Hi to all,
for my company I'm trying to set up an LDAP proxy to our Active Directory implementation. After some time I have found several problems with some critical applications that do not support multiple OUs and CNs formed as "Surname Name", caused by the bad structure and nomenclature of the AD, but we can't change it. To work around the problem I have used the rwm module to rewrite the bind DN part of the client query to the AD format name.surname@domain, but the proxy returns:
[root@client ~]# ldapsearch -H ldap://192.168.29.134 -D "CN=Name.Surname,OU=subou,OU=Users HOUSE,DC=domain,DC=int" -W
ldap_bind: Invalid syntax (21)
        additional info: bindDN massage error

some logs:
Nov  3 21:32:33 proxy slapd[1309]: conn=1001 op=0 do_bind
Nov  3 21:32:33 proxy slapd[1309]: >>> dnPrettyNormal: <CN=Name.Surname,OU=subou,OU=Users HOUSE,DC=domain,DC=int>
Nov  3 21:32:33 proxy slapd[1309]: <<< dnPrettyNormal: <cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int>, <cn=Name.Surname,ou=subou,ou=users house,dc=domain,dc=int>
Nov  3 21:32:33 proxy slapd[1309]: conn=1001 op=0 BIND dn="cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int" method=128
Nov  3 21:32:33 proxy slapd[1309]: do_bind: version=3 dn="cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int" method=128
Nov  3 21:32:33 proxy slapd[1309]: daemon: activity on 1 descriptor
Nov  3 21:32:33 proxy slapd[1309]: daemon: activity on:
Nov  3 21:32:33 proxy slapd[1309]: ==> rewrite_context_apply [depth=1] string='cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int'
Nov  3 21:32:33 proxy slapd[1309]:
Nov  3 21:32:33 proxy slapd[1309]: ==> rewrite_rule_apply rule='^([C,c][N,n]=)([^.]*).([^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)$' string='cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int' [1 pass(es)]
Nov  3 21:32:33 proxy slapd[1309]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov  3 21:32:33 proxy slapd[1309]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Nov  3 21:32:33 proxy slapd[1309]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Nov  3 21:32:33 proxy slapd[1309]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Nov  3 21:32:33 proxy slapd[1309]: ==> rewrite_rule_apply rule='^([C,c][N,n]=)([^.]*).([^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)$' string='cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int' [1 pass(es)]
Nov  3 21:32:33 proxy slapd[1309]: ==> rewrite_rule_apply rule='^([C,c][N,n]=)([^.]*).([^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)$' string='cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int' [1 pass(es)]
Nov  3 21:32:33 proxy slapd[1309]: ==> rewrite_rule_apply rule='^([C,c][N,n]=)([^.]*).([^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)$' string='cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int' [1 pass(es)]
Nov  3 21:32:33 proxy slapd[1309]: ==> rewrite_rule_apply rule='^([C,c][N,n]=)([^.]*).([^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)$' string='cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int' [1 pass(es)]
Nov  3 21:32:33 proxy slapd[1309]: ==> rewrite_context_apply [depth=1] res={0,'Name.Surname@domain.int'}
Nov  3 21:32:33 proxy slapd[1309]: [rw] bindDN: "cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int" -> "Name.Surname@domain.int"
Nov  3 21:32:33 proxy slapd[1309]: >>> dnPrettyNormal: Name.Surname@domain.int
Nov  3 21:32:33 proxy slapd[1309]: send_ldap_result: conn=1001 op=0 p=3
Nov  3 21:32:33 proxy slapd[1309]: send_ldap_result: err=21 matched="" text="bindDN massage error"
Nov  3 21:32:33 proxy slapd[1309]: send_ldap_response: msgid=1 tag=97 err=21
Nov  3 21:32:33 proxy slapd[1309]: conn=1001 op=0 RESULT tag=97 err=21 text=bindDN massage error
I have downloaded the source code to try to remove or skip this check, but with my limited programming skills I haven't found the solution after a month. So is there a way (or a better way) to accomplish this?
Best regards, Giuseppe.
Config file of my test env:
### Schema includes ###########################################################
#include        /etc/ldap/schema/corba.schema
#include        /etc/ldap/schema/core.schema
#include        /etc/ldap/schema/cosine.schema
#include        /etc/ldap/schema/duaconf.schema
#include        /etc/ldap/schema/dyngroup.schema
#include        /etc/ldap/schema/inetorgperson.schema
#include        /etc/ldap/schema/java.schema
#include        /etc/ldap/schema/misc.schema
#include        /etc/ldap/schema/nis.schema
#include        /etc/ldap/schema/openldap.schema
#include        /etc/ldap/schema/ppolicy.schema
#include        /etc/ldap/schema/collective.schema
#include        /etc/openldap/schema/ad.schema

include         /etc/openldap/schema/corba.schema
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
#include        /etc/ldap/schema/duaconf.schema
#include        /etc/ldap/schema/dyngroup.schema
include         /etc/openldap/schema/inetorgperson.schema
#include        /etc/ldap/schema/java.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/nis.schema
#include        /etc/ldap/schema/openldap.schema
#include        /etc/ldap/schema/ppolicy.schema
#include        /etc/ldap/schema/collective.schema
include         /etc/openldap/schema/ad.schema

### Module paths ##############################################################
#modulepath     /usr/lib/ldap/
moduleload      back_ldap
moduleload      rwm

overlay                 rwm
rwm-rewriteEngine       on
rwm-rewriteContext      bindDN
rwm-rewriteRule   "^([C,c][N,n]=)([^.]*)\.([^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)$" "$2.$3@domain.int" ":@I"
#rwm-rewriteRule  "^([C,c][N,n]=)([^.]*)\.([^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)$" "domain\$2.$3" ":@I"
#rwm-rewriteRule  "^([C,c][N,n]=)([^.]*)\.([^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)$" "CN=$3 $2$4$5" ":@I"

# Main settings ###############################################################
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
allow bind_v2

### Database definition (Proxy to AD) #########################################
database        config

database        ldap
readonly        yes
protocol-version 3
rebind-as-user
uri             "ldap://192.168.29.133:389"
suffix          "dc=domain,dc=int"
rootdn          "CN=Administrator,CN=Users,DC=domain,DC=int"
rootpw          "hidden"

idassert-bind   bindmethod=simple
                binddn="CN=Administrator,CN=Users,DC=domain,DC=int"
                credentials="hidden"
                mode=none
                flags=non-prescriptive
idassert-authzFrom "*"

#overlay        rwm
rwm-map         attribute       uid     sAMAccountName
rwm-map         attribute       mail    proxyAddresses

### Logging ###################################################################
loglevel        -1
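What the log above shows, as an added note and worked example that is not part of Giuseppe's post: the rewrite itself succeeds (res={0,'Name.Surname@domain.int'}), but slapo-rwm then passes the rewritten bind DN through dnPrettyNormal before handing it to back-ldap, and "Name.Surname@domain.int" is not a DN (it contains no attributeType=value RDN), so the overlay rejects it with err=21 and the text "bindDN massage error". A userPrincipalName is something Active Directory accepts as the name in a simple bind, but the bindDN rewrite context of rwm has to produce a syntactically valid DN, which is why the commented-out "CN=$3 $2$4$5" rule gets past this check while the active UPN rule cannot. The Python script below reproduces both halves of that behaviour offline: it applies the rwm-rewriteRule from the config above (translating rwm's $N back-references to Python's) and runs an approximate DN syntax check on the result, for both the active rule and the commented-out one. The DN check is a small RFC 4514 parse written for this example, not slapd's code; the bind DN is the one from the failing ldapsearch. As a side note, [C,c] is a bracket expression that also admits a literal comma, which is harmless here but not what was intended.

```python
import re
from typing import Optional, Tuple

# Rewrite rule copied from the slapd.conf above (slapo-rwm: POSIX ERE pattern,
# substitution with $N back-references).  [C,c] also admits a literal comma;
# harmless for these inputs.
RULE_PATTERN = (r"^([C,c][N,n]=)([^.]*)\.([^.]*)"
                r"(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)$")
RULE_UPN = "$2.$3@domain.int"   # the active rule: produces a UPN, not a DN
RULE_DN = "CN=$3 $2$4$5"        # the commented-out rule: produces a DN

# The bind DN from the failing ldapsearch, as slapd normalised it in the log.
BIND_DN = "cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int"


def rwm_rewrite(pattern: str, subst: str, value: str) -> Optional[str]:
    """Apply one rwm-rewriteRule.  Returns the rewritten string, or None when
    the pattern does not match (rwm then leaves the value untouched)."""
    m = re.match(pattern, value)
    if m is None:
        return None
    # rwm writes back-references as $N; Python's re wants \g<N>.
    py_subst = re.sub(r"\$(\d)", r"\\g<\1>", subst)
    return m.expand(py_subst)


def _split_unescaped(s: str, sep: str) -> list:
    """Split on sep, ignoring separators escaped with a backslash (RFC 4514)."""
    parts, cur, escaped = [], [], False
    for ch in s:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


# attributeType is a descriptor (cn, ou, dc, ...) or a dotted OID
_AVA = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)\s*=(.*)$")


def is_valid_dn(dn: str) -> bool:
    """Approximation of the syntax check dnPrettyNormal() performs: every RDN
    must consist of one or more attributeType=value pairs.  This is a small
    RFC 4514 parse written for this example, not slapd's own code."""
    if dn == "":
        return True  # the empty DN is valid (anonymous bind / rootDSE)
    for rdn in _split_unescaped(dn, ","):
        for ava in _split_unescaped(rdn, "+"):
            if _AVA.match(ava) is None:
                return False
    return True


def massage_bind_dn(subst: str, dn: str = BIND_DN) -> Tuple[str, bool]:
    """Mimic what slapo-rwm does to the bind DN: rewrite it, then require the
    result to be a DN.  A False second element is what the client sees as
    'ldap_bind: Invalid syntax (21) ... bindDN massage error'."""
    rewritten = rwm_rewrite(RULE_PATTERN, subst, dn)
    if rewritten is None:
        rewritten = dn
    return rewritten, is_valid_dn(rewritten)


if __name__ == "__main__":
    for label, subst in (("UPN rule", RULE_UPN), ("DN rule", RULE_DN)):
        rewritten, ok = massage_bind_dn(subst)
        status = "accepted" if ok else "rejected: bindDN massage error (err=21)"
        print(f"{label}: {BIND_DN!r} -> {rewritten!r}: {status}")
```

Run as-is, the UPN rule yields "Name.Surname@domain.int" and is rejected exactly as in the log, while the DN rule yields "CN=Surname Name,ou=subou,ou=Users HOUSE,dc=domain,dc=int" and passes the syntax check. Passing the check is only the first hurdle: back-ldap then forwards that rewritten DN to AD for the real bind, so the rewritten DN also has to be an entry that actually exists on the AD side with the expected CN.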