Hello, I'm having the hardest time getting ProxyAuth working to FDS via the OpenLDAP slapd-ldap module.
I'm currently using a Kerberos SASL bind to the OpenLDAP proxy server, which performs a search for the associated user DN on the FDS server. This part works fine. But when slapd attempts to perform proxyauth for that user, I receive the following error from FDS:

# search result
search: 4
result: 2 Protocol error
text: unable to parse proxied authorization control
I have tested proxyauth via other methods and they work fine.
I have the following in my slapd.conf file:
# SASL
# SASL
sasl-realm     CORP.COMPANY.COM
sasl-host      ldap03.corp.company.com
sasl-secprops  minssf=56

# Regexp for SASL authentication:
authz-regexp   uid=(.*),cn=corp.company.com,cn=gssapi,cn=auth
               ldap:///dc=corp,dc=company,dc=com??sub?(uid=$1)

authz-policy   to
authzTo=ldap:///dc=corp,dc=company,dc=com??sub?(objectclass=person)

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database       ldap
suffix         "dc=corp,dc=company,dc=com"
#uri           "ldaps://ldap01.corp.company.com/dc=corp,dc=company,dc=com"
uri            "ldap://ldap01.corp.company.com/"
acl-bind       bindmethod=simple
               binddn="uid=proxyadmin,cn=users,cn=bindaccounts,dc=corp,dc=company,dc=com"
               credentials="password"
idassert-authzFrom "dn:*"
idassert-bind  bindmethod=simple
               binddn="uid=proxyadmin,cn=users,cn=bindaccounts,dc=corp,dc=company,dc=com"
               credentials="password"
               mode=self
Not sure if it's helpful, but here is the log output at the time of the event:

Apr 8 16:17:39 ldap03 slapd[3166]: ===>slap_sasl_match: comparing DN uid=dejongm,cn=opssec,cn=users,cn=accounts,dc=corp,dc=company,dc=com to rule dn:*
Apr 8 16:17:39 ldap03 slapd[3166]: slap_parseURI: parsing dn:*
Apr 8 16:17:39 ldap03 slapd[3166]: <===slap_sasl_match: comparison returned 0
Apr 8 16:17:39 ldap03 slapd[3166]: ===>slap_sasl_match: comparing DN uid=dejongm,cn=opssec,cn=users,cn=accounts,dc=corp,dc=company,dc=com to rule dn:*
Apr 8 16:17:39 ldap03 slapd[3166]: slap_parseURI: parsing dn:*
Apr 8 16:17:39 ldap03 slapd[3166]: <===slap_sasl_match: comparison returned 0
Apr 8 16:17:39 ldap03 slapd[3166]: send_ldap_result: conn=0 op=3 p=3
Apr 8 16:17:39 ldap03 slapd[3166]: send_ldap_result: err=2 matched="" text="unable to parse proxied authorization control"
Apr 8 16:17:39 ldap03 slapd[3166]: send_ldap_response: msgid=4 tag=101 err=2
Apr 8 16:17:39 ldap03 slapd[3166]: conn=0 op=3 SEARCH RESULT tag=101 err=2 nentries=0 text=unable to parse proxied authorization control
Any suggestions would be appreciated.
-Mark
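The part FDS is rejecting is the Proxied Authorization control itself, so the first thing worth checking is the exact bytes slapd puts on the wire (from a packet capture of the slapd-to-FDS connection) against what RFC 4370 specifies: control OID 2.16.840.1.113730.3.4.18, with the authzId string ("dn:<DN>" or "u:<userid>", or empty for anonymous) placed directly in controlValue. The following is an added example, not part of Mark's post and not code from OpenLDAP or FDS: a small BER encoder/decoder for that control, so the reader can produce the RFC form of the control for the DN from the log above and compare it against a capture. The `wrap_value` variant, which nests the authzId in a second OCTET STRING, is an assumed alternative encoding included only to show how a strict parser distinguishes the two; it is not a claim about what FDS emits or expects.

```python
"""Encode and decode the LDAP Proxied Authorization control (RFC 4370).

Added example: builds the control with the authzId bytes placed directly
in controlValue (the RFC 4370 form) and parses a control back out, reporting
whether the value was bare or wrapped in an extra OCTET STRING.  The wrapped
form is an assumed variant for comparison only.
"""
import re

PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"   # RFC 4370, section 3


def _ber_len(n: int) -> bytes:
    """Definite-form BER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(content)) + content


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad or indefinite BER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV content")
    return tag, buf[pos:end], end


# authzId per RFC 4513 section 5.2.1.8: empty (anonymous), "dn:" DN, or "u:" userid
_AUTHZID_RE = re.compile(r"^(dn:.*|u:.+)?$", re.DOTALL)


def valid_authz_id(authzid: str) -> bool:
    return _AUTHZID_RE.match(authzid) is not None


def build_proxy_authz_control(authzid: str, criticality: bool = True,
                              wrap_value: bool = False) -> bytes:
    """Control ::= SEQUENCE { controlType, criticality, controlValue }.

    wrap_value=False is the RFC 4370 encoding.  wrap_value=True nests the
    authzId in a second OCTET STRING (assumed variant, for comparison only).
    """
    if not valid_authz_id(authzid):
        raise ValueError(f"malformed authzId: {authzid!r}")
    value = authzid.encode("utf-8")
    if wrap_value:
        value = _tlv(0x04, value)
    body = _tlv(0x04, PROXY_AUTHZ_OID.encode("ascii"))
    if criticality:                       # BOOLEAN DEFAULT FALSE is omitted when false
        body += _tlv(0x01, b"\xff")
    body += _tlv(0x04, value)
    return _tlv(0x30, body)


def parse_proxy_authz_control(data: bytes) -> dict:
    """Strict decoder: returns oid, criticality, authzid and the value form."""
    tag, seq, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("control is not a single SEQUENCE")
    tag, oid, pos = _read_tlv(seq, 0)
    if tag != 0x04:
        raise ValueError("controlType must be an OCTET STRING")
    oid = oid.decode("ascii")
    criticality = False
    if pos < len(seq) and seq[pos] == 0x01:
        _, crit, pos = _read_tlv(seq, pos)
        criticality = crit != b"\x00"
    value = None
    if pos < len(seq):
        tag, value, pos = _read_tlv(seq, pos)
        if tag != 0x04:
            raise ValueError("controlValue must be an OCTET STRING")
    if pos != len(seq):
        raise ValueError("trailing bytes inside control")
    if oid != PROXY_AUTHZ_OID:
        raise ValueError(f"not the proxied authorization control: {oid}")
    if value is None:
        raise ValueError("proxied authorization control carries no value")
    form = "bare"
    if value[:1] == b"\x04":              # a valid bare authzId never starts with 0x04
        try:
            _, inner, iend = _read_tlv(value, 0)
            if iend == len(value):
                form, value = "octet-string-wrapped", inner
        except ValueError:
            pass                          # fall through to the authzId check below
    authzid = value.decode("utf-8")
    if not valid_authz_id(authzid):
        raise ValueError(f"unable to parse proxied authorization value: {value!r}")
    return {"oid": oid, "criticality": criticality,
            "authzid": authzid, "value_form": form}


if __name__ == "__main__":
    # Constructed sample: the DN from the log excerpt above, in dn: form.
    ctl = build_proxy_authz_control(
        "dn:uid=dejongm,cn=opssec,cn=users,cn=accounts,dc=corp,dc=company,dc=com")
    print(ctl.hex())
    print(parse_proxy_authz_control(ctl))
```

Running the block prints the hex of the RFC 4370 form of the control for the DN in the log; a control value from a capture that `parse_proxy_authz_control` reports as anything other than `bare`, or that fails `valid_authz_id` (for example a DN with no `dn:` prefix), is one a strict RFC 4370 parser would reject, which is the kind of mismatch to look for before digging further into the idassert configuration.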