Re: Trouble with slapd-ldap in various scenarios (LdarErr: DSID-0C090627)


Martin Rubáš <mrubas@kerio.com> writes:

> Hello,
> Notes:
> - using slapd version 2.4.15 on Ubuntu (9.04/jaunty; 64-bit; localhost)
> - using Windows 2003 Server as PDC (pdc.domain.net)
> - command used to query:
>   ldapsearch -x -w secret -H ldap://localhost:389 \
>      -D 'CN=The Root,CN=Users,DC=domain,DC=net' \
>      -b 'CN=The User,CN=Users,DC=domain,DC=net' \
>      -s sub -a always '(objectClass=*)'
> - all used accounts (The Root, The User, The Bind & Administrator) exist
>   in the Windows domain (AD) and have their password set to 'secret'. 'The Root'
>   is also a member of 'Domain Admins', so it should have the same access rights
>   as 'Administrator' (at least for AD/LDAP operations)
> === Case A ===
> I started with slapd-hdb and slapo-translucent to combine data from the
> Active Directory repository with other data from a local DB. I finally got
> it working, but only when the ldapsearch command was binding with the "rootdn"
> from the slapd-hdb configuration. But I want to bind with the (proper) user DN
> to slapd (local repository) as well as to AD (remote one).
> #======================================================================
> database        hdb
> suffix          "dc=domain,dc=net"
> rootdn          "cn=The Root,cn=Users,dc=domain,dc=net"
> rootpw          secret
> directory       /var/lib/ldap/lib-trans
> index           objectClass eq
> index           cn eq
> overlay         translucent
> uri             ldap://pdc.domain.net:389
> binddn          "cn=The Bind,cn=Users,dc=domain,dc=net"
> bindpw          heslo
> lastmod         off
> chase-referrals true
> rebind-as-user  true
> #----------------------------------------------------------------------
> If I use ldapsearch -D "cn=The Root,..." -b "cn=The User,..." then slapd
> binds to "cn=The Bind". That's correct, I guess...
> But when I use some other DN for the -D parameter then the response is
> "LdarErr: DSID-0C090627 ..." (I saw that one many times in the archives).
> It doesn't matter if it was "cn=The User,..." or "cn=The Bind".

This error does not seem to be a slapd error, so you should check some
other services in your network.
The configuration parameters for the translucent overlay are incorrect;
see man slapo-translucent(5) and man slapd-ldap(5). You should
probably use the idassert-bind parameters.

> I also tried to combine slapd-ldap together with slapd-relay extended by
> slapo-rwm, to get something like a "domain alias" (two names for one repository).
> #======================================================================
> database        ldap
> suffix          "dc=domain,dc=net"
> uri             ldap://pdc.domain.net:389
> chase-referrals yes
> rebind-as-user  yes
> database        relay
> suffix          "dc=alias,dc=net"
> relay           "dc=domain,dc=net"
> overlay         rwm
> rwm-suffixmassage "dc=domain,dc=net"
> #----------------------------------------------------------------------
> In this case, I was able to get a result with the -D option set to
> "cn=The User,cn=Users,dc=domain,dc=net", but I got the same error while using
> the aliased DN "cn=The Users,cn=Users,dc=alias,dc=net".

In the first case you were requesting the ldap backend, in the second
case the relay backend. If a request to the relay backend failed but was
successful to the ldap backend, then something is wrong with your
relay backend configuration. Debug slapd's ACL parsing to find the reason.
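
An added example of the idassert-bind form the reply points to, written for this page and not taken from the thread or from the OpenLDAP documentation. It replaces the deprecated binddn/bindpw pair in the poster's slapd-ldap configuration (Case B); the same slapd-ldap(5) directives go after the "overlay translucent" line in Case A. Host name, DNs and the service-account password "secret" are placeholders carried over from the thread, and the rewrite assumes slapd 2.4 syntax as described in slapd-ldap(5); mode=none is chosen because Active Directory does not implement the proxied-authorization control that the other modes rely on.

```conf
# Added example: slapd.conf fragment proxying Active Directory through
# slapd-ldap with identity assertion. Names and the password are
# placeholders from the mailing-list thread, not a real deployment.
database        ldap
suffix          "dc=domain,dc=net"
uri             "ldap://pdc.domain.net:389"

# Clients still bind with their own AD DN; slapd-ldap proxies that bind to
# AD, so the password is checked there. Operations on the client's
# connection are then run under the service account below.
#   mode=none       send no proxyAuthz control (AD does not support it);
#                   operations simply run as the idassert identity.
#   flags=override  assert that identity even for clients whose own bind
#                   succeeded, instead of reusing their credentials.
idassert-bind   bindmethod=simple
                binddn="cn=The Bind,cn=Users,dc=domain,dc=net"
                credentials="secret"
                mode=none
                flags=override

# Only identities matching this rule may be proxied under the service
# account. "*" is the widest setting; a narrower rule, e.g. only entries
# directly under cn=Users, keeps unrelated bind DNs from riding on it.
idassert-authzFrom "dn.regex:^cn=[^,]+,cn=Users,dc=domain,dc=net$"

# rebind-as-user makes slapd keep each bound user's clear-text password
# for the life of the session so it can rebind when chasing referrals.
# Leave both off unless referral chasing is actually needed; AD returns
# search references for its application partitions on subtree searches.
chase-referrals no
rebind-as-user  no

# AD now only ever sees "cn=The Bind", so any per-user restriction has to
# be expressed as slapd "access to" rules on this database; the remote
# server's ACLs no longer see the real client identity.
```

Two things to check after applying it: the file holding credentials= must be readable only by the slapd user, and the bind still fails for a wrong password even though searches run as the service account, which is the property being relied on. For the relay/rwm case, starting the daemon in the foreground with the ACL log category enabled (slapd -d acl -f /path/to/slapd.conf, path assumed) shows which DN the rewritten bind identity is evaluated as and which access rule denies the aliased request.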
