[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ldap meta + activedirectory

To: "Julien TOUCHE" <julien.touche@lycos.com>
Subject: Re: ldap meta + activedirectory
From: "Pierangelo Masarati" <ando@sys-net.it>
Date: Wed, 26 Jan 2005 20:21:26 +0100 (CET)
Cc: openldap-software@OpenLDAP.org
Domainkey-signature: a=rsa-sha1; s=mail; d=sys-net.it; c=simple; q=dns; b=T8rJN8+uaBSOY3rNhczDdD2s0fzzHIlSlNMkfwBsBwx8GYctk+gJcu1N5HRnoJutt d3CL1PFY8JMUmtT9iBpkw==
Importance: Normal
In-reply-to: <41F7E246.1010904@lycos.com>
References: <41F22341.30101@lycos.com> <41F23000.3030202@sys-net.it> <41F2AE29.7060204@lycos.com> <41F4097C.7090700@sys-net.it> <41F7E246.1010904@lycos.com>
User-agent: SquirrelMail/1.4.3a-1

> Pierangelo Masarati a écrit :
>>>
>>> ===
>  >> database meta
>  >> suffix cn=Users, dc=meta, dc=domain, dc=local uri
>>> ldaps://adserver.domain.local/cn=Users,dc=domain,dc=local \
>>> ldaps://adserver2.domain.local/cn=Users,dc=domain,dc=local
>>
>>
>> ^^^ Only the first URI in a URI list must provide the naming context
>
> database ldap
> suffix          "dc=domain,dc=local"
> uri           ldap://ldap.domain.local/cn=Users,dc=domain,dc=local
> suffixmassage "cn=Users,dc=meta,dc=domain,dc=local3"
> "cn=Users,dc=domain,dc=local3"
> binddn  proxyuser
> bindpw  xxx
> TLSVerifyClient allow
>
> # /opt/openldap2/libexec/slapd
> /opt/openldap2/etc/openldap/slapd.conf: line 81: unable to parse uri
> "ldap://ldap.domain.local/cn=Users,dc=domain,dc=local"; in "uri <uri>"
> line: URL doesn't begin with "[c]ldap[si]://"

with back-ldap, no naming context is required; the error you get is
because in your naming context there are commas, and commas are considered
URI separators by the "list of URI" parsing routines; that error is
telling you that "dc=comain", i.e. the second URI in a comma-separated
list, is not a valid URI.  This is written in the manual: back-ldap => no
DN; back-meta => yes DN for the first URI.

>
> with: uri           ldap://ldap.domain.local
> stark ok
> but nothing in tree

That's another problem.  AD likely needs auth.

>
> http://www.openldap.org/lists/openldap-software/200501/msg00573.html

from ^^^ :

>> bindn "cn=proxyuser,cn=Users,dc=domain,dc=local"
>> bindpw "{MD5}secret"

1) there's a typo: it's "binddn", not "bindn";
2) creds in "bindpw" must be in cleartext.  It's bad, but that's it.


> proxyuser exist in windows AD and is in administrator group (not really
> best. if someone have more precise config ?)

In any case, the above directives "binddn" and "bindpw" DO NOT IMPLY
BACK-LDAP WILL PERFORM A BIND FOR ANONYMOUS OPERATIONS.  YOU CAN SAFELY
REMOVE THEM AND NOTHING WILL CHANGE.

>
>> I also insist on suggesting back-ldap instead of back-meta unless you
>>
> ok, i switch :)
>
>> version of OpenLDAP you're using, so I cannot be more specific on the
>>
> latest (2.2.20-stable) on whitebox linux/x86, i'm on test for now.

Should be fine for back-ldap testing purposes, but note that there
occurred many changes in back-ldap/back-meta from 2.2.20 to 2.2.23.  I
recommend you upgrade at your earliest convenience.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497

References:
- ldap meta + activedirectory
  - From: Julien TOUCHE <julien.touche@lycos.com>
- Re: ldap meta + activedirectory
  - From: Pierangelo Masarati <ando@sys-net.it>
- Re: ldap meta + activedirectory
  - From: Julien TOUCHE <julien.touche@lycos.com>
- Re: ldap meta + activedirectory
  - From: Pierangelo Masarati <ando@sys-net.it>
- Re: ldap meta + activedirectory
  - From: Julien TOUCHE <julien.touche@lycos.com>

Prev by Date: Re: proxyAttrSet: Only using the LAST value
Next by Date: Re: Can't build bdb as module
Index(es):
- Chronological
- Thread