
Re: openldap 2.4.21 - back-ldap + pcache ... backend binding

On Tue, Apr 27, 2010 at 3:43 PM, repudi8or repu <repudi8or@gmail.com> wrote:
Thanks for the response, Masarati,
 
I have set up with mode=self, but still the same error.
 
Maybe I'm having a conceptual issue here. What I am trying to do is ensure the backend functions prior to looking at configuring the frontend correctly. I am configuring the Solaris OpenLDAP slapd with back-ldap and pcache and am expecting to be able to simulate a frontend authentication process using ldapsearch to the Solaris OpenLDAP proxy. The backend LDAP service is AD at backendldap.core.dir.mycompany.com. The proxy box I will refer to as openldapproxy (openldapproxy.core.dir.mycompany.com).
 
My database ldap section now looks like this :-

database ldap
uri "ldap://backendldap.core.dir.mycompany.com"
suffix "ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com"
rootdn "dc=core,dc=dir,dc=mycompany,dc=com"
idassert-bind bindmethod=simple binddn="cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com" credentials="password" mode=self
 
I am testing by running ldapsearch on the openldapproxy host itself in the following manner :-
# /usr/local/bin/ldapsearch -x -h localhost -b ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com employeeID=12345678
 
The proxied bind goes out to the backend AD as I have shown in the discussion below. The response returned is :-
# filter: employeeID=12345678
# requesting: ALL
#
# search result
search: 2
result: 48 Inappropriate authentication
# numResponses: 1

Running slapd in diag mode I see the following in the debug output :-
do_bind: v3 anonymous bind
connection_get(11)
connection_get(11): got connid=1014
connection_read(11): checking for input on id=1014
ber_get_next
ber_get_next: tag 0x30 len 105 contents:
op tag 0x63, time 1272346583
ber_get_next
conn=1014 op=1 do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com>
=> ldap_bv2dn(ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com,0)
<= ldap_bv2dn(ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(ou=people,ou=eprofile,dc=core,dc=dir,dc=mycompany,dc=com)=0
<<< dnPrettyNormal: <ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com>, <ou=people,ou=eprofile,dc=core,dc=dir,dc=mycompany,dc=com>
SRCH "ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com" 2 0    0 0 0
ber_scanf fmt ({mm}) ber:
    filter: (?=undefined)
ber_scanf fmt ({M}}) ber:
    attrs:
==> limits_get: conn=1014 op=1 self="[anonymous]" this="ou=people,ou=eprofile,dc=core,dc=dir,dc=telstra,dc=com"
send_ldap_result: conn=1014 op=1 p=3
send_ldap_result: err=48 matched="" text=""
send_ldap_response: msgid=2 tag=101 err=48
Note the anonymous bind; I need this to be a simple authenticated bind using the idassert binddn and credentials.
Note the self="[anonymous]". I was expecting that it should have been self=[USERID_THAT_RAN_THE_LDAPSEARCH].
 
Regards Rep
On Tue, Apr 27, 2010 at 1:55 PM, <masarati@aero.polimi.it> wrote:
> Hi Folks,
>
> I am having troubles configuring openldap to my requirements.
>
> I am setting up an openldap server running on solaris 10 x86 to use as
> an LDAP proxy authentication server.
>
> My issue is that I can't get it to send authenticated simple binds to the
> backend ldap system. I am running wireshark and when I ldapsearch direct
> to the backend ldap I see a bind which looks like this :-
> Lightweight-Directory-Access-Protocol
>     LDAPMessage bindRequest(1)
> "cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com" simple
>         messageID: 1
>         protocolOp: bindRequest (0)
>             bindRequest
>                 version: 3
>                 name:
> cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com
>                 authentication: simple (0)
>                     simple: 384174656C73747261316732
>
> However when I initiate an ldapsearch to my local solaris slapd and capture
> the proxied back-ldap bind to the backend ldap system it looks like this :-
> Lightweight-Directory-Access-Protocol
>     LDAPMessage bindRequest(1) "<ROOT>" simple
>         messageID: 1
>         protocolOp: bindRequest (0)
>             bindRequest
>                 version: 3
>                 name:
>                 authentication: simple (0)
>                     simple: <MISSING>
>
> I am having trouble working out from the documentation if it should be
> acl-bind or idassert-bind or some other option which influences the backend
> bind. I have tried both those to no avail.
> Here is the "database ldap" section from my slapd.conf
>
> #######################################################################
> # ldap database definitions
> #######################################################################
> database ldap
> uri "ldap://backendldap.core.dir.mycompany.com"
> suffix "ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com"
> rootdn "dc=core,dc=dir,dc=mycompany,dc=com"
> acl-bind bindmethod=simple
> binddn="cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com"
> credentials="password"
> idassert-bind bindmethod=simple
> binddn="cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com"
> credentials="password"

The relevant directive is "idassert-bind", since you appear to be looking
for an identity assertion.  I hope what you posted was screwed up by the
mailer: continuation lines must start with whitespace.  What is missing
above is the "mode=self" parameter to "idassert-bind".  Try something like

idassert-bind bindmethod=simple
   binddn="cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com"
   credentials="password"
   mode=self

p.

> overlay pcache
> proxycache bdb 400 1 50 1200
> directory       /var/openldap-data
> cachesize 10000
> index cn,sn,uid pres,eq,sub
> index objectclass eq
>
> proxycachequeries 400
> proxyattrset 0 uid mail cn sn givenName
> proxytemplate (uid=) 0 600
> proxytemplate (mail=) 0 600
> proxytemplate (&(uid=)(mail=)) 0 600
>
> Any help would be greatly appreciated.
>
> Regards Rep
>
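The reply above pins the problem on two things in the posted slapd.conf: continuation lines must start with whitespace, and idassert-bind needs mode=self. Here is a small lint, added as an example and not code from the thread or from OpenLDAP, that folds continuation lines the way slapd does and checks the idassert-bind directive for those parameters; SAMPLE_CONF is a constructed copy of the posted section with the continuation lines indented.

```python
"""Lint a slapd.conf "database ldap" section as this thread's fix implies.

Added example, not from the thread or OpenLDAP: folds continuation lines
(slapd requires them to start with whitespace) into their directive, then
checks idassert-bind for bindmethod, binddn, credentials and mode=self.
"""
import shlex

# Constructed sample mirroring the config posted in the thread, with the
# continuation lines indented as slapd expects.
SAMPLE_CONF = """\
database ldap
uri "ldap://backendldap.core.dir.mycompany.com"
suffix "ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com"
rootdn "dc=core,dc=dir,dc=mycompany,dc=com"
idassert-bind bindmethod=simple
   binddn="cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com"
   credentials="password"
   mode=self
"""

def parse_directives(text):
    """Return [(directive, [args]), ...] with continuation lines folded in."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                          # blank line or comment
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()  # indented: continues previous
        else:
            logical.append(raw.strip())       # a new directive
    parts = [shlex.split(line) for line in logical]   # strips "..." quoting
    return [(p[0].lower(), p[1:]) for p in parts]

def check_idassert(directives):
    """Return a list of problems with idassert-bind; empty means it looks right."""
    binds = [args for name, args in directives if name == "idassert-bind"]
    if not binds:
        return ["no idassert-bind directive found"]
    kv = dict(arg.split("=", 1) for arg in binds[0] if "=" in arg)
    problems = [f"idassert-bind missing {k}=" for k in
                ("bindmethod", "binddn", "credentials") if k not in kv]
    if kv.get("mode") != "self":
        problems.append("idassert-bind lacks mode=self")
    return problems
```

Run it over the section as it was posted (continuation lines flush left) and each of binddn, credentials and mode becomes its own directive, so the check reports them all as missing from idassert-bind.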