
LdapErr: DSID-0C090627 with translucent proxy and AD



Hello list, I've been trying to set up a translucent proxy to display a modified version of our Active Directory (Server 2003) to Linux clients. The ultimate goal is to be able to transparently add UID, default shell, etc. parameters that are missing in AD by default. Usage of Services for Unix is not possible this time because of "company policies". The config file is like this:

# Default realm
sasl-realm company.com

# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
loglevel 504

# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_hdb
moduleload back_ldap
moduleload accesslog
moduleload translucent

# The maximum number of entries that is returned for a search operation
sizelimit 500

# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1

backend hdb

database hdb

# The base of your directory in database #1
suffix "dc=company,dc=com"

# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn "cn=admin,dc=company,dc=com"
rootpw {SSHA}blaablaa

# Where the database file are physically stored for database #1
directory "/var/lib/ldap"

# Indexing options for database #1
index objectClass eq

# Save the time that the entry gets modified, for database #1
lastmod off

overlay translucent
uri ldap://ad1.company.com:389
acl-bind binddn="CN=ldapuser,OU=tools,DC=company,DC=com" credentials="verysecure"


Now, if I do a search with rootdn cn=admin,dc=company,dc=com, the proxy binds to AD as ldapuser and the search is successful. But, if I use a user existing in AD only, for example like this:

ldapsearch -x -W -D "CN=Some User,OU=Users,DC=company,DC=com" -b "CN=Some User,OU=Users,DC=company,DC=com"

I get:

# extended LDIF
#
# LDAPv3
# base <CN=Some User,OU=Users,DC=company,DC=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this ope
ration a successful bind must be completed on the connection., data 0, vece

# numResponses: 1


I monitored the traffic using Wireshark, and from there I can see that the binding is actually successful. What fails is the search request after that:

0.000361 10.65.31.26 -> 10.65.26.34 LDAP bindRequest(1) "cn=Some User,ou=Users,dc=company,dc=com" simple
0.002285 10.65.26.34 -> 10.65.31.26 LDAP bindResponse(1) success
0.002297 10.65.31.26 -> 10.65.26.34 TCP 43898 > ldap [ACK] Seq=79 Ack=23 Win=5888 Len=0 TSV=67497094 TSER=69277767
0.003840 10.65.31.26 -> 10.65.26.34 LDAP searchRequest(4) "Some User,ou=Users,dc=company,dc=com" wholeSubtree
0.004067 10.65.26.34 -> 10.65.31.26 LDAP searchResDone(4) operationsError (00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece)

OpenLDAP version is the one with Debian Lenny: slapd/lenny uptodate 2.4.11-1

Any suggestions on how to continue? Is this some AD related quirk or possibly a problem related to how OpenLDAP does binding?

Regards, Petteri Heinonen
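As an added example, not part of the original post or of OpenLDAP, the following Python script parses the Active Directory diagnosticMessage format quoted above (the "00000000: LdapErr: DSID-..., comment: ..., data 0, vece" string) into its fields, and scans Wireshark summary lines of the shape shown in the post for the pattern reported there: a bindResponse success on a client/server pair followed by a searchResDone operationsError that AD explains with DSID-0C090627. The sample strings are constructed from the post's own output; the field layout of the AD message is a known convention (the hex after "data" is a Win32 error code and the hex after "v" is the server build, 0xece = 3790 for Server 2003). Nothing here contacts a server; the function names are this example's own.

```python
import re
from typing import Optional

# Constructed sample input: the diagnostic string and the Wireshark summary lines
# quoted in the post (the LDIF wrap in the "text:" line has been re-joined).
AD_DIAG = ("00000000: LdapErr: DSID-0C090627, comment: In order to perform this "
           "operation a successful bind must be completed on the connection., data 0, vece")

TRACE = """\
0.000361 10.65.31.26 -> 10.65.26.34 LDAP bindRequest(1) "cn=Some User,ou=Users,dc=company,dc=com" simple
0.002285 10.65.26.34 -> 10.65.31.26 LDAP bindResponse(1) success
0.002297 10.65.31.26 -> 10.65.26.34 TCP 43898 > ldap [ACK] Seq=79 Ack=23 Win=5888 Len=0 TSV=67497094 TSER=69277767
0.003840 10.65.31.26 -> 10.65.26.34 LDAP searchRequest(4) "Some User,ou=Users,dc=company,dc=com" wholeSubtree
0.004067 10.65.26.34 -> 10.65.31.26 LDAP searchResDone(4) operationsError (00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece)
"""

# Layout of an AD diagnosticMessage:
#   <hresult>: LdapErr: DSID-<dsid>, comment: <text>, data <win32 error hex>, v<build hex>
DIAG_RE = re.compile(
    r"^(?P<hresult>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]{8}), "
    r"comment: (?P<comment>.*), data (?P<data>[0-9A-Fa-f]+), v(?P<build>[0-9A-Fa-f]+)$"
)

# One Wireshark summary line for an LDAP PDU: "<ts> <src> -> <dst> LDAP <op>(<msgid>) <detail>"
PDU_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) LDAP (?P<op>\w+)\((?P<msgid>\d+)\) ?(?P<detail>.*)$"
)

# The DSID AD returns in the post for "a successful bind must be completed on the connection"
UNBOUND_DSID = "0C090627"


def parse_ad_diag(text: str) -> Optional[dict]:
    """Split an AD diagnosticMessage into its fields; None if it is not in AD's format."""
    m = DIAG_RE.match(text.strip())
    if not m:
        return None
    return {
        "hresult": m["hresult"],
        "dsid": m["dsid"].upper(),
        "comment": m["comment"],
        "data": int(m["data"], 16),    # Win32 error code in hex (0 = none given)
        "build": int(m["build"], 16),  # server build in hex (0xece = 3790 = Server 2003)
    }


def find_unbound_searches(trace: str) -> list:
    """Flag searches AD rejected as unbound right after the same client/server pair bound successfully."""
    findings = []
    pending_bind = {}  # (client, server) -> bind awaiting its bindResponse
    last_bind = {}     # (client, server) -> most recent successful bind
    for line in trace.splitlines():
        m = PDU_RE.match(line)
        if not m:
            continue  # TCP ACKs and other non-LDAP summary lines
        op, msgid, detail = m["op"], int(m["msgid"]), m["detail"]
        if op == "bindRequest":
            dn = re.match(r'"([^"]*)"', detail)
            pending_bind[(m["src"], m["dst"])] = {"msgid": msgid, "dn": dn.group(1) if dn else ""}
        elif op == "bindResponse":
            key = (m["dst"], m["src"])  # responses flow server -> client
            if detail.startswith("success") and key in pending_bind:
                last_bind[key] = pending_bind.pop(key)
        elif op == "searchResDone":
            key = (m["dst"], m["src"])
            result, _, diag = detail.partition(" ")
            parsed = parse_ad_diag(diag.strip("()"))
            if result == "operationsError" and parsed and parsed["dsid"] == UNBOUND_DSID and key in last_bind:
                findings.append({
                    "client": key[0], "server": key[1],
                    "search_msgid": msgid,
                    "bind_msgid": last_bind[key]["msgid"],
                    "bind_dn": last_bind[key]["dn"],
                    "dsid": parsed["dsid"],
                    "build": parsed["build"],
                })
    return findings


if __name__ == "__main__":
    print(parse_ad_diag(AD_DIAG))
    for f in find_unbound_searches(TRACE):
        print(f"search msgid {f['search_msgid']} rejected as unbound although bind msgid "
              f"{f['bind_msgid']} as {f['bind_dn']!r} succeeded on {f['client']} -> {f['server']}")
```

Run against the post's trace, the scanner reports exactly one finding: message 4 was refused on the same client/server pair on which message 1 had just bound successfully, which is the contradiction the post describes. Pasting further summary lines from a longer capture into TRACE lets the same check be repeated per connection pair without reading the capture by hand.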