
RE: ldap proxy to AD returns no results - take#2



Thanks again Pierangelo.

So what you are saying, if I'm not mistaken, is that the examples on pages 210-213 (most specifically p. 212) of Gerald Carter's O'Reilly book on LDAP System Administration should not actually work and that is how back-ldap is designed?

Thanks,
Tim

-----Original Message-----
From:	Pierangelo Masarati [mailto:ando@sys-net.it]
Sent:	Wed 4/14/2004 4:48 AM
To:	Lank, Tim
Cc:	openldap-software@OpenLDAP.org
Subject:	RE: ldap proxy to AD returns no results - take#2

> Thanks Pierangelo.
>
> What does the binddn and bindpw do then if it doesn't specifically bind
> the proxied query to AD?

It is used internally by back-ldap to bind to the remote server when
accessing data on behalf of the proxy itself, not on behalf of clients,
e.g. for ACL purposes or so.  E.g. if you have a "group" ACL, the server
needs to be allowed to fetch the "group" entry to see that the client user has
appropriate permissions.  Note that the client itself doesn't need access
to the "group" entry for appropriate use of the ACLs.  In regular
databases this is not an issue because the information is local.  However,
in back-ldap information is stored remotely so the proxy may need a
privileged identity to access it.

p.

>
> Thanks,
> Tim
>
>
> -----Original Message-----
> From:	Pierangelo Masarati [mailto:ando@sys-net.it]
> Sent:	Wed 4/14/2004 3:33 AM
> To:	Lank, Tim
> Cc:	openldap-software@OpenLDAP.org
> Subject:	Re: ldap proxy to AD returns no results - take#2
> AD, AFAIK, by default is configured to allow only bound access.
> I don't know how to instruct it to accept anonymous queries.
> So in your case it's simply behaving as expected.
>
> p.
>
>
>>
>> I am trying to use OpenLDAP v2.1.29 on a linux server (10.98.3.98) as
>> a proxy into an Active Directory server (10.98.3.20).
>>
>> Using ldapsearch on the linux box, I can query the AD directly with
>> the following command:
>>
>> ldapsearch -H ldap://10.98.3.20 -x -D tim.lank@testcompany.com -W -b
>> 'cn=users,dc=corp,dc=testcompany,dc=com' 'cn=Lank*'
>>
>> when I enter my AD password, the above returns all of the AD
>> attributes & values for the query.
>>
>> However, when I try to query the AD via the proxy with the following
>> command, it returns nothing at all:
>>
>> ldapsearch -H ldap://10.98.3.98 -x -b
>> 'cn=users,dc=corp,dc=testcompany,dc=com' 'cn=Lank*'
>>
>> The slapd was compiled with the following:
>>
>> ./configure --enable-ldap --enable-rewrite
>>
>> And the following is the contents of the database section for the ldap
>> backend:
>>
>> #### section in slapd.conf  ###############
>> database        ldap
>> suffix          cn=users,dc=corp,dc=testcompany,dc=com
>> uri             ldap://10.98.3.20
>> binddn          tim.lank@testcompany.com
>> bindpw          mypassword
>>
>> Any thoughts?
>>
>>
>
>
> --
> Pierangelo Masarati
> mailto:pierangelo.masarati@sys-net.it


--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it






***************************************************************************************************
The information in this email is confidential and may be legally privileged.  Access to this email by anyone other than the intended addressee is unauthorized.  If you are not the intended recipient of this message, any review, disclosure, copying, distribution, retention, or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful.  If you are not the intended recipient, please reply to or forward a copy of this message to the sender and delete the message, any attachments, and any copies thereof from your system.
***************************************************************************************************
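The distinction Pierangelo draws above (the client's own bind is what the remote server sees for the client's operations; the proxy's binddn/bindpw is only used for the proxy's own lookups, such as reading a "group" entry for an ACL check) is easy to get wrong, so here is a small executable model of it. This is an added illustration written for this archive page, not OpenLDAP's back-ldap code; RemoteDirectory, Proxy, the DNs, passwords and group below are all constructed sample data.

```python
"""Toy model of the two identities a back-ldap proxy handles, following
Pierangelo's explanation: the client's own bind (or lack of one) is what
the remote server sees for the client's search, while the proxy's
binddn/bindpw is used only for the proxy's internal lookups, e.g. fetching
a "group" entry to evaluate a group ACL.
Added illustration, not OpenLDAP code; every entry, DN and password here is
constructed sample data."""

from dataclasses import dataclass, field

ANONYMOUS = None  # a client that searched with -x and no -D/-W


@dataclass
class RemoteDirectory:
    """Stand-in for the AD server in the thread: bound access only."""
    entries: dict                                    # dn -> attributes
    passwords: dict                                  # dn -> password (constructed)
    restricted: dict = field(default_factory=dict)   # dn -> identities allowed to read it

    def bind(self, dn, password):
        if dn is ANONYMOUS:
            return ANONYMOUS
        if self.passwords.get(dn) != password:
            raise PermissionError(f"invalid credentials for {dn}")
        return dn

    def search(self, identity, base, attr, value):
        if identity is ANONYMOUS:
            return []                                # the empty result seen via the proxy
        hits = []
        for dn, attrs in self.entries.items():
            if not dn.endswith(base) or attrs.get(attr) != value:
                continue
            if dn in self.restricted and identity not in self.restricted[dn]:
                continue                             # entry exists but is not readable by this identity
            hits.append(dn)
        return hits


@dataclass
class Proxy:
    """back-ldap-like proxy: forwards the client's bind, keeps binddn for itself."""
    remote: RemoteDirectory
    binddn: str
    bindpw: str
    acl_group: str = None                            # optional "group" ACL: members only
    proxy_lookups: list = field(default_factory=list)  # audit trail of lookups made as the proxy

    def _member_of_acl_group(self, client_dn):
        # The proxy reads the group entry as itself (binddn/bindpw), not as the client.
        me = self.remote.bind(self.binddn, self.bindpw)
        found = self.remote.search(me, self.acl_group, "objectClass", "group")
        self.proxy_lookups.append((me, self.acl_group, bool(found)))
        if not found:
            return False
        return client_dn in self.remote.entries[self.acl_group]["member"]

    def search(self, client_dn, client_pw, base, attr, value):
        identity = self.remote.bind(client_dn, client_pw)   # anonymous stays anonymous
        if self.acl_group and not self._member_of_acl_group(identity):
            return []
        return self.remote.search(identity, base, attr, value)


# Constructed sample directory; the DNs echo the thread's layout, the values are made up.
USERS = "cn=users,dc=corp,dc=testcompany,dc=com"
TIM = "cn=tim.lank," + USERS
PROXY_ACCT = "cn=proxy-svc," + USERS
GROUP = "cn=ldap-readers," + USERS


def build_proxy(acl_group=None):
    remote = RemoteDirectory(
        entries={
            TIM: {"objectClass": "user", "cn": "Lank, Tim"},
            PROXY_ACCT: {"objectClass": "user", "cn": "proxy-svc"},
            GROUP: {"objectClass": "group", "member": [TIM]},
        },
        passwords={TIM: "tim-pw", PROXY_ACCT: "proxy-pw"},
        restricted={GROUP: {PROXY_ACCT}},            # only the proxy account may read the group
    )
    return Proxy(remote, PROXY_ACCT, "proxy-pw", acl_group=acl_group)


def anonymous_via_proxy():
    """ldapsearch -x with no -D against the proxy: binddn/bindpw does not stand in for the client."""
    return build_proxy().search(ANONYMOUS, None, USERS, "cn", "Lank, Tim")


def bound_via_proxy():
    """Same search, but the client binds as itself; that bind is what reaches the remote."""
    return build_proxy().search(TIM, "tim-pw", USERS, "cn", "Lank, Tim")


def bound_via_proxy_with_group_acl():
    """With a group ACL the proxy fetches the group as PROXY_ACCT, an entry Tim himself cannot read."""
    proxy = build_proxy(acl_group=GROUP)
    result = proxy.search(TIM, "tim-pw", USERS, "cn", "Lank, Tim")
    tim_sees_group = proxy.remote.search(TIM, GROUP, "objectClass", "group")
    return result, tim_sees_group, proxy.proxy_lookups


if __name__ == "__main__":
    print("anonymous via proxy:", anonymous_via_proxy())
    print("bound via proxy:", bound_via_proxy())
    print("bound via proxy, group ACL:", bound_via_proxy_with_group_acl())
```

Running it shows the three cases side by side: the anonymous search returns nothing even though the proxy has a binddn configured, the bound search succeeds because the client's bind is forwarded, and with a group ACL the audit trail records that the group entry was read as the proxy account while the client's own identity cannot read it. From a defender's point of view this is the behaviour you want: if binddn/bindpw were silently substituted for an anonymous client, every unauthenticated query through the proxy would run with that account's privileges. It also means the bindpw in slapd.conf is a service credential in its own right and should be a dedicated, least-privilege account with the file readable only by slapd, rather than a personal user's password as in the quoted configuration.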