Re: Trouble with slapd-ldap in various scenarios (LdarErr: DSID-0C090627)


Martin Rubáš <mrubas@kerio.com> writes:

> Hello,
> Notes:
> - using slapd version 2.4.15 on Ubuntu (9.04/jaunty; 64-bit; localhost)
> - using Windows 2003 Server as PDC (pdc.domain.net)
> - command used to query:
>   ldapsearch -x -w secret -H ldap://localhost:389 \
>      -D 'CN=The Root,CN=Users,DC=domain,DC=net' \
>      -b 'CN=The User,CN=Users,DC=domain,DC=net' \
>      -s sub -a always '(objectClass=*)'
> - all used accounts (The Root, The User, The Bind & Administrator) exist
>   in the Windows domain (AD) and have the password set to 'secret'. 'The Root' is
>   also a member of 'Domain Admins', so it should have the same access rights as
>   'Administrator' (at least for AD/LDAP operations)
> === Case A ===
> I started with slapd-hdb and slapo-translucent to combine data from the
> Active Directory repository with other data from a local DB. I finally got
> it working, but only when the ldapsearch command was binding with the "rootdn" from
> the slapd-hdb configuration. But I want to bind with the (proper) user DN
> to slapd (the local repository) as well as to AD (the remote one).
> #======================================================================
> database    hdb
> suffix        "dc=domain,dc=net"
> rootdn        "cn=The Root,cn=Users,dc=domain,dc=net"
> rootpw        secret
> directory    /var/lib/ldap/lib-trans
> index objectClass eq
> index cn eq
> overlay   translucent
> uri       ldap://pdc.domain.net:389
> binddn    "cn=The Bind,cn=Users,dc=domain,dc=net"
> bindpw    heslo
> lastmod   off
> chase-referrals true
> rebind-as-user  true
> #----------------------------------------------------------------------
> If I use ldapsearch -D "cn=The Root,..." -b "cn=The User,..." then slapd
> binds to "cn=The Bind". That's correct, I guess...
> But when I use some other DN for the -D parameter then the response is
> "LdarErr: DSID-0C090627 ... " (I saw that one many times in the archives).
> It doesn't matter if it was "cn=The User,..." or "cn=The Bind".

This error seems not to be a slapd error, so you should check some
other services in your network.
The configuration parameters for the translucent overlay are incorrect;
see man slapo-translucent(5) and man slapd-ldap(5). You should
probably use the idassert-bind parameters.

> I also tried to combine slapd-ldap together with slapd-relay extended by
> slapo-rwm, to get something like "domain-alias" (2 names for one repository).
> #======================================================================
> database        ldap
> suffix            "dc=domain,dc=net"
> uri       ldap://pdc.domain.net:389
> chase-referrals yes
> rebind-as-user  yes
> database    relay
> suffix      "dc=alias,dc=net"
> relay       "dc=domain,dc=net"
> overlay     rwm
> rwm-suffixmassage "dc=domain,dc=net"
> #----------------------------------------------------------------------
> In this case, I was able to get a result with the -D option set to
> "cn=The User,cn=Users,dc=domain,dc=net", but I got the same error while using
> the aliased DN "cn=The Users,cn=Users,dc=alias,dc=net".

In the first case you were requesting the ldap backend, in the second
case the relay backend. If a request to the relay backend failed but was
successful to the ldap backend, then something is wrong with your
relay backend configuration. Debug slapd's ACL parsing to find the reason.



Dieter Klünter | Systemberatung
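As an added illustration of the idassert-bind approach the reply points at (my example, not a configuration posted in the thread): the remote side of the translucent overlay uses the fixed proxy account for every operation against AD, while the hdb side keeps the original settings. Host, suffix and DNs are the ones quoted in the question; the passwords are placeholders, and mode=none assumes the remote server is Active Directory, which does not support the proxied-authorization control that the other idassert modes rely on.

```conf
#======================================================================
# Local database: unchanged from the question, except that the rootpw
# is a placeholder (store a hashed value here in practice).
database    hdb
suffix      "dc=domain,dc=net"
rootdn      "cn=The Root,cn=Users,dc=domain,dc=net"
rootpw      <hashed-rootpw>
directory   /var/lib/ldap/lib-trans
index       objectClass eq
index       cn eq

# Everything after this directive configures the remote (slapd-ldap)
# side of the overlay; see slapo-translucent(5) and slapd-ldap(5).
overlay     translucent
uri         ldap://pdc.domain.net:389
lastmod     off

# Identity assertion instead of a bare binddn/bindpw: the proxy binds to
# AD once as the proxy account and runs remote operations under it.
# mode=none means no proxyAuthz control is sent, so the client's DN is
# never asserted towards AD (which would not accept it); AD-side
# authorization is therefore that of "cn=The Bind", not of the client.
idassert-bind   bindmethod=simple
                binddn="cn=The Bind,cn=Users,dc=domain,dc=net"
                credentials="<bind-password>"
                mode=none

# Restrict which local identities may ride on the proxy account; here
# any DN under the suffix (narrow this to the users that really need it).
idassert-authzFrom  "dn.regex:^.*,dc=domain,dc=net$"
#----------------------------------------------------------------------
```

Because the remote side now always acts as the proxy account, keep its AD permissions minimal (read access to the attributes the overlay merges) and check the resulting access with ldapsearch bound as a non-rootdn user, which is the case that failed in the question.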