Re: need help interpreting "Error: ldap_back_is_proxy_authz returned 0, misconfigured URI?"
On 15/07/2013 18:00, Steve Eckmann wrote:
> The odd thing is that I am doing exactly the same search twice. The
> first fails, the second succeeds, so can it really be a credential
> problem? I'm going to chase down what our intermediate proxy is;
> maybe it's returning something bogus to openldap, but if so I haven't
> been able to capture it in a log.

I see similar behaviour with the meta backend. If you don't have a
suitable schema defined for the AD attributes, it's necessary to first
search with an attribute that OpenLDAP does recognise (e.g. cn). Until
then attributes such as sAMAccountName will be unknown. After a
successful search that returns (say) sAMAccountName, OpenLDAP will
happily use it for auth.

Assuming your issue is the same, try defining a suitable schema for your
AD attributes. You can't use the Microsoft one directly unfortunately as
MS uses some syntaxes that aren't present in OpenLDAP, and it's not easy
to add additional syntaxes. But you can get away with creating a schema
just for the attributes you're interested in.

Alternatively the quick and very dirty workaround is to perform a
suitable search on initialisation.

Liam Gretton email@example.com
Systems Specialist http://www.le.ac.uk/its
IT Services Tel: +44 (0)116 2522254
University of Leicester, University Road
Leicestershire LE1 7RH, United Kingdom
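
A minimal schema of the kind suggested in the reply above, as an added example that is not part of the original message or of OpenLDAP's shipped schema files. It defines only sAMAccountName, using Microsoft's registered OID for that attribute and the standard Directory String syntax that OpenLDAP already supports; the file name, path and matching rules are assumptions.

```conf
# /etc/openldap/schema/ad-minimal.schema  (hypothetical file name and path)
#
# Declares only the AD attribute the proxy has to recognise, so that
# slapd knows sAMAccountName from startup rather than learning it from
# the first search result that happens to return it.
#
# OID:    1.2.840.113556.1.4.221 is the OID Microsoft registered for
#         sAMAccountName.
# SYNTAX: 1.3.6.1.4.1.1466.115.121.1.15 is Directory String, a standard
#         syntax present in OpenLDAP, used here in place of the
#         Microsoft-specific syntaxes the full AD schema relies on.
attributetype ( 1.2.840.113556.1.4.221
    NAME 'sAMAccountName'
    DESC 'AD logon name (minimal definition for proxying)'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

# slapd.conf: load the file in the global section, after core.schema and
# before the "database ldap" / "database meta" section that proxies to AD.
#
# include /etc/openldap/schema/core.schema
# include /etc/openldap/schema/ad-minimal.schema
```

Running `slaptest` against the configuration before restarting slapd confirms that the new definition parses. Any other AD attribute used in filters or authorisation mappings needs its own `attributetype` entry in the same style.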