Re: OpenLdap Proxy with CentOS 6.3

Guillaume,

You wrote: The second URL seems invalid, unless you managed to make your server reply without SSL on port 636.

My Answer: So, should I removed it so I can make it reply with SSL ?

You wrote: Which seems to be a valid AD answer. Did you managed to successfully  execute the same query against AD directly ?

My Answer: That answer is unknown user or password. When you say against AD, you mean using Ldp.exe ? It does reply successfully with simple bind authentication. See Below.

ld = ldap_open("", 389); Established connection to . Retrieving base DSA information... Getting 1 entries: Dn: (RootDSE) configurationNamingContext: CN=Configuration,DC=gerf02,DC=local; currentTime: 9/10/2012 6:14:02 AM Mountain Daylight Time; defaultNamingContext: DC=gerf02,DC=local; dnsHostName: DC1SRV2K8.gerf02.local; domainControllerFunctionality: 4 = ( WIN2008R2 ); domainFunctionality: 2 = ( WIN2003 ); dsServiceName: CN=NTDS Settings,CN=DC1SRV2K8,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gerf02,DC=local; forestFunctionality: 2 = ( WIN2003 ); highestCommittedUSN: 408626; isGlobalCatalogReady: TRUE; isSynchronized: TRUE; ldapServiceName: gerf02.local:dc1srv2k8$@GERF02.LOCAL; namingContexts (5): DC=gerf02,DC=local; CN=Configuration,DC=gerf02,DC=local; CN=Schema,CN=Configuration,DC=gerf02,DC=local; DC=DomainDnsZones,DC=gerf02,DC=local; DC=ForestDnsZones,DC=gerf02,DC=local; rootDomainNamingContext: DC=gerf02,DC=local; schemaNamingContext: CN=Schema,CN=Configuration,DC=gerf02,DC=local; serverName: CN=DC1SRV2K8,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gerf02,DC=local; subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=gerf02,DC=local; supportedCapabilities (5): 1.2.840.113556.1.4.800 = ( ACTIVE_DIRECTORY ); 1.2.840.113556.1.4.1670 = ( ACTIVE_DIRECTORY_V51 ); 1.2.840.113556.1.4.1791 = ( ACTIVE_DIRECTORY_LDAP_INTEG ); 1.2.840.113556.1.4.1935 = ( ACTIVE_DIRECTORY_V61 ); 1.2.840.113556.1.4.2080; supportedControl (29): 1.2.840.113556.1.4.319 = ( PAGED_RESULT ); 1.2.840.113556.1.4.801 = ( SD_FLAGS ); 1.2.840.113556.1.4.473 = ( SORT ); 1.2.840.113556.1.4.528 = ( NOTIFICATION ); 1.2.840.113556.1.4.417 = ( SHOW_DELETED ); 1.2.840.113556.1.4.619 = ( LAZY_COMMIT ); 1.2.840.113556.1.4.841 = ( DIRSYNC ); 1.2.840.113556.1.4.529 = ( EXTENDED_DN ); 1.2.840.113556.1.4.805 = ( TREE_DELETE ); 1.2.840.113556.1.4.521 = ( CROSSDOM_MOVE_TARGET ); 1.2.840.113556.1.4.970 = ( GET_STATS ); 1.2.840.113556.1.4.1338 = ( VERIFY_NAME ); 1.2.840.113556.1.4.474 = ( RESP_SORT ); 1.2.840.113556.1.4.1339 = ( DOMAIN_SCOPE ); 1.2.840.113556.1.4.1340 = ( SEARCH_OPTIONS ); 1.2.840.113556.1.4.1413 = ( PERMISSIVE_MODIFY ); 2.16.840.1.113730.3.4.9 = ( VLVREQUEST ); 2.16.840.1.113730.3.4.10 = ( VLVRESPONSE ); 1.2.840.113556.1.4.1504 = ( ASQ ); 1.2.840.113556.1.4.1852 = ( QUOTA_CONTROL ); 1.2.840.113556.1.4.802 = ( RANGE_OPTION ); 1.2.840.113556.1.4.1907 = ( SHUTDOWN_NOTIFY ); 1.2.840.113556.1.4.1948 = ( RANGE_RETRIEVAL_NOERR ); 1.2.840.113556.1.4.1974 = ( FORCE_UPDATE ); 1.2.840.113556.1.4.1341 = ( RODC_DCPROMO ); 1.2.840.113556.1.4.2026 = ( DN_INPUT ); 1.2.840.113556.1.4.2064 = ( SHOW_RECYCLED ); 1.2.840.113556.1.4.2065 = ( SHOW_DEACTIVATED_LINK ); 1.2.840.113556.1.4.2066 = ( POLICY_HINTS ); supportedLDAPPolicies (14): MaxPoolThreads; MaxDatagramRecv; MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxPageSize; MaxQueryDuration; MaxTempTableSize; MaxResultSetSize; MinResultSets; MaxResultSetsPerConn; MaxNotificationPerConn; MaxValRange; supportedLDAPVersion (2): 3; 2; supportedSASLMechanisms (4): GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;

----------- res = ldap_simple_bind_s(ld, 'LDAP Bind Account', <unavailable>); // v.3 Authenticated as: 'GERF02\lba'.

But another questions prompts. Why through 389, should not be 636 for a secure connection ?

I am sorry but I am totally new with this. Thanks for your help.

G

________________________________ From: Guillaume Rousse guillomovitch@gmail.com To: openldap-technical@openldap.org Sent: Monday, September 10, 2012 2:35 AM Subject: Re: OpenLdap Proxy with CentOS 6.3

Le 10/09/2012 02:38, GERF a écrit :

Hello all,

I have been working with this project for a straight two weeks and i feel lost or stuck.

The goal is to query Windows AD from the linux box located in the DMZ

So, in my virtual lab I have the following:

Windows AD with ip  172.16.5.16 ldap1.gerf02.local CentOS 6.3 with ip 172.16.5.32 upildap01.gerf02.local

So, my configuration files are as follows:

-*-*-*-*-*-*-*-*-*/etc/openldap/ldap.conf:-*-*-*-*-*-*-*-*-*-*

BASE dc=gerf02,dc=local URI    ldap://172.16.5.16 ldap://172.16.5.16:636

The second URL seems invalid, unless you managed to make your server reply without SSL on port 636

[..]

So, when I execute the following, I get this message

ldapsearch -x -b dc=gerf02,dc=local -D cn=Ldap Bind Account,dc=gerf02,dc=local -W Enter LDAP Password: ldap_bind: Invalid credentials (49)           additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

Which seems to be a valid AD answer. Did you managed to successfuly execute the same query against AD directly ?

You should also quote the -D argument value, as it contains spaces...