Hi All,
First off, I am a beginner with OpenLDAP, so please bear with me as I try to explain what I am trying to achieve.
1) There are 2 Active Directory servers that I need to connect to. Both of these are NOT under my control. We shall call them AD1 and AD2 here.
2) I can connect to AD1 via testsaslauthd using both simple bind and saslbind using DIGEST-MD5.
2a) For simple bind, I know of an adminstrative read-only account that I use to perform the initial LDAP bind request in order to allow an LDAP searchRequest to authenticate any user with AD1. Below is a sample /etc/saslauthd.conf ( ldap_bind_dn and ldap_bind_pw altered slightly to protect the identity )
################################################################### #/etc/saslauthd.conf ldap_servers: ldap://172.21.128.49:3268 ldap_default_domain: ad1.priv ldap_search_base: DC=ad1,DC=priv ldap_bind_dn: CN=administrativero,OU=Service_Accounts,DC=ad1,DC=priv ldap_bind_pw: readonly ldap_deref: never ldap_restart: yes ldap_scope: sub ldap_use_sasl: no ldap_start_tls: no ldap_version: 3 ldap_auth_method: bind ldap_filter: sAMAccountName=%u ldap_password_attr: userPassword ldap_timeout: 10 ldap_cache_ttl: 30 ldap_cache_mem: 32768 #########################################################################
$ testsaslauthd -u salvojo -p mypassword 0: OK "Success."
... and what was captured by tshark ( I included port 53 for DNS queries as it was essential for finding out why digest-uri was only IP addresses instead of the hostname later on ):
$ sudo tshark -i any port 3268 or port 53 or port 389 <...time elapsed .. snipped..> 81336.300597 172.21.17.193 -> 172.21.128.49 TCP 76 44477 > msft-gc [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=50014473 TSecr=0 WS=128 81336.301498 172.21.128.49 -> 172.21.17.193 TCP 80 msft-gc > 44477 [SYN, ACK] Seq=0 Ack=1 Win=64512 Len=0 MSS=1460 WS=1 TSval=0 TSecr=0 SACK_PERM=1 81336.301626 172.21.17.193 -> 172.21.128.49 TCP 68 44477 > msft-gc [ACK] Seq=1 Ack=1 Win=14720 Len=0 TSval=50014474 TSecr=0 81336.301840 172.21.17.193 -> 172.21.128.49 LDAP 141 bindRequest(1) "CN=administrativero,OU=Service_Accounts,DC=ad1,DC=priv" simple 81336.304464 172.21.128.49 -> 172.21.17.193 LDAP 90 bindResponse(1) success 81336.304559 172.21.17.193 -> 172.21.128.49 TCP 68 44477 > msft-gc [ACK] Seq=74 Ack=23 Win=14720 Len=0 TSval=50014474 TSecr=5446546 81336.304930 172.21.17.193 -> 172.21.128.49 LDAP 139 searchRequest(2) "DC=ad1,DC=priv" wholeSubtree 81336.305702 172.21.128.49 -> 172.21.17.193 LDAP 175 searchResEntry(2) "CN=John Salvo,OU=Users,OU=_Windows7 Pilot Group,DC=ad1,DC=priv" | searchResDone(2) success 81336.305972 172.21.17.193 -> 172.21.128.49 LDAP 154 bindRequest(3) "CN=John Salvo,OU=Users,OU=_Windows7 Pilot Group,DC=ad1,DC=priv" simple 81336.308982 172.21.128.49 -> 172.21.17.193 LDAP 90 bindResponse(3) success 81336.349661 172.21.17.193 -> 172.21.128.49 TCP 68 44477 > msft-gc [ACK] Seq=231 Ack=152 Win=14720 Len=0 TSval=50014486 TSecr=5446547
2b) For saslbind using DIGEST-MD5, I have no need for the administrative read-only account, as shown below by my /etc/saslauthd.conf: ( saslauthd was restarted in each case when saslauthd.conf was changed )
################################################################### #/etc/saslauthd.conf ldap_servers: ldap://172.21.128.49:3268 ldap_deref: never ldap_restart: yes ldap_scope: sub ldap_use_sasl: yes ldap_mech: DIGEST-MD5 ldap_start_tls: no ldap_version: 3 ldap_timeout: 10 ldap_cache_ttl: 30 ldap_cache_mem: 32768 #########################################################################
$ testsaslauthd -u salvojo -p mypassword 0: OK "Success."
$ sudo tshark -i any port 3268 or port 53 or port 389 <...time elapsed .. snipped..> 7.488292 172.21.17.193 -> 172.21.128.49 TCP 76 44478 > msft-gc [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=50082984 TSecr=0 WS=128 7.489163 172.21.128.49 -> 172.21.17.193 TCP 80 msft-gc > 44478 [SYN, ACK] Seq=0 Ack=1 Win=64512 Len=0 MSS=1460 WS=1 TSval=0 TSecr=0 SACK_PERM=1 7.489258 172.21.17.193 -> 172.21.128.49 TCP 68 44478 > msft-gc [ACK] Seq=1 Ack=1 Win=14720 Len=0 TSval=50082985 TSecr=0 7.489757 172.21.17.193 -> 172.21.10.24 DNS 88 Standard query PTR 49.128.21.172.in-addr.arpa 7.490577 172.21.10.24 -> 172.21.17.193 DNS 120 Standard query response PTR aassydc01.ad1.priv 7.492610 172.21.17.193 -> 172.21.128.49 LDAP 94 bindRequest(1) "<ROOT>" sasl 7.493828 172.21.128.49 -> 172.21.17.193 LDAP 326 bindResponse(1) saslBindInProgress 7.493928 172.21.17.193 -> 172.21.128.49 TCP 68 44478 > msft-gc [ACK] Seq=27 Ack=259 Win=15744 Len=0 TSval=50082986 TSecr=5449287 7.494828 172.21.17.193 -> 172.21.128.49 LDAP 442 bindRequest(2) "<ROOT>" sasl 7.498503 172.21.128.49 -> 172.21.17.193 LDAP 132 bindResponse(2) success 7.536572 172.21.17.193 -> 172.21.128.49 TCP 68 44478 > msft-gc [ACK] Seq=401 Ack=323 Win=15744 Len=0 TSval=50082997 TSecr=5449287
All good so far with simple bind and saslauthd to AD1.
3) I can only connect to AD2, the second active directory server, via testsaslauthd using only sasl bind.
That is because I do not know of an adminstrative read-only account in AD2 that I can use to perform the initial LDAP bindRequest in order to allow an LDAP searchRequest. Here is the /etc/saslauthd.conf for saslbind to AD2:
################################################################### #/etc/saslauthd.conf # Your AD server adress # NOTE: This will only work IFF there is also a reverse DNS entry for this A record # Otherwise, the digest-uri in the LDAP SASL bind request will only contain the IP address instead of the hostname # which will result in "The digest-uri does not match any LDAP SPN's registered for this server" ldap_servers: ldap://ad2idcdc11.au.ad2.corp:3268 ldap_deref: never ldap_restart: yes ldap_scope: sub ldap_start_tls: no ldap_version: 3 ldap_use_sasl: yes ldap_mech: DIGEST-MD5 ldap_timeout: 10 ldap_cache_ttl: 30 ldap_cache_mem: 32768 #EOF #########################################################################
$ testsaslauthd -u anotheruser -p otherpassword 0: OK "Success."
$ sudo tshark -i any port 3268 or port 53 or port 389 <...time elapsed .. snipped..> 321.883648 172.21.17.193 -> 10.3.90.55 TCP 76 49226 > msft-gc [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=50161583 TSecr=0 WS=128 321.884343 10.3.90.55 -> 172.21.17.193 TCP 80 msft-gc > 49226 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 WS=1 TSval=0 TSecr=0 SACK_PERM=1 321.884541 172.21.17.193 -> 10.3.90.55 TCP 68 49226 > msft-gc [ACK] Seq=1 Ack=1 Win=14720 Len=0 TSval=50161583 TSecr=0 321.886323 172.21.17.193 -> 10.3.90.55 LDAP 94 bindRequest(1) "<ROOT>" sasl 321.887247 10.3.90.55 -> 172.21.17.193 LDAP 329 bindResponse(1) saslBindInProgress 321.887336 172.21.17.193 -> 10.3.90.55 TCP 68 49226 > msft-gc [ACK] Seq=27 Ack=262 Win=15744 Len=0 TSval=50161584 TSecr=65953794 321.888296 172.21.17.193 -> 10.3.90.55 LDAP 447 bindRequest(2) "<ROOT>" sasl 321.892567 10.3.90.55 -> 172.21.17.193 LDAP 132 bindResponse(2) success 321.933533 172.21.17.193 -> 10.3.90.55 TCP 68 49226 > msft-gc [ACK] Seq=406 Ack=326 Win=15744 Len=0 TSval=50161596 TSecr=65953794
4) I am using SASL because I currently have Subversion 1.8 configured to use SASL to authenticate users to AD1, but currently using simple bind. I will be changing this later on so that saslauthd will use sasl bind to AD1.
$ cat /etc/sasl2/svn.conf pwcheck_method: saslauthd mech_list: PLAIN
----------------------------------------------------- Now here is what I am trying to achieve with OpenLDAP:
I am using slapd.conf. I am also using the meta backend, as my instance of OpenLDAP will not really have its own LDAP database as I intended to use OpenLDAP for pass-through authentication.
5) I am able to use OpenLDAP as a proxy to AD1 for pass-through authentication via the meta backend, but only if OpenLDAP is configured to use simplebind to AD1. That is: testsaslauthd ( simple bind ) -> OpenLDAP ( simple bind ) -> AD1.
Here is my /etc/ldap/slapd.conf:
######################################################################### include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args loglevel stats modulepath /usr/lib/ldap moduleload back_meta.so moduleload back_ldap.so sizelimit 500 tool-threads 1 backend meta database meta access to * by * read suffix "dc=ad1,dc=priv" uri ldap://172.21.128.49:3268/dc=ad1,dc=priv chase-referrals no lastmod off protocol-version 3 #########################################################################
.. and here is my /etc/saslauthd.conf for this specific test: ( The only difference between this and [2a] is the ldap_servers entry, which now points to OpenLDAP, and the ldap_filter, which now has an OR condition )
################################################################### #/etc/saslauthd.conf # # Your AD server adress ldap_servers: ldap://127.0.0.1:389 ldap_default_domain: ad1.priv ldap_search_base: DC=ad1,DC=priv ldap_bind_dn: CN=administrativero,OU=Service_Accounts,DC=ad1,DC=priv ldap_bind_pw: readonly ldap_deref: never ldap_restart: yes ldap_scope: sub ldap_use_sasl: no ldap_start_tls: no ldap_version: 3 ldap_auth_method: bind ldap_filter: (|(uid=%U)(sAMAccountName=%U)) ldap_password_attr: userPassword ldap_timeout: 10 ldap_cache_ttl: 30 ldap_cache_mem: 32768 #EOF #########################################################################
$ testsaslauthd -u salvojo -p mypassword 0: OK "Success."
$ sudo tshark -i any port 3268 or port 53 or port 389 <...time elapsed .. snipped..> 1310.330189 127.0.0.1 -> 127.0.0.1 TCP 76 50279 > ldap [SYN] Seq=0 Win=32792 Len=0 MSS=16396 SACK_PERM=1 TSval=50408695 TSecr=0 WS=128 1310.330234 127.0.0.1 -> 127.0.0.1 TCP 76 ldap > 50279 [SYN, ACK] Seq=0 Ack=1 Win=32768 Len=0 MSS=16396 SACK_PERM=1 TSval=50408695 TSecr=50408695 WS=128 1310.330262 127.0.0.1 -> 127.0.0.1 TCP 68 50279 > ldap [ACK] Seq=1 Ack=1 Win=32896 Len=0 TSval=50408695 TSecr=50408695 1310.330612 127.0.0.1 -> 127.0.0.1 LDAP 141 bindRequest(1) "CN=administrativero,OU=Service_Accounts,DC=ad1,DC=priv" simple 1310.330640 127.0.0.1 -> 127.0.0.1 TCP 68 ldap > 50279 [ACK] Seq=1 Ack=74 Win=32768 Len=0 TSval=50408695 TSecr=50408695 1310.331106 172.21.17.193 -> 172.21.128.49 TCP 76 44485 > msft-gc [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=50408695 TSecr=0 WS=128 1310.332041 172.21.128.49 -> 172.21.17.193 TCP 80 msft-gc > 44485 [SYN, ACK] Seq=0 Ack=1 Win=64512 Len=0 MSS=1460 WS=1 TSval=0 TSecr=0 SACK_PERM=1 1310.332129 172.21.17.193 -> 172.21.128.49 TCP 68 44485 > msft-gc [ACK] Seq=1 Ack=1 Win=14720 Len=0 TSval=50408695 TSecr=0 1310.332239 172.21.17.193 -> 172.21.128.49 LDAP 141 bindRequest(1) "cn=administrativero,ou=Service_Accounts,dc=ad1,dc=priv" simple 1310.335445 172.21.128.49 -> 172.21.17.193 LDAP 90 bindResponse(1) success 1310.335575 172.21.17.193 -> 172.21.128.49 TCP 68 44485 > msft-gc [ACK] Seq=74 Ack=23 Win=14720 Len=0 TSval=50408696 TSecr=5462316 1310.336554 127.0.0.1 -> 127.0.0.1 LDAP 82 bindResponse(1) success 1310.336634 127.0.0.1 -> 127.0.0.1 TCP 68 50279 > ldap [ACK] Seq=74 Ack=15 Win=32896 Len=0 TSval=50408697 TSecr=50408697 1310.336863 127.0.0.1 -> 127.0.0.1 LDAP 157 searchRequest(2) "DC=ad1,DC=priv" wholeSubtree 1310.337809 172.21.17.193 -> 172.21.128.49 LDAP 157 searchRequest(2) "dc=ad1,dc=priv" wholeSubtree 1310.339277 172.21.128.49 -> 172.21.17.193 LDAP 175 searchResEntry(2) "CN=John Salvo,OU=Users,OU=_Windows7 Pilot Group,DC=ad1,DC=priv" | searchResDone(2) success 1310.339581 127.0.0.1 -> 127.0.0.1 LDAP 141 searchResEntry(2) "cn=John Salvo,ou=Users,ou=_Windows7 Pilot Group,dc=ad1,dc=priv" 1310.339871 127.0.0.1 -> 127.0.0.1 LDAP 82 searchResDone(2) success 1310.339966 127.0.0.1 -> 127.0.0.1 TCP 68 50279 > ldap [ACK] Seq=163 Ack=102 Win=32896 Len=0 TSval=50408697 TSecr=50408697 1310.340053 127.0.0.1 -> 127.0.0.1 LDAP 154 bindRequest(3) "cn=John Salvo,ou=Users,ou=_Windows7 Pilot Group,dc=ad1,dc=priv" simple 1310.340698 172.21.17.193 -> 172.21.128.49 TCP 76 44486 > msft-gc [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=50408698 TSecr=0 WS=128 1310.341883 172.21.128.49 -> 172.21.17.193 TCP 80 msft-gc > 44486 [SYN, ACK] Seq=0 Ack=1 Win=64512 Len=0 MSS=1460 WS=1 TSval=0 TSecr=0 SACK_PERM=1 1310.341977 172.21.17.193 -> 172.21.128.49 TCP 68 44486 > msft-gc [ACK] Seq=1 Ack=1 Win=14720 Len=0 TSval=50408698 TSecr=0 1310.342157 172.21.17.193 -> 172.21.128.49 LDAP 154 bindRequest(1) "cn=John Salvo,ou=Users,ou=_Windows7 Pilot Group,dc=ad1,dc=priv" simple 1310.345643 172.21.128.49 -> 172.21.17.193 LDAP 90 bindResponse(1) success 1310.345733 172.21.17.193 -> 172.21.128.49 TCP 68 44486 > msft-gc [ACK] Seq=87 Ack=23 Win=14720 Len=0 TSval=50408699 TSecr=5462316 1310.346198 127.0.0.1 -> 127.0.0.1 LDAP 82 bindResponse(3) success 1310.377558 172.21.17.193 -> 172.21.128.49 TCP 68 44485 > msft-gc [ACK] Seq=163 Ack=130 Win=14720 Len=0 TSval=50408707 TSecr=5462316 1310.384549 127.0.0.1 -> 127.0.0.1 TCP 68 50279 > ldap [ACK] Seq=249 Ack=116 Win=32896 Len=0 TSval=50408709 TSecr=50408699
You can see from the above that: * The initial administrative simple bind to OpenLDAP was delegated by OpenLDAP to AD1. * The searchRequest to OpenLDAp was delegated by OpenLDAP to AD1. * The second bindRequest ( that is authenticating the user that I specified with testsaslauthd ) to OpenLDAP was delegated by OpenLDAP to AD1.
That is, on all 3 cases above, OpenLDAP only returned success back to testsaslauthd only if AD1 only returned success. So far so good.
6) I am unable to use ... or rather confused on how to use .. OpenLDAP as a proxy to AD1 so that OpenLDAP will use sasl bind to AD1.
This is where I am stuck. Here is my /etc/saslauthd.conf for this test: The only difference between this and saslauthd.conf in [2b] is the ldap_servers entry, which is now pointing to OpenLDAP.
################################################################### #/etc/saslauthd.conf # # Your AD server adress ldap_servers: ldap://127.0.0.1:389 ldap_deref: never ldap_restart: yes ldap_scope: sub ldap_use_sasl: yes ldap_mech: DIGEST-MD5 ldap_start_tls: no ldap_version: 3 ldap_timeout: 10 ldap_cache_ttl: 30 ldap_cache_mem: 32768 #EOF #########################################################################
Here is my /etc/ldap/slapd.conf for this test: ( The only difference between this file and the slapd.conf file in [5] is the addition of the idassert-bind line )
######################################################################### include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args loglevel stats modulepath /usr/lib/ldap moduleload back_meta.so moduleload back_ldap.so sizelimit 500 tool-threads 1 backend meta database meta access to * by * read suffix "dc=ad1,dc=priv" uri ldap://172.21.128.49:3268/dc=ad1,dc=priv chase-referrals no lastmod off protocol-version 3 idassert-bind bindmethod=sasl saslmech=DIGEST-MD5 mode=none #########################################################################
$ testsaslauthd -u salvojo -p mypassword 0: NO "authentication failed"
$ sudo tshark -i any port 3268 or port 53 or port 389 <...time elapsed .. snipped..> 401.111261 127.0.0.1 -> 127.0.0.1 TCP 76 50299 > ldap [SYN] Seq=0 Win=32792 Len=0 MSS=16396 SACK_PERM=1 TSval=51388330 TSecr=0 WS=128 401.111304 127.0.0.1 -> 127.0.0.1 TCP 76 ldap > 50299 [SYN, ACK] Seq=0 Ack=1 Win=32768 Len=0 MSS=16396 SACK_PERM=1 TSval=51388330 TSecr=51388330 WS=128 401.111332 127.0.0.1 -> 127.0.0.1 TCP 68 50299 > ldap [ACK] Seq=1 Ack=1 Win=32896 Len=0 TSval=51388330 TSecr=51388330 401.113332 127.0.0.1 -> 127.0.0.1 LDAP 94 bindRequest(1) "<ROOT>" sasl 401.113419 127.0.0.1 -> 127.0.0.1 TCP 68 ldap > 50299 [ACK] Seq=1 Ack=27 Win=32768 Len=0 TSval=51388330 TSecr=51388330 401.113806 127.0.0.1 -> 127.0.0.1 LDAP 304 bindResponse(1) saslBindInProgress (SASL(0): successful result: ) 401.114023 127.0.0.1 -> 127.0.0.1 TCP 68 50299 > ldap [ACK] Seq=27 Ack=237 Win=32768 Len=0 TSval=51388331 TSecr=51388330 401.114362 127.0.0.1 -> 127.0.0.1 LDAP 393 bindRequest(2) "<ROOT>" sasl 401.114671 127.0.0.1 -> 127.0.0.1 LDAP 130 bindResponse(2) invalidCredentials (SASL(-13): user not found: no secret in database) 401.153939 127.0.0.1 -> 127.0.0.1 TCP 68 50299 > ldap [ACK] Seq=352 Ack=299 Win=32768 Len=0 TSval=51388341 TSecr=51388331
As you can see from the above tshark, OpenLDAP did not even try to communicate at all to AD1 ! What should I have in slapd.conf ? Maybe the problem is that, I am using testsaslauthd, which uses saslauthd to connect to OpenLDAP, but also need OpenLDAP to use saslauthd to AD1 ( e.g. It is using the same saslauthd daemon ) ?
I also read about at ( Section 14.5 ):
http://www.openldap.org/doc/admin24/security.html ... about setting the userPassword attribute to something of the form:
userPassword: {SASL}user@realm ... but:
*) I am using a meta backend, and thus I have no internal users, so I cannot set the userPassword attribute .... or is this saying that I need a "copy" of the DN name of the users from AD1 to my local OpenLDAP ?
It also says:
"Since OpenLDAP 2.0 slapd has had the ability to delegate password verification to a separate **PROCESS** ( emphasis mine ). This uses the sasl_checkpass(3) function so it can use any back-end server that Cyrus SASL supports for checking passwords." .. but:
*) How was OpenLDAP able to delegate password verification in the simple-bind proxy as I have demonstrated above WITHOUT going through a separate proccess but going straight through a TCP/IP connection ? *) Is the statement saying that OpenLDAP will use saslauthd to connect to a remote LDAP/AD ? If so, since I am using testsaslauthd and I am already using saslauthd to connect to OpenLDAP, and saslauthd.conf is configured to point to the local OpenLDAP, does this mean I need another instance of saslauthd with its own unix socket and its own saslauthd.conf ? If so, what's the point of having the uri in slapd.conf when the separate instance of saslauthd.conf will have its own entry of the remote ldap / AD1 anyway ?
Anyway, as you can see .. I am confused on how to do item [6] above. All I really need to happen is ( from a tcp capture / wireshark perspective ), something like ( similar to the simple bind PTA ):
127.0.0.1 -> 127.0.0.1 TCP 76 44478 > msft-gc [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=50082984 TSecr=0 WS=128 127.0.0.1 -> 127.0.0.1 TCP 80 msft-gc > 44478 [SYN, ACK] Seq=0 Ack=1 Win=64512 Len=0 MSS=1460 WS=1 TSval=0 TSecr=0 SACK_PERM=1 127.0.0.1 -> 127.0.0.1 TCP 68 44478 > msft-gc [ACK] Seq=1 Ack=1 Win=14720 Len=0 TSval=50082985 TSecr=0 127.0.0.1 -> 127.0.0.1 LDAP 94 bindRequest(1) "<ROOT>" sasl 172.21.17.193 -> 172.21.128.49 TCP 76 44478 > msft-gc [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=50082984 TSecr=0 WS=128 172.21.128.49 -> 172.21.17.193 TCP 80 msft-gc > 44478 [SYN, ACK] Seq=0 Ack=1 Win=64512 Len=0 MSS=1460 WS=1 TSval=0 TSecr=0 SACK_PERM=1 172.21.17.193 -> 172.21.128.49 TCP 68 44478 > msft-gc [ACK] Seq=1 Ack=1 Win=14720 Len=0 TSval=50082985 TSecr=0 172.21.17.193 -> 172.21.128.49 LDAP 94 bindRequest(1) "<ROOT>" sasl 172.21.128.49 -> 172.21.17.193 LDAP 326 bindResponse(1) saslBindInProgress 172.21.17.193 -> 172.21.128.49 TCP 68 44478 > msft-gc [ACK] Seq=27 Ack=259 Win=15744 Len=0 TSval=50082986 TSecr=5449287 127.0.0.1 -> 127.0.0.1 LDAP 326 bindResponse(1) saslBindInProgress 127.0.0.1 -> 127.0.0.1 TCP 68 44478 > msft-gc [ACK] Seq=27 Ack=259 Win=15744 Len=0 TSval=50082986 TSecr=5449287 127.0.0.1 -> 127.0.0.1 LDAP 442 bindRequest(2) "<ROOT>" sasl 172.21.17.193 -> 172.21.128.49 LDAP 442 bindRequest(2) "<ROOT>" sasl 172.21.128.49 -> 172.21.17.193 LDAP 132 bindResponse(2) success 172.21.17.193 -> 172.21.128.49 TCP 68 44478 > msft-gc [ACK] Seq=401 Ack=323 Win=15744 Len=0 TSval=50082997 TSecr=5449287 127.0.0.1 -> 127.0.0.1 LDAP 132 bindResponse(2) success 127.0.0.1 -> 127.0.0.1 TCP 68 44478 > msft-gc [ACK] Seq=401 Ack=323 Win=15744 Len=0 TSval=50082997 TSecr=5449287
7) If I can find out how to do item [6] above with help from this list, then I will try to do the same for AD2.
8) The end goal therefore is to use OpenLDAP as a dumb proxy that will authenticate users to either AD1 or AD2.
Any help / hints appreciated,
Jesus Salvo