
slapd.conf for proxy to AD




Hi,

Like a lot of people I guess, I'm having trouble configuring slapd to work as a proxy server in front of Microsoft's Active Directory. AD in this case is configured to refuse to allow anonymous searches but I want to allow anonymous searches on the proxy. Therefore the configuration I'm hoping for is:

* Anonymous binds to slapd get translated into an authenticated bind to AD.
* Authenticated binds to slapd have their credentials (DN and password) passed through to AD.

Here's what I have so far, based on the documentation. I'm using slapd.conf rather than the new conf.d directory based config, and I'm currently running openldap 2.4.19:

--
database        ldap
chase-referrals no
suffix          "MY-AD-SUFFIX-HERE"
uri             "ldaps://MY-AD-SERVER-HERE/"
cancel          abandon

acl-bind        bindmethod=simple binddn="VALID-BIND-DN" credentials="VALID-PASSWORD"

idassert-bind bindmethod=simple binddn="VALID-BIND-DN" credentials="VALID-PASSWORD" mode=legacy flags=non-prescriptive

idassert-authzFrom "dn.regex:.*"

access to * by * read
--

You can assume I've used valid bind DNs, suffixes, server names and passwords in the places where I've resorted to capitals above. I've tested these binds from the command line directly against the AD server and they all work.

I have tested the above on OpenLDAP 2.3; it works for anonymous binds if and only if a successful authenticated bind is done first. The same was reported in this post:

http://www.openldap.org/lists/openldap-technical/200907/msg00043.html

In OpenLDAP 2.4 it fails to recognise the idassert-bind completely; all attempts at anonymous bind seem to fail. A similar problem was reported while upgrading from 2.3.11 to 2.3.27, here:

http://www.openldap.org/lists/openldap-software/200701/msg00055.html

Am I using the correct configuration directives to achieve what I want, and if not what should I be using?

Thanx,

--
Del