
Re: Openldap for proxy AD



Hi,

since it is working for a lot of people (including some of our
customers) it seems that you are doing something wrong.

What about the contents of your entries: Are you sure that you have the
attribute userPassword with the value

{SASL}<username>@<AD-realm>

set in all entries that are to bind via AD?

Cheers,

Peter


On 22.11.2013 15:05, Willy Ramos wrote:
> On 22/11/2013 09:21, Andrew Findlay wrote:
>> On Wed, Nov 20, 2013 at 02:55:43PM -0200, Willy Ramos wrote:
>>
>>> Subject: Re: Openldap for proxy AD
>> Have you tried following the examples in the Admin Guide?
>>
>> http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authentication
>>
>>
>> There is a detailed setup and diagnostic guide there which should help
>> you
>> to isolate the problem.
>>
>> Andrew
>
> Thanks Andrew,
>
> I was testing based on this Admin Guide.
>
> When I check that the user can bind to AD:
>
>  ldapsearch -x -H ldap://dc1.example.com/ \
>       -D cn=user,cn=Users,DC=ad,DC=example,DC=com \
>       -w userpassword \
>       -b cn=user,cn=Users,DC=ad,DC=example,DC=com \
> Or with
>      -s base \
>         "(objectclass=*)"
> Or
>
>  testsaslauthd -u user -p userpassword
>
> It works.
>
> I was reading about it, and it seems it doesn't find the schemas of
> objectclass or the userPassword attribute;
>
> But I could not resolve it yet.
>
> See the logs
>
>
> Nov 22 11:57:30 mail slapd[18370]: conn=1192 fd=11 ACCEPT from
> IP=127.0.0.1:51698 (IP=0.0.0.0:636)
> Nov 22 11:57:30 mail slapd[18370]: conn=1192 fd=11 TLS established
> tls_ssf=256 ssf=256
> Nov 22 11:57:30 mail slapd[18370]: conn=1192 op=0 EXT
> oid=1.3.6.1.4.1.1466.20037
> Nov 22 11:57:30 mail slapd[18370]: conn=1192 op=0 STARTTLS
> Nov 22 11:57:30 mail slapd[18370]: conn=1192 op=0 RESULT oid= err=1
> text=TLS already started
> Nov 22 11:57:30 mail slapd[18370]: conn=1192 op=1 UNBIND
> Nov 22 11:57:30 mail slapd[18370]: conn=1192 fd=11 closed
>
> Thanks.
>


-- 

Peter Gietz, CEO

DAASI International GmbH        
Europaplatz 3                   
D-72072 Tübingen                
Germany                    

phone: +49 7071 407109-0
fax:   +49 7071 407109-9  
email: peter.gietz@daasi.de
web:   www.daasi.de

Registered office: Tübingen
Register court: Amtsgericht Stuttgart, HRB 382175
Management: Peter Gietz
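
The check suggested at the top of this message (every entry that is to bind via AD carries a userPassword of the form {SASL}<username>@<AD-realm>), as an added Python example that is not part of the original thread. It audits an LDIF export and reports only the scheme tag, never the stored value; the function names, DNs, realm and sample entries are constructed for illustration.

```python
import base64
import re

# Form quoted in the message above: {SASL}<username>@<AD-realm>
SASL_VALUE = re.compile(r"\{SASL\}[^@\s]+@[^@\s]+", re.IGNORECASE)

def _decode(rest):
    # "attr:: x" is base64 (how ldapsearch usually prints userPassword); "attr: x" is plain
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
    return rest.strip()

def _status(values):
    for value in values:
        if not SASL_VALUE.fullmatch(value):
            scheme = re.match(r"\{[^}]+\}", value)
            return "bad (%s)" % (scheme.group(0) if scheme else "no scheme")
    return "ok" if values else "missing"

def audit_ldif(ldif_text):
    # Returns {dn: "ok" | "missing" | "bad (<scheme>)"} for every entry in the dump
    text = re.sub(r"\n ", "", ldif_text.replace("\r\n", "\n"))  # undo LDIF line folding
    results = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        dn, passwords = None, []
        for line in record.splitlines():
            name, _, rest = line.partition(":")
            if name.lower() == "dn":
                dn = _decode(rest)
            elif name.lower() == "userpassword":
                passwords.append(_decode(rest))
        if dn is not None:
            results[dn] = _status(passwords)
    return results

def _b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample entries (not from the thread); alice's value is folded over two lines
_ALICE = _b64("{SASL}alice@AD.EXAMPLE.COM")
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=com",
    "userPassword:: " + _ALICE[:12], " " + _ALICE[12:], "",
    "dn: uid=bob,ou=people,dc=example,dc=com",
    "userPassword:: " + _b64("{SSHA}constructed-not-a-real-hash"), "",
    "dn: uid=carol,ou=people,dc=example,dc=com", "uid: carol", "",
    "dn: uid=dave,ou=people,dc=example,dc=com", "userPassword: {SASL}dave",
])

if __name__ == "__main__":
    print(audit_ldif(SAMPLE_LDIF))
```

Entries reported as "missing" may simply be hidden by ACLs, so run the export as an identity that is allowed to read userPassword.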