OpenLDAP Proxy - user authentification problem
- To: openldap-technical@openldap.org
- Subject: OpenLDAP Proxy - user authentification problem
- From: Martin Toth <snowmailer@gmail.com>
- Date: Sat, 12 Jan 2019 20:02:47 +0100
Hi all,
I am trying to configure an OpenLDAP proxy to proxy searches to my 2 (two) different AD servers. I am testing/trying to log in as a domain user to an application that is configured to verify users against this proxy.
Context is:
- allowed app users from AD1 will be placed in the "AllowAPP" group on AD1 - i.e. - CN=AllowAPP,OU=Groups,OU=Something,DC=domain,DC=xy
- allowed app users from AD2 will be placed in the "AllowAPP" group on AD2 - i.e. - CN=Allow,OU=App,OU=Group,DC=domain2,DC=local
- these two groups are placed in different OUs on the two ADs (Active Directories), so special rewriting has to be done on both URIs
The problem is that I don't know how to correctly authenticate users. The app configuration is that it will allow login only to a user who is a member of the CN=AllowAPP,OU=Groups,DC=grouped,DC=all "virtual" group.
Everything works fine when I am searching the group membership of users with ldapsearch. I can find members of both groups by searching the virtual group mentioned above.
I suspect there is a problem with passing user credentials to one of the AD servers that I am proxying to. I am using sAMAccountName as the user login.
This is the debug search base when I am trying to log in from the app:
SRCH base="dc=grouped,dc=all" scope=2 deref=2 filter="(?SAMACCOUNTNAME=test.user)"
This is the error produced while I am trying to log in as the user:
meta_back_search[0] match="" err=1 (Operations error) text="000004DC: LdapErr: DSID-0C09075A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1".
Am I doing something wrong? Can you advise? I am probably missing something that refers to validating user credentials.
Thanks, BR,
Martin
This is my configuration so far:
database meta
suffix "dc=grouped,dc=all"
rootdn "cn=admin,dc=grouped,dc=all"
rootpw "password"
readonly yes
lastmod off
uri ldap://AD1/dc=grouped,dc=all
suffixmassage "dc=grouped,dc=all" "dc=domain,dc=xy"
idassert-bind bindmethod=simple
binddn="CN=bind,CN=Users,dc=domain,dc=xy"
credentials="password"
mode=none
flags=non-prescriptive
rewriteEngine on
chase-referrals yes
rewriteContext default
rewriteContext searchBase
rewriteRule "CN=AllowAPP,OU=Groups,DC=grouped,DC=all$" "CN=AllowAPP,OU=Groups,OU=Something,DC=domain,DC=xy" "@"
uri ldap://AD2/dc=grouped,dc=all
suffixmassage "dc=grouped,dc=all" "dc=domain2,dc=local"
idassert-bind bindmethod=simple
binddn="CN=binduser,CN=Users,dc=domain2,dc=local"
credentials="password"
mode=none
flags=non-prescriptive
rewriteEngine on
chase-referrals yes
rewriteContext default
rewriteContext searchBase
rewriteRule "CN=AllowAPP,OU=Groups,DC=grouped,DC=all$" "CN=Allow,OU=App,OU=Group,DC=domain2,DC=local" "@"
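As an added example, not part of this post and not OpenLDAP code: a small Python triage script that parses the two slapd debug lines quoted in the message (the SRCH line and the meta_back_search error line) into structured records. The two sample lines below are constructed copies of the ones in the post. The script relies on one slapd logging convention: when it renders a filter for the log, slapd prefixes an attribute type it cannot find in its own schema with "?", which is why the filter appears as (?SAMACCOUNTNAME=test.user). The finding messages and severity labels are this example's own wording, derived only from what the logged text says.

```python
"""Triage helper for slapd back-meta debug output (added example, not from the post)."""
import re

# Constructed sample log lines: copies of the two lines quoted in the post.
SAMPLE_LOG = [
    'SRCH base="dc=grouped,dc=all" scope=2 deref=2 filter="(?SAMACCOUNTNAME=test.user)"',
    'meta_back_search[0] match="" err=1 (Operations error) text="000004DC: LdapErr: '
    'DSID-0C09075A, comment: In order to perform this operation a successful bind '
    'must be completed on the connection., data 0, v1db1"',
]

# key=value tokens; a value is either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# slapd prefixes an attribute type missing from its schema with '?' in logged filters.
UNDEF_ATTR_RE = re.compile(r'\(\?([A-Za-z][\w;.-]*)')
META_RE = re.compile(r'^meta_back_search\[(\d+)\]\s+(.*)$')
# Active Directory error text: <hex code>: LdapErr: DSID-<id>, comment: <text>, data <n>
AD_ERR_RE = re.compile(
    r'^([0-9A-Fa-f]{8}): LdapErr: (DSID-[0-9A-Fa-f]+), comment: (.*), data (\d+)')

SCOPES = {"0": "base", "1": "one", "2": "sub", "3": "children"}


def parse_kv(text):
    """Turn 'k=v k="v v"' into a dict, stripping the surrounding quotes."""
    out = {}
    for key, val in KV_RE.findall(text):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        out[key] = val
    return out


def parse_srch(line):
    """Parse a 'SRCH base=... scope=... deref=... filter=...' line; None if not one."""
    if "SRCH " not in line:
        return None
    kv = parse_kv(line.split("SRCH ", 1)[1])
    flt = kv.get("filter", "")
    return {
        "base": kv.get("base", ""),
        "scope": SCOPES.get(kv.get("scope", ""), kv.get("scope", "")),
        "filter": flt,
        "undefined_attrs": UNDEF_ATTR_RE.findall(flt),
    }


def parse_meta_error(line):
    """Parse 'meta_back_search[n] match=... err=... text="..."' and decode the AD text."""
    m = META_RE.match(line)
    if not m:
        return None
    kv = parse_kv(m.group(2))
    rec = {"target": int(m.group(1)), "err": int(kv.get("err", "0")),
           "matched": kv.get("match", ""), "text": kv.get("text", "")}
    ad = AD_ERR_RE.match(rec["text"])
    if ad:
        rec["ad_code"], rec["dsid"], rec["comment"], rec["data"] = ad.groups()
    return rec


def triage(lines):
    """Return a list of (severity, message) findings for the given log lines."""
    findings = []
    for line in lines:
        srch = parse_srch(line)
        if srch:
            for attr in srch["undefined_attrs"]:
                findings.append(("warn", f"filter attribute {attr} is not in the proxy's "
                                         f"schema (slapd logged it as ?{attr}); check that "
                                         "the proxy knows the AD attribute types it forwards"))
            continue
        meta = parse_meta_error(line)
        if meta:
            if "successful bind must be completed" in meta.get("comment", ""):
                findings.append(("error", f"target {meta['target']} rejected the search "
                                          f"({meta.get('ad_code')}): the operation reached "
                                          "it on a connection with no successful bind, so "
                                          "no usable identity was presented to that AD"))
            elif meta["err"]:
                findings.append(("error", f"target {meta['target']} returned "
                                          f"err={meta['err']}: {meta['text']}"))
    return findings


if __name__ == "__main__":
    for sev, msg in triage(SAMPLE_LOG):
        print(f"[{sev}] {msg}")
```

Run it against a slapd debug capture (one line per list element) to separate the two questions the post raises: whether the proxy understood the filter it received, and whether the connection it used toward each target was bound when the search was forwarded.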