I am currently attempting to configure our OpenLDAP 2.4.26 (on SUSE Enterprise 10) server to act as a proxy to Active Directory as well as using a local database. The local database works fine but I cannot for the life of me get the ldap backend to authenticate/bind correctly to the AD ldap server. I can use ldapsearch to search AD just fine with the credentials passed as follows:
ldapsearch -x -h ldap.mydomain.com -D 'myldapuser' -w 'myldappw' -b 'dc=mydomain,dc=com' '(sAMAccountName=myusername)'
Returns all the associated data of "myusername" from AD.
Here is the section of my slapd.conf for my databases and backends. I have read several different sites on how to configure this and they all use different methods and claim it works for them. None has worked for me. I continue to get bind errors. Any guidance would be much appreciated.
database bdb
suffix dc=zlinux,dc=mydomain,dc=com
rootdn cn=admin,dc=zlinux,dc=mydomain,dc=com
rootpw myrootdnpw
directory /usr/local/openldap/var/openldap-data
index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,displayName pres,sub,eq
index memberUid,mail,givenname eq,subinitial
#
#
database ldap
suffix "dc=Company Users,dc=mydomain,dc=com"
uri ldap://ldap.mydomain.com
idassert-bind bindmethod=simple binddn="cn=myldapuser,dc=Company Service Accounts,dc=mydomain,dc=com" credentials=myldappw mode=none
idassert-authzFrom "dn.exact:cn=cn=myldapuser,dc=Company Service Accounts,dc=mydomain,dc=com"
chase-referrals no
overlay rwm
rwm-map objectclass account user
rwm-map attribute uidNumber employeeID
rwm-map attribute uid sAMAccountname
rwm-map attribute cn name
rwm-map attribute sn sn
rwm-map attribute mail mail
rwm-map attribute company company
rwm-map attribute entry entry
rwm-map attribute userPassword unicodePassword
rwm-map attribute *
Thanks
Dedrick
-----Original Message-----
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of turbo@bayour.com
Sent: Wednesday, September 28, 2011 9:50 AM
To: openldap-technical@openldap.org
Subject: Re: OpenLDAP Proxy to Active Directory
On Tue, 27 Sep 2011 09:00:25 -0400, Allen, Dedrick wrote:
> idassert-authzFrom "dn.exact:cn=cn=myldapuser,dc=Company Service
cn=cn= ... ?
I caught that and corrected it. Still no luck. The problem is when openldap attempts to connect to my AD LDAP it sends an empty bind dn no matter how I specify it in the slapd.conf. I have tried using the binddn, acl-bind and idassert-bind configuration options. It still continues to send an empty bind dn string to AD LDAP. Any way to force it to send a string no matter who or what the client is/does?
Thanks,
Dedrick
On Sep 28, 2011, at 5:13 PM, Allen, Dedrick wrote:
> it sends an empty bind dn no matter how I specify it
How about testing an empty authzFrom, just for test/debug?
idassert-authzFrom "*"
That should match anything you're supplying. If that works, you can go back and figure out why it didn't work :).
-- If something's hard to do, then it's not worth doing. - Homer Simpson
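As an added illustration (not taken from any message in this thread), here is how the ldap backend stanza could look once the cn=cn= typo is gone, with the debugging setting from the last reply and a narrower setting beside it. Hostnames, DNs and the service account are the thread's placeholders; the meaning of the idassert-bind flags follows my reading of slapd-ldap(5) and should be checked against the man page shipped with the installed version.

```conf
# Added example, not from the original thread.  Placeholder names throughout.
database        ldap
suffix          "dc=Company Users,dc=mydomain,dc=com"
uri             "ldap://ldap.mydomain.com"
chase-referrals no

# 1. Identity the proxy itself uses towards AD.  starttls=yes keeps the
#    simple-bind password off the wire in clear (the thread's ldap:// URI
#    alone would send it in plaintext).  The credentials sit in this file
#    in clear, so slapd.conf should be readable by the slapd user only.
#    flags=override (my reading of slapd-ldap(5)): assert this identity even
#    when the client itself is anonymous, which is what the thread asks for
#    when it wants a non-empty bind DN "no matter who the client is".
#    flags=non-prescriptive: clients outside authzFrom fall back to an
#    anonymous upstream bind instead of an error.
idassert-bind   bindmethod=simple
                binddn="cn=myldapuser,dc=Company Service Accounts,dc=mydomain,dc=com"
                credentials="myldappw"
                mode=none
                flags=override,non-prescriptive
                starttls=yes

# 2. Which clients may be proxied with that identity (this is where the
#    cn=cn= duplication sat).  "*" matches every client and is the
#    debugging value suggested in the thread; the commented line limits it
#    to identities from the local bdb database once the bind works.
idassert-authzFrom "*"
#idassert-authzFrom "dn.subtree:dc=zlinux,dc=mydomain,dc=com"
```

With "*" confirmed working, swap in the subtree rule and retest both an anonymous ldapsearch and one bound as a local zlinux user; the two results show whether the remaining problem is the upstream bind or the authzFrom match.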