Le 27/04/2010 07:46, repudi8or repu a écrit :
Maybe im having a conceptual issue here. What i am trying to do is ensure the backend functions prior to looking at the configuring the frontend correctly. I am configuring the solaris openldap slapd with back-ldap and pcache and am expecting to be able to simulate a fronted authentication process using ldapsearch to the solaris openldap proxy. The backend ldap service is AD @ backendldap.core.dir.mycompany.com http://backendldap.core.dir.mycompany.com/. the proxy box i will refer to as openldapproxy (openldapproxy.core.dir.mycompany.com http://openldapproxy.core.dir.mycompany.com/)" my database ldap section now looks like this :- backendldap.core.dir.mycompany.com http://backendldap.core.dir.mycompany.com/"
database ldap uri "ldap://backendldap.core.dir.mycompany.com http://backendldap.core.dir.mycompany.com/" suffix "ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com" rootdn "dc=core,dc=dir,dc=mycompany,dc=com" idassert-bind bindmethod=simple binddn="cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com" credentials="password" mode=self i am testing by running ldapsearch on the openldapproxy host itself in the following manner :- # /usr/local/bin/ldapsearch -x -h localhost -b ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com employeeID=12345678 the proxied bind goes out to the backend AD as i have shown in the below discussion. The response returned is :- # filter: employeeID=12345678 # requesting: ALL # # search result search: 2 result: 48 Inappropriate authentication # numResponses: 1
Running slapd in diag mode i see the following in the debug output :- do_bind: v3 anonymous bind connection_get(11) connection_get(11): got connid=1014 connection_read(11): checking for input on id=1014 ber_get_next ber_get_next: tag 0x30 len 105 contents: op tag 0x63, time 1272346583 ber_get_next conn=1014 op=1 do_search ber_scanf fmt ({miiiib) ber:
dnPrettyNormal:
<ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com> => ldap_bv2dn(ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com,0) <= ldap_bv2dn(ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com)=0 => ldap_dn2bv(272) <= ldap_dn2bv(ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com)=0 => ldap_dn2bv(272) <= ldap_dn2bv(ou=people,ou=eprofile,dc=core,dc=dir,dc=mycompany,dc=com)=0 <<< dnPrettyNormal: <ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com>, <ou=people,ou=eprofile,dc=core,dc=dir,dc=mycompany,dc=com> SRCH "ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com" 2 0 0 0 0 ber_scanf fmt ({mm}) ber: filter: (?=undefined) ber_scanf fmt ({M}}) ber: attrs: ==> limits_get: conn=1014 op=1 self="[anonymous]" this="ou=people,ou=eprofile,dc=core,dc=dir,dc=telstra,dc=com" send_ldap_result: conn=1014 op=1 p=3 send_ldap_result: err=48 matched="" text="" send_ldap_response: msgid=2 tag=101 err=48 Note the anonymous bind, I need this to be a simply authenticated bind using the idassert binddn and credentials Note the "self="[anonymous]"............... I was expecting that it should have been self=[USERID_THAT_RAN_THE_LDAPSEARCH]
"self" here is the user that authenticated to your local proxy server. Your ldapsearch has no -D option, so it's anonymous.
If you just want the proxy's clients to be able to access the AD server using the account you specified in idassert-bind, try mode=none.
Otherwise, you'll need to set up some appropriate authentication on the proxy side.
Regards, Jonathan