Guillaume,
You wrote: The second URL seems invalid, unless you managed to make your server reply without SSL on port 636.
My Answer: So, should I remove it so I can make it reply with SSL?
You wrote: Which seems to be a valid AD answer. Did you manage to successfully execute the same query against AD directly?
My Answer: That answer is unknown user or password. When you say against AD, you mean using Ldp.exe? It does reply successfully with simple bind authentication. See below.
ld = ldap_open("", 389);
Established connection to .
Retrieving base DSA information...
Getting 1 entries:
Dn: (RootDSE)
configurationNamingContext: CN=Configuration,DC=gerf02,DC=local;
currentTime: 9/10/2012 6:14:02 AM Mountain Daylight Time;
defaultNamingContext:
DC=gerf02,DC=local;
dnsHostName: DC1SRV2K8.gerf02.local;
domainControllerFunctionality: 4 = ( WIN2008R2 );
domainFunctionality: 2 = ( WIN2003 );
dsServiceName: CN=NTDS Settings,CN=DC1SRV2K8,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gerf02,DC=local;
forestFunctionality: 2 = ( WIN2003 );
highestCommittedUSN: 408626;
isGlobalCatalogReady: TRUE;
isSynchronized: TRUE;
ldapServiceName: gerf02.local:dc1srv2k8$@GERF02.LOCAL;
namingContexts (5): DC=gerf02,DC=local; CN=Configuration,DC=gerf02,DC=local; CN=Schema,CN=Configuration,DC=gerf02,DC=local; DC=DomainDnsZones,DC=gerf02,DC=local; DC=ForestDnsZones,DC=gerf02,DC=local;
rootDomainNamingContext: DC=gerf02,DC=local;
schemaNamingContext: CN=Schema,CN=Configuration,DC=gerf02,DC=local;
serverName: CN=DC1SRV2K8,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gerf02,DC=local;
subschemaSubentry:
CN=Aggregate,CN=Schema,CN=Configuration,DC=gerf02,DC=local;
supportedCapabilities (5): 1.2.840.113556.1.4.800 = ( ACTIVE_DIRECTORY ); 1.2.840.113556.1.4.1670 = ( ACTIVE_DIRECTORY_V51 ); 1.2.840.113556.1.4.1791 = ( ACTIVE_DIRECTORY_LDAP_INTEG ); 1.2.840.113556.1.4.1935 = ( ACTIVE_DIRECTORY_V61 ); 1.2.840.113556.1.4.2080;
supportedControl (29): 1.2.840.113556.1.4.319 = ( PAGED_RESULT ); 1.2.840.113556.1.4.801 = ( SD_FLAGS ); 1.2.840.113556.1.4.473 = ( SORT ); 1.2.840.113556.1.4.528 = ( NOTIFICATION ); 1.2.840.113556.1.4.417 = ( SHOW_DELETED ); 1.2.840.113556.1.4.619 = ( LAZY_COMMIT ); 1.2.840.113556.1.4.841 = ( DIRSYNC ); 1.2.840.113556.1.4.529 = ( EXTENDED_DN ); 1.2.840.113556.1.4.805 = ( TREE_DELETE ); 1.2.840.113556.1.4.521 = ( CROSSDOM_MOVE_TARGET ); 1.2.840.113556.1.4.970 = ( GET_STATS ); 1.2.840.113556.1.4.1338 = ( VERIFY_NAME ); 1.2.840.113556.1.4.474 = ( RESP_SORT ); 1.2.840.113556.1.4.1339 = ( DOMAIN_SCOPE ); 1.2.840.113556.1.4.1340 = (
SEARCH_OPTIONS ); 1.2.840.113556.1.4.1413 = ( PERMISSIVE_MODIFY ); 2.16.840.1.113730.3.4.9 = ( VLVREQUEST ); 2.16.840.1.113730.3.4.10 = ( VLVRESPONSE ); 1.2.840.113556.1.4.1504 = ( ASQ ); 1.2.840.113556.1.4.1852 = ( QUOTA_CONTROL ); 1.2.840.113556.1.4.802 = ( RANGE_OPTION ); 1.2.840.113556.1.4.1907 = ( SHUTDOWN_NOTIFY ); 1.2.840.113556.1.4.1948 = ( RANGE_RETRIEVAL_NOERR ); 1.2.840.113556.1.4.1974 = ( FORCE_UPDATE ); 1.2.840.113556.1.4.1341 = ( RODC_DCPROMO ); 1.2.840.113556.1.4.2026 = ( DN_INPUT ); 1.2.840.113556.1.4.2064 = ( SHOW_RECYCLED ); 1.2.840.113556.1.4.2065 = ( SHOW_DEACTIVATED_LINK ); 1.2.840.113556.1.4.2066 = ( POLICY_HINTS );
supportedLDAPPolicies (14): MaxPoolThreads; MaxDatagramRecv; MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxPageSize; MaxQueryDuration; MaxTempTableSize; MaxResultSetSize; MinResultSets; MaxResultSetsPerConn; MaxNotificationPerConn; MaxValRange;
supportedLDAPVersion (2): 3; 2;
supportedSASLMechanisms (4): GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;
-----------
res = ldap_simple_bind_s(ld, 'LDAP Bind Account', <unavailable>); // v.3
Authenticated as: 'GERF02\lba'.
But another question comes up. Why through 389? Should it not be 636 for a secure connection?
I am sorry but I am totally new with this. Thanks for your help.
G
From: Guillaume Rousse <guillomovitch@gmail.com>
To: openldap-technical@openldap.org
Sent: Monday, September 10, 2012 2:35 AM
Subject: Re: OpenLdap Proxy with CentOS 6.3
On 10/09/2012 02:38, GERF wrote:
> Hello all,
>
> I have been working with this project for a straight two weeks and i
> feel lost or stuck.
>
> The goal is to query Windows AD from the linux box located in the DMZ
>
> So, in my virtual lab I have the following:
>
> Windows AD with ip 172.16.5.16 ldap1.gerf02.local
> CentOS 6.3 with ip 172.16.5.32 upildap01.gerf02.local
>
> So, my configuration files are as follows:
>
> -*-*-*-*-*-*-*-*-*/etc/openldap/ldap.conf:-*-*-*-*-*-*-*-*-*-*
>
> BASE dc=gerf02,dc=local
> URI ldap://172.16.5.16 ldap://172.16.5.16:636
The second URL seems invalid, unless you managed to make your server
reply without SSL on port 636.
[..]
> So, when I execute the following, I get this message
>
> ldapsearch -x -b dc=gerf02,dc=local -D cn=Ldap Bind
> Account,dc=gerf02,dc=local -W
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
> additional info: 80090308: LdapErr: DSID-0C0903A9, comment:
> AcceptSecurityContext error, data 52e, v1db1
Which seems to be a valid AD answer. Did you manage to successfully
execute the same query against AD directly?
You should also quote the -D argument value, as it contains spaces...
--
BOFH excuse #367:
Webmasters kidnapped by evil cult.
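Two of the points raised in this thread (the ldap:// URI pointing at port 636, and the "data 52e" code that AD appends to a bind failure) can be checked mechanically before touching the server. The script below is an added example written for this thread, not code posted by either participant: it lints the URI scheme/port pairing from ldap.conf and decodes the AD sub-status code in an AcceptSecurityContext error. The sample error text is constructed to match the message quoted above; the code table is the standard AD logon sub-status list.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes a POSIX sh with sed.
#
# Corrected client usage implied by the thread (shown here, not executed):
#   ldap.conf:  URI ldap://172.16.5.16 ldaps://172.16.5.16:636
#   ldapsearch -x -b dc=gerf02,dc=local \
#       -D 'cn=Ldap Bind Account,dc=gerf02,dc=local' -W
# The -D value must be quoted because it contains spaces.

# Constructed sample of the bind failure quoted in the thread.
SAMPLE_ERR='ldap_bind: Invalid credentials (49)
    additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1'

# lint_ldap_uri URI
# ldap:// is cleartext (or StartTLS) on 389; ldaps:// is TLS-on-connect on 636.
# Flags a URI whose explicit port contradicts its scheme, as in the thread.
lint_ldap_uri() {
    uri=$1
    scheme=${uri%%://*}
    hostport=${uri#*://}
    hostport=${hostport%%/*}
    case "$hostport" in
        *:*) port=${hostport##*:} ;;
        *)   port="" ;;
    esac
    case "$scheme:$port" in
        ldap:636)       echo "mismatch: $uri (ldap:// scheme on the LDAPS port; use ldaps://)" ;;
        ldaps:389)      echo "mismatch: $uri (ldaps:// scheme on the plain LDAP port)" ;;
        ldap:*|ldaps:*) echo "ok: $uri" ;;
        *)              echo "unsupported scheme: $uri" ;;
    esac
}

# ad_bind_reason  (reads the error text on stdin)
# Extracts the hex "data NNN" field AD puts in AcceptSecurityContext errors
# and prints the documented meaning. All of these come back as LDAP result
# 49 (invalidCredentials); only the data code tells you which case it is.
ad_bind_reason() {
    code=$(sed -n 's/.*, data \([0-9a-fA-F]*\),.*/\1/p' | head -n 1)
    case "$code" in
        525) echo "525: user not found" ;;
        52e) echo "52e: logon failure (user exists, password or bind identity rejected)" ;;
        530) echo "530: logon not permitted at this time" ;;
        531) echo "531: logon not permitted from this workstation" ;;
        532) echo "532: password expired" ;;
        533) echo "533: account disabled" ;;
        701) echo "701: account expired" ;;
        773) echo "773: user must reset password" ;;
        775) echo "775: account locked out" ;;
        "")  echo "no AD data code found" ;;
        *)   echo "$code: unknown" ;;
    esac
}

# Run against the two URIs from the thread's ldap.conf and the sample error.
lint_ldap_uri ldap://172.16.5.16
lint_ldap_uri ldap://172.16.5.16:636
printf '%s\n' "$SAMPLE_ERR" | ad_bind_reason
```

Use it by pasting the "additional info" line from ldapsearch into ad_bind_reason, or each URI from ldap.conf into lint_ldap_uri. A 52e against a bind DN that works in Ldp.exe usually means the DN or password is not arriving at AD the way it was typed, which is why quoting the -D argument matters.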