SIMPLE ssf=0
conn=1033 op=0 RESULT tag=97 err=0 text=
conn=1033 op=1 SRCH base="dc=Company,dc=com" scope=2 deref=0 filter="(sAMAccountName=policastro)"
conn=1033 op=1 SRCH attr=sAMAccountName
conn=1033 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1033 op=2 UNBIND
conn=1033 fd=10 closed
===========================
conn=4960 fd=373 ACCEPT from IP=10.31.221.162:40893 (IP=0.0.0.0:389)
conn=4960 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" method=128
conn=4960 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" mech=SIMPLE ssf=0
conn=4960 op=0 RESULT tag=97 err=0 text=
conn=4960 op=1 SRCH base="dc=Company,dc=com" scope=2 deref=0 filter="(sAMAccountName=policastro)"
conn=4960 op=1 SRCH attr=sAMAccountName
conn=4960 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=4960 op=2 BIND anonymous mech=implicit ssf=0
conn=4960 op=2 BIND dn="cn=Policastro Francesco,ou=Users,ou=MySite,dc=FirstSubdomain,dc=Company,dc=com" method=128
conn=4960 op=2 BIND dn="cn=Policastro Francesco,ou=Users,ou=MySite,dc=FirstSubdomain,dc=Company,dc=com" mech=SIMPLE ssf=0
conn=4960 op=2 RESULT tag=97 err=0 text=
conn=4960 op=3 UNBIND
conn=4960 fd=373 closed
conn=4961 fd=373 ACCEPT from IP=10.31.221.162:40894 (IP=0.0.0.0:389)
conn=4961 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" method=128
conn=4961 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" mech=SIMPLE ssf=0
conn=4961 op=0 RESULT tag=97 err=0 text=
conn=4961 op=1 SRCH base="dc=Company,dc=com" scope=2 deref=0 filter="(&(!(?employeeID=-*))(employeeID=*)(mail=*)(givenName=*)(sn=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName=policastro))"
conn=4961 op=1 SRCH attr=sAMAccountName
conn=4961 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=4961 op=2 SRCH base="cn=Policastro Francesco,ou=Users,ou=MySite,dc=FirstSubdomain,dc=Company,dc=com" scope=0 deref=0 filter="(&(!(?employeeID=-*))(employeeID=*)(mail=*)(givenName=*)(sn=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
conn=4961 op=2 SRCH attr=givenName sn mail employeeID sAMAccountName
conn=4961 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=4961 op=3 UNBIND
conn=4961 fd=373 closed
conn=4962 fd=373 ACCEPT from IP=10.31.221.162:40895 (IP=0.0.0.0:389)
conn=4962 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" method=128
conn=4962 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" mech=SIMPLE ssf=0
conn=4962 op=0 RESULT tag=97 err=0 text=
conn=4962 op=1 SRCH base="dc=Company,dc=com" scope=2 deref=0 filter="(sAMAccountName=policastro)"
conn=4962 op=1 SRCH attr=sAMAccountName
conn=4962 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=4962 op=2 SRCH base="cn=Policastro Francesco,ou=Users,ou=MySite,dc=FirstSubdomain,dc=Company,dc=com" scope=0 deref=0 filter="(objectClass=*)"
conn=4962 op=2 SRCH attr=shadowExpire
conn=4962 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=4962 op=3 UNBIND
Can anyone explain to me what happens and how to make the ACL version work?
Thanks, Francesco
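Added example (not code from the original post or from OpenLDAP): a small Python parser for the slapd stats-level log lines quoted above. It groups the lines by conn and op and classifies each connection as a "bind as service account, search for the user, bind as the user" flow. The sample is copied from the post's first two connections (conn=1033 from the ACL server, conn=4960 from the 15-URI server) with the e-mail-wrapped DN lines rejoined; the service-account DN is the one in the post, and the verdict labels are this example's own. Run over those two connections it makes the difference explicit: on the ACL server the client unbinds right after the search returns one entry and never attempts a bind as the found user, while on the other server op=2 is a successful simple bind as that DN.

```python
"""Per-connection view of slapd stats logs.

Added example, not code from the original post or from OpenLDAP: parse the
stats log lines, group them by conn and op, and report whether the client
went on to bind as the user it found.  Verdict labels are this example's own.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^conn=(\d+)\s+(?:op=(\d+)\s+)?(.*)$")
BIND_RE = re.compile(r'^BIND dn="([^"]*)"\s+(?:method=\d+|mech=\S+)')
SRCH_RE = re.compile(r'^SRCH base="([^"]*)"\s+scope=(\d+)\s+deref=\d+\s+filter="(.*)"$')
RESULT_RE = re.compile(r"^(?:SEARCH )?RESULT tag=(\d+) err=(\d+)(?: nentries=(\d+))?")

# Service account the application binds with (taken from the post).
SERVICE_DN = "cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com"

# Copied from the post: conn=1033 is the ACL server, conn=4960 the 15-URI server.
SAMPLE_LOG = """\
conn=1033 fd=10 ACCEPT from IP=10.31.222.106:38492 (IP=0.0.0.0:389)
conn=1033 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" method=128
conn=1033 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" mech=SIMPLE ssf=0
conn=1033 op=0 RESULT tag=97 err=0 text=
conn=1033 op=1 SRCH base="dc=Company,dc=com" scope=2 deref=0 filter="(sAMAccountName=policastro)"
conn=1033 op=1 SRCH attr=sAMAccountName
conn=1033 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1033 op=2 UNBIND
conn=4960 fd=373 ACCEPT from IP=10.31.221.162:40893 (IP=0.0.0.0:389)
conn=4960 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" method=128
conn=4960 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" mech=SIMPLE ssf=0
conn=4960 op=0 RESULT tag=97 err=0 text=
conn=4960 op=1 SRCH base="dc=Company,dc=com" scope=2 deref=0 filter="(sAMAccountName=policastro)"
conn=4960 op=1 SRCH attr=sAMAccountName
conn=4960 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=4960 op=2 BIND anonymous mech=implicit ssf=0
conn=4960 op=2 BIND dn="cn=Policastro Francesco,ou=Users,ou=MySite,dc=FirstSubdomain,dc=Company,dc=com" method=128
conn=4960 op=2 BIND dn="cn=Policastro Francesco,ou=Users,ou=MySite,dc=FirstSubdomain,dc=Company,dc=com" mech=SIMPLE ssf=0
conn=4960 op=2 RESULT tag=97 err=0 text=
conn=4960 op=3 UNBIND
"""


def parse_slapd_log(text):
    """Return {conn: [op records in op order]}; ACCEPT/closed lines have no op and are skipped."""
    conns = defaultdict(dict)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group(2) is None:
            continue
        conn, op, rest = int(m.group(1)), int(m.group(2)), m.group(3)
        rec = conns[conn].setdefault(op, {"op": op, "type": None, "err": None})
        srch = SRCH_RE.match(rest)
        result = RESULT_RE.match(rest)
        if rest.startswith("BIND "):
            rec["type"] = "BIND"
            bind = BIND_RE.match(rest)
            if bind:  # "BIND anonymous mech=implicit" (the reset before a re-bind) carries no dn
                rec["dn"] = bind.group(1)
        elif srch:
            rec.update(type="SRCH", base=srch.group(1), scope=int(srch.group(2)),
                       filter=srch.group(3), nentries=0)
        elif rest.startswith("SRCH attr="):
            rec["attrs"] = rest[len("SRCH attr="):].split()
        elif rest.startswith("UNBIND"):
            rec["type"] = "UNBIND"
        elif result:
            rec["err"] = int(result.group(2))
            if result.group(3) is not None:
                rec["nentries"] = int(result.group(3))
    return {c: [ops[k] for k in sorted(ops)] for c, ops in sorted(conns.items())}


def classify_auth_flow(ops, service_dn=SERVICE_DN):
    """Verdict for one connection of a 'service bind, search for user, bind as user' flow."""
    service_ok = any(o["type"] == "BIND" and o.get("dn") == service_dn and o["err"] == 0
                     for o in ops)
    hits = [o for o in ops if o["type"] == "SRCH" and o["err"] == 0 and o.get("nentries", 0) > 0]
    user_binds = [o for o in ops if o["type"] == "BIND" and o.get("dn") not in (None, service_dn)]
    if not service_ok:
        return "no-service-bind"
    if not hits:
        return "user-not-found"
    if not user_binds:
        return "found-but-no-user-bind"  # client unbound right after the search result
    if all(o["err"] == 0 for o in user_binds):
        return "user-bind-ok"
    return "user-bind-failed"


def summarise(text):
    """Return {conn: (verdict, [op types in order])} for every connection in the log text."""
    return {conn: (classify_auth_flow(ops), [o["type"] for o in ops])
            for conn, ops in parse_slapd_log(text).items()}


if __name__ == "__main__":
    for conn, (verdict, seq) in summarise(SAMPLE_LOG).items():
        print(f"conn={conn}: {' -> '.join(seq)}  => {verdict}")
```

Both searches report nentries=1, so the stats log alone cannot show whether the entry handed back to LdapSnooper carries the same DN and attributes on both servers; comparing the actual ldapsearch output as LdapSnooper against each server is the natural next check, and running the ACL server with the acl loglevel (128) added shows which rule each returned entry and attribute hits.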