Hi,
Martin Rubáš <mrubas@kerio.com> writes:
Hello,
[...]
Notes:
- using slapd version 2.4.15 on Ubuntu (9.04/jaunty; 64-bit; localhost)
- using Windows 2003 Server as PDC (pdc.domain.net)
- command used to query:
    ldapsearch -x -w secret -H ldap://localhost:389 \
        -D 'CN=The Root,CN=Users,DC=domain,DC=net' \
        -b 'CN=The User,CN=Users,DC=domain,DC=net' \
        -s sub -a always '(objectClass=*)'
- all used accounts (The Root, The User, The Bind & Administrator) exist in the Windows domain (AD) and have their password set to 'secret'. 'The Root' is also a member of 'Domain Admins', so it should have the same access rights as 'Administrator' (at least for AD/LDAP operations)
=== Case A ===
I started with slapd-hdb and slapo-translucent to combine data from the Active Directory repository with other data from a local DB. I finally got it working, but only when the ldapsearch command was binding with the "rootdn" from the slapd-hdb configuration. But I want to bind with the (proper) user DN to slapd (the local repository) as well as to AD (the remote one).
#======================================================================
database        hdb
suffix          "dc=domain,dc=net"
rootdn          "cn=The Root,cn=Users,dc=domain,dc=net"
rootpw          secret
directory       /var/lib/ldap/lib-trans
index           objectClass eq
index           cn eq

overlay         translucent
uri             ldap://pdc.domain.net:389
binddn          "cn=The Bind,cn=Users,dc=domain,dc=net"
bindpw          heslo
lastmod         off
chase-referrals true
rebind-as-user  true
#----------------------------------------------------------------------
If I use ldapsearch -D "cn=The Root,..." -b "cn=The User,..." then slapd binds to "cn=The Bind". That's correct, I guess... But when I use some other DN for the -D parameter then the response is "LdapErr: DSID-0C090627 ..." (I saw that one many times in the archives). It doesn't matter whether it was "cn=The User,..." or "cn=The Bind".
This error does not seem to be a slapd error, so you should check some other services in your network. The configuration parameters for the translucent overlay are incorrect; see man slapo-translucent(5) and man slapd-ldap(5). You should probably use the idassert-bind parameters.
I also tried to combine slapd-ldap with slapd-relay extended by slapo-rwm, to get something like a "domain alias" (two names for one repository).
#======================================================================
database        ldap
suffix          "dc=domain,dc=net"
uri             ldap://pdc.domain.net:389
chase-referrals yes
rebind-as-user  yes

database        relay
suffix          "dc=alias,dc=net"
relay           "dc=domain,dc=net"
overlay         rwm
rwm-suffixmassage "dc=domain,dc=net"
#----------------------------------------------------------------------
In this case I was able to get a result with the -D option set to "cn=The User,cn=Users,dc=domain,dc=net", but I got the same error while using the aliased DN "cn=The Users,cn=Users,dc=alias,dc=net".
In the first case you were querying the ldap backend, in the second case the relay backend. If a request to the relay backend failed but succeeded on the ldap backend, then something is wrong with your relay backend configuration. Debug slapd's ACL parsing to find the reason.
[...]
-Dieter
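Added example (mine, not from Martin's post or Dieter's reply): the Case A slapd.conf rewritten so that the remote side is configured through the slapd-ldap(5) idassert-bind directive Dieter points to, instead of the deprecated binddn/bindpw pair. The DNs, URI and passwords are Martin's placeholders; the choice of mode=none and the idassert-authzFrom rule are my assumptions about what his setup needs, not something the thread confirms.

```conf
# Added example, not Martin's original config. Local database holding the
# extra attributes that are merged over the Active Directory entries.
database        hdb
suffix          "dc=domain,dc=net"
rootdn          "cn=The Root,cn=Users,dc=domain,dc=net"
rootpw          secret
directory       /var/lib/ldap/lib-trans
index           objectClass eq
index           cn eq

overlay         translucent
# Everything from here on is a slapd-ldap(5) directive for the remote side.
uri             ldap://pdc.domain.net:389
lastmod         off
chase-referrals yes
rebind-as-user  yes

# The original used the deprecated pair
#   binddn  "cn=The Bind,cn=Users,dc=domain,dc=net"
#   bindpw  heslo
# which only sets the identity used for ACL lookups, not the identity the
# proxy uses for operations it forwards on behalf of a client.

# Identity the proxy uses for search/modify operations forwarded to AD on
# behalf of a client that authenticated as some other DN. The client's own
# bind is still proxied to AD unchanged, so AD does the authentication.
# mode=none (assumption): perform the forwarded operations as cn=The Bind
# itself and send no proxyAuthz control. Active Directory does not implement
# the RFC 4370 proxied authorization control, so the other modes could not
# actually assert the client's identity against it anyway.
idassert-bind   bindmethod=simple
                binddn="cn=The Bind,cn=Users,dc=domain,dc=net"
                credentials=secret
                mode=none

# Assumption: only assert on behalf of clients whose DN lies under the AD
# suffix; anything else fails instead of silently using cn=The Bind.
idassert-authzFrom "dn.subtree:dc=domain,dc=net"
```

With this configuration every search the overlay forwards to AD is performed on a connection bound as cn=The Bind, so AD no longer sees the client's identity at all. That makes cn=The Bind the effective ceiling of what any local user can read from AD: keep its rights in AD minimal and enforce per-user authorization with the hdb database's access directives on the slapd side. Separately, passing -w secret on the ldapsearch command line exposes the password to anyone who can list processes on the host; -W prompts for it instead.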