
RE: LDAP proxy for AD



I am still running into an issue when attempting to use openldap as a proxy to
AD.  When I do a TCP dump on the proxy server, it doesn't appear to be
actually communicating with the AD server when I issue "id user" from a
client server.  When I issue the same command from the "proxy" it connects
to the AD as the correct user and pulls the correct information.  Any help
or suggestions would be greatly appreciated.  Below is a snippet of my
slapd.conf from the proxy and also my ldap.conf from the client machine.


[slapd.conf]

database        ldap
suffix          "cn=Users,dc=ldaptest,dc=local"
#subordinate
# remember the client's bind credentials for rebinds when reconnecting or
# chasing referrals
rebind-as-user
uri             "ldap://2008vm1.inetu.net"

# identity the proxy itself uses when binding to AD for ACL checks
acl-bind        bindmethod=simple
                binddn="CN=Bind User,CN=Users,DC=ldaptest,DC=local"
                credentials="testing"

chase-referrals yes

# identity asserted to AD on behalf of clients that authenticated to the proxy
# (authzID is ignored when mode= is given)
idassert-bind   bindmethod=simple
                authzID="u:bind"
                mode=self
                binddn="CN=Bind User,CN=Users,DC=ldaptest,DC=local"
                credentials="testing"

# a separate directive: an indented line is a continuation of the line above,
# so it must not be placed inside idassert-bind; "dn.regex:.*" also matches
# anonymous clients
idassert-authzFrom "dn.regex:.*"

[slapd.conf end]

[ldap.conf]
host 10.100.223.63
port 389

base cn=Users,dc=ldaptest,dc=local
ldap_version 3

scope sub

timelimit 10
bind_timelimit 5

idle_timeout 90

bind_policy soft

pam_filter objectClass=posixAccount
pam_login_attribute uid
pam_lookup_policy no

[ldap.conf end]


I can provide logs if needed.


Thanks in advance....

-----Original Message-----
From: openldap-technical-bounces+lyork=inetu.net@openldap.org
[mailto:openldap-technical-bounces+lyork=inetu.net@openldap.org] On Behalf
Of Lynn York
Sent: Wednesday, September 10, 2008 10:14 AM
To: Pierangelo Masarati
Cc: openldap-technical@openldap.org
Subject: RE: LDAP proxy for AD

I am not worried about the client machine binding to the proxy server as
long as the proxy server binds with a user to the AD server.


Right now what is happening is:

Issue " id user " on the client server, the connection then makes it to proxy
server as anonymous, but the proxy never attempts to bind to the AD server
to verify if "user" exists in AD.  If I issue the same command " id user "
from the proxy server, it binds to AD and gives me information about the
user.  I can't figure out how to get the client server to bind to the AD
server "through" the proxy.

-Lynn

-----Original Message-----
From: Pierangelo Masarati [mailto:ando@sys-net.it] 
Sent: Wednesday, September 10, 2008 9:12 AM
To: Lynn York
Cc: openldap-technical@openldap.org
Subject: Re: LDAP proxy for AD

Lynn York wrote:
> When I issue "id user" from the client machine I can see the connection to
> the proxy server, but I do not see the connection from the proxy to the AD
> server.  It also binds anonymously through the proxy and I need it to bind
> with a certain user.
> 
> [ SNIPPET  FROM slapd.conf ]
> 
> database        ldap
> suffix          "dc=ldaptest,dc=local"
> uri             "ldap://2008vm1.inetu.net"
> 
> acl-bind        bindmethod=simple
>                 binddn="CN=Bind User,CN=Users,DC=ldaptest,DC=local"
>                 credentials="testing"
> 
> idassert-bind   bindmethod=simple
>                 authzID="u:bind"
>                 mode=self
>                 binddn="CN=Bind User,CN=Users,DC=ldaptest,DC=local"
>                 credentials="testing"

First of all, authzID is only useful if "mode" is not given, as 
specified in the man page; it's ignored in your case.

Second, the idassert-bind directive is only honored if the user 
authenticates, while your application is probably binding anonymously to 
the proxy.

If you want idassert to work also for anonymous operations (not 
recommended, as this defeats the security model of the remote server, by 
letting it believe that the proxy authenticated users while it didn't), 
you need to explicitly enable it using an idassert-authzFrom rule that 
includes anonymous, like

idassert-authzFrom "dn.regex:.*"

p.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------

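Added here as an example, not code from this thread or from OpenLDAP: a small Python linter that applies the checks Pierangelo spells out above to the proxy slapd.conf posted at the top of this message (a directive folded into idassert-bind by indentation, authzID given alongside mode, and an idassert-authzFrom rule that also admits anonymous clients). The sample config embedded in it is constructed from the posted snippet.

```python
# Added example, not from this thread or from OpenLDAP: lint a back-ldap slapd.conf
# for the idassert pitfalls raised above.  The sample config is constructed.
import re
import shlex

SAMPLE_SLAPD_CONF = """\
idassert-bind   bindmethod=simple
                authzID="u:bind"
                mode=self
                idassert-authzFrom "dn.regex:.*"
                binddn="CN=Bind User,CN=Users,DC=ldaptest,DC=local"
                credentials="testing"
idassert-authzFrom "dn.regex:.*"
"""

def parse_directives(text):
    """Fold continuation lines (leading whitespace) and tokenise each directive."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # slapd ignores blank lines and comments
        if line[0] in " \t" and logical:
            logical[-1] += " " + line.strip()  # continuation of the previous directive
        else:
            logical.append(line.strip())
    return [shlex.split(l) for l in logical]

def matches_anonymous(rule):
    """True if an authzFrom <who> rule also admits the empty DN, i.e. anonymous."""
    if rule in ("*", "anonymous"):
        return True
    if rule.startswith("dn.regex:"):  # slapd applies dn.regex unanchored
        return re.search(rule[len("dn.regex:"):], "") is not None
    return False

def lint_idassert(text):
    """Return one finding per problem; an empty list means the checks passed."""
    findings = []
    for tokens in parse_directives(text):
        name, args = tokens[0].lower(), tokens[1:]
        if name == "idassert-bind":
            keys = {a.split("=", 1)[0].lower() for a in args if "=" in a}
            findings += ["%s is a directive, not an idassert-bind parameter" % a
                         for a in args if a.lower().startswith("idassert-")]
            if "authzid" in keys and "mode" in keys:
                findings.append("authzID is ignored because mode= is given")
        elif name == "idassert-authzfrom":
            findings += ["idassert-authzFrom %r also covers anonymous clients" % r
                         for r in args if matches_anonymous(r)]
    return findings
```

Run `lint_idassert(SAMPLE_SLAPD_CONF)` to see the three findings for the posted snippet; a rule such as `"dn.subtree:dc=ldaptest,dc=local"` produces none.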