[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Help needed chaining to active directory for authentication - not quite there yet

One thing that stopped working since I introduced the new directives which
fixed the authentication problem is
being able to peruse the directories using Apache Directory Studio. I can
still see the AD branches but when I try to look at them I get an error
which in the server logs is reported as

res_errno: 1, res_error: <000004DC: LdapErr: DSID-0C0906E8, comment: In
order to perform this operation a successful bind must be completed on the
connection., data 0, v1db1>, res_matched: <>
ldap_free_request (origid 2, msgid 2)

So I must still be missing something in my configuration.

>On 09/11/11 19:34 +0000, Gabriella Turek wrote:
>>Hi Dan,
>>The way I got it to work (by pure chance mind you , I just happened on a
>>blog entry somewhere) was to add this entry to the slapd.config file:
>># Configure slapd-ldap back end to connect to AD
>>database        ldap
>>suffix          "ou=user accounts,dc=niwa,dc=local"
>>uri             "ldap://aucwdfp01.niwa.local:389";
>>chase-referrals yes
>>Nowhere in any documentation did I see this mentioned, and yet it worked
>>So I don't know what to think.
>>On 10/11/11 6:37 AM, "Dan White" <dwhite@olp.net> wrote:
>>>On 07/11/11 21:57 +0000, Gabriella Turek wrote:
>>>>Hello, I've set up an openLDAP server (2.4.23)  which chains to an
>>>>Active Directory (2008). I can successfully search for users, it will
>>>>find them in Active Directory if they are not in openLDAP,  but I
>>>>authenticate the Active Directory users.
>>>>The error is "Invalid credentials (49)"
>>>>Everything  is currently configured with clear text
>>>>ldapSearch works fine when pointed directly to the Active Directory.
>>>>The chaining configuration in the slapd.conf is:
>>>>overlay                     chain
>>>>chain-uri                   ldap://aucwdfp01.niwa.local:389
>>>>chain-rebind-as-user        TRUE
>>>>chain-idassert-bind         bindmethod="simple"
>>>>                            binddn="cn=SDT Tester,ou=NIWA Staff
>>>>Accounts,ou=User Accounts, dc=niwa,dc=local"
>>>>                            credentials=xxxxxxx
>>>>                            mode="self"
>>>>   flags=non-prescriptive
>>>>chain-return-error          TRUE
>>>Does mode="none" work? If my reading of slapd-ldap(5) is correct, with
>>>config other than 'none', slapd will attempt to assert the proxyAuthz
>>>I checked our local AD server (2003) and it does not appear to support
>>>ldapsearch -LLL -x -H ldap://<AD.ip> -s "base" -b "" supportedControl
>>>supportedControl: 1.2.840.113556.1.4.319
>>>supportedControl: 1.2.840.113556.1.4.801
>>>supportedControl: 1.2.840.113556.1.4.473
>>>supportedControl: 1.2.840.113556.1.4.528
>>>supportedControl: 1.2.840.113556.1.4.417
>>>supportedControl: 1.2.840.113556.1.4.619
>>>supportedControl: 1.2.840.113556.1.4.841
>>>supportedControl: 1.2.840.113556.1.4.529
>>>supportedControl: 1.2.840.113556.1.4.805
>>>supportedControl: 1.2.840.113556.1.4.521
>>>supportedControl: 1.2.840.113556.1.4.970
>>>supportedControl: 1.2.840.113556.1.4.1338
>>>supportedControl: 1.2.840.113556.1.4.474
>>>supportedControl: 1.2.840.113556.1.4.1339
>>>supportedControl: 1.2.840.113556.1.4.1340
>>>supportedControl: 1.2.840.113556.1.4.1413
>>>supportedControl: 2.16.840.1.113730.3.4.9
>>>supportedControl: 2.16.840.1.113730.3.4.10
>>>supportedControl: 1.2.840.113556.1.4.1504
>>>supportedControl: 1.2.840.113556.1.4.1852
>>>supportedControl: 1.2.840.113556.1.4.802
>>>supportedControl: 1.2.840.113556.1.4.1907
>>>supportedControl: 1.2.840.113556.1.4.1948
>>>proxyAuthz control == 2.16.840.1.113730.3.4.18 (RFC 4370)
>>>Dan White
>Dan White
>BTC Broadband
>Ph  918.366.0248 (direct)   main: (918)366-8000
>Fax 918.366.6610            email: dwhite@olp.net