Dysan 67 wrote:

Hello,
I have a problem with acl and group.
I configured a proxy slapd and add acl (see slapd.conf below)

Read the slapd-ldap(5) manpage. Since your remote server is AD you must configure explicit Bind credentials for any access of the remote server. In this case, back-ldap cannot look up the remote group memberships because you have failed to configure acl-bind.

Run slapd with -d7 and it will be obvious that this is the problem.

When I run a ldapsearch command with user 'Test User' the attributes are
displayed. It's Ok

But when I run the same ldapsearch command with user 'Synchro1 User' the
message 'Insufficient access (50)' are displayed. It's not ok
The user 'Synchro1 User' is member of
CN=Grp_Users_UG,OU=Gina,OU=Applications,DC=activedir,DC=example,DC=ch

Are you an idea ?
Thank you for you help
Dysan

My environment
---------------------
ldapproxy server is CentOS release 5.9 (Final) openldap version 2.3.43
dc1-test Windows Server 2008 R2 (Domain Controler)

Ldapsearch command
-------------------
$ ldapsearch -x -LLL -H ldaps://ldapproxy.example.ch:636

<http://ldapproxy.example.ch:636>  -D "CN=Test

User,OU=TST,OU=USERS,DC=activedir,DC=example,DC=ch" -W -b
"dc=activedir,dc=example,dc=ch" -s sub cn=*
Enter LDAP Password:
dn: ........
...

$ ldapsearch -x -LLL -H ldaps://ldapproxy.example.ch:636

<http://ldapproxy.example.ch:636>  -D "CN=Synchro1

User,OU=TST,OU=USERS,DC=activedir,DC=example,DC=ch" -W -b
"dc=activedir,dc=example,dc=ch" -s sub cn=*
Enter LDAP Password:
Insufficient access (50)

slapd.conf
----------
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
allow bind_v2

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
TLSCipherSuite  HIGH:-SSLv2
TLSCACertificateFile /etc/openldap/cacerts/cacerts.crt
TLSCertificateFile /etc/openldap/cacerts/ldapproxy.example.ch.crt
TLSCertificateKeyFile /etc/openldap/cacerts/ldapproxy.example.ch.key

loglevel -1
disallow        bind_anon

# AD
database        ldap
suffix          "dc=activedir,dc=example,dc=ch"

uri             "ldaps://dc1-test.example.ch/ <http://dc1-test.example.ch/>"

readonly on
rebind-as-user
lastmod  off

access to attrs=displayname,sn,givenname,mail,telephoneNumber
   by dn.exact="CN=Test User,OU=TST,OU=USERS,DC=activedir,DC=example,DC=ch" read
   by
group.exact="CN=Grp_Users_UG,OU=Gina,OU=Applications,DC=activedir,DC=example,DC=ch"
read
   by * none

# The users must see the entry itself
access to attrs=entry
   by dn.exact="CN=Test User,OU=TST,OU=USERS,DC=activedir,DC=example,DC=ch" read
   by
group.exact="CN=Grp_Users_UG,OU=Gina,OU=Applications,DC=activedir,DC=example,DC=ch"
read
   by * none

# Other attributes, others users have no access
access to *
   by * none
#---------------------------------------------------------------------------------------------------------------
slapd.conf end

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/