On Tue, Apr 27, 2010 at 3:43 PM, repudi8or repu <repudi8or@gmail.com> wrote:
Thanks for the response Masarati,
 
I have setup with mode=self, but still the same error.
 
Maybe im having a conceptual issue here. What i am trying to do is ensure the backend functions prior to looking at the configuring the frontend correctly. I am configuring the solaris openldap slapd with back-ldap and pcache and am expecting to be able to simulate a fronted authentication process using ldapsearch to the solaris openldap proxy. The backend ldap service is AD @ backendldap.core.dir.mycompany.com. the proxy box i will refer to as openldapproxy  (openldapproxy.core.dir.mycompany.com)"
 
my database ldap section now looks like this :-
backendldap.core.dir.mycompany.com"

database ldap
uri "ldap://backendldap.core.dir.mycompany.com"
suffix "ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com"
rootdn "dc=core,dc=dir,dc=mycompany,dc=com"
idassert-bind bindmethod=simple binddn="cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com" credentials="password" mode=self
 
i am testing by running ldapsearch on the openldapproxy host itself in the following manner :-
# /usr/local/bin/ldapsearch -x -h localhost -b ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com employeeID=12345678
 
the proxied bind goes out to the backend AD as i have shown in the below discussion. The response returned is :-
# filter: employeeID=12345678
# requesting: ALL
#
# search result
search: 2
result: 48 Inappropriate authentication
# numResponses: 1

Running slapd in diag mode i see the following in the debug output :-
do_bind: v3 anonymous bind
connection_get(11)
connection_get(11): got connid=1014
connection_read(11): checking for input on id=1014
ber_get_next
ber_get_next: tag 0x30 len 105 contents:
op tag 0x63, time 1272346583
ber_get_next
conn=1014 op=1 do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com>
=> ldap_bv2dn(ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com,0)
<= ldap_bv2dn(ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(ou=people,ou=eprofile,dc=core,dc=dir,dc=mycompany,dc=com)=0
<<< dnPrettyNormal: <ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com>, <ou=people,ou=eprofile,dc=core,dc=dir,dc=mycompany,dc=com>
SRCH "ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com" 2 0    0 0 0
ber_scanf fmt ({mm}) ber:
    filter: (?=undefined)
ber_scanf fmt ({M}}) ber:
    attrs:
==> limits_get: conn=1014 op=1 self="[anonymous]" this="ou=people,ou=eprofile,dc=core,dc=dir,dc=telstra,dc=com"
send_ldap_result: conn=1014 op=1 p=3
send_ldap_result: err=48 matched="" text=""
send_ldap_response: msgid=2 tag=101 err=48
Note the anonymous bind, I need this to be a simply authenticated bind using the idassert binddn and credentials
Note the "self="[anonymous]"............... I was expecting that it should have been self=[USERID_THAT_RAN_THE_LDAPSEARCH]
 
Regards Rep
On Tue, Apr 27, 2010 at 1:55 PM, <masarati@aero.polimi.it> wrote:
>  Hi Folks,
>
> I am having troubles configuring openladp to my requirements.
>
> I am setting up an openldap server running on solaris 10 x86 to use as
> a ldap proxy authentication server.
>
> My issue is that i cant get it to send authenticated simple binds to the
> backend ldap system. I am running wireshark and when i ldapsearch direct
> to
> the backend ldap i see a bind which looks like this :-
> Lightweight-Directory-Access-Protocol
>     LDAPMessage bindRequest(1)
> "cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com" simple
>         messageID: 1
>         protocolOp: bindRequest (0)
>             bindRequest
>                 version: 3
>                 name:
> cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com
>                 authentication: simple (0)
>                     simple: 384174656C73747261316732
>
> However when i initiate an ldapsearch to my local solaris slapd and
> capture
> the proxied backldap bind to the backend ldap system it looks like this :-
> Lightweight-Directory-Access-Protocol
>     LDAPMessage bindRequest(1) "<ROOT>" simple
>         messageID: 1
>         protocolOp: bindRequest (0)
>             bindRequest
>                 version: 3
>                 name:
>                 authentication: simple (0)
>                     simple: <MISSING>
>
> I am having trouble working out from the documentation if it should be
> acl-bind or idassert-bind or some other option which influences the
> backend
> bind. I have tried both those to no avail.
> Here is the "database ldap" section from my slapd.conf
>
> #######################################################################
> # ldap database definitions
> #######################################################################
> database ldap
> uri "ldap://backendldap.core.dir.mycompany.com"
> suffix "ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com"
> rootdn "dc=core,dc=dir,dc=mycompany,dc=com"
> acl-bind bindmethod=simple
> binddn="cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com"
> credentials="password"
> idassert-bind bindmethod=simple
> binddn="cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com"
> credentials="password"

The relevant directive is "idassert-bind", since you appear to be looking
for an identity assertion.  I hope what you posted was screwed up by the
mailer: continuation lines must start with whitespace.  What is missing
above is the "mode=self" parameter to "idassert-bind".  Try something like

idassert-bind bindmethod=simple
   binddn="cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com"
   credentials="password"
   mode=self

p.

> overlay pcache
> proxycache bdb 400 1 50 1200
> directory       /var/openldap-data
> cachesize 10000
> index cn,sn,uid pres,eq,sub
> index objectclass eq
>
> proxycachequeries 400
> proxyattrset 0 uid mail cn sn givenName
> proxytemplate (uid=) 0 600
> proxytemplate (mail=) 0 600
> proxytemplate (&(uid=)(mail=)) 0 600
>
> Any help would be greatly appreciated
>
> Regards Rep
>