[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: successful ldapsearch -- need to turn it into a working slapd configuration for an LDAP proxy

> On 8/24/07, Pierangelo Masarati <> wrote:
>> DePriest, Jason R. wrote:
>> > Thanks for the tip.  I made the change and I am still getting the same
>> > basic error.
>> > It does not think there is a successful bind and won't honor my search
>> request.
>> >
>> > Also, if there is a really good book I can buy that will help figure
>> > out the intricacies of OpenLDAP, please recommend it.
>> > I understand LDAP and I have managed a couple of different
>> > Directory-type products that are LDAP-based (Windows NT domain,
>> > Microsoft Active Directory, CA eTrust Directory).  This is my first
>> > foray into OpenLDAP and, so far, I don't understand it.  And that's
>> > frustrating.
>> I think you should provide much more info on what you're trying to do
>> and where you got in the meanwhile.  a full log of the proxy at level
>> "stats,stats2" would definitely help.
>> About books, there should be a very good one (I should say ultimative)
>> by Howard Chu, but I don't know about its status.
>> p.
> Sorry about not providing much information.  I am attaching a diagram
> to help illustrate.
> I have an application in a DMZ that needs to query Active Directory to
> pull information about users such as email addresses, physical
> addresses, phone numbers, etc.
> It does not need to perform any authentication, just pull information.
>>From a security stand-point, my department decided against punching
> holes in the firewall for this specific application.  This keeps us
> from setting a precedent that would force us to punch holes for every
> other application and server that wanted this functionality.
> We decided to put an LDAP server in place.  One of my teammates was
> assigned to work on the project after I initially put a server in the
> DMZ with the OpenLDAP software.
> That teammate is no longer employed here and did no work on this
> project in the two or three months leading up to his leaving.
> It is now my project because I put the server in place and because
> nobody else on my team is at all familiar with LDAP.  I've done things
> with LDAP, so I was elected.
> Now that I have digressed with the sob-story, back to the tech.
> This LDAP server will have access through the firewall to our Active
> Directory servers and will make LDAP queries on behalf of this
> application for now and others in the future.
> I can run an ldapsearch command from the shell on the LDAP server
> successfully against AD, performing a successful bind with the user
> credentials provided.  I cannot get the LDAP server daemon to
> successfully bind with the same credentials and I null binds are
> disabled on AD, so no bind, no query.
> I need OpenLDAP to have no local user or data store.  It needs to bind
> with AD using the credentials I stick in the config file.  It needs to
> proxy requests between this application and AD using LDAP commands.

OK, now it's clearer.  But I think you missed to clarify one point: is
this application connecting anonymously to the proxy?  If so, then the
proxy won't bind to the remote host unless explicitly told to do so.  In
fact, the idassert, by default, only proxies authenticated (i.e. those who
performed a successful bind) and authorized users (i.e. those who are
authorized to use this feature; by default all authenticated users).

To enable authorization for anonymous, you need to explicitly create a
idassert-authzFrom rule that includes the empty DN.  Something like

idassert-authzFrom "*"

and remove the "flags=non-prescritpive" from the idassert-bind rule.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it