Hello list, I've been trying to set up a translucent proxy to display a modified
version of our ActiveDirectory (Server 2003) to Linux clients. The ultimate goal is to be
able to transparently add UID, default shell, etc. parameters that are missing in AD by default.
Using Services for Unix is not possible this time because of "company
policies". The config file is like this:
# Default realm
sasl-realm company.com
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args
# Read slapd.conf(5) for possible values
loglevel 504
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_hdb
moduleload back_ldap
moduleload accesslog
moduleload translucent
# The maximum number of entries that is returned for a search operation
sizelimit 500
# The tool-threads parameter sets the actual number of CPUs that is used
# for indexing.
tool-threads 1
backend hdb
database hdb
# The base of your directory in database #1
suffix "dc=company,dc=com"
# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn "cn=admin,dc=company,dc=com"
rootpw {SSHA}blaablaa
# Where the database files are physically stored for database #1
directory "/var/lib/ldap"
# Indexing options for database #1
index objectClass eq
# Save the time that the entry gets modified, for database #1
lastmod off
# Translucent overlay on top of the local hdb: attributes stored locally (UID,
# shell, ...) are merged over the entries fetched from AD through back_ldap
overlay translucent
# Remote server, and the identity the proxy uses on AD for its own
# (access-control) lookups
uri ldap://ad1.company.com:389
acl-bind binddn="CN=ldapuser,OU=tools,DC=company,DC=com" credentials="verysecure"
Now, if I do a search with the rootdn cn=admin,dc=company,dc=com, the proxy binds to AD as
ldapuser and the search is successful. But if I use a user that exists in AD only, for example
like this:
ldapsearch -x -W -D "CN=Some User,OU=Users,DC=company,DC=com" -b "CN=Some User,OU=Users,DC=company,DC=com"
I get:
# extended LDIF
#
# LDAPv3
# base <CN=Some User,OU=Users,DC=company,DC=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
# numResponses: 1
I monitored the traffic using Wireshark, and from there I can see that the bind is actually
successful. What fails is the search request after it:
0.000361 10.65.31.26 -> 10.65.26.34 LDAP bindRequest(1) "cn=Some User,ou=Users,dc=company,dc=com" simple
0.002285 10.65.26.34 -> 10.65.31.26 LDAP bindResponse(1) success
0.002297 10.65.31.26 -> 10.65.26.34 TCP 43898 > ldap [ACK] Seq=79 Ack=23 Win=5888 Len=0 TSV=67497094 TSER=69277767
0.003840 10.65.31.26 -> 10.65.26.34 LDAP searchRequest(4) "Some User,ou=Users,dc=company,dc=com" wholeSubtree
0.004067 10.65.26.34 -> 10.65.31.26 LDAP searchResDone(4) operationsError (00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece)
OpenLDAP version is the one with Debian Lenny: slapd/lenny uptodate 2.4.11-1
Any suggestions on how to continue? Is this some AD-related quirk, or possibly a problem
related to how OpenLDAP does the binding?
Regards, Petteri Heinonen
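Added example (not part of Petteri's post, and not OpenLDAP or Wireshark code): a dependency-free Python LDAPv3 client that does exactly what the capture above shows, a simple bind followed by a subtree search on the same TCP connection, and reports the result code and diagnostic text of each step. Run it once against the proxy and once directly against ad1.company.com with the same user DN: if the direct run returns result code 0 for the search while the proxied run returns 1 with the DSID-0C090627 text, the bind state is not surviving the hop between the proxy and AD, which answers the "AD quirk or OpenLDAP binding" question without guessing. The hostnames and DNs are placeholders taken from the post; the BER encoder covers only the bind, search and unbind operations used here.

```python
"""Minimal LDAPv3 simple-bind + search client, hand-encoded BER (no python-ldap).
Added example; hosts/DNs are assumptions from the mailing-list post."""
import getpass
import socket
import sys

# --- BER encoding (only what bind/search/unbind need) ---

def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(v):
    """Non-negative INTEGER; the extra leading zero keeps it positive in two's complement."""
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def ber_str(s):
    return tlv(0x04, s.encode("utf-8"))

def ldap_message(msg_id, op):
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE {...} }"""
    return tlv(0x30, ber_int(msg_id) + op)

def bind_request(msg_id, dn, password):
    """BindRequest [APPLICATION 0]: version 3, name, simple [0] password."""
    body = ber_int(3) + ber_str(dn) + tlv(0x80, password.encode("utf-8"))
    return ldap_message(msg_id, tlv(0x60, body))

def search_request(msg_id, base, scope=2, attrs=()):
    """SearchRequest [APPLICATION 3] with filter (objectClass=*), i.e. present [7]."""
    body = (ber_str(base)
            + tlv(0x0A, bytes([scope]))   # scope ENUMERATED (2 = wholeSubtree)
            + tlv(0x0A, b"\x00")          # derefAliases neverDerefAliases
            + ber_int(0) + ber_int(0)     # sizeLimit, timeLimit (server defaults)
            + tlv(0x01, b"\x00")          # typesOnly FALSE
            + tlv(0x87, b"objectClass")   # filter: present objectClass
            + tlv(0x30, b"".join(ber_str(a) for a in attrs)))
    return ldap_message(msg_id, tlv(0x63, body))

UNBIND_REQUEST = ldap_message(3, b"\x42\x00")   # UnbindRequest [APPLICATION 2] NULL

# --- BER decoding ---

def ber_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_result(msg):
    """Return (messageID, opTag, resultCode, diagnosticMessage).
    resultCode/diagnostic are None for ops without an LDAPResult (SearchResultEntry 0x64)."""
    _, body, _ = ber_read(msg)
    _, mid, pos = ber_read(body)
    op_tag, op, _ = ber_read(body, pos)
    msg_id = int.from_bytes(mid, "big")
    if op_tag not in (0x61, 0x65):            # BindResponse, SearchResultDone
        return msg_id, op_tag, None, None
    _, rc, pos = ber_read(op)                 # resultCode ENUMERATED
    _, _matched, pos = ber_read(op, pos)      # matchedDN
    _, diag, _ = ber_read(op, pos)            # diagnosticMessage (AD puts the DSID text here)
    return msg_id, op_tag, int.from_bytes(rc, "big"), diag.decode("utf-8", "replace")

# --- wire I/O ---

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf

def read_message(sock):
    """Read one complete BER-framed LDAPMessage."""
    head = recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        more = recv_exact(sock, length & 0x7F)
        head, length = head + more, int.from_bytes(more, "big")
    return head + recv_exact(sock, length)

def bind_then_search(host, dn, password, port=389, timeout=10):
    """Bind as dn, then search dn's subtree on the SAME connection (as in the capture).
    Returns [('bind', rc, diag), ('search', rc, diag), ('entries', count, '')]."""
    steps = []
    with socket.create_connection((host, port), timeout) as s:
        s.sendall(bind_request(1, dn, password))
        _, _, rc, diag = parse_result(read_message(s))
        steps.append(("bind", rc, diag))
        if rc == 0:
            s.sendall(search_request(2, dn, scope=2, attrs=("objectClass",)))
            entries = 0
            while True:
                _, tag, rc, diag = parse_result(read_message(s))
                if tag == 0x65:
                    break
                entries += 1
            steps += [("search", rc, diag), ("entries", entries, "")]
        s.sendall(UNBIND_REQUEST)
    return steps

if __name__ == "__main__":
    # usage: python ldapcheck.py <proxy-or-ad-host> "<bind DN>"   (password is prompted)
    host, dn = sys.argv[1], sys.argv[2]
    for step in bind_then_search(host, dn, getpass.getpass("Password: ")):
        print(step)
```

Like the ldapsearch -x in the post, this is a cleartext simple bind on port 389, so the user's AD password crosses the wire unprotected on every run; keep it to the trusted network segment used for the capture, and prefer an ldaps or STARTTLS path for anything permanent.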