On 07/11/11 21:57 +0000, Gabriella Turek wrote:
Hello, I've set up an openLDAP server (2.4.23) which chains to an Active Directory (2008). I can successfully search for users, it will find them in Active Directory if they are not in openLDAP, but I cannot authenticate the Active Directory users. The error is "Invalid credentials (49)" Everything is currently configured with clear text ldapSearch works fine when pointed directly to the Active Directory.
The chaining configuration in the slapd.conf is:
overlay chain chain-uri ldap://aucwdfp01.niwa.local:389 chain-rebind-as-user TRUE chain-idassert-bind bindmethod="simple" binddn="cn=SDT Tester,ou=NIWA Staff Accounts,ou=User Accounts, dc=niwa,dc=local" credentials=xxxxxxx mode="self" flags=non-prescriptive chain-return-error TRUE
Does mode="none" work? If my reading of slapd-ldap(5) is correct, with any config other than 'none', slapd will attempt to assert the proxyAuthz control.
I checked our local AD server (2003) and it does not appear to support that control:
ldapsearch -LLL -x -H ldap://<AD.ip> -s "base" -b "" supportedControl dn: supportedControl: 1.2.840.113556.1.4.319 supportedControl: 1.2.840.113556.1.4.801 supportedControl: 1.2.840.113556.1.4.473 supportedControl: 1.2.840.113556.1.4.528 supportedControl: 1.2.840.113556.1.4.417 supportedControl: 1.2.840.113556.1.4.619 supportedControl: 1.2.840.113556.1.4.841 supportedControl: 1.2.840.113556.1.4.529 supportedControl: 1.2.840.113556.1.4.805 supportedControl: 1.2.840.113556.1.4.521 supportedControl: 1.2.840.113556.1.4.970 supportedControl: 1.2.840.113556.1.4.1338 supportedControl: 1.2.840.113556.1.4.474 supportedControl: 1.2.840.113556.1.4.1339 supportedControl: 1.2.840.113556.1.4.1340 supportedControl: 1.2.840.113556.1.4.1413 supportedControl: 2.16.840.1.113730.3.4.9 supportedControl: 2.16.840.1.113730.3.4.10 supportedControl: 1.2.840.113556.1.4.1504 supportedControl: 1.2.840.113556.1.4.1852 supportedControl: 1.2.840.113556.1.4.802 supportedControl: 1.2.840.113556.1.4.1907 supportedControl: 1.2.840.113556.1.4.1948
proxyAuthz control == 2.16.840.1.113730.3.4.18 (RFC 4370)