Hi all,
I am testing OpenLDAP acting as an LDAP proxy server using the meta backend. My back-end servers include AD servers and some OpenLDAP servers.
When this OpenLDAP server connects to the other OpenLDAP servers to query data, everything is okay, I get any data I desire. But when I use this server to query the AD server, the return code is always Operation Error. I debugged this process and got an error which the AD server returns to my OpenLDAP server: "errorMessage: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece", although I had configured a binddn and bindpw for my OpenLDAP server. But if I use ldapsearch to query the AD server directly and specify a username and password, everything is okay :-(. Here is a piece of my slapd.conf:
database meta
suffix "dc=abc,dc=com"
uri "ldap://10.3.0.24/dc=abc,dc=com"
binddn "cn=root,dc=abc,dc=com"
bindpw 123
suffix "dc=xyz,dc=net"
uri "ldap://10.3.0.26/dc=xyz,dc=net"
binddn "cn=openldap,cn=Users,dc=xyz,dc=net"
bindpw 123
map attribute uid sAMAccountName
map attribute cn name
map attribute mail userPrincipalName
map objectClass account user
map attribute *
Note: 10.3.0.24 is an OpenLDAP server IP and 10.3.0.26 is the AD server IP.
I used openldap@xyz.net to query data from the AD server directly and it is okay. But in this case, I got an error.
Any idea for my problem?
Thanks and best regards,
Duong Pham Tung wrote:
Any idea for my problem?
You didn't read the documentation about the usage and the purpose of binddn/bindpw.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando@sys-net.it -----------------------------------
Sorry, but if anyone can, please give me an example of slapd.conf for an OpenLDAP proxy.
I tried using idassert-bind instead of binddn/bindpw, but nothing can be finished.
Thanks and best regards,
-----Original Message----- From: Pierangelo Masarati [mailto:ando@sys-net.it] Sent: 09 February 2009 9:59 PM To: Duong Pham Tung Cc: openldap-technical@openldap.org Subject: Re: Problem when using OpenLDAP query to AD server
Duong Pham Tung wrote:
Sorry, but if anyone can, please give me an example of slapd.conf for an OpenLDAP proxy.
I tried using idassert-bind instead of binddn/bindpw, but nothing can be finished.
You didn't specify what you intend to do. First of all, you may want to read this: http://www.openldap.org/faq/data/cache/532.html.
If your intention is to proxy anonymous clients on an authenticated connection, you can use
database ldap
suffix "dc=example,dc=com"
uri "ldap://ldap.example.com"
idassert-bind bindmethod=simple
    binddn="cn=Proxy,dc=example,dc=com"
    credentials=proxy
    mode=none
idassert-authzFrom "*"
Replace the binddn and credentials fields accordingly. Beware that by doing this you're breaking security, since AD will see anonymous users as the identity you put in the binddn. So anonymous (or any user) will have the privileges of the binddn.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
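The configuration the thread converges on, written out as an added example (it is not the poster's file and not Pierangelo's snippet): a meta backend fronting the OpenLDAP target and the AD target. The binddn/bindpw lines keep the role slapd-meta(5) gives them, credentials the proxy uses for its own ACL lookups on a target, which is why they never made the AD target accept the poster's anonymous searches. The AD target gets an idassert-bind, and the one deliberate difference from the snippet above is idassert-authzFrom: instead of "*", which lets every client, anonymous included, operate as the service account, it names the subtree of users the proxy is willing to carry on that account, and the default prescriptive flag makes slapd refuse everyone else with inappropriateAuthentication. The hosts, the ou=People subtree, both passwords and the ldaps:// scheme are assumptions.

```conf
# Added example; not the configuration posted in this thread.
# Placeholders: both hosts, ou=People,dc=abc,dc=com and both passwords.
database        meta

# Target 1: the OpenLDAP server. binddn/bindpw are the credentials slapd uses
# for its own ACL lookups on this target (slapd-meta(5)); client operations are
# still forwarded under the client's own identity, so an anonymous client
# reaches the target as anonymous.
suffix          "dc=abc,dc=com"
uri             "ldap://10.3.0.24/dc=abc,dc=com"
binddn          "cn=root,dc=abc,dc=com"
bindpw          "secret1"

# Target 2: Active Directory. AD refuses anonymous searches, so operations from
# clients the proxy has already authenticated are run on a connection bound as
# the service account. mode=none asserts no identity to AD: the other modes
# send the proxied-authorization control, which AD does not support.
# ldaps:// is used because a simple bind sends the service-account password;
# also configure certificate verification for the outgoing connection.
suffix          "dc=xyz,dc=net"
uri             "ldaps://10.3.0.26/dc=xyz,dc=net"
idassert-bind   bindmethod=simple
                binddn="cn=openldap,cn=Users,dc=xyz,dc=net"
                credentials="secret2"
                mode=none
                flags=prescriptive

# Who may ride on the service account. "*" admits every client, anonymous
# included; this pattern admits only clients that bound to the proxy as an
# entry under ou=People,dc=abc,dc=com (the bind is forwarded to target 1).
# With flags=prescriptive, the default, anyone else gets
# inappropriateAuthentication instead of being silently handled anonymously.
idassert-authzFrom "dn.subtree:ou=People,dc=abc,dc=com"

# Attribute and objectClass mapping for the AD target, as in the thread.
map attribute   uid         sAMAccountName
map attribute   cn          name
map attribute   mail        userPrincipalName
map objectClass account     user
map attribute   *
```

Two checks against the proxy tell you the restriction is in force. An anonymous search, `ldapsearch -x -H ldap://proxy -b dc=xyz,dc=net '(uid=alice)'`, must come back with inappropriateAuthentication rather than AD's "successful bind must be completed" text, which would mean idassert did not apply at all. The same search bound as a user under the trusted subtree, `ldapsearch -x -H ldap://proxy -D cn=alice,ou=People,dc=abc,dc=com -W -b dc=xyz,dc=net '(uid=alice)'`, should return the AD entry with sAMAccountName shown as uid. Everything that passes the second check runs on AD with cn=openldap's rights, so keep that account read-only and scoped to the containers the proxy actually needs.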
Okay, thanks for your help. My server is running properly. I will enhance some security features for my server later.
Thanks and Best regards,
Pham Tung Duong
-----Original Message----- From: Pierangelo Masarati [mailto:ando@sys-net.it] Sent: 10 February 2009 11:41 PM To: Duong Pham Tung Cc: openldap-technical@openldap.org Subject: Re: Problem when using OpenLDAP query to AD server