Hello,

Sorry, I tried posting this yesterday but it didn't seem to make it on the list - trying again.

currently have OpenLDAP (2.4.28) running on a Linux box with a local database and a meta backend which represents the local database along with a remote Active Directory server (2008 R2).  Below is a snapshot of my slapd.conf. 

#------------------------------------------------------------

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema

loglevel -1

modulepath /usr/lib/openldap/


allow bind_v2
database        bdb
suffix              "dc=local,dc=example,dc=com"
directory        /var/lib/ldap
rootdn            "cn=root,dc=local,dc=example,dc=com"
rootpw           secret


database       meta
suffix             "dc=example,dc=com"
rootdn           "cn=root,dc=example,dc=com"
rootpw          secret

## Local
uri                   ldap://localhost/ou=Users,dc=local,dc=example,dc=com
idassert-bind   bindmethod=simple binddn="cn=root,dc=local,dc=example,dc=com" credentials=secret


##Remote Active Directory
uri                 ldap://ad.example.com/cn=Users,dc=example,dc=com
idassert-bind bindmethod=simple
                    binddn="cn=sync,cn=users,dc=example,dc=com"
                    credentials=secret
#                   tls_cacert=/etc/openldap/cacerts/ad-ca.cer
#                   tls_cert=/etc/openldap/local.pem
#                   tls_key=/etc/openldap/local.key

#----------------------------------------------------------- 

When I run the following command:

ldapsearch -x -D "cn=root, dc=example,dc=com" -w secret -b " dc=example,dc=com "  -H ldap://localhost 

Everything works as expected with the above config , meaning I see the  local and remote/proxied entries on AD  with the root credentials specified above. Logs on AD indicate that a user sync preformed a search.  As I understand, id-assertion is working??

Now if I  change the remote  entry to the following (enable ssl):

##Remote Active Directory
uri                 ldaps://ad.example.com/cn=Users,dc=example,dc=com
idassert-bind bindmethod=simple
                    binddn="cn=sync,cn=users,dc=example,dc=com"
                    credentials=secret
                    tls_cacert=/etc/openldap/cacerts/ad-ca.cer
                    tls_cert=/etc/openldap/local.pem
                    tls_key=/etc/openldap/local.key


The same command (ldapsearch -x -D "cn=root, dc=example,dc=com" -w secret -b " dc=example,dc=com "  -H ldap://localhost) binds locally successfully but does not list any remote attributes from AD.
Verbose logging enabled on Active Directory indicates an anonymous bind and subsequent failure.  This is what I'm trying to understand.

However, if I search using an account that resides on the AD server (-D " cn=sync,cn=users,dc=example,dc=com" -w secret)  it works and the traffic is encrypted.  The root account "seems" to be ignored when it comes to the assertion butonly when ssl is enabled.

Now, if I use TLS instead, 

##Remote Active Directory
uri                 ldap://ad.example.com/cn=Users,dc=example,dc=com
tls                 start
idassert-bind bindmethod=simple
                    binddn="cn=sync,cn=users,dc=example,dc=com"
                    credentials=secret
                    tls_cacert=/etc/openldap/cacerts/ad-ca.cer
                    tls_cert=/etc/openldap/local.pem
                    tls_key=/etc/openldap/local.key


Everything works, and I see the remote entries in AD using the meta root credentials. I've verified the network traffic to ensure it was indeed encrypted.  I've also verified that using ldapsearch directly  (ex: -H ldaps://ad.exmaple.com) to AD and it also functions as intended.  I did play around with slapd-ldap and it seemed behave the same as meta regarding ldaps. In my eyes, something in my configuration makes the proxy seemingly ignore ldaps entries.  Hopefully I didn't miss anything painfully obvious in the docs :)

Thanks,