Guillaume,
You wrote: The second URL seems invalid, unless you managed to make your server reply
without SSL on port 636.
My Answer: So, should I remove it so I can make it reply with SSL?
You wrote: Which seems to be a valid AD answer. Did you manage to successfully execute
the same query against AD directly?
My Answer: That answer is unknown user or password. When you say against AD, you mean
using Ldp.exe? It does reply successfully with simple bind authentication. See below.
ld = ldap_open("", 389);
Established connection to .
Retrieving base DSA information...
Getting 1 entries:
Dn: (RootDSE)
configurationNamingContext: CN=Configuration,DC=gerf02,DC=local;
currentTime: 9/10/2012 6:14:02 AM Mountain Daylight Time;
defaultNamingContext: DC=gerf02,DC=local;
dnsHostName: DC1SRV2K8.gerf02.local;
domainControllerFunctionality: 4 = ( WIN2008R2 );
domainFunctionality: 2 = ( WIN2003 );
dsServiceName: CN=NTDS Settings,CN=DC1SRV2K8,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gerf02,DC=local;
forestFunctionality: 2 = ( WIN2003 );
highestCommittedUSN: 408626;
isGlobalCatalogReady: TRUE;
isSynchronized: TRUE;
ldapServiceName: gerf02.local:dc1srv2k8$@GERF02.LOCAL;
namingContexts (5): DC=gerf02,DC=local; CN=Configuration,DC=gerf02,DC=local;
CN=Schema,CN=Configuration,DC=gerf02,DC=local; DC=DomainDnsZones,DC=gerf02,DC=local;
DC=ForestDnsZones,DC=gerf02,DC=local;
rootDomainNamingContext: DC=gerf02,DC=local;
schemaNamingContext: CN=Schema,CN=Configuration,DC=gerf02,DC=local;
serverName: CN=DC1SRV2K8,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gerf02,DC=local;
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=gerf02,DC=local;
supportedCapabilities (5): 1.2.840.113556.1.4.800 = ( ACTIVE_DIRECTORY );
1.2.840.113556.1.4.1670 = ( ACTIVE_DIRECTORY_V51 ); 1.2.840.113556.1.4.1791 = (
ACTIVE_DIRECTORY_LDAP_INTEG ); 1.2.840.113556.1.4.1935 = ( ACTIVE_DIRECTORY_V61 );
1.2.840.113556.1.4.2080;
supportedControl (29): 1.2.840.113556.1.4.319 = ( PAGED_RESULT ); 1.2.840.113556.1.4.801 =
( SD_FLAGS ); 1.2.840.113556.1.4.473 = ( SORT ); 1.2.840.113556.1.4.528 = ( NOTIFICATION
); 1.2.840.113556.1.4.417 = ( SHOW_DELETED ); 1.2.840.113556.1.4.619 = ( LAZY_COMMIT );
1.2.840.113556.1.4.841 = ( DIRSYNC ); 1.2.840.113556.1.4.529 = ( EXTENDED_DN );
1.2.840.113556.1.4.805 = ( TREE_DELETE ); 1.2.840.113556.1.4.521 = ( CROSSDOM_MOVE_TARGET
); 1.2.840.113556.1.4.970 = ( GET_STATS ); 1.2.840.113556.1.4.1338 = ( VERIFY_NAME );
1.2.840.113556.1.4.474 = ( RESP_SORT ); 1.2.840.113556.1.4.1339 = ( DOMAIN_SCOPE );
1.2.840.113556.1.4.1340 = ( SEARCH_OPTIONS ); 1.2.840.113556.1.4.1413 = (
PERMISSIVE_MODIFY ); 2.16.840.1.113730.3.4.9 = ( VLVREQUEST ); 2.16.840.1.113730.3.4.10 =
( VLVRESPONSE ); 1.2.840.113556.1.4.1504 = ( ASQ ); 1.2.840.113556.1.4.1852 = (
QUOTA_CONTROL ); 1.2.840.113556.1.4.802 = ( RANGE_OPTION ); 1.2.840.113556.1.4.1907 = (
SHUTDOWN_NOTIFY );
1.2.840.113556.1.4.1948 = ( RANGE_RETRIEVAL_NOERR ); 1.2.840.113556.1.4.1974 = (
FORCE_UPDATE ); 1.2.840.113556.1.4.1341 = ( RODC_DCPROMO ); 1.2.840.113556.1.4.2026 = (
DN_INPUT ); 1.2.840.113556.1.4.2064 = ( SHOW_RECYCLED ); 1.2.840.113556.1.4.2065 = (
SHOW_DEACTIVATED_LINK ); 1.2.840.113556.1.4.2066 = ( POLICY_HINTS );
supportedLDAPPolicies (14): MaxPoolThreads; MaxDatagramRecv; MaxReceiveBuffer;
InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxPageSize; MaxQueryDuration;
MaxTempTableSize; MaxResultSetSize; MinResultSets; MaxResultSetsPerConn;
MaxNotificationPerConn; MaxValRange;
supportedLDAPVersion (2): 3; 2;
supportedSASLMechanisms (4): GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;
-----------
res = ldap_simple_bind_s(ld, 'LDAP Bind Account', <unavailable>); // v.3
Authenticated as: 'GERF02\lba'.
But another question comes up: why through 389? Should it not be 636 for a secure
connection?
I am sorry, but I am totally new to this. Thanks for your help.
G
________________________________
From: Guillaume Rousse <guillomovitch(a)gmail.com>
To: openldap-technical(a)openldap.org
Sent: Monday, September 10, 2012 2:35 AM
Subject: Re: OpenLdap Proxy with CentOS 6.3
On 10/09/2012 02:38, GERF wrote:
Hello all,
I have been working on this project for two straight weeks and I
feel lost or stuck.
The goal is to query Windows AD from the linux box located in the DMZ
So, in my virtual lab I have the following:
Windows AD with ip 172.16.5.16 ldap1.gerf02.local
CentOS 6.3 with ip 172.16.5.32 upildap01.gerf02.local
So, my configuration files are as follows:
-*-*-*-*-*-*-*-*-*/etc/openldap/ldap.conf:-*-*-*-*-*-*-*-*-*-*
BASE dc=gerf02,dc=local
URI ldap://172.16.5.16 ldap://172.16.5.16:636
The second URL seems invalid,
unless you managed to make your server
reply without SSL on port 636
[..]
So, when I execute the following, I get this message
ldapsearch -x -b dc=gerf02,dc=local -D cn=Ldap Bind
Account,dc=gerf02,dc=local -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C0903A9, comment:
AcceptSecurityContext error, data 52e, v1db1
Which seems to be a valid AD answer.
Did you manage to successfully
execute the same query against AD directly?
You should also quote the -D argument value, as it contains spaces...
--
BOFH excuse #367:
Webmasters kidnapped by evil cult.
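As an added example (not code from this thread, from OpenLDAP or from Microsoft), the two symptoms above can be checked mechanically: the `URI` directive that pairs the plaintext `ldap://` scheme with the SSL port 636, and the `data 52e` subcode AD appends to its "Invalid credentials (49)" reply. The URI helper assumes the default ports (389 cleartext/STARTTLS, 636 LDAP over SSL); the subcode table is the well-known list of Windows logon-failure subcodes AD reports with result 49 (52e is ERROR_LOGON_FAILURE, "unknown user name or bad password"). Host addresses and the diagnostic string are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: sanity-check ldap.conf URIs and decode AD bind-error subcodes.
# Assumption: default ports, 389 for cleartext/STARTTLS and 636 for LDAP over SSL.

# check_ldap_uri URI
# Prints "ok" (returns 0) or a one-line diagnosis with the corrected URI (returns 1).
check_ldap_uri() {
    uri=$1
    scheme=${uri%%://*}          # "ldap" or "ldaps"
    hostport=${uri#*://}
    hostport=${hostport%%/*}     # drop any DN/attribute suffix after the host
    case $hostport in
        *:*) port=${hostport##*:} ;;
        *)   port= ;;            # no explicit port: the scheme default applies
    esac
    case "$scheme:$port" in
        ldap:636)  echo "plaintext-on-ssl-port: use ldaps://${hostport} instead"; return 1 ;;
        ldaps:389) echo "ssl-on-plaintext-port: use ldap://${hostport} and -ZZ (STARTTLS) instead"; return 1 ;;
        ldap:*|ldaps:*) echo "ok"; return 0 ;;
        *) echo "unknown scheme: ${scheme}"; return 1 ;;
    esac
}

# check_ldap_conf_uri_line "URI ldap://a ldaps://b"
# Checks every URI of a ldap.conf URI directive and prints how many are wrong.
check_ldap_conf_uri_line() {
    bad=0
    for u in ${1#URI }; do       # word splitting on purpose: one URI per word
        check_ldap_uri "$u" >/dev/null || bad=$((bad + 1))
    done
    echo "$bad"
}

# decode_ad_bind_error "MESSAGE"
# Pulls the hex subcode after "data " out of an AcceptSecurityContext diagnostic
# and prints its meaning (Windows logon-failure subcodes returned with result 49).
decode_ad_bind_error() {
    msg=$1
    case $msg in
        *"data "*) code=${msg#*"data "}; code=${code%%,*} ;;
        *) echo "no AD data subcode in message"; return 1 ;;
    esac
    case $code in
        525) echo "$code: user not found" ;;
        52e) echo "$code: invalid credentials (unknown user name or bad password)" ;;
        530) echo "$code: not permitted to log on at this time" ;;
        531) echo "$code: not permitted to log on from this workstation" ;;
        532) echo "$code: password expired" ;;
        533) echo "$code: account disabled" ;;
        701) echo "$code: account expired" ;;
        773) echo "$code: user must reset password" ;;
        775) echo "$code: account locked out" ;;
        *)   echo "$code: unknown subcode" ;;
    esac
}

# Run against the values quoted in the thread.
for u in ldap://172.16.5.16 ldap://172.16.5.16:636 ldaps://172.16.5.16; do
    printf '%s -> ' "$u"; check_ldap_uri "$u" || :
done
decode_ad_bind_error "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1"

# Illustrative only (needs a live DC, so not executed here): the thread's search
# with the bind DN quoted and the SSL port reached via the ldaps scheme.
#   ldapsearch -x -H ldaps://172.16.5.16:636 -b dc=gerf02,dc=local \
#       -D 'cn=Ldap Bind Account,dc=gerf02,dc=local' -W
```

Two caveats for the 389-versus-636 question: a simple bind (`-x`) over plain `ldap://` on 389 sends the bind password in the clear unless STARTTLS is negotiated (`ldapsearch -ZZ`), and `ldaps://` only protects the session if the client actually verifies the DC's certificate, which in OpenLDAP's ldap.conf means pointing `TLS_CACERT` at the issuing CA and not setting `TLS_REQCERT never`.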