So I've made *some* progress. I created a new user in AD, and used this new account to bind with. And, using simple authentication and password prompting, my search worked correctly:
ldapsearch -Hldap://dim-win2300.dacrib.local -tt -x -D "ldap-proxy@dacrib.local" -b "dc=dacrib,dc=local" -W -L "(objectClass=user)" dn
However, I can't seem to get it to work, if I don't specify the ID and password to bind with:
---------------------------- ldapsearch -v -x -Hldap://dim-win2300.dacrib.local "(objectClass=user)" sAMAccountName
ldap_initialize( ldap://dim-win2300.dacrib.local:389/??base ) filter: (objectClass=user) requesting: sAMAccountName # extended LDIF # # LDAPv3 # base <dc=DaCrib,dc=local> (default) with scope subtree # filter: (objectClass=user) # requesting: sAMAccountName #
# search result search: 2 result: 1 Operations error text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
# numResponses: 1 --------------------------
I thought perhaps the problem was that SASL was interferring, so I tried to turn it off in ldap.conf, but that didn't seem to work.
As an aside, where does ldap.conf live, in Ubuntu 9.04? I have 2, one in /etc and one in /etc/ldap. And I don't know which one (if either) is being read ... is there any way to tell which one is in use?
------------------- host 10.0.0.60 base dc=DaCrib,dc=local
#binddn CN=ldap-proxy,CN=Users,DC=DaCrib,DC=local binddn ldap-proxy@dacrib.local bindpw XXXXXXXX
use_sasl off SASL_SECPROPS none SSL no
# The distinguished name to bind to the server with # if the effective user ID is root. Password is # stored in /etc/ldap.secret (mode 600) # rootbinddn cn=Administrator,dc=dacrib,dc=local
# RFC 2307 (AD) mappings # <to> <from> nss_map_attribute userPassword sambaPassword nss_map_attribute gecos name nss_map_attribute uid unixName nss_map_attribute shadowLastChange pwdLastSet nss_map_objectclass posixGroup group pam_filter objectclass=User pam_password crypt
nss_initgroups_ignoreusers avahi,backup,bin,daemon,dhcp,dovecot,festival,games,gnats,haldaemon,hplip,irc,klog,li buuid,list,lp,mail,man,messagebus,mysql,news,polkituser,postfix,proxy,root,saned,sshd,sync,sys,syslog,uucp,www-d ata -----------------------
Anyone? I feel I am close, but can't figure out why doing it interactively from the command line binds and searches, and relying on the ldap.conf to supply that information does not ...
Thanks
openldap-technical@openldap.org