Hello
I've installed a openldap as proxy in a DMZ for authentication forwarding to an Active Directoy. The Proxy is used by a VPN gateway.
That all works very well, but password change from client fails with following error:
slapd[30661]: conn=1001 op=5 do_modify slapd[30661]: conn=1001 op=5 do_modify: dn (cn=XPTEST5,ou=Users,dc=myorg,dc=net) slapd[30661]: >>> dnPrettyNormal: <cn=TEST5,ou=Users,dc=myorg,dc=net> slapd[30661]: <<< dnPrettyNormal: <cn=TEST5,ou=Users,dc=myorg,dc=net>, <cn=xptest5,ou=users,dc=myorg,dc=net> slapd[30661]: conn=1001 op=5 modifications: slapd[30661]: delete: UnicodePwd slapd[30661]: one value, length 26 slapd[30661]: add: UnicodePwd slapd[30661]: one value, length 26 slapd[30661]: conn=1001 op=5 MOD dn="cn=TEST5,ou=Users,dc=myorg,dc=net" slapd[30661]: conn=1001 op=5 MOD attr=UnicodePwd UnicodePwd slapd[30661]: send_ldap_result: conn=1001 op=5 p=3 slapd[30661]: send_ldap_result: err=17 matched="" text="UnicodePwd: attribute type undefined" slapd[30661]: send_ldap_response: msgid=6 tag=103 err=17 slapd[30661]: conn=1001 op=5 RESULT tag=103 err=17 text=UnicodePwd: attribute type undefined slapd[30661]: daemon: activity on 1 descriptor slapd[30661]: daemon: activity on: slapd[30661]: slapd[30661]: daemon: epoll: listen=7 active_threads=0 tvp=zero slapd[30661]: daemon: activity on 1 descriptor slapd[30661]: daemon: activity on:
As I understand, UnicodePwd is a proprietary "standard" MS attribute in AD to store the password but the RFC attribute is the userPassword.
Is it possible, to get the proxy working to process this MOD request, may be that openldap proxy pass through the MOD operation with the attribute UnicodePwd from the VPN-gateway?
I use openldap 2.4.40, here is my configuration:
============================================================== include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/rfc2307bis.schema
pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args modulepath /usr/lib/openldap/modules moduleload back_ldap
disallow bind_anon require authc
TLSCACertificateFile /etc/openldap/certs/myorg.net.root.pem TLSCertificateFile /etc/openldap/certs/proxy1.myorg.net.pem TLSCertificateKeyFile /etc/openldap/certs/proxy1.myorg.net.pem.key TLSVerifyClient never TLSCipherSuite ALL:!DH:!EDH
database ldap security tls=256 rebind-as-user yes suffix "dc=myorg,dc=net" uri "ldap://dc1.myorg.net ldap://dc2.myorg.net" tls start tls_cacert=/etc/openldap/certs/adroot.pem chase-referrals no protocol-version 3
loglevel -1 ==============================================================
Thanks for help!!
Meike