Hi all,
I would like to use the proxy features (and as soon as this works for me also some kind of rewriting / mapping) with openldap 2.4.25:
./configure --prefix=/scratch/openldap \
    --with-tls=openssl \
    --enable-meta \
    --enable-ldap \
    --enable-rewrite \
    --enable-rwm \
    --enable-bdb \
    --enable-overlays \
    --enable-perl \
    --enable-shell
make install...
I can access one LDAP backend via ldap:, but not the other (Active Directory) via ldaps:
What works fine is
1. ldapsearch for LDAP-Tree-1 / Server-1:
=========================================

Direct access to LDAP server:
-----------------------------
ldapsearch -x -H ldap://ldap-server-1 -b 'ou=OU1,o=desy,c=de' '(mail=*)' | fgrep num
# numResponses: 7
# numEntries: 6

and using the proxy:
-----------------------------
ldapsearch -x -H ldap://ldap-proxy -b 'ou=OU1,o=desy,c=de' '(mail=*)' | fgrep num
# numResponses: 7
# numEntries: 6

(This tree is rather small.)
what is not working is
2. ldapsearch for Active-Directory / Server-2:
==============================================

Direct access to AD server:
-----------------------------
ldapsearch -x -H ldaps://domain-controller \
    -D CN=accountname,OU=...,OU=...,OU=...,DC=desy,DC=de \
    -W \
    -b 'ou=ou1,...,dc=desy,dc=de' \
    '(samaccountname=testuser)' | fgrep num
Enter LDAP Password:
# numResponses: 2
# numEntries: 1

Doing the same via the proxy fails:
-----------------------------------
ldapsearch -x -H ldap://ldap-proxy -b 'ou=...,...,dc=desy,dc=de'
# extended LDIF
#
# LDAPv3
# base <ou=...,...,dc=desy,dc=de> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 48 Inappropriate authentication

# numResponses: 1
I would like to understand why this fails.
slapd.conf is like this:
----------

include         /scratch/openldap/etc/openldap/schema/core.schema
include         /scratch/openldap/etc/openldap/schema/cosine.schema
include         /scratch/openldap/etc/openldap/schema/inetorgperson.schema

idletimeout     120

pidfile         /scratch/openldap/var/run/slapd.pid
argsfile        /scratch/openldap/var/run/slapd.args

# -- 1st LDAP backend, the one which works, see 1. above
database        ldap
uri             ldap://ldap-server-1:portnumber/
suffix          "ou=ouA,o=desy,c=de"

# -- 2nd LDAP/Active-Directory backend, the one which fails
database        ldap
suffix          "ou=OU1,...,dc=desy,dc=de"
uri             ldaps://domain-controller/
acl-bind        bindmethod=simple
                binddn="CN=...,DC=desy,DC=de"
                credentials=TopSecret
idassert-bind   bindmethod=simple
                binddn="CN=...,DC=desy,DC=de"
                credentials=TopSecret
                mode=none
                tls_cacertdir=/etc/pki/tls/certs
                tls_reqcert=never
                tls_crlcheck=none
idle-timeout    1800
rebind-as-user  yes

# -- just to make sure for now that I will see everything
access to * by * read

# === END OF SLAPD.CONF ===
When I strace slapd with "-e trace=file -f", I cannot see any file in tls_cacertdir being read, but I would have expected that.

Any directions on what I should be looking for now?
Kind regards, Dirk
--
Dirk Jahnke-Zumbusch
Deutsches Elektronen-Synchrotron DESY
IT Information Fabrics
Member of the Helmholtz Association
D-22603 Hamburg
Notkestrasse 85 / 22607 Hamburg
T: +49-40-899.81760
F: +49-40-899.41760
dirk.jahnke-zumbusch@desy.de
openldap-technical@openldap.org