According to my slapd debug logs, after the account is not found locally, the search continues in active directory. I can bind under the admin query only account and successfully retrieve the user account information (I have verified this) from active directory; however, I can't then rebind-as-user with the user password in order to authenticate.
I get a "Proxy operation retry failed" error:
slapd[22555]: conn=1000 fd=8 ACCEPT from IP=127.0.0.1:35848 (IP=127.0.0.1:389) slapd[22555]: conn=1001 fd=9 ACCEPT from IP=127.0.0.1:35850 (IP=127.0.0.1:389) slapd[22555]: conn=1000 op=0 BIND dn="cn=xxxx,ou=local" method=128 slapd[22555]: conn=1000 op=0 BIND dn="cn=xxxx,ou=local" mech=SIMPLE ssf=0 slapd[22555]: conn=1000 op=0 RESULT tag=97 err=0 text= slapd[22555]: conn=1000 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=xxxx0029)" slapd[22555]: conn=1002 fd=11 ACCEPT from IP=127.0.0.1:35852 (IP=127.0.0.1:389) slapd[22555]: conn=1002 op=0 BIND dn="cn=xxxx,ou=local" method=128 slapd[22555]: conn=1002 op=0 BIND dn="cn=xxxx,ou=local" mech=SIMPLE ssf=0 slapd[22555]: conn=1002 op=0 RESULT tag=97 err=0 text= slapd[22555]: conn=1003 fd=13 ACCEPT from IP=127.0.0.1:35854 (IP=127.0.0.1:389) slapd[22555]: conn=1003 op=0 BIND dn="cn=xxxx,ou=local" method=128 slapd[22555]: conn=1003 op=0 BIND dn="cn=xxxx,ou=local" mech=SIMPLE ssf=0 slapd[22555]: conn=1003 op=0 RESULT tag=97 err=0 text= slapd[22555]: conn=1002 op=1 SRCH base="ou=xxxx,dc=sooner,dc=net,dc=ou,dc=edu" scope=2 deref=0 filter="(uid=xxxx0029)" slapd[22555]: conn=1003 op=1 SRCH base="ou=local" scope=2 deref=0 filter="(uid=xxxx0029)" slapd[22555]: conn=1003 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text= slapd[22555]: conn=1000 op=1 meta_back_search[1] match="" err=32 (No such object) text="". slapd[22555]: conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= slapd[22555]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= slapd[22555]: conn=1001 op=0 BIND dn="cn=11079,ou=xxxx,dc=a,dc=example,dc=com" method=128 slapd[22555]: conn=1004 fd=16 ACCEPT from IP=127.0.0.1:35858 (IP=127.0.0.1:389) slapd[22555]: conn=1004 op=0 BIND dn="cn=11079,ou=General,ou=xxxx,dc=sooner,dc=net,dc=ou,dc=edu" method=128 slapd[22555]: conn=1004 op=0 ldap_back_retry: retrying URI="ldaps://active.directory" DN="" slapd[22555]: conn=1004 op=0 RESULT tag=97 err=52 text=Proxy operation retry failed slapd[22555]: conn=1004 op=1 UNBIND slapd[22555]: conn=1001 op=0 RESULT tag=97 err=52 text= slapd[22555]: conn=1004 fd=16 closed
Here is my meta configuration:
database meta suffix dc=example,dc=com # The last rwm-map line maps all other attributes to nothing. overlay rwm rwm-map attribute uid sAMAccountname rwm-map attribute * #rwm-map objectclass posixGroup group #rwm-map objectclass posixAccount person #rwm-map objectclass memberUid member
## uri "ldap://127.0.0.1/dc=a,dc=example,dc=com" suffixmassage "dc=a,dc=example,dc=com" "ou=xxxx,dc=sooner,dc=net,dc=ou,dc=edu" rebind-as-user true idassert-bind bindmethod=simple binddn="cn=XXXX,ou=local" credentials=XXXX mode=none idassert-authzFrom "dn.regex:.*"
## uri "ldap://127.0.0.1/dc=b,dc=example,dc=com" suffixmassage "dc=b,dc=example,dc=com" "ou=local" rebind-as-user true idassert-bind bindmethod=simple binddn="cn=XXXX,ou=local" credentials=XXXX mode=none idassert-authzFrom "dn.regex:.*"
## database ldap uri ldaps://active.directory suffix ou=xxxx,dc=sooner,dc=net,dc=ou,dc=edu rebind-as-user true idassert-bind bindmethod=simple binddn="cn=XXXX,ou=it,ou=services,ou=accounts,dc=sooner,dc=net,dc=ou,dc=edu" credentials=XXXX tls_reqcert=allow tls_cacert=/etc/letsencrypt/live/lmamr-lims.rccc.ou.edu/fullchain.pem tls_cert=/etc/letsencrypt/live/lmamr-lims.rccc.ou.edu/cert.pem tls_key=/etc/letsencrypt/live/lmamr-lims.rccc.ou.edu/privkey.pem mode=none idassert-authzFrom "dn.regex:.*"