[Date Prev][Date Next]
slapd.conf for proxy to AD
- To: email@example.com
- Subject: slapd.conf for proxy to AD
- From: Del <firstname.lastname@example.org>
- Date: Tue, 08 Feb 2011 15:57:54 +1100
- User-agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:220.127.116.11) Gecko/20091027 SeaMonkey/2.0
Like a lot of people I guess, I'm having trouble configuring slapd to work as a proxy server in
front of Microsoft's Active Directory. AD in this case is configured to refuse to allow
anonymous searches but I want to allow anonymous searches on the proxy. Therefore the
configuration I'm hoping for is:
* Anonymous binds to slapd get translated into an authenticated bind to AD.
* Authenticated binds to slapd have their credentials (DN and password) passed through to AD.
Here's what I have so far, based on the documentation. I'm using slapd.conf rather than the
new conf.d directory based config, and I'm currently running openldap 2.4.19:
acl-bind bindmethod=simple binddn="VALID-BIND-DN" credentials="VALID-PASSWORD"
idassert-bind bindmethod=simple binddn="VALID-BIND-DN credentials="VALID-PASSWORD"
access to * by * read
You can assume I've used valid bind DNs, suffixes, server names and passwords in the places
where I've resorted to capitals above. I've tested these binds from the command line directly
against the AD server and they all work.
I have tested the above on OpenLDAP 2.3, it works for anonymous binds if and only if a
successful authenticated bind is done first. The same was reported in this post:
In OpenLDAP 2.4 it fails to recognise the idassert-bind completely, all attempts at anonymous
bind seem to fail. A similar problem was reported while upgrading to 2.3.11 to 2.3.27, here:
Am I using the correct configuration directives to achieve what I want, and if not what should
I be using?