I am still running into an issue when attempting to use openldap as a proxy to AD. When I do a TCP dump on the proxy server, it doesn't appear to be actually communicating with the AD server when I issue "id user" from a client server. When I issue the same command from the "proxy" it connects to the AD as the correct user and pulls the correct information. Any help or suggestions would be greatly appreciated. Below is a snippet of my slapd.conf from the proxy and also my ldap.conf from the client machine.
[slapd.conf]
database        ldap
suffix          "cn=Users,dc=ldaptest,dc=local"
#subordinate
rebind-as-user
uri             "ldap://2008vm1.inetu.net"
acl-bind        bindmethod=simple
                binddn="CN=Bind User,CN=Users,DC=ldaptest,DC=local"
                credentials="testing"
chase-referrals yes
idassert-bind   bindmethod=simple
                authzID="u:bind"
                mode=self
                binddn="CN=Bind User,CN=Users,DC=ldaptest,DC=local"
                credentials="testing"
idassert-authzFrom "dn.regex:.*"
[slapd.conf end]
[ldap.conf]
host 10.100.223.63
port 389
base cn=Users,dc=ldaptest,dc=local
ldap_version 3
scope sub
timelimit 10
bind_timelimit 5
idle_timeout 90
bind_policy soft
pam_filter objectClass=posixAccount
pam_login_attribute uid
pam_lookup_policy no
[ldap.conf end]
I can provide logs if needed.
Thanks in advance....
-----Original Message-----
From: openldap-technical-bounces+lyork=inetu.net@openldap.org [mailto:openldap-technical-bounces+lyork=inetu.net@openldap.org] On Behalf Of Lynn York
Sent: Wednesday, September 10, 2008 10:14 AM
To: Pierangelo Masarati
Cc: openldap-technical@openldap.org
Subject: RE: LDAP proxy for AD
I am not worried about the client machine binding to the proxy server as long as the proxy server binds with a user to the AD server.
Right now what is happening is:
Issue "id user" on the client server; the connection then makes it to the proxy server as anonymous, but the proxy never attempts to bind to the AD server to verify whether "user" exists in AD. If I issue the same command "id user" from the proxy server, it binds to AD and gives me information about the user. I can't figure out how to get the client server to bind to the AD server "through" the proxy.
-Lynn
-----Original Message-----
From: Pierangelo Masarati [mailto:ando@sys-net.it]
Sent: Wednesday, September 10, 2008 9:12 AM
To: Lynn York
Cc: openldap-technical@openldap.org
Subject: Re: LDAP proxy for AD
Lynn York wrote:
When I issue "id user" from the client machine I can see the connection to the proxy server, but I do not see the connection from the proxy to the AD server. It also binds anonymously through the proxy and I need it to bind with a certain user.
[ SNIPPET FROM slapd.conf ]
database        ldap
suffix          "dc=ldaptest,dc=local"
uri             "ldap://2008vm1.inetu.net"
acl-bind        bindmethod=simple
                binddn="CN=Bind User,CN=Users,DC=ldaptest,DC=local"
                credentials="testing"
idassert-bind   bindmethod=simple
                authzID="u:bind"
                mode=self
                binddn="CN=Bind User,CN=Users,DC=ldaptest,DC=local"
                credentials="testing"
First of all, authzID is only useful if "mode" is not given, as specified in the man page; it's ignored in your case.
Second, the idassert-bind directive is only honored if the user authenticates, while your application is probably binding anonymously to the proxy.
If you want idassert to work also for anonymous operations (not recommended, as this defeats the security model of the remote server, by letting it believe that the proxy authenticated users while it didn't), you need to explicitly enable it using an idassert-authzFrom rule that includes anonymous, like
idassert-authzFrom "dn.regex:.*"
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------