[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: need help interpreting "Error: ldap_back_is_proxy_authz returned 0, misconfigured URI?"



On 15/07/2013 18:00, Steve Eckmann wrote:
The odd thing is that I am doing exactly the same search twice. The
first fails, the second succeeds, so can it really be a credential
problem? I'm going to chase down what our intermediate proxy is;
maybe it's returning something bogus to openldap, but if so I haven't
been able to capture it in a log.

I see similar behaviour with the meta backend. If you don't have a suitable schema defined for the AD attributes, it's necessary to first search with an attribute that OpenLDAP does recognise (e.g. cn). Until then attributes such as sAMAccountName will be unknown. After a successful search that returns (say) sAMAccountName, OpenLDAP will happily use it for auth.

Assuming your issue is the same, try defining a suitable schema for your AD attributes. You can't use the Microsoft one directly unfortunately as MS uses some syntaxes that aren't present in OpenLDAP, and it's not easy to add additional syntaxes. But you can get away with creating a schema just for the attributes you're interested in.

Alternatively the quick and very dirty workaround is to perform a suitable search on initialisation.

--
Liam Gretton                                    liam.gretton@le.ac.uk
Systems Specialist                            http://www.le.ac.uk/its
IT Services                                   Tel: +44 (0)116 2522254
University of Leicester, University Road
Leicestershire LE1 7RH, United Kingdom