OK, I'll try again. I am using OpenLDAP 2.4.23 on a RHEL6 server and trying to configure OpenLDAP to do simple user/password authentication to our Microsoft AD servers. I can authenticate and do command-line LDAP searches with my Windows test account and password OK. However, in trying to follow examples from the openldap.org website I cannot get it to work using the OpenLDAP config files. All I get from the AD servers then are the anonymous bind results.
If anyone has an actual working configuration, I would really appreciate info on how they did it. I am under a typical last minute deadline to get this going.
I am including the latest slapd.conf iteration (there have been many :() for review.
Thanks for any help/advice you might have.
John.
-----------------------------------------------------------------------------------------------
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/misc.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Sample security restrictions
#     Require integrity protection (prevent hijacking)
#     Require 112-bit (3DES or better) encryption for updates
#     Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#     Root DSE: allow anyone to read it
#     Subschema (sub)entry DSE: allow anyone to read it
#     Other DSEs:
#         Allow self write access
#         Allow authenticated users read access
#         Allow anonymous users to authenticate
#     Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#     by self write
#     by users read
#     by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

###TLSCipherSuite HIGH:MEDIUM:+SSLv2
#TLSCACertificateFile /usr/var/openldap-data/cacert.pem
# will do TLS after basic authentication working.
TLSVerifyClient never

sizelimit unlimited

#######################################################################
# BDB database definitions
#######################################################################

database bdb
suffix "dc=corp,dc=ad,dc=parc,dc=com"
rootdn "cn=Manager,dc=corp,dc=ad,dc=parc,dc=com"

# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}EwrR01/GdI4+sdOVzZcK6Y94QbIXIw0j
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
###sizelimit unlimited
directory /var/lib/ldap
# Indices to maintain
index objectClass eq
### debug logging
loglevel -1
moduleload translucent
overlay translucent
moduleload rwm
overlay rwm
uri ldap://blowfish.corp.ad.parc.com
lastmod off
# idassert-bind bindmethod=simple binddn="cn=ldapusr,OU=Pseudo_User_Accounts,OU=PARC_Users,DC=corp,DC=ad,DC=parc,DC=com" credentials=XXX authzID=dn:cn=ldapusr,OU=Pseudo_User_Accounts,OU=PARC_Users,DC=corp,DC=ad,DC=parc,DC=com

rwm-map objectclass * *
rwm-map attribute * *
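A configuration like the one above proxies user binds (and, with idassert-bind, a service account's credentials) to the AD server, so the settings that decide whether those passwords cross the wire in the clear, and who can read the proxy, deserve a check before the file goes into production. The following is an added example, not code from this thread or from the OpenLDAP project: a small slapd.conf parser that honours comment lines and whitespace continuation lines (the way idassert-bind is usually written), plus a linter that flags the weak settings from the layout above. The two sample configs are constructed; the directive names are real slapd.conf(5) and slapd-ldap(5) keywords, while every host name, DN, password and certificate path is a placeholder.

```python
"""Lint a slapd.conf for settings that matter when slapd proxies binds to a
remote directory through back-ldap or the translucent overlay.

Added example, not from the thread. WEAK and HARDENED below are constructed
samples: real directive keywords, placeholder hosts, DNs and secrets."""


def parse_slapd_conf(text):
    """Return a list of (keyword, args) pairs.

    slapd.conf(5): lines starting with '#' are comments, and a line that
    starts with whitespace continues the previous directive."""
    directives = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and directives:
            kw, args = directives[-1]
            directives[-1] = (kw, (args + " " + raw.strip()).strip())
            continue
        parts = raw.strip().split(None, 1)
        directives.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return directives


def remote_uses_tls(directives):
    """True if the proxied connection is ldaps:// or back-ldap's 'tls start'."""
    for kw, args in directives:
        if kw == "uri" and any(u.startswith("ldaps://") for u in args.split()):
            return True
        if kw == "tls" and args.split()[:1] in (["start"], ["try-start"]):
            return True
    return False


def lint(text):
    """Return a list of human-readable findings for the given slapd.conf text."""
    d = parse_slapd_conf(text)
    kws = {kw for kw, _ in d}
    tls = remote_uses_tls(d)
    findings = []
    if "uri" in kws and not tls:
        findings.append("remote uri is plain ldap:// without 'tls start': proxied "
                        "user binds (passwords) cross the network in cleartext")
    if any(kw == "idassert-bind" and "credentials=" in a for kw, a in d) and not tls:
        findings.append("idassert-bind: service-account credentials sent in cleartext")
    if "security" not in kws:
        findings.append("no 'security' directive: clients may simple-bind to this "
                        "proxy with no encryption (ssf=0)")
    if any(kw == "loglevel" and a.strip() in ("-1", "any") for kw, a in d):
        findings.append("loglevel -1: full debug logging, revert after troubleshooting")
    if "access" not in kws:
        findings.append("no 'access' rules: default policy lets anyone read everything")
    if any(kw == "rootpw" and not a.startswith("{") for kw, a in d):
        findings.append("rootpw stored in cleartext, hash it with slappasswd(8)")
    return findings


# Constructed sample modelled on the thread's layout (placeholder names).
WEAK = """\
include /etc/openldap/schema/core.schema
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
directory /var/lib/ldap
loglevel -1
moduleload translucent
overlay translucent
uri ldap://ad.example.com
lastmod off
idassert-bind bindmethod=simple
    binddn="cn=proxy,ou=Service Accounts,dc=example,dc=com"
    credentials=hunter2
    authzID="dn:cn=proxy,ou=Service Accounts,dc=example,dc=com"
"""

# Same layout with the weak settings corrected (constructed, placeholder paths).
HARDENED = """\
include /etc/openldap/schema/core.schema
security ssf=128
TLSCACertificateFile /etc/openldap/certs/ca.pem
TLSCertificateFile /etc/openldap/certs/slapd.pem
TLSCertificateKeyFile /etc/openldap/certs/slapd.key
access to * by self write by users read by anonymous auth
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw {SSHA}placeholder-hash-from-slappasswd
directory /var/lib/ldap
loglevel stats
moduleload translucent
overlay translucent
uri ldap://ad.example.com
tls start tls_reqcert=demand tls_cacert=/etc/openldap/certs/ca.pem
lastmod off
idassert-bind bindmethod=simple
    binddn="cn=proxy,ou=Service Accounts,dc=example,dc=com"
    credentials=hunter2
    authzID="dn:cn=proxy,ou=Service Accounts,dc=example,dc=com"
"""

if __name__ == "__main__":
    for name, conf in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(f"{name}: {len(lint(conf))} finding(s)")
        for f in lint(conf):
            print("  -", f)
```

Running the script reports six findings for WEAK and none for HARDENED. The checks are deliberately narrow: the parser only knows the continuation rule and comment rule, and the TLS test accepts either an ldaps:// URI or a `tls start` directive on the back-ldap side; anything more elaborate (checking that `security` is also set per database, or that the CA file exists) would be the next step.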