Hi all,
I am trying to configure an OpenLDAP proxy to proxy searches to my 2 (two) different AD servers. I am testing/trying to log in as a domain user to an application that is configured to verify users against this proxy.
Context is:
- allowed app users from AD1 will be placed in the "AllowAPP" group on AD1, i.e. CN=AllowAPP,OU=Groups,OU=Something,DC=domain,DC=xy
- allowed app users from AD2 will be placed in the "AllowAPP" group on AD2, i.e. CN=Allow,OU=App,OU=Group,DC=domain2,DC=local
- these two groups are placed in different OUs on the two ADs (Active Directories), so special rewriting has to be done on both URIs
The problem is that I don't know how to correctly authenticate users. The app is configured to allow login only to a user who is a member of the CN=AllowAPP,OU=Groups,DC=grouped,DC=all "virtual" group. Everything works fine when I search the group membership of users with ldapsearch. I can find members of both groups by searching the virtual group mentioned above.
I suspect there is a problem with passing user credentials to one of the AD servers that I am proxying to. I am using sAMAccountName as the user login.
This is the debug search base when I am trying to log in from the app:
SRCH base="dc=grouped,dc=all" scope=2 deref=2 filter="(?SAMACCOUNTNAME=test.user)"
This is the error produced while I am trying to log in as a user:
meta_back_search[0] match="" err=1 (Operations error) text="000004DC: LdapErr: DSID-0C09075A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1"
Am I doing something wrong? Can you advise? I am probably missing something that refers to validating user credentials.
Thanks, BR, Martin
This is my configuration so far:
database        meta
suffix          "dc=grouped,dc=all"
rootdn          "cn=admin,dc=grouped,dc=all"
rootpw          "password"
readonly        yes
lastmod         off

uri             ldap://AD1/dc=grouped,dc=all
suffixmassage   "dc=grouped,dc=all" "dc=domain,dc=xy"
idassert-bind   bindmethod=simple
                binddn="CN=bind,CN=Users,dc=domain,dc=xy"
                credentials="password"
                mode=none
                flags=non-prescriptive
rewriteEngine   on
chase-referrals yes
rewriteContext  default
rewriteContext  searchBase
rewriteRule     "CN=AllowAPP,OU=Groups,DC=grouped,DC=all$" "CN=AllowAPP,OU=Groups,OU=Something,DC=domain,DC=xy" "@"

uri             ldap://AD2/dc=grouped,dc=all
suffixmassage   "dc=grouped,dc=all" "dc=domain2,dc=local"
idassert-bind   bindmethod=simple
                binddn="CN=binduser,CN=Users,dc=domain2,dc=local"
                credentials="password"
                mode=none
                flags=non-prescriptive
rewriteEngine   on
chase-referrals yes
rewriteContext  default
rewriteContext  searchBase
rewriteRule     "CN=AllowAPP,OU=Groups,DC=grouped,DC=all$" "CN=Allow,OU=App,OU=Group,DC=domain2,DC=local" "@"
openldap-technical@openldap.org
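As an added example (not part of Martin's post or of OpenLDAP itself), the following Python helper parses the two slapd debug lines quoted above into structured fields: the search base, scope and filter, any attribute type that slapd marked with a leading "?" in the logged filter (slapd prints that marker for an attribute type it cannot resolve in its own schema), and the Windows error code, DSID and comment that Active Directory embeds in the diagnostic text returned through back-meta. The regular expressions, function names and the `triage` wrapper are mine; the two sample lines are copied from the post.

```python
import re

# Sample lines copied from the post above (slapd debug output, straight quotes).
SRCH_LINE = 'SRCH base="dc=grouped,dc=all" scope=2 deref=2 filter="(?SAMACCOUNTNAME=test.user)"'
ERR_LINE = ('meta_back_search[0] match="" err=1 (Operations error) text="000004DC: LdapErr: '
            'DSID-0C09075A, comment: In order to perform this operation a successful bind '
            'must be completed on the connection., data 0, v1db1"')

# LDAP search scope values as slapd logs them.
SCOPE_NAMES = {0: "base", 1: "one", 2: "sub", 3: "children"}

_SRCH_RE = re.compile(
    r'SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d+) deref=(?P<deref>\d+) '
    r'filter="(?P<filter>.*)"$')
_META_ERR_RE = re.compile(
    r'meta_back_search\[(?P<target>\d+)\] match="(?P<match>[^"]*)" err=(?P<err>\d+) '
    r'\((?P<errname>[^)]*)\) text="(?P<text>.*)"$')
# AD diagnostic message: "<8 hex digits>: LdapErr: DSID-<hex>, comment: <text>, data <hex>, v<ver>"
_AD_DIAG_RE = re.compile(
    r'^(?P<code>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), '
    r'comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+), (?P<version>v\w+)$')
# slapd prefixes an attribute type with '?' when it is undefined in the server's schema.
_UNDEF_ATTR_RE = re.compile(r'\(\?([A-Za-z][\w.;-]*)')


def parse_search(line):
    """Parse a 'SRCH base=... filter=...' debug line; None if the line is not one."""
    m = _SRCH_RE.search(line)
    if not m:
        return None
    scope = int(m["scope"])
    return {
        "base": m["base"],
        "scope": SCOPE_NAMES.get(scope, str(scope)),
        "deref": int(m["deref"]),
        "filter": m["filter"],
        "undefined_attrs": _UNDEF_ATTR_RE.findall(m["filter"]),
    }


def parse_meta_error(line):
    """Parse a back-meta search error line, decoding the AD diagnostic text if present."""
    m = _META_ERR_RE.search(line)
    if not m:
        return None
    result = {
        "target": int(m["target"]),
        "err": int(m["err"]),
        "err_name": m["errname"],
        "text": m["text"],
        "ad_code": None,
        "ad_dsid": None,
        "ad_comment": None,
    }
    d = _AD_DIAG_RE.match(m["text"])
    if d:
        # The leading hex value is a Win32 error code; 0x000004DC is 1244, ERROR_NOT_AUTHENTICATED.
        result["ad_code"] = int(d["code"], 16)
        result["ad_dsid"] = d["dsid"]
        result["ad_comment"] = d["comment"]
    return result


def triage(lines):
    """Return human-readable findings for a list of slapd debug lines."""
    findings = []
    for line in lines:
        s = parse_search(line)
        if s:
            for attr in s["undefined_attrs"]:
                findings.append(
                    f"search on base {s['base']!r} uses attribute {attr!r}, "
                    f"which the proxy's schema does not define")
            continue
        e = parse_meta_error(line)
        if e:
            msg = f"target {e['target']} returned err={e['err']} ({e['err_name']})"
            if e["ad_code"] is not None:
                msg += f"; AD diagnostic 0x{e['ad_code']:08X}: {e['ad_comment']}"
            findings.append(msg)
    return findings


if __name__ == "__main__":
    for finding in triage([SRCH_LINE, ERR_LINE]):
        print(finding)
```

Feeding a larger slapd debug log through `triage` line by line gives one finding per undefined attribute and per failing target, which is usually enough to tell a schema problem on the proxy apart from an authentication problem reported by the backend.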