Hi all,
I am trying to configure an OpenLDAP proxy to proxy searches to my 2 (two) different AD servers. I am testing/trying to log in as a domain user to an application that is configured to verify users against this proxy.
Context is:
- allowed app users from AD1 will be placed in the "AllowAPP" group on AD1 - i.e. CN=AllowAPP,OU=Groups,OU=Something,DC=domain,DC=xy
- allowed app users from AD2 will be placed in the "AllowAPP" group on AD2 - i.e. CN=Allow,OU=App,OU=Group,DC=domain2,DC=local
- these two groups are placed in different OUs on the two ADs (Active Directories), so special rewriting has to be done on both URIs
The problem is that I don't know how to correctly authenticate users. The app configuration is that it will allow login only to a user who is a member of the CN=AllowAPP,OU=Groups,DC=grouped,DC=all "virtual" group.
Everything works fine when I search the group membership of users with ldapsearch. I can find the members of both groups by searching the virtual group mentioned above.
I suspect there is a problem with passing user credentials to one of the AD servers that I am proxying to. I am using sAMAccountName as the user login.
This is the debug output of the search when I try to log in from the app:
SRCH base="dc=grouped,dc=all" scope=2 deref=2 filter="(?SAMACCOUNTNAME=test.user)"
This is the error produced while I am trying to log in as a user:
meta_back_search[0] match="" err=1 (Operations error) text="000004DC: LdapErr: DSID-0C09075A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1".
Am I doing something wrong? Can you advise? I am probably missing something that refers to validating user credentials.
Thanks, BR,
Martin
This is my configuration so far:
database meta
suffix "dc=grouped,dc=all"
rootdn "cn=admin,dc=grouped,dc=all"
rootpw "password"
readonly yes
lastmod off
uri ldap://AD1/dc=grouped,dc=all
suffixmassage "dc=grouped,dc=all" "dc=domain,dc=xy"
idassert-bind bindmethod=simple
binddn="CN=bind,CN=Users,dc=domain,dc=xy"
credentials="password"
mode=none
flags=non-prescriptive
rewriteEngine on
chase-referrals yes
rewriteContext default
rewriteContext searchBase
rewriteRule "CN=AllowAPP,OU=Groups,DC=grouped,DC=all$" "CN=AllowAPP,OU=Groups,OU=Something,DC=domain,DC=xy" "@"
uri ldap://AD2/dc=grouped,dc=all
suffixmassage "dc=grouped,dc=all" "dc=domain2,dc=local"
idassert-bind bindmethod=simple
binddn="CN=binduser,CN=Users,dc=domain2,dc=local"
credentials="password"
mode=none
flags=non-prescriptive
rewriteEngine on
chase-referrals yes
rewriteContext default
rewriteContext searchBase
rewriteRule "CN=AllowAPP,OU=Groups,DC=grouped,DC=all$" "CN=Allow,OU=App,OU=Group,DC=domain2,DC=local" "@"
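An added log check, not part of Martin's post and not OpenLDAP code: it scans slapd debug lines of the kind quoted above for search filters whose attribute type slapd marked as undefined (the leading "?" before SAMACCOUNTNAME) and for per-target meta_back_search errors that carry AD's 000004DC "bind must be completed" text. The sample lines are constructed from the post; the line prefixes and the second, clean search are assumptions for illustration.

```python
import re

# Constructed sample, modelled on the slapd debug lines quoted in the post.
SAMPLE_LOG = """\
conn=1001 op=1 SRCH base="dc=grouped,dc=all" scope=2 deref=2 filter="(?SAMACCOUNTNAME=test.user)"
conn=1001 op=1 meta_back_search[0] match="" err=1 (Operations error) text="000004DC: LdapErr: DSID-0C09075A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1"
conn=1002 op=1 SRCH base="dc=grouped,dc=all" scope=2 deref=2 filter="(cn=AllowAPP)"
conn=1002 op=1 meta_back_search[1] match="" err=0
"""

SRCH_RE = re.compile(r'SRCH base="(?P<base>[^"]*)" .*?filter="(?P<filter>[^"]*)"')
# slapd logs an attribute type it cannot find in its schema as "?name";
# such a filter is undefined and matches nothing on the proxy side.
UNDEFINED_ATTR_RE = re.compile(r'\(\?(?P<attr>[^=~<>]+)[=~<>]')
META_ERR_RE = re.compile(r'meta_back_search\[(?P<target>\d+)\] .*?err=(?P<err>\d+)')
AD_BIND_REQUIRED = "000004DC"  # AD: operation requires a completed bind


def analyse(log_text):
    """Return (kind, detail) findings for each suspicious slapd line."""
    findings = []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            for u in UNDEFINED_ATTR_RE.finditer(m.group("filter")):
                findings.append(("undefined-attribute", u.group("attr")))
            continue
        m = META_ERR_RE.search(line)
        if m and m.group("err") != "0":
            kind = "target-requires-bind" if AD_BIND_REQUIRED in line else "target-error"
            # detail is the index of the uri/target block in the meta config
            findings.append((kind, int(m.group("target"))))
    return findings


if __name__ == "__main__":
    for kind, detail in analyse(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```

Each target index maps to the order of the uri blocks in the meta database, so target 0 is the AD1 block above.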