LdapErr: DSID-0C090627 with translucent proxy and AD
Hello list, I've been trying to set up a translucent proxy to display a modified version of our Active Directory (Server 2003) to Linux clients. The ultimate goal is to be able to transparently add UID, default shell etc. parameters missing in AD by default. Usage of Services for Unix is not possible this time because of "company policies". The config file is like this:
# Default realm
# Schema and objectClass definitions
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
# List of arguments that were passed to the server
# Read slapd.conf(5) for possible values
# Where the dynamically loaded modules are stored
# The maximum number of entries that is returned for a search operation
# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
# The base of your directory in database #1
# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
# Where the database file are physically stored for database #1
# Indexing options for database #1
index objectClass eq
# Save the time that the entry gets modified, for database #1
acl-bind binddn="CN=ldapuser,OU=tools,DC=company,DC=com" credentials="verysecure"
Now, if I do a search with the rootdn cn=admin,dc=company,dc=com, the proxy binds to AD as ldapuser and the search is successful. But, if I use a user existing in AD only, for example like this:
ldapsearch -x -W -D "CN=Some User,OU=Users,DC=company,DC=com" -b "CN=Some User,OU=Users,DC=company,DC=com"
# extended LDIF
# base <CN=Some User,OU=Users,DC=company,DC=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
# search result
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this ope
ration a successful bind must be completed on the connection., data 0, vece
# numResponses: 1
I monitored the traffic using wireshark, and from there I can see that binding is actually successful. What fails is the search request after that:
0.000361 10.65.31.26 -> 10.65.26.34 LDAP bindRequest(1) "cn=Some User,ou=Users,dc=company,dc=com" simple
0.002285 10.65.26.34 -> 10.65.31.26 LDAP bindResponse(1) success
0.002297 10.65.31.26 -> 10.65.26.34 TCP 43898 > ldap [ACK] Seq=79 Ack=23 Win=5888 Len=0 TSV=67497094 TSER=69277767
0.003840 10.65.31.26 -> 10.65.26.34 LDAP searchRequest(4) "Some User,ou=Users,dc=company,dc=com" wholeSubtree
0.004067 10.65.26.34 -> 10.65.31.26 LDAP searchResDone(4) operationsError (00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece)
OpenLDAP version is the one with Debian Lenny: slapd/lenny uptodate 2.4.11-1
Any suggestions on how to continue? Is this some AD-related quirk or possibly a problem related to how OpenLDAP does binding?
Regards, Petteri Heinonen
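Added example (not part of the original post): a small Python script that parses Wireshark summary lines like the ones quoted above, pairs each LDAP request with its response by message ID, and reports searches that returned operationsError on a connection whose bind had already succeeded; it also compares the search base with the bind DN so any rewriting between the two stands out. The trace is embedded as a constructed string copied from the post, with the TCP ACK line shortened.

```python
import re

# Constructed sample: the Wireshark summary lines quoted in the post.
TRACE = """\
0.000361 10.65.31.26 -> 10.65.26.34 LDAP bindRequest(1) "cn=Some User,ou=Users,dc=company,dc=com" simple
0.002285 10.65.26.34 -> 10.65.31.26 LDAP bindResponse(1) success
0.002297 10.65.31.26 -> 10.65.26.34 TCP 43898 > ldap [ACK] Seq=79 Ack=23 Win=5888 Len=0
0.003840 10.65.31.26 -> 10.65.26.34 LDAP searchRequest(4) "Some User,ou=Users,dc=company,dc=com" wholeSubtree
0.004067 10.65.26.34 -> 10.65.31.26 LDAP searchResDone(4) operationsError (00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece)
"""

# Matches only LDAP summary lines; TCP-level lines (ACKs) are skipped.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) LDAP '
    r'(?P<op>\w+)\((?P<msgid>\d+)\)\s*(?P<rest>.*)$')

def parse_trace(text):
    """Return LDAP operations keyed by message id, with request and response merged."""
    ops = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = ops.setdefault(int(m.group('msgid')), {})
        op, rest = m.group('op'), m.group('rest')
        if op.endswith('Request'):
            dn = re.search(r'"([^"]*)"', rest)          # quoted bind DN or search base
            entry['request'] = op
            entry['dn'] = dn.group(1) if dn else None
        else:
            entry['response'] = op
            entry['result'] = rest.split(' ', 1)[0]     # e.g. success, operationsError
            dsid = re.search(r'DSID-([0-9A-Fa-f]+)', rest)
            entry['dsid'] = dsid.group(1) if dsid else None
    return ops

def diagnose(ops):
    """Flag searches that failed with operationsError even though a bind on the
    same connection already returned success, and compare base DN with bind DN."""
    bound = [e for e in ops.values()
             if e.get('request') == 'bindRequest' and e.get('result') == 'success']
    bind_dn = bound[0]['dn'] if bound else None
    findings = []
    for msgid, e in sorted(ops.items()):
        if e.get('request') == 'searchRequest' and e.get('result') == 'operationsError':
            same = bool(bind_dn) and e['dn'].lower() == bind_dn.lower()
            findings.append({'msgid': msgid, 'search_base': e['dn'], 'dsid': e['dsid'],
                             'bind_dn': bind_dn, 'base_matches_bind_dn': same})
    return findings
```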