Re: proxy to AD does not work during login client machine

[Dan White <dwhite@cafedemocracy.org>]

On 06/11/15 23:38 +0000, Leo Xiao wrote:
> Hi technical,
>
> I hit a problem during configure proxy to AD.
> I can run command:
> $ldapsearch -x -h localhost -LLL -b dc=mydomain,dc=local -D cn=open,cn=users,dc=mydomain,dc=local -W "(cn=open1)" cn sAMAccountName
> which return the SAMACCOUNTNAME:open successfully. --- This may mean the proxy works well.
> But if I run command with out -D -D cn=open,cn=users,dc=mydomain,dc=local. The search will failed.

So you are attempting to authenticate anonymously? Or with SASL?

> when I try to login my client machine with AD user. It always failed. --- I can login with openldapuser successfully.

You'll need to trouble shoot your nss/pam config, which ever one you're
using.

> I think I need some configuration to force the -D in slapd.con. Is there any problems with my slapd.conf? Or any trouble shooting comments? Appreciate it very much.
>
> Below is my slapd.conf:
> #######################################################################
> # database definitions
> #######################################################################
> database       ldap
> suffix         "DC=mydomain,DC=local"
> uri            ldap://dc-ad.mydomain.local/
> chase-referrals no
> rebind-as-user  yes
> idassert-bind   bindmethod=simple
>                binddn="CN=open,OU=users,DC=mydomain,DC=local"
>                credentials=open
>                mode=none
>                flags=non-prescriptive
> idassert-authzFrom "*"
>
>
> Thanks,
> Leo

--
Dan White