[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: openldap 2.4.21 - back-ldap + pcache ... backend binding

Le 27/04/2010 07:46, repudi8or repu a écrit :
Maybe im having a conceptual issue here. What i am trying to do is
ensure the backend functions prior to looking at the configuring the
frontend correctly. I am configuring the solaris openldap slapd with
back-ldap and pcache and am expecting to be able to simulate a fronted
authentication process using ldapsearch to the solaris openldap proxy.
The backend ldap service is AD @ backendldap.core.dir.mycompany.com
<http://backendldap.core.dir.mycompany.com/>. the proxy box i will refer
to as openldapproxy  (openldapproxy.core.dir.mycompany.com
my database ldap section now looks like this :-

database ldap
uri "ldap://backendldap.core.dir.mycompany.com
suffix "ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com"
rootdn "dc=core,dc=dir,dc=mycompany,dc=com"
bindmethod=simple binddn="cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com" credentials="password"
i am testing by running ldapsearch on the openldapproxy host itself in
the following manner :-
# /usr/local/bin/ldapsearch -x -h localhost -b
ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com employeeID=12345678
the proxied bind goes out to the backend AD as i have shown in the below
discussion. The response returned is :-
# filter: employeeID=12345678
# requesting: ALL
# search result
search: 2
result: 48 Inappropriate authentication
# numResponses: 1

Running slapd in diag mode i see the following in the debug output :-
do_bind: v3 anonymous bind
connection_get(11): got connid=1014
connection_read(11): checking for input on id=1014
ber_get_next: tag 0x30 len 105 contents:
op tag 0x63, time 1272346583
conn=1014 op=1 do_search
ber_scanf fmt ({miiiib) ber:
 >>> dnPrettyNormal:
=> ldap_bv2dn(ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com,0)
<= ldap_bv2dn(ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(ou=people,ou=eprofile,dc=core,dc=dir,dc=mycompany,dc=com)=0
<<< dnPrettyNormal:
SRCH "ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com" 2 0    0 0 0
ber_scanf fmt ({mm}) ber:
     filter: (?=undefined)
ber_scanf fmt ({M}}) ber:
==> limits_get: conn=1014 op=1 self="[anonymous]"
send_ldap_result: conn=1014 op=1 p=3
send_ldap_result: err=48 matched="" text=""
send_ldap_response: msgid=2 tag=101 err=48
Note the anonymous bind, I need this to be a simply authenticated bind
using the idassert binddn and credentials
Note the "self="[anonymous]"............... I was expecting that it
should have been self=[USERID_THAT_RAN_THE_LDAPSEARCH]

"self" here is the user that authenticated to your local proxy server. Your ldapsearch has no -D option, so it's anonymous.

If you just want the proxy's clients to be able to access the AD server using the account you specified in idassert-bind, try mode=none.

Otherwise, you'll need to set up some appropriate authentication on the proxy side.

Jonathan Clarke - jonathan@phillipoux.net
Ldap Synchronization Connector (LSC) - http://lsc-project.org