On Tue, Apr 27, 2010 at 3:43 PM, repudi8or repu repudi8or@gmail.com wrote:
Thanks for the response Masarati,

I have set up with mode=self, but still the same error.

Maybe I'm having a conceptual issue here. What I am trying to do is ensure the backend functions prior to looking at configuring the frontend correctly. I am configuring the Solaris OpenLDAP slapd with back-ldap and pcache and am expecting to be able to simulate a frontend authentication process using ldapsearch to the Solaris OpenLDAP proxy. The backend LDAP service is AD @ backendldap.core.dir.mycompany.com. The proxy box I will refer to as openldapproxy (openldapproxy.core.dir.mycompany.com).

My database ldap section now looks like this:-

    database ldap
    uri "ldap://backendldap.core.dir.mycompany.com"
    suffix "ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com"
    rootdn "dc=core,dc=dir,dc=mycompany,dc=com"
    idassert-bind bindmethod=simple
        binddn="cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com"
        credentials="password"
        mode=self

I am testing by running ldapsearch on the openldapproxy host itself in the following manner:-

    # /usr/local/bin/ldapsearch -x -h localhost -b ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com employeeID=12345678

The proxied bind goes out to the backend AD as I have shown in the below discussion. The response returned is:-

    # filter: employeeID=12345678
    # requesting: ALL
    #

    # search result
    search: 2
    result: 48 Inappropriate authentication

    # numResponses: 1

Running slapd in diag mode I see the following in the debug output:-

    do_bind: v3 anonymous bind
    connection_get(11)
    connection_get(11): got connid=1014
    connection_read(11): checking for input on id=1014
    ber_get_next
    ber_get_next: tag 0x30 len 105 contents:
    op tag 0x63, time 1272346583
    ber_get_next
    conn=1014 op=1 do_search
    ber_scanf fmt ({miiiib) ber:
    >>> dnPrettyNormal: <ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com>
    => ldap_bv2dn(ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com,0)
    <= ldap_bv2dn(ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com)=0
    => ldap_dn2bv(272)
    <= ldap_dn2bv(ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com)=0
    => ldap_dn2bv(272)
    <= ldap_dn2bv(ou=people,ou=eprofile,dc=core,dc=dir,dc=mycompany,dc=com)=0
    <<< dnPrettyNormal: <ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com>, <ou=people,ou=eprofile,dc=core,dc=dir,dc=mycompany,dc=com>
    SRCH "ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com" 2 0 0 0 0
    ber_scanf fmt ({mm}) ber:
        filter: (?=undefined)
    ber_scanf fmt ({M}}) ber:
        attrs:
    ==> limits_get: conn=1014 op=1 self="[anonymous]" this="ou=people,ou=eprofile,dc=core,dc=dir,dc=telstra,dc=com"
    send_ldap_result: conn=1014 op=1 p=3
    send_ldap_result: err=48 matched="" text=""
    send_ldap_response: msgid=2 tag=101 err=48

Note the anonymous bind. I need this to be a simply authenticated bind using the idassert binddn and credentials. Note the self="[anonymous]"... I was expecting that it should have been self=[USERID_THAT_RAN_THE_LDAPSEARCH].
Regards
Rep

On Tue, Apr 27, 2010 at 1:55 PM, masarati@aero.polimi.it wrote:
Hi Folks,

I am having trouble configuring openldap to my requirements.

I am setting up an openldap server running on Solaris 10 x86 to use as an LDAP proxy authentication server.

My issue is that I can't get it to send authenticated simple binds to the backend LDAP system. I am running wireshark, and when I ldapsearch directly to the backend LDAP I see a bind which looks like this:-

    Lightweight-Directory-Access-Protocol
        LDAPMessage bindRequest(1) "cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com" simple
            messageID: 1
            protocolOp: bindRequest (0)
                bindRequest
                    version: 3
                    name: cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com
                    authentication: simple (0)
                        simple: 384174656C73747261316732

However, when I initiate an ldapsearch to my local Solaris slapd and capture the proxied back-ldap bind to the backend LDAP system, it looks like this:-

    Lightweight-Directory-Access-Protocol
        LDAPMessage bindRequest(1) "<ROOT>" simple
            messageID: 1
            protocolOp: bindRequest (0)
                bindRequest
                    version: 3
                    name:
                    authentication: simple (0)
                        simple: <MISSING>

I am having trouble working out from the documentation whether it should be acl-bind or idassert-bind or some other option which influences the backend bind. I have tried both of those to no avail. Here is the "database ldap" section from my slapd.conf:

    #######################################################################
    # ldap database definitions
    #######################################################################
    database ldap
    uri "ldap://backendldap.core.dir.mycompany.com"
    suffix "ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com"
    rootdn "dc=core,dc=dir,dc=mycompany,dc=com"
    acl-bind bindmethod=simple
        binddn="cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com"
        credentials="password"
    idassert-bind bindmethod=simple
        binddn="cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com"
        credentials="password"
The relevant directive is "idassert-bind", since you appear to be looking for an identity assertion. I hope what you posted was screwed up by the mailer: continuation lines must start with whitespace. What is missing above is the "mode=self" parameter to "idassert-bind". Try something like

    idassert-bind bindmethod=simple
        binddn="cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com"
        credentials="password"
        mode=self

p.
    overlay pcache
    proxycache bdb 400 1 50 1200
    directory /var/openldap-data
    cachesize 10000
    index cn,sn,uid pres,eq,sub
    index objectclass eq

    proxycachequeries 400
    proxyattrset 0 uid mail cn sn givenName
    proxytemplate (uid=) 0 600
    proxytemplate (mail=) 0 600
    proxytemplate (&(uid=)(mail=)) 0 600

Any help would be greatly appreciated.

Regards
Rep
On 27/04/2010 07:46, repudi8or repu wrote:
I am testing by running ldapsearch on the openldapproxy host itself in the following manner:-

    # /usr/local/bin/ldapsearch -x -h localhost -b ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com employeeID=12345678

Note the anonymous bind. I need this to be a simply authenticated bind using the idassert binddn and credentials. Note the self="[anonymous]"... I was expecting that it should have been self=[USERID_THAT_RAN_THE_LDAPSEARCH].
"self" here is the user that authenticated to your local proxy server. Your ldapsearch has no -D option, so it's anonymous.
If you just want the proxy's clients to be able to access the AD server using the account you specified in idassert-bind, try mode=none.
Otherwise, you'll need to set up some appropriate authentication on the proxy side.
Regards, Jonathan
openldap-technical@openldap.org
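The replies above separate two identities that the original question runs together: the one the client uses to authenticate to the proxy (what the `self=` field in the slapd debug output reports, anonymous here because ldapsearch was run without `-D`) and the one the proxy uses towards AD (what `idassert-bind` controls). The following `database ldap` section is an added example, not a file from the thread or from the OpenLDAP project; it writes out both options discussed, with continuation lines indented as slapd.conf requires. The `ldaps://` URI is an assumption (the posted configs use plain `ldap://`), and the DNs and the service-account name are carried over from the posted config without having been tested against the poster's AD.

```conf
#######################################################################
# back-ldap proxy to AD (added example, not the poster's slapd.conf)
#######################################################################
database ldap
# Assumption: AD accepts LDAP over TLS on 636. The posted config uses
# ldap://, which sends the service-account password (visible as a hex
# string in the poster's own capture) and every proxied query in clear.
uri     "ldaps://backendldap.core.dir.mycompany.com"
suffix  "ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com"

# Option A (Jonathan's suggestion): no identity assertion.
# The proxy binds to AD as the service account and runs every client
# operation, anonymous or not, with that account's rights. Anyone who
# can reach the proxy therefore reads AD as mybindid, so limit what is
# exposed with slapd "access to" rules on the proxy and by restricting
# who can connect to it.
idassert-bind bindmethod=simple
    binddn="cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com"
    credentials="password"
    mode=none

# Option B (Masarati's suggestion): assert the client's own identity.
# The proxy still binds to AD as mybindid, but each operation carries
# the identity of the client that authenticated to the proxy, using
# the proxied authorization control (RFC 4370). An anonymous client
# has no identity to assert, which is the self="[anonymous]" in the
# debug output; clients must bind to the proxy (ldapsearch -D ... -W).
# The remote server must also accept the control: check AD's rootDSE
# supportedControl for 2.16.840.1.113730.3.4.18 before relying on it.
#idassert-bind bindmethod=simple
#    binddn="cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com"
#    credentials="password"
#    mode=self
```

To see the difference, repeat the original anonymous search against option A; the proxy now performs it as mybindid. With option B, run the search as `ldapsearch -x -h localhost -D "cn=someuser,cn=users,dc=core,dc=dir,dc=mycompany,dc=com" -W -b ...` (a hypothetical user DN), and the `limits_get` line in the debug output should then show that DN in `self=` instead of `[anonymous]`.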