Thanks for your reponse, Dieter. Basically, you said "RTFM" just using more polite words. But I already do that, man! I played with a few combination of idassert-bind option but it doesn't help to me. B-)
Dieter Kluenter wrote:
Martin Rubáš mrubas@kerio.com writes:
If I use ldapsearch -D "cn=The Root,..." -b "cn=The User,..." then slapd binds to "cn=The Bind". That's correct, I guess... But when I use some other DN for -D parameter then the response is "LdarErr: DSID-0C090627 ... " (I saw that one many time in archives). It doesn't matter if it was "cn=The User,..." or "cn=The Bind".
This Error seems to be not a slapd error, so you should check some other services in your network. The configuration parameters for translucent overlay are incorrect, see man slapo-translucent(5) and man slapd-ldap(5), you should probably use idassert-bind parameters.
Yes, I know that this error is returned by Active Directory LDAP server. It says, that data were requested using unbinded connection and AD server on Win2003 requires to bind. See the second half of this (and also the original email)...
#====================================================================== database ldap suffix "dc=domain,dc=net" uri ldap://pdc.domain.net:389 chase-referrals yes rebind-as-user yes
database relay suffix "dc=alias,dc=net" relay "dc=domain,dc=net" overlay rwm rwm-suffixmassage "dc=domain,dc=net" #----------------------------------------------------------------------
In the first case you where requesting the ldap backend, in the second case the relay backend. If a request to relay backend failed but where successful to the ldap backend, than something is wrong with your relay backend configuration. Debug slapd's acl parsing to find the reason.
"man slapd-relay" shows only one option that I already used - relay <real.naming.ctx>. other option mentioned in "man slapd.conf" under section related to backends doesn't talk about anything related to binding (except sync-replication which is no matter now).
---
If I understood man pages and FAQs well the identity assertion mechanism allows to specify (through idassert-bind, idassert-authzFrom, etc.) which identity will be used to bind on remote server. As I want to use the identity that was used to access slapd I have to use idassert-bind with mode=self or mode=legacy. That's correct, isnt't?
So, what's wrong with my config that binding to raw ldap backend works and binding to relay doesn't (yes, I use proper DNs with correct suffix):
1. ldapsearch ... -D "cn=The User,cn=Users,dc=domain,dc=net" - is successful and TCP stream looks something like that: connect(srcport=44111) bind(44111)["The User"] -> success request(44111) -> success
2. ldapsearch .... -D "cn=The User,cn=Users,dc=alias,dc=net" - ends with failure and TCP stream is pretty weird: connect(44111) bind(44111)["The User"] -> success connect(33666) --- why??? bind(33666)["<ROOT>"] -> success --- huh ??? anonymous bind??? request(33666) -> LdapErr: DSID-0C090627 --- no-binding = no-data from Active Directory
... and consecutive searches are similar to this one:
connect(44222) --- another connection??? why??? the 44111 was not closed yet... bind(44222)["The User"] -> success request(33666) -> LdapErr: DSID-0C090627 --- reusing incorrectly binded connection?? very nice :-(
For more details on TCP stream see original email (there is a packet dump from Wireshark).
So, what I have not been able to do yet... I want to use the slapd with "The User" and its own credentials to forward LDAP request to remote Active Directory with the identity of "The User" using slapd-relay/slapo-rwm or slapd-hdb/slapo-translucent exactly same way as it works for raw slapd-ldap.
The only way was to specify some account using idassert-bind. The search through slapd-relay returned the requested data but the "doubled connection" was still in play but "The IdAssert" identity was used instead of the strange "<ROOT"> for binding. Unfortunately, this is not desired but "The User" biding is preferred.
I hope I explained my problem well. Could someone help me, please?
Martin