Hello, One thing that stopped working since I introduced the new directives which fixed the authentication problem is being able to peruse the directories using Apache Directory Studio. I can still see the AD branches but when I try to look at them I get an error which in the server logs is reported as
res_errno: 1, res_error: <000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1>, res_matched: <> ldap_free_request (origid 2, msgid 2)
So I must still be missing something in my configuration. Thanx Gaby
On 09/11/11 19:34 +0000, Gabriella Turek wrote:
Hi Dan,
The way I got it to work (by pure chance mind you , I just happened on a blog entry somewhere) was to add this entry to the slapd.config file:
# Configure slapd-ldap back end to connect to AD database ldap suffix "ou=user accounts,dc=niwa,dc=local" subordinate rebind-as-user uri "ldap://aucwdfp01.niwa.local:389" chase-referrals yes
Nowhere in any documentation did I see this mentioned, and yet it worked immediately, So I don't know what to think. Gaby
On 10/11/11 6:37 AM, "Dan White" dwhite@olp.net wrote:
On 07/11/11 21:57 +0000, Gabriella Turek wrote:
Hello, I've set up an openLDAP server (2.4.23) which chains to an Active Directory (2008). I can successfully search for users, it will find them in Active Directory if they are not in openLDAP, but I cannot authenticate the Active Directory users. The error is "Invalid credentials (49)" Everything is currently configured with clear text ldapSearch works fine when pointed directly to the Active Directory.
The chaining configuration in the slapd.conf is:
overlay chain chain-uri ldap://aucwdfp01.niwa.local:389 chain-rebind-as-user TRUE chain-idassert-bind bindmethod="simple" binddn="cn=SDT Tester,ou=NIWA Staff Accounts,ou=User Accounts, dc=niwa,dc=local" credentials=xxxxxxx mode="self" flags=non-prescriptive chain-return-error TRUE
Does mode="none" work? If my reading of slapd-ldap(5) is correct, with any config other than 'none', slapd will attempt to assert the proxyAuthz control.
I checked our local AD server (2003) and it does not appear to support that control:
ldapsearch -LLL -x -H ldap://<AD.ip> -s "base" -b "" supportedControl dn: supportedControl: 1.2.840.113556.1.4.319 supportedControl: 1.2.840.113556.1.4.801 supportedControl: 1.2.840.113556.1.4.473 supportedControl: 1.2.840.113556.1.4.528 supportedControl: 1.2.840.113556.1.4.417 supportedControl: 1.2.840.113556.1.4.619 supportedControl: 1.2.840.113556.1.4.841 supportedControl: 1.2.840.113556.1.4.529 supportedControl: 1.2.840.113556.1.4.805 supportedControl: 1.2.840.113556.1.4.521 supportedControl: 1.2.840.113556.1.4.970 supportedControl: 1.2.840.113556.1.4.1338 supportedControl: 1.2.840.113556.1.4.474 supportedControl: 1.2.840.113556.1.4.1339 supportedControl: 1.2.840.113556.1.4.1340 supportedControl: 1.2.840.113556.1.4.1413 supportedControl: 2.16.840.1.113730.3.4.9 supportedControl: 2.16.840.1.113730.3.4.10 supportedControl: 1.2.840.113556.1.4.1504 supportedControl: 1.2.840.113556.1.4.1852 supportedControl: 1.2.840.113556.1.4.802 supportedControl: 1.2.840.113556.1.4.1907 supportedControl: 1.2.840.113556.1.4.1948
proxyAuthz control == 2.16.840.1.113730.3.4.18 (RFC 4370)
-- Dan White
-- Dan White BTC Broadband Ph 918.366.0248 (direct) main: (918)366-8000 Fax 918.366.6610 email: dwhite@olp.net http://www.btcbroadband.com
openldap-technical@openldap.org
-
Gabriella Turek