Hi all -
Thanks in advance. I know this topic has been discussed at length but
I'm fairly new to it and haven't been able to find enough information
to get my implementation working. I've been piecing together bits and
pieces of what seems like the correct parameters, but I've had no
luck... and now that I've resorted to guessing, I'd like to ask for
So here's what I'm trying to achieve:
One OpenLDAP server that will A) proxy for a backend AD server and B)
maintain a local database for users that are not in AD. The AD system
will be used for internal/corp users while the local db will be used
for external/3rd party people. The AD system has _some_ of the unix
schema attributes, but not all so I will be doing some rewriting on
the openldap server. The linux workstations will use the single
openldap server and will only be used by internal users and we also
have some websites that are for internal/external users.
For the time being, I'm just working on part A - proxy requests for
these Linux workstations to the backend AD server and get the proper
mapping figured out.
My present problem is that my OpenLDAP server is connecting
anonymously to the AD server and that's no good because that's not
allowed. I have an AD service account defined for the OpenLDAP server
connections, and have configured the correct values for the
'idassert-bind' directive (see below). Performing a manual ldapsearch
works fine when I define the same parameters on the command line, but
slapd isn't using the correct parameters it seems. Below are the
config files, etc for each component... I hope this helps.
./ldapsearch -vvv -H ldap://corp-ad.mascorp.com
-s sub -D "cn=agis-ldap,ou=service
I've compiled and installed BDB v4.8 and OpenLDAP v2.4.23 from source.
Here's how I configured OpenLDAP:
--enable-crypt=yes --enable-rewrite=yes --enable-bdb=yes
--enable-hdb=yes --enable-ldap=mod --enable-meta=mod
--enable-monitor=yes --enable-relay=mod --enable-overlays=yes
--with-cyrus-sasl --with-threads=posix --with-tls=openssl
This is the client configuration on the Linux workstation:
This is the server config on the OpenLDAP server:
acl-bind bindmethod=simple binddn="cn=agis-ldap,ou=service
idassert-bind bindmethod=simple binddn="cn=agis-ldap,ou=service
rwm-map attribute uid sAMAccountName
rwm-map attribute homeDirectory unixHomeDirectory
rwm-map attribute cn cn
rwm-map attribute displayName displayName
rwm-map attribute givenName givenName
rwm-map attribute sn sn
rwm-map attribute mail mail
rwm-map attribute userPassword objectGUID
rwm-map attribute *
rwm-map objectclass posixAccount organizationalPerson
rwm-map objectclass inetOrgPerson user
access to dn.subtree="dc=mascorp,dc=com"
by * read
# Pertinent logs from ldap2.4.log
Jan 20 00:13:57 sso slapd: do_bind: v3 anonymous bind
Jan 20 00:13:57 sso slapd: ==> limits_get: conn=1000 op=1
Jan 20 00:13:57 sso slapd: send_ldap_result: err=1 matched="" text="00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece"
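The log above shows AD rejecting a search that the proxy forwarded on an anonymous connection (err=1, "a successful bind must be completed"). Below is an added example, not the poster's file and not taken from the OpenLDAP project, of a complete back-ldap stanza in slapd.conf that binds to AD as the service account for every proxied operation, including operations from clients that never bound to the proxy. It assumes the slapd-ldap(5) semantics that identity assertion is only applied to local identities matched by idassert-authzFrom, and that mode=none makes the proxy bind as the configured DN without sending a proxied-authorization control (AD does not implement that control). The OU of the service account, its password, the CA file path, the module path and the workstation subnet are placeholders invented for the example; the suffix, AD host and service-account CN come from the post.

```conf
# Added example slapd.conf fragment (not the original poster's configuration).
# Placeholders: SERVICE-OU, SERVICE-ACCOUNT-PASSWORD, /etc/openldap/ad-ca.pem,
# /usr/local/libexec/openldap and 10.20.30.0/24 are invented for this example.

modulepath      /usr/local/libexec/openldap
moduleload      back_ldap.la        # built with --enable-ldap=mod
# rwm was built in with --enable-overlays=yes, so no moduleload is needed for it

database        ldap
suffix          "dc=mascorp,dc=com"
uri             "ldap://corp-ad.mascorp.com"
protocol-version 3

# A simple bind sends the service-account password in the clear. Upgrade the
# connection with StartTLS and verify AD's certificate before authenticating
# (or use an ldaps:// URI if AD only offers TLS on 636).
tls             start tls_cacert=/etc/openldap/ad-ca.pem tls_reqcert=demand

# AD hands out referrals to its other naming contexts; do not follow them.
chase-referrals no

# Identity the proxy uses for its own lookups (e.g. ACL evaluation).
acl-bind        bindmethod=simple
                binddn="cn=agis-ldap,ou=SERVICE-OU,dc=mascorp,dc=com"
                credentials="SERVICE-ACCOUNT-PASSWORD"

# Let every local identity, anonymous workstation clients included, use
# identity assertion; without a matching rule the request goes out as-is
# (i.e. anonymously), which is the symptom in the log above.
idassert-authzFrom "dn:*"

# Identity used towards AD on behalf of clients. mode=none: bind as this DN
# and do not attach a proxied-authorization control, which AD does not support.
idassert-bind   bindmethod=simple
                binddn="cn=agis-ldap,ou=SERVICE-OU,dc=mascorp,dc=com"
                credentials="SERVICE-ACCOUNT-PASSWORD"
                mode=none

# Schema rewriting for the Linux clients (same maps as the post; add the rest).
overlay         rwm
rwm-map         attribute uid sAMAccountName
rwm-map         attribute homeDirectory unixHomeDirectory
rwm-map         attribute *

# The proxy now exposes AD content under the service account's rights, so do
# not grant read to every anonymous peer; limit it to the workstation network.
access to dn.subtree="dc=mascorp,dc=com"
        by peername.ip=10.20.30.0%255.255.255.0 read
        by * none
```

Because slapd.conf now holds the service-account password, keep the file readable only by the slapd user (mode 0600 or 0640 owned by that account), and after restarting check the slapd log for the AD connection: with the stanza above the "do_bind: v3 anonymous bind" entry should be replaced by a bind as the agis-ldap DN, and the DSID-0C090627 error should no longer appear.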