Hi to all,
for my companty I'm triing to setup a LDAP proxy to our Active Direcory implementation, after some time I have found several problems on some critical application that does not support multiple OU anche CN formed by "Surname Name" caused by the bad structure and nomenclature on the AD, but we cant change it.
To work around the problem I have used the rwm module to rewrite the client binddn query part to AD format name.surname@domain, but the proxy return:
[root@client ~]# ldapsearch -H ldap://192.168.29.134 ��-D "CN=Name.Surname,OU=subou,OU=Users HOUSE,DC=domain,DC=int" -W
ldap_bind: Invalid syntax (21)
�� �� �� �� additional info: bindDN massage error
���� ������ ��
some logs:
Nov ��3 21:32:33 proxy slapd[1309]: conn=1001 op=0 do_bind
Nov ��3 21:32:33 proxy slapd[1309]: >>> dnPrettyNormal: <CN=Name.Surname,OU=subou,OU=Users HOUSE,DC=domain,DC=int>
Nov ��3 21:32:33 proxy slapd[1309]: <<< dnPrettyNormal: <cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int>, <cn=Name.Surname,ou=subou,ou=users house,dc=domain,dc=int>
Nov ��3 21:32:33 proxy slapd[1309]: conn=1001 op=0 BIND dn="cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int" method=128
Nov ��3 21:32:33 proxy slapd[1309]: do_bind: version=3 dn="cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int" method=128
Nov ��3 21:32:33 proxy slapd[1309]: daemon: activity on 1 descriptor
Nov ��3 21:32:33 proxy slapd[1309]: daemon: activity on:
Nov ��3 21:32:33 proxy slapd[1309]: ==> rewrite_context_apply [depth=1] string='cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int'
Nov ��3 21:32:33 proxy slapd[1309]:
Nov ��3 21:32:33 proxy slapd[1309]: ==> rewrite_rule_apply rule='^([C,c][N,n]=)([^.]*)\.([^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)$' string='cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int' [1 pass(es)]
Nov ��3 21:32:33 proxy slapd[1309]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov ��3 21:32:33 proxy slapd[1309]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov ��3 21:32:33 proxy slapd[1309]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Nov ��3 21:32:33 proxy slapd[1309]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov ��3 21:32:33 proxy slapd[1309]: ==> rewrite_rule_apply rule='^([C,c][N,n]=)([^.]*)\.([^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)$' string='cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int' [1 pass(es)]
Nov ��3 21:32:33 proxy slapd[1309]: ==> rewrite_rule_apply rule='^([C,c][N,n]=)([^.]*)\.([^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)$' string='cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int' [1 pass(es)]
Nov ��3 21:32:33 proxy slapd[1309]: ==> rewrite_rule_apply rule='^([C,c][N,n]=)([^.]*)\.([^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)$' string='cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int' [1 pass(es)]
Nov ��3 21:32:33 proxy slapd[1309]: ==> rewrite_rule_apply rule='^([C,c][N,n]=)([^.]*)\.([^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)$' string='cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int' [1 pass(es)]
Nov ��3 21:32:33 proxy slapd[1309]: ==> rewrite_context_apply [depth=1] res={0,'Name.Surname(a)domain.int'}
Nov ��3 21:32:33 proxy slapd[1309]: [rw] bindDN: "cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int" -> "Name.Surname(a)domain.int"
Nov ��3 21:32:33 proxy slapd[1309]: >>> dnPrettyNormal: <Name.Surname(a)domain.int>
Nov ��3 21:32:33 proxy slapd[1309]: send_ldap_result: conn=1001 op=0 p=3
Nov ��3 21:32:33 proxy slapd[1309]: send_ldap_result: err=21 matched="" text="bindDN massage error"
Nov ��3 21:32:33 proxy slapd[1309]: send_ldap_response: msgid=1 tag=97 err=21
Nov ��3 21:32:33 proxy slapd[1309]: conn=1001 op=0 RESULT tag=97 err=21 text=bindDN massage error
I have downloaded the source code for try to remove or skip this check, but with my few programming skills after a month I haven't find the solution.
So there is a way (or a better way) to accomplish this need?
Best regards,
Giuseppe.
Config file of my test env:
### Schema includes ###########################################################
#include �� �� �� �� /etc/ldap/schema/corba.schema
#include �� �� �� �� /etc/ldap/schema/core.schema
#include �� �� �� �� /etc/ldap/schema/cosine.schema
#include �� �� �� �� /etc/ldap/schema/duaconf.schema
#include �� �� �� �� /etc/ldap/schema/dyngroup.schema
#include �� �� �� �� /etc/ldap/schema/inetorgperson.schema
#include �� �� �� �� /etc/ldap/schema/java.schema
#include �� �� �� �� /etc/ldap/schema/misc.schema
#include �� �� �� �� /etc/ldap/schema/nis.schema
#include �� �� �� �� /etc/ldap/schema/openldap.schema
#include �� �� �� �� /etc/ldap/schema/ppolicy.schema
#include �� �� �� �� /etc/ldap/schema/collective.schema
#include �� �� �� �� /etc/openldap/schema/ad.schema
include �� �� �� �� /etc/openldap/schema/corba.schema
include �� �� �� �� /etc/openldap/schema/core.schema
include �� �� �� �� /etc/openldap/schema/cosine.schema
#include �� �� �� �� /etc/ldap/schema/duaconf.schema
#include �� �� �� �� /etc/ldap/schema/dyngroup.schema
include �� �� �� �� /etc/openldap/schema/inetorgperson.schema
#include �� �� �� �� /etc/ldap/schema/java.schema
include �� �� �� �� /etc/openldap/schema/misc.schema
include �� �� �� �� /etc/openldap/schema/nis.schema
#include �� �� �� �� /etc/ldap/schema/openldap.schema
#include �� �� �� �� /etc/ldap/schema/ppolicy.schema
#include �� �� �� �� /etc/ldap/schema/collective.schema
include �� �� �� �� /etc/openldap/schema/ad.schema
#
## Module paths ##############################################################
#modulepath �� �� �� �� �� �� ��/usr/lib/ldap/
moduleload �� �� �� �� �� �� ��back_ldap
moduleload �� �� �� �� �� �� ��rwm
overlay �� �� �� �� �� �� �� �� rwm
rwm-rewriteEngine �� �� �� on
rwm-rewriteContext �� �� ��bindDN
rwm-rewriteRule �� �� "^([C,c][N,n]=)([^.]*)\\.([^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)$" "$2.$3(a)domain.int" ":@I"
#rwm-rewriteRule �� �� "^([C,c][N,n]=)([^.]*)\\.([^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)$" "domain\\$2.$3" ":@I"
#rwm-rewriteRule �� �� "^([C,c][N,n]=)([^.]*)\\.([^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)$" "CN=$3 $2$4$5" ":@I"
# Main settings ###############################################################
pidfile �� �� �� �� �� �� �� �� /var/run/openldap/slapd.pid
argsfile �� �� �� �� �� �� �� ��/var/run/openldap/slapd.args
allow bind_v2
### Database definition (Proxy to AD) #########################################
database �� �� �� �� �� �� �� ��config
database �� �� �� �� �� �� �� ��ldap
readonly �� �� �� �� �� �� �� ��yes
protocol-version �� �� �� ��3
rebind-as-user
uri �� �� �� �� �� �� �� �� �� �� "ldap://192.168.29.133:389"
suffix �� �� �� �� �� �� �� �� ��"dc=domain,dc=int"
rootdn �� �� �� �� �� �� �� �� ��"CN=Administrator,CN=Users,DC=domain,DC=int"
rootpw �� �� �� �� �� �� �� �� ��"hidden"
idassert-bind bindmethod=simple
�� ��binddn="CN=Administrator,CN=Users,DC=domain,DC=int"
�� ��credentials="hidden"
�� ��mode=none
�� ��flags=non-prescriptive
idassert-authzFrom "*"
#overlay �� �� �� �� �� �� �� �� rwm
rwm-map �� �� �� �� �� �� �� �� attribute �� �� �� uid �� �� sAMAccountName
rwm-map �� �� �� �� �� �� �� �� attribute �� �� �� mail �� ��proxyAddresses
### Logging ###################################################################
loglevel �� �� �� �� �� �� �� ��-1
