Hi all,
I have two OpenLDAP servers (2.4.34) used by some applications to authenticate. Both servers use the meta backend, which is the frontend to two AD domains in separate forests. ldapsearch correctly finds the users in both servers, while authentication works for one only.
I must say that I had to exclude some portions of the trees in order to avoid duplicate names. My "correct" users are in 15 subtrees.
In the working server I configured 15 URIs, one for each subtree, specifying for each of them the credentials, the attribute mappings and the suffixmassage. The bad news is that slapd.conf is 580 lines and its maintenance is error prone.
That's why I configured the second server with two URIs only and with ACLs to limit the access to the 15 subtrees only. The resulting slapd.conf is much more readable and easy to maintain, but it does not work.
The ACLs are all of this type:
access to dn.subtree="ou=Users,ou=MySite,dc=FirstSubdomain,dc=Company,dc=com"
    by dn.exact="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" read
There are no other ACLs, but I already tried adding something like "access to * by * read" with no success.
As said before, ldapsearch works fine, while authentication does not. Please look at the excerpt from the log files, for both servers, when I try to authenticate.
Both servers start the same sequence, but one stops just after reading the same search result.
conn=1033 fd=10 ACCEPT from IP=10.31.222.106:38492 (IP=0.0.0.0:389)
conn=1033 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" method=128
conn=1033 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" mech=SIMPLE ssf=0
conn=1033 op=0 RESULT tag=97 err=0 text=
conn=1033 op=1 SRCH base="dc=Company,dc=com" scope=2 deref=0 filter="(sAMAccountName=policastro)"
conn=1033 op=1 SRCH attr=sAMAccountName
conn=1033 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1033 op=2 UNBIND
conn=1033 fd=10 closed
===========================
conn=4960 fd=373 ACCEPT from IP=10.31.221.162:40893 (IP=0.0.0.0:389)
conn=4960 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" method=128
conn=4960 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" mech=SIMPLE ssf=0
conn=4960 op=0 RESULT tag=97 err=0 text=
conn=4960 op=1 SRCH base="dc=Company,dc=com" scope=2 deref=0 filter="(sAMAccountName=policastro)"
conn=4960 op=1 SRCH attr=sAMAccountName
conn=4960 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=4960 op=2 BIND anonymous mech=implicit ssf=0
conn=4960 op=2 BIND dn="cn=Policastro Francesco,ou=Users,ou=MySite,dc=FirstSubdomain,dc=Company,dc=com" method=128
conn=4960 op=2 BIND dn="cn=Policastro Francesco,ou=Users,ou=MySite,dc=FirstSubdomain,dc=Company,dc=com" mech=SIMPLE ssf=0
conn=4960 op=2 RESULT tag=97 err=0 text=
conn=4960 op=3 UNBIND
conn=4960 fd=373 closed
conn=4961 fd=373 ACCEPT from IP=10.31.221.162:40894 (IP=0.0.0.0:389)
conn=4961 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" method=128
conn=4961 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" mech=SIMPLE ssf=0
conn=4961 op=0 RESULT tag=97 err=0 text=
conn=4961 op=1 SRCH base="dc=Company,dc=com" scope=2 deref=0 filter="(&(!(?employeeID=-*))(employeeID=*)(mail=*)(givenName=*)(sn=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName=policastro))"
conn=4961 op=1 SRCH attr=sAMAccountName
conn=4961 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=4961 op=2 SRCH base="cn=Policastro Francesco,ou=Users,ou=MySite,dc=FirstSubdomain,dc=Company,dc=com" scope=0 deref=0 filter="(&(!(?employeeID=-*))(employeeID=*)(mail=*)(givenName=*)(sn=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
conn=4961 op=2 SRCH attr=givenName sn mail employeeID sAMAccountName
conn=4961 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=4961 op=3 UNBIND
conn=4961 fd=373 closed
conn=4962 fd=373 ACCEPT from IP=10.31.221.162:40895 (IP=0.0.0.0:389)
conn=4962 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" method=128
conn=4962 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" mech=SIMPLE ssf=0
conn=4962 op=0 RESULT tag=97 err=0 text=
conn=4962 op=1 SRCH base="dc=Company,dc=com" scope=2 deref=0 filter="(sAMAccountName=policastro)"
conn=4962 op=1 SRCH attr=sAMAccountName
conn=4962 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=4962 op=2 SRCH base="cn=Policastro Francesco,ou=Users,ou=MySite,dc=FirstSubdomain,dc=Company,dc=com" scope=0 deref=0 filter="(objectClass=*)"
conn=4962 op=2 SRCH attr=shadowExpire
conn=4962 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=4962 op=3 UNBIND
Can anyone explain to me what happens and how to let the ACL version work?
Thanks, Francesco
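As an added example (not part of the original post and not OpenLDAP project code), here is a small Python parser for slapd stats-level log lines of the kind quoted above. It groups lines by connection, records every BIND together with the RESULT code that later arrives for the same op, every SEARCH RESULT with its entry count, and the UNBIND, and then labels each connection according to whether a successful user search was followed by a bind as the returned user. That search-then-bind step is exactly where the two excerpts diverge, so running this over the stats log of each server makes the difference visible without reading the raw lines. The sample log is constructed to mirror the post's first two connections; SERVICE_DN, the event layout and the verdict labels are this example's own choices.

```python
import re
from collections import defaultdict

# Service account the application binds with before searching (from the post).
SERVICE_DN = "cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com"

# Constructed sample, patterned on the post's excerpt: conn=1033 stops after the
# search, conn=4960 goes on to bind as the user that the search returned.
SAMPLE_LOG = """\
conn=1033 fd=10 ACCEPT from IP=10.31.222.106:38492 (IP=0.0.0.0:389)
conn=1033 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" method=128
conn=1033 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" mech=SIMPLE ssf=0
conn=1033 op=0 RESULT tag=97 err=0 text=
conn=1033 op=1 SRCH base="dc=Company,dc=com" scope=2 deref=0 filter="(sAMAccountName=policastro)"
conn=1033 op=1 SRCH attr=sAMAccountName
conn=1033 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1033 op=2 UNBIND
conn=1033 fd=10 closed
conn=4960 fd=373 ACCEPT from IP=10.31.221.162:40893 (IP=0.0.0.0:389)
conn=4960 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" method=128
conn=4960 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" mech=SIMPLE ssf=0
conn=4960 op=0 RESULT tag=97 err=0 text=
conn=4960 op=1 SRCH base="dc=Company,dc=com" scope=2 deref=0 filter="(sAMAccountName=policastro)"
conn=4960 op=1 SRCH attr=sAMAccountName
conn=4960 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=4960 op=2 BIND anonymous mech=implicit ssf=0
conn=4960 op=2 BIND dn="cn=Policastro Francesco,ou=Users,ou=MySite,dc=FirstSubdomain,dc=Company,dc=com" method=128
conn=4960 op=2 BIND dn="cn=Policastro Francesco,ou=Users,ou=MySite,dc=FirstSubdomain,dc=Company,dc=com" mech=SIMPLE ssf=0
conn=4960 op=2 RESULT tag=97 err=0 text=
conn=4960 op=3 UNBIND
conn=4960 fd=373 closed
"""

# slapd logs each BIND twice (method=128, then mech=SIMPLE); keying on the
# second line records every bind once. "BIND anonymous mech=implicit" carries
# no dn= and is the implicit reset before a rebind, so it is skipped.
CONN_RE = re.compile(r"^conn=(\d+)\s+(.*)$")
BIND_RE = re.compile(r'^op=(\d+) BIND dn="([^"]*)" mech=')
BIND_RESULT_RE = re.compile(r"^op=(\d+) RESULT tag=97 err=(\d+)")
SEARCH_RESULT_RE = re.compile(r"^op=(\d+) SEARCH RESULT tag=101 err=(\d+) nentries=(\d+)")
UNBIND_RE = re.compile(r"^op=(\d+) UNBIND")


def parse_log(text):
    """Return {conn_id: [event, ...]} in log order.

    event = {"op": int, "kind": "BIND"|"SRCH"|"UNBIND", "dn": str|None,
             "err": int|None, "nentries": int|None}
    """
    conns = defaultdict(list)
    for raw in text.splitlines():
        m = CONN_RE.match(raw.strip())
        if not m:
            continue
        conn, rest = int(m.group(1)), m.group(2)
        events = conns[conn]
        if (b := BIND_RE.match(rest)):
            events.append({"op": int(b.group(1)), "kind": "BIND",
                           "dn": b.group(2), "err": None, "nentries": None})
        elif (r := BIND_RESULT_RE.match(rest)):
            op, err = int(r.group(1)), int(r.group(2))
            for ev in reversed(events):          # attach to the matching BIND op
                if ev["kind"] == "BIND" and ev["op"] == op:
                    ev["err"] = err
                    break
        elif (s := SEARCH_RESULT_RE.match(rest)):
            events.append({"op": int(s.group(1)), "kind": "SRCH", "dn": None,
                           "err": int(s.group(2)), "nentries": int(s.group(3))})
        elif (u := UNBIND_RE.match(rest)):
            events.append({"op": int(u.group(1)), "kind": "UNBIND", "dn": None,
                           "err": None, "nentries": None})
    return conns


def sequence(events, service_dn=SERVICE_DN):
    """Render the op sequence, e.g. 'BIND(service) SRCH(1) BIND(user) UNBIND'."""
    parts = []
    for ev in events:
        if ev["kind"] == "BIND":
            who = "service" if ev["dn"] == service_dn else "user"
            status = "" if ev["err"] == 0 else " err=%s" % ev["err"]
            parts.append("BIND(%s%s)" % (who, status))
        elif ev["kind"] == "SRCH":
            parts.append("SRCH(%d)" % ev["nentries"])
        else:
            parts.append("UNBIND")
    return " ".join(parts)


def verdict(events, service_dn=SERVICE_DN):
    """Classify the search-then-bind pattern seen on one connection."""
    found = False
    for ev in events:
        if ev["kind"] == "SRCH":
            found = ev["err"] == 0 and ev["nentries"] > 0
        elif ev["kind"] == "BIND" and ev["dn"] != service_dn and found:
            return "user-bind-ok" if ev["err"] == 0 else "user-bind-failed"
    if not any(ev["kind"] == "SRCH" for ev in events):
        return "no-search"
    return "no-user-bind" if found else "search-empty"


def summarize(text, service_dn=SERVICE_DN):
    """Map each connection id to (sequence string, verdict label)."""
    return {conn: (sequence(evs, service_dn), verdict(evs, service_dn))
            for conn, evs in parse_log(text).items()}


if __name__ == "__main__":
    for conn, (seq, v) in sorted(summarize(SAMPLE_LOG).items()):
        print("conn=%d: %s  -> %s" % (conn, seq, v))
```

Feed it the real stats log of each server (loglevel stats, as in the excerpt) and compare the verdict per connection: a "no-user-bind" on the ACL server against a "user-bind-ok" on the 15-URI server for the same client confirms that the application never attempts the second bind there, so the place to look is what the application receives from the search, not the bind itself.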