Hello list, I've been trying to set up a translucent proxy to display a modified version of our ActiveDirectory (Server 2003) to Linux clients. The ultimate goal is to be able to transparently add UID, default shell etc. parameters missing in AD by default. Usage of Services for Unix is not possible this time because of "company policies". Config file is like this:
# Default realm
sasl-realm company.com

# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
loglevel 504

# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_hdb
moduleload back_ldap
moduleload accesslog
moduleload translucent

# The maximum number of entries that is returned for a search operation
sizelimit 500

# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1

backend hdb
database hdb

# The base of your directory in database #1
suffix "dc=company,dc=com"

# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn "cn=admin,dc=company,dc=com"
rootpw {SSHA}blaablaa

# Where the database file are physically stored for database #1
directory "/var/lib/ldap"

# Indexing options for database #1
index objectClass eq

# Save the time that the entry gets modified, for database #1
lastmod off

overlay translucent
uri ldap://ad1.company.com:389
acl-bind binddn="CN=ldapuser,OU=tools,DC=company,DC=com" credentials="verysecure"
Now, if I do a search with rootdn cn=admin,dc=company,dc=com, proxy binds to AD as ldapuser and search is successful. But, if I use a user existing in AD only, for example like this:
ldapsearch -x -W -D "CN=Some User,OU=Users,DC=company,DC=com" -b "CN=Some User,OU=Users,DC=company,DC=com"
I get:
# extended LDIF
#
# LDAPv3
# base <CN=Some User,OU=Users,DC=company,DC=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece

# numResponses: 1
I monitored the traffic using wireshark, and from there I can see that binding is actually successful. What fails is the search request after that:
0.000361 10.65.31.26 -> 10.65.26.34 LDAP bindRequest(1) "cn=Some User,ou=Users,dc=company,dc=com" simple
0.002285 10.65.26.34 -> 10.65.31.26 LDAP bindResponse(1) success
0.002297 10.65.31.26 -> 10.65.26.34 TCP 43898 > ldap [ACK] Seq=79 Ack=23 Win=5888 Len=0 TSV=67497094 TSER=69277767
0.003840 10.65.31.26 -> 10.65.26.34 LDAP searchRequest(4) "Some User,ou=Users,dc=company,dc=com" wholeSubtree
0.004067 10.65.26.34 -> 10.65.31.26 LDAP searchResDone(4) operationsError (00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece)
OpenLDAP version is the one with Debian Lenny: slapd/lenny uptodate 2.4.11-1
Any suggestions on how to continue? Is this some AD related quirk or possibly a problem related to how OpenLDAP does binding?
Regards, Petteri Heinonen
openldap-technical@openldap.org
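As an added diagnostic (not part of the original post), the script below walks the tshark-style summary lines quoted above, pairs each LDAP request with its response by message id, and records which DN the client side was bound as at the moment each request went out. The capture lines are transcribed from the post and embedded inline; everything else is assumed.

```python
import re

# Capture lines transcribed from the post above (tshark-style summaries).
CAPTURE = """\
0.000361 10.65.31.26 -> 10.65.26.34 LDAP bindRequest(1) "cn=Some User,ou=Users,dc=company,dc=com" simple
0.002285 10.65.26.34 -> 10.65.31.26 LDAP bindResponse(1) success
0.002297 10.65.31.26 -> 10.65.26.34 TCP 43898 > ldap [ACK] Seq=79 Ack=23 Win=5888 Len=0
0.003840 10.65.31.26 -> 10.65.26.34 LDAP searchRequest(4) "Some User,ou=Users,dc=company,dc=com" wholeSubtree
0.004067 10.65.26.34 -> 10.65.31.26 LDAP searchResDone(4) operationsError (00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece)
"""

LDAP_LINE = re.compile(r"^(?P<t>[\d.]+) (?P<src>\S+) -> (?P<dst>\S+) LDAP "
                       r"(?P<op>\w+)\((?P<id>\d+)\)\s*(?P<rest>.*)$")

def trace_bind_state(text):
    """One record per LDAP request, in capture order: the DN the client was
    bound as when it sent it (None = not yet bound) and the result code of the
    matching response. Paired by (client IP, server IP, msgid): the summary
    lines have no TCP ports, so two connections between the same hosts merge."""
    bound = {}      # (client, server) -> DN of the last successful bind
    pending = {}    # (client, server, msgid) -> index into records
    records = []
    for raw in text.splitlines():
        m = LDAP_LINE.match(raw)
        if not m:
            continue                      # bare TCP segments carry no LDAP PDU
        op, mid, rest = m["op"], int(m["id"]), m["rest"]
        if op.endswith("Request"):        # client -> server
            key = (m["src"], m["dst"])
            dn = re.search(r'"([^"]*)"', rest)
            records.append({"id": mid, "op": op, "dn": dn.group(1) if dn else None,
                            "bound_as": bound.get(key), "result": None})
            pending[key + (mid,)] = len(records) - 1
        else:                             # server -> client
            if op.endswith(("Entry", "Reference")):
                continue                  # intermediate search results, no result code
            key = (m["dst"], m["src"])
            idx = pending.pop(key + (mid,), None)
            if idx is None:
                continue                  # response to a request not in the capture
            result = rest.split(" ", 1)[0]
            records[idx]["result"] = result
            if records[idx]["op"] == "bindRequest":
                bound[key] = records[idx]["dn"] if result == "success" else None
    return records

if __name__ == "__main__":
    for r in trace_bind_state(CAPTURE):
        print(f'msgid {r["id"]} {r["op"]} sent bound as {r["bound_as"]!r} -> {r["result"]}')
```

On this capture it reports the searchRequest (msgid 4) as sent while bound as cn=Some User,ou=Users,dc=company,dc=com and still answered with operationsError. Because the summary lines carry no TCP ports the script keys on IP pair only, so a second proxy-to-AD connection would be indistinguishable here; check in Wireshark that the bind and the search share one tcp.stream before ruling that out.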