[Date Prev][Date Next] [Chronological] [Thread] [Top]

problem with simple user/password authentication to AD server

ok, I'll try again. I am using openldap 2.4.23 on RHEL6 server and trying to configure openldap to do simple user/password authentication to our Microsoft AD servers. I can authenticate and do commandline ldap searches with my windows test account and password ok. However, in trying to follow examples from the openldap.org website I cannot get it to work using the openldap config files. All I get from the AD servers then are the anonymous bind results.
If anyone has an actual working configuration, I would really appreciate info on how they did it. I am under a typical last minute deadline to get this going. 

I am including latest slapd.conf iteration (there have been many :() for review.

thanks for any help/advice you might have.

John.

-----------------------------------------------------------------------------------------------
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/misc.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral	ldap://root.openldap.org

pidfile		/var/run/openldap/slapd.pid
argsfile	/var/run/openldap/slapd.args

# Sample security restrictions
#	Require integrity protection (prevent hijacking)
#	Require 112-bit (3DES or better) encryption for updates
#	Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#	Root DSE: allow anyone to read it
#	Subschema (sub)entry DSE: allow anyone to read it
#	Other DSEs:
#		Allow self write access
#		Allow authenticated users read access
#		Allow anonymous users to authenticate
#	Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#	by self write
#	by users read
#	by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!


###TLSCipherSuite HIGH:MEDIUM:+SSLv2
#TLSCACertificateFile /usr/var/openldap-data/cacert.pem
# will do TLS after basic authentication working.
TLSVerifyClient never

sizelimit unlimited

#######################################################################
# BDB database definitions
#######################################################################

database	bdb
suffix		"dc=corp,dc=ad,dc=parc,dc=com"
rootdn		"cn=Manager,dc=corp,dc=ad,dc=parc,dc=com"

# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw		{SSHA}EwrR01/GdI4+sdOVzZcK6Y94QbIXIw0j	
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
###sizelimit unlimited
directory	/var/lib/ldap
# Indices to maintain
index	objectClass	eq
### debug logging
loglevel -1
moduleload translucent
overlay translucent
moduleload rwm
overlay rwm
uri ldap://blowfish.corp.ad.parc.com
lastmod off
#
idassert-bind bindmethod=simple
 binddn="cn=ldapusr,OU=Pseudo_User_Accounts,OU=PARC_Users,DC=corp,DC=ad,DC=parc,DC=com"
 credentials=XXX
 authzID=dn:cn=ldapusr,OU=Pseudo_User_Accounts,OU=PARC_Users,DC=corp,DC=ad,DC=parc,DC=com

rwm-map objectclass * *
rwm-map attribute * *