
OpenLDAP Proxy to Win 2003 AD



Hello, I'm trying to set up an OpenLDAP 2.2.27 server running on FreeBSD
5.4 to act as a proxy to our company's Active Directory 2003 servers.
I'm looking at OpenLDAP for several reasons including the ability to
query multiple LDAP servers for failover and attribute mapping. I am
using Softerra's LDAP Browser (http://www.ldapbrowser.com/) to test the
connection from my Windows XP Pro system.

The problem I am running into is that when the proxy authenticates to
the Windows 2003 server the initial bind seems to be happening without
problems (as seen from an Ethereal packet capture) but as soon as a
Search Request is made the Windows 2003 server returns a "LdapErr:
DSID-0c0905FF, comment: In order to perform this operation a successful
bind must be completed on the connection., data0, vece". After doing some
searching on the Internet I found an old posting
(http://www.issociate.de/board/post/152598/OpenLDAP_to_Active_Directory_Authentication.html)
in which a user says there is a problem with "the LDAP referrals being
sent by Active Directory." I looked and sure enough there are a couple
of referrals in the base directory where I was beginning my search.

I thought I'd try to just move the base directory of my searches down
one OU but I can't figure out how to get that done. At the bottom of the
e-mail I've included the slapd.conf file that I'm using with the bindpw
changed for obvious reasons. The Search Request is beginning in
"DC=campus,DC=stcloudstate,DC=edu" where there are referrals but if I
could change the Search Request to begin in
"OU=Users,DC=campus,DC=stcloudstate,DC=edu" there will be no referrals
in that directory.

Could someone please enlighten me on how to accomplish this? If anyone
knows of a different way for me to be able to bind OpenLDAP to a Windows
2003 Active Directory LDAP server I would appreciate that information as
well.

Thank you,

Ben

--

## slapd.conf

include         /usr/local/etc/openldap/schema/core.schema
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

database        ldap
lastmod         off
suffix          "DC=campus,DC=stcloudstate,DC=edu"
directory       /var/db/openldap-data
binddn          "CN=testbindingid,OU=Users,DC=campus,DC=stcloudstate,DC=edu"
bindpw          <testbindingid's password>
uri             "ldap://199.17.25.100"

# Indices to maintain
index   objectClass     eq
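The two things the post is asking for (searching AD from a different base than the one clients use, and not tripping over the referral entries) are both things back-ldap can do by itself. The slapd.conf below is an added example, not Ben's file and not configuration shipped by the OpenLDAP project: it keeps the poster's DNs, bind account and DC address, puts a placeholder in for the password, and adds the two back-ldap directives documented in slapd-ldap(5), `suffixmassage` and `chase-referrals`. Whether `chase-referrals` is accepted by the exact 2.2.27 build in use, and whether AD will serve the whole user population from the rewritten base, are assumptions to check; the `ldaps://` URI assumes the domain controller has a server certificate.

```conf
# Added example (not the poster's configuration): back-ldap proxying a
# Windows 2003 AD, with searches re-rooted at OU=Users and referral
# chasing switched off. Directive names are from slapd-ldap(5).

include         /usr/local/etc/openldap/schema/core.schema
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

database        ldap
lastmod         off

# Naming context the proxy presents to its own clients. Clients keep
# searching the domain base exactly as they do today.
suffix          "DC=campus,DC=stcloudstate,DC=edu"

# Rewrite the advertised base into the real base on the AD side:
#   suffixmassage <virtual naming context> <real naming context>
# A client search rooted at DC=campus,... is sent to AD rooted at
# OU=Users,DC=campus,..., the container the poster found to be free of
# referral entries. DNs in results are mapped back the other way.
suffixmassage   "DC=campus,DC=stcloudstate,DC=edu" "OU=Users,DC=campus,DC=stcloudstate,DC=edu"

# Do not let libldap follow referrals that AD returns (for example the
# DomainDnsZones / ForestDnsZones / Configuration partitions). A chased
# referral is opened as a fresh, unauthenticated connection, which is
# consistent with the "a successful bind must be completed on the
# connection" error quoted in the post. Assumed available in 2.2.27;
# confirm against slapd-ldap(5) for the installed version.
chase-referrals no

# Identity the proxy binds with on the AD side (a real DN there, not a
# virtual one). The password sits in clear text in this file, so the
# file should be readable only by the user slapd runs as.
binddn          "CN=testbindingid,OU=Users,DC=campus,DC=stcloudstate,DC=edu"
bindpw          <PLACEHOLDER: testbindingid's password>

# LDAP over TLS keeps the bind password and query results off the wire
# in clear between proxy and domain controller. Requires the DC's
# issuing CA in the proxy's ldap.conf (TLS_CACERT) so the certificate
# verifies; a plain ldap:// URI works the same way without protection.
uri             "ldaps://199.17.25.100"
```

Two smaller points follow from the same directive list. `directory` and `index` belong to the local database backends (bdb/ldbm); back-ldap has no local storage and does not use them, so they can be dropped from a proxy definition. And if `chase-referrals no` alone makes the searches succeed, the `suffixmassage` line is optional: it only changes where in the tree the proxied searches start, not how referrals are handled.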