[Date Prev][Date Next]
Re: Trouble with slapd-ldap in various scenarios (LdarErr: DSID-0C090627)
Thanks for your reponse, Dieter.
Basically, you said "RTFM" just using more polite words. But I already
do that, man! I played with a few combination of idassert-bind option
but it doesn't help to me. B-)
Dieter Kluenter wrote:
Yes, I know that this error is returned by Active Directory LDAP server.
It says, that data were requested using unbinded connection and AD
server on Win2003 requires to bind. See the second half of this (and
also the original email)...
Martin Rubáš <email@example.com> writes:
If I use ldapsearch -D "cn=The Root,..." -b "cn=The User,..." then slapd
binds to "cn=The Bind". That's correct, I guess...
But when I use some other DN for -D parameter then the response is
"LdarErr: DSID-0C090627 ... " (I saw that one many time in archives).
It doesn't matter if it was "cn=The User,..." or "cn=The Bind".
This Error seems to be not a slapd error, so you should check some
other services in your network.
The configuration parameters for translucent overlay are incorrect,
see man slapo-translucent(5) and man slapd-ldap(5), you should
probably use idassert-bind parameters.
"man slapd-relay" shows only one option that I already used - relay
<real.naming.ctx>. other option mentioned in "man slapd.conf" under
section related to backends doesn't talk about anything related to
binding (except sync-replication which is no matter now).
In the first case you where requesting the ldap backend, in the second
case the relay backend. If a request to relay backend failed but where
successful to the ldap backend, than something is wrong with your
relay backend configuration. Debug slapd's acl parsing to find the reason.
If I understood man pages and FAQs well the identity assertion mechanism
allows to specify (through idassert-bind, idassert-authzFrom, etc.)
which identity will be used to bind on remote server. As I want to use
the identity that was used to access slapd I have to use idassert-bind
with mode=self or mode=legacy. That's correct, isnt't?
So, what's wrong with my config that binding to raw ldap backend works
and binding to relay doesn't (yes, I use proper DNs with correct suffix):
1. ldapsearch ... -D "cn=The User,cn=Users,dc=domain,dc=net" - is
successful and TCP stream looks something like that:
bind(44111)["The User"] -> success
request(44111) -> success
2. ldapsearch .... -D "cn=The User,cn=Users,dc=alias,dc=net" - ends with
failure and TCP stream is pretty weird:
bind(44111)["The User"] -> success
connect(33666) --- why???
bind(33666)["<ROOT>"] -> success --- huh ??? anonymous bind???
request(33666) -> LdapErr: DSID-0C090627 --- no-binding = no-data
from Active Directory
... and consecutive searches are similar to this one:
connect(44222) --- another connection??? why??? the 44111 was not
bind(44222)["The User"] -> success
request(33666) -> LdapErr: DSID-0C090627 --- reusing incorrectly
binded connection?? very nice :-(
For more details on TCP stream see original email (there is a packet
dump from Wireshark).
So, what I have not been able to do yet...
I want to use the slapd with "The User" and its own credentials to
forward LDAP request to remote Active Directory with the identity of
"The User" using slapd-relay/slapo-rwm or slapd-hdb/slapo-translucent
exactly same way as it works for raw slapd-ldap.
The only way was to specify some account using idassert-bind. The search
through slapd-relay returned the requested data but the "doubled
connection" was still in play but "The IdAssert" identity was used
instead of the strange "<ROOT"> for binding. Unfortunately, this is not
desired but "The User" biding is preferred.
I hope I explained my problem well. Could someone help me, please?