ldap + meta "Proxy operation retry failed" when re-binding as retrieved user for Active Directory account authentication

["Boyd, John K." <John.K.Boyd-1@ou.edu>]

According to my slapd debug logs, after the account is not found locally, the search continues in active directory. I can bind under the admin query only account and successfully retrieve the user account information (I have verified this) from active directory; however, I can't then rebind-as-user with the user password in order to authenticate.

I get a "Proxy operation retry failed" error:

slapd[22555]: conn=1000 fd=8 ACCEPT from IP=127.0.0.1:35848 (IP=127.0.0.1:389)
slapd[22555]: conn=1001 fd=9 ACCEPT from IP=127.0.0.1:35850 (IP=127.0.0.1:389)
slapd[22555]: conn=1000 op=0 BIND dn="cn=xxxx,ou=local" method=128
slapd[22555]: conn=1000 op=0 BIND dn="cn=xxxx,ou=local" mech=SIMPLE ssf=0
slapd[22555]: conn=1000 op=0 RESULT tag=97 err=0 text=
slapd[22555]: conn=1000 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=xxxx0029)"
slapd[22555]: conn=1002 fd=11 ACCEPT from IP=127.0.0.1:35852 (IP=127.0.0.1:389)
slapd[22555]: conn=1002 op=0 BIND dn="cn=xxxx,ou=local" method=128
slapd[22555]: conn=1002 op=0 BIND dn="cn=xxxx,ou=local" mech=SIMPLE ssf=0
slapd[22555]: conn=1002 op=0 RESULT tag=97 err=0 text=
slapd[22555]: conn=1003 fd=13 ACCEPT from IP=127.0.0.1:35854 (IP=127.0.0.1:389)
slapd[22555]: conn=1003 op=0 BIND dn="cn=xxxx,ou=local" method=128
slapd[22555]: conn=1003 op=0 BIND dn="cn=xxxx,ou=local" mech=SIMPLE ssf=0
slapd[22555]: conn=1003 op=0 RESULT tag=97 err=0 text=
slapd[22555]: conn=1002 op=1 SRCH base="ou=xxxx,dc=sooner,dc=net,dc=ou,dc=edu" scope=2 deref=0 filter="(uid=xxxx0029)"
slapd[22555]: conn=1003 op=1 SRCH base="ou=local" scope=2 deref=0 filter="(uid=xxxx0029)"
slapd[22555]: conn=1003 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
slapd[22555]: conn=1000 op=1 meta_back_search[1] match="" err=32 (No such object) text="".
slapd[22555]: conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[22555]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[22555]: conn=1001 op=0 BIND dn="cn=11079,ou=xxxx,dc=a,dc=example,dc=com" method=128
slapd[22555]: conn=1004 fd=16 ACCEPT from IP=127.0.0.1:35858 (IP=127.0.0.1:389)
slapd[22555]: conn=1004 op=0 BIND dn="cn=11079,ou=General,ou=xxxx,dc=sooner,dc=net,dc=ou,dc=edu" method=128
slapd[22555]: conn=1004 op=0 ldap_back_retry: retrying URI="ldaps://active.directory" DN=""
slapd[22555]: conn=1004 op=0 RESULT tag=97 err=52 text=Proxy operation retry failed
slapd[22555]: conn=1004 op=1 UNBIND
slapd[22555]: conn=1001 op=0 RESULT tag=97 err=52 text=
slapd[22555]: conn=1004 fd=16 closed


Here is my meta configuration:


database meta
suffix dc=example,dc=com
# The last rwm-map line maps all other attributes to nothing.
overlay rwm
rwm-map attribute uid sAMAccountname
rwm-map attribute *
#rwm-map objectclass posixGroup group
#rwm-map objectclass posixAccount person
#rwm-map objectclass memberUid member

##
uri "ldap://127.0.0.1/dc=a,dc=example,dc=com";
suffixmassage "dc=a,dc=example,dc=com" "ou=xxxx,dc=sooner,dc=net,dc=ou,dc=edu"
rebind-as-user true
idassert-bind
          bindmethod=simple
          binddn="cn=XXXX,ou=local"
          credentials=XXXX
          mode=none
idassert-authzFrom "dn.regex:.*"


##
uri "ldap://127.0.0.1/dc=b,dc=example,dc=com";
suffixmassage "dc=b,dc=example,dc=com" "ou=local"
rebind-as-user true
idassert-bind
          bindmethod=simple
          binddn="cn=XXXX,ou=local"
          credentials=XXXX
          mode=none
idassert-authzFrom "dn.regex:.*"


##
database ldap
uri ldaps://active.directory
suffix ou=xxxx,dc=sooner,dc=net,dc=ou,dc=edu
rebind-as-user true
idassert-bind
          bindmethod=simple
          binddn="cn=XXXX,ou=it,ou=services,ou=accounts,dc=sooner,dc=net,dc=ou,dc=edu"
          credentials=XXXX
          tls_reqcert=allow
          tls_cacert=/etc/letsencrypt/live/lmamr-lims.rccc.ou.edu/fullchain.pem
          tls_cert=/etc/letsencrypt/live/lmamr-lims.rccc.ou.edu/cert.pem
          tls_key=/etc/letsencrypt/live/lmamr-lims.rccc.ou.edu/privkey.pem
          mode=none
idassert-authzFrom "dn.regex:.*"