ldap + meta "Proxy operation retry failed" when re-binding as retrieved user for Active Directory account authentication
- To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
- Subject: ldap + meta "Proxy operation retry failed" when re-binding as retrieved user for Active Directory account authentication
- From: "Boyd, John K." <John.K.Boyd-1@ou.edu>
- Date: Mon, 20 Nov 2017 18:59:05 +0000
According to my slapd debug logs, after the account is not found locally, the search continues in Active Directory. I can bind using the admin query-only account and successfully retrieve the user account information from Active Directory (I have verified this); however, I can't then rebind-as-user with the user's password in order to authenticate.
I get a "Proxy operation retry failed" error:
slapd[22555]: conn=1000 fd=8 ACCEPT from IP=127.0.0.1:35848 (IP=127.0.0.1:389)
slapd[22555]: conn=1001 fd=9 ACCEPT from IP=127.0.0.1:35850 (IP=127.0.0.1:389)
slapd[22555]: conn=1000 op=0 BIND dn="cn=xxxx,ou=local" method=128
slapd[22555]: conn=1000 op=0 BIND dn="cn=xxxx,ou=local" mech=SIMPLE ssf=0
slapd[22555]: conn=1000 op=0 RESULT tag=97 err=0 text=
slapd[22555]: conn=1000 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=xxxx0029)"
slapd[22555]: conn=1002 fd=11 ACCEPT from IP=127.0.0.1:35852 (IP=127.0.0.1:389)
slapd[22555]: conn=1002 op=0 BIND dn="cn=xxxx,ou=local" method=128
slapd[22555]: conn=1002 op=0 BIND dn="cn=xxxx,ou=local" mech=SIMPLE ssf=0
slapd[22555]: conn=1002 op=0 RESULT tag=97 err=0 text=
slapd[22555]: conn=1003 fd=13 ACCEPT from IP=127.0.0.1:35854 (IP=127.0.0.1:389)
slapd[22555]: conn=1003 op=0 BIND dn="cn=xxxx,ou=local" method=128
slapd[22555]: conn=1003 op=0 BIND dn="cn=xxxx,ou=local" mech=SIMPLE ssf=0
slapd[22555]: conn=1003 op=0 RESULT tag=97 err=0 text=
slapd[22555]: conn=1002 op=1 SRCH base="ou=xxxx,dc=sooner,dc=net,dc=ou,dc=edu" scope=2 deref=0 filter="(uid=xxxx0029)"
slapd[22555]: conn=1003 op=1 SRCH base="ou=local" scope=2 deref=0 filter="(uid=xxxx0029)"
slapd[22555]: conn=1003 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
slapd[22555]: conn=1000 op=1 meta_back_search[1] match="" err=32 (No such object) text="".
slapd[22555]: conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[22555]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[22555]: conn=1001 op=0 BIND dn="cn=11079,ou=xxxx,dc=a,dc=example,dc=com" method=128
slapd[22555]: conn=1004 fd=16 ACCEPT from IP=127.0.0.1:35858 (IP=127.0.0.1:389)
slapd[22555]: conn=1004 op=0 BIND dn="cn=11079,ou=General,ou=xxxx,dc=sooner,dc=net,dc=ou,dc=edu" method=128
slapd[22555]: conn=1004 op=0 ldap_back_retry: retrying URI="ldaps://active.directory" DN=""
slapd[22555]: conn=1004 op=0 RESULT tag=97 err=52 text=Proxy operation retry failed
slapd[22555]: conn=1004 op=1 UNBIND
slapd[22555]: conn=1001 op=0 RESULT tag=97 err=52 text=
slapd[22555]: conn=1004 fd=16 closed
Here is my meta configuration:
database meta
suffix dc=example,dc=com
# The last rwm-map line maps all other attributes to nothing.
overlay rwm
rwm-map attribute uid sAMAccountname
rwm-map attribute *
#rwm-map objectclass posixGroup group
#rwm-map objectclass posixAccount person
#rwm-map objectclass memberUid member
##
uri "ldap://127.0.0.1/dc=a,dc=example,dc=com"
suffixmassage "dc=a,dc=example,dc=com" "ou=xxxx,dc=sooner,dc=net,dc=ou,dc=edu"
rebind-as-user true
idassert-bind
    bindmethod=simple
    binddn="cn=XXXX,ou=local"
    credentials=XXXX
    mode=none
idassert-authzFrom "dn.regex:.*"
##
uri "ldap://127.0.0.1/dc=b,dc=example,dc=com"
suffixmassage "dc=b,dc=example,dc=com" "ou=local"
rebind-as-user true
idassert-bind
    bindmethod=simple
    binddn="cn=XXXX,ou=local"
    credentials=XXXX
    mode=none
idassert-authzFrom "dn.regex:.*"
##
database ldap
uri ldaps://active.directory
suffix ou=xxxx,dc=sooner,dc=net,dc=ou,dc=edu
rebind-as-user true
idassert-bind
    bindmethod=simple
    binddn="cn=XXXX,ou=it,ou=services,ou=accounts,dc=sooner,dc=net,dc=ou,dc=edu"
    credentials=XXXX
    tls_reqcert=allow
    tls_cacert=/etc/letsencrypt/live/lmamr-lims.rccc.ou.edu/fullchain.pem
    tls_cert=/etc/letsencrypt/live/lmamr-lims.rccc.ou.edu/cert.pem
    tls_key=/etc/letsencrypt/live/lmamr-lims.rccc.ou.edu/privkey.pem
    mode=none
idassert-authzFrom "dn.regex:.*"
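As an added example (not part of the original post), a small Python parser that correlates slapd log lines per connection and operation, returns one record per BIND with its RESULT code and text, and attaches any back-ldap retry seen for that op, so the client-facing err=52 and the upstream "Proxy operation retry failed" can be matched up; the sample log is constructed from the lines quoted in the post.

```python
import re

# Constructed sample: the bind-related slapd log lines from the post above.
SAMPLE_LOG = """\
slapd[22555]: conn=1000 op=0 BIND dn="cn=xxxx,ou=local" method=128
slapd[22555]: conn=1000 op=0 BIND dn="cn=xxxx,ou=local" mech=SIMPLE ssf=0
slapd[22555]: conn=1000 op=0 RESULT tag=97 err=0 text=
slapd[22555]: conn=1001 op=0 BIND dn="cn=11079,ou=xxxx,dc=a,dc=example,dc=com" method=128
slapd[22555]: conn=1004 op=0 BIND dn="cn=11079,ou=General,ou=xxxx,dc=sooner,dc=net,dc=ou,dc=edu" method=128
slapd[22555]: conn=1004 op=0 ldap_back_retry: retrying URI="ldaps://active.directory" DN=""
slapd[22555]: conn=1004 op=0 RESULT tag=97 err=52 text=Proxy operation retry failed
slapd[22555]: conn=1004 op=1 UNBIND
slapd[22555]: conn=1001 op=0 RESULT tag=97 err=52 text=
"""

LINE_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r'^RESULT tag=(?P<tag>\d+) err=(?P<err>\d+) text=(?P<text>.*)$')
RETRY_RE = re.compile(r'^ldap_back_retry: retrying URI="(?P<uri>[^"]*)" DN="(?P<dn>[^"]*)"')


def parse_binds(log_text):
    """Group lines by (conn, op); return one record per BIND operation with
    its RESULT (tag 97 = bindResponse) and any back-ldap retry on the same op."""
    ops = {}  # (conn, op) -> record; dict keeps insertion order
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (int(m['conn']), int(m['op']))
        rec = ops.setdefault(key, {'conn': key[0], 'op': key[1]})
        rest = m['rest']
        if (b := BIND_RE.match(rest)):
            rec['bind_dn'] = b['dn']          # method=... and mech=... lines carry the same dn
        elif (r := RESULT_RE.match(rest)):
            rec['tag'], rec['err'], rec['text'] = int(r['tag']), int(r['err']), r['text']
        elif (t := RETRY_RE.match(rest)):
            rec['retry_uri'], rec['retry_dn'] = t['uri'], t['dn']  # DN="" means the retry is anonymous
    return [rec for rec in ops.values() if 'bind_dn' in rec]


def failed_binds(log_text):
    """Binds whose result was not err=0 (err=52 is LDAP unavailable), in log order."""
    return [rec for rec in parse_binds(log_text) if rec.get('err', 0) != 0]


if __name__ == '__main__':
    for rec in failed_binds(SAMPLE_LOG):
        print(rec)
```

In the sample, the client-side bind on conn=1001 and the upstream bind on conn=1004 both come back with err=52; the retry record on conn=1004 shows the reconnect to ldaps://active.directory was attempted with an empty DN.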