
LDAP proxy to AD - fails to bind
Hi,

I am going through the hoops of setting up an LDAP proxy (OpenLDAP 2.3
as supplied with Red Hat 5.6) in order to expose parts of our Active
Directory to other services which for political and security reasons
(that I have no influence in) we do not want talking directly to the AD.
In order to achieve this I would like to use ldap-back as the database
to act as the proxy to the AD and then a module such as translucent to
mask out the bits of the AD that we do not want exposed.

So far I am fighting to get ldap-back working as I would expect, at the
moment no matter what I do it fails to bind against the AD and a tcp
dump demonstrates this failure.  Anonymously binding and querying the AD
is not an option and so I have to specify a user and get ID assertion
working to force a bind against the AD as a specific known user. This
does mean that anything (at the moment) could query our proxy and so get
at the exposed parts of the AD and for the moment that is intentional. I
am also aware that TLS etc are not enabled - this is deliberate as it
makes packet sniffing for debugging easier.

So for my slapd.conf I have:

[slapd.conf]

database        ldap
uri             "ldap://myad.canterbury.ac.uk/"
suffix          "dc=myad,dc=canterbury,dc=ac,dc=uk"

acl-bind        bindmethod=simple
                binddn="CN=ldapproxy,OU=AD Administrators,DC=myad,DC=canterbury,DC=ac,DC=uk"
                credentials="password"
access to * by * read

idassert-bind   bindmethod=simple
                authzId=dn:CN=ldapproxy,OU=Administrators,DC=myad,DC=canterbury,DC=ac,DC=uk
                binddn="CN=ldapproxy,OU=Administrators,DC=myad,DC=canterbury,DC=ac,DC=uk"
                credentials="password"
idassert-authzFrom      "dn.regex:.*"

[end slapd.conf]

At the moment I don't really care that anyone can read anything from the
AD since I can't even bind, that will be tightened up in due course. I
have seen others over the years have had similar issues and I have noted
the responses they have received as well as reading the man pages and
the Admin Guide, but am now at the point where some community support
would be appreciated.

Thanks

Paul
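As an added example (not part of Paul's post or of OpenLDAP): a stdlib-only Python check that sends the same LDAPv3 simple bind the proxy's acl-bind/idassert-bind would send (bind DN plus password, plaintext on 389 as in the setup described) and decodes the BindResponse, so one can confirm the AD accepts that DN and credential before debugging back-ldap itself. Host, DN and password are assumptions to fill in; the BindResponse bytes used in testing are constructed.

```python
import socket

# LDAP resultCode values (RFC 4511) most often seen when a proxy bind fails
RESULT_NAMES = {0: "success", 8: "strongerAuthRequired", 32: "noSuchObject",
                34: "invalidDNSyntax", 48: "inappropriateAuthentication",
                49: "invalidCredentials", 53: "unwillingToPerform"}

def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(v):
    """BER INTEGER for non-negative v (minimal two's-complement octets)."""
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def bind_request(msg_id, bind_dn, password):
    """LDAPv3 simple BindRequest wrapped in an LDAPMessage SEQUENCE."""
    bind_op = tlv(0x60,                                   # [APPLICATION 0] BindRequest
                  ber_int(3)                              # version 3
                  + tlv(0x04, bind_dn.encode("utf-8"))    # name: the bind DN
                  + tlv(0x80, password.encode("utf-8")))  # simple [0] OCTET STRING
    return tlv(0x30, ber_int(msg_id) + bind_op)

def read_tlv(buf, pos):
    """Decode one BER tag/length/value at buf[pos]: (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                         # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def parse_bind_response(data):
    """Return (resultCode, diagnosticMessage) from a BindResponse LDAPMessage."""
    tag, msg, _ = read_tlv(data, 0)
    _, _msg_id, pos = read_tlv(msg, 0)
    op, resp, _ = read_tlv(msg, pos)
    if tag != 0x30 or op != 0x61:                         # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse: tags 0x%02x/0x%02x" % (tag, op))
    _, code, pos = read_tlv(resp, 0)                      # resultCode ENUMERATED
    _, _matched_dn, pos = read_tlv(resp, pos)
    _, diag, _ = read_tlv(resp, pos)                      # AD puts its error text here
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def simple_bind(host, bind_dn, password, port=389, timeout=5):
    """Send one plaintext simple bind; assumes the response fits one recv()."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(bind_request(1, bind_dn, password))
        code, diag = parse_bind_response(sock.recv(4096))
    return code, RESULT_NAMES.get(code, "other"), diag
```

Run `simple_bind("myad.canterbury.ac.uk", "CN=ldapproxy,OU=...,DC=uk", "password")` with the real DN and password; a 49 with AD's diagnostic text points at the DN or credential, while a 0 here and a failure through the proxy points at the slapd.conf.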