On Tue, Apr 27, 2010 at 3:43 PM, repudi8or repu <[email protected]> wrote:

> Thanks for the response, Masarati.
>
> I have set up with mode=self, but still the same error.
>
> Maybe I'm having a conceptual issue here. What I am trying to do is ensure
> the backend functions prior to looking at configuring the frontend
> correctly. I am configuring the Solaris OpenLDAP slapd with back-ldap and
> pcache and am expecting to be able to simulate a frontend authentication
> process using ldapsearch to the Solaris OpenLDAP proxy. The backend LDAP
> service is AD @ backendldap.core.dir.mycompany.com. The proxy box I will
> refer to as openldapproxy (openldapproxy.core.dir.mycompany.com).
>
> My database ldap section now looks like this:
>
> database ldap
> uri "ldap://backendldap.core.dir.mycompany.com"
> suffix "ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com"
> rootdn "dc=core,dc=dir,dc=mycompany,dc=com"
> idassert-bind bindmethod=simple
>     binddn="cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com"
>     credentials="password"
>     mode=self
>
> I am testing by running ldapsearch on the openldapproxy host itself in the
> following manner:
> # /usr/local/bin/ldapsearch -x -h localhost \
>     -b ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com employeeID=12345678
>
> The proxied bind goes out to the backend AD as I have shown in the
> discussion below. The response returned is:
> # filter: employeeID=12345678
> # requesting: ALL
> #
> # search result
> search: 2
> result: 48 Inappropriate authentication
> # numResponses: 1
>
> Running slapd in diag mode I see the following in the debug output:
> do_bind: v3 anonymous bind
> connection_get(11)
> connection_get(11): got connid=1014
> connection_read(11): checking for input on id=1014
> ber_get_next
> ber_get_next: tag 0x30 len 105 contents:
> op tag 0x63, time 1272346583
> ber_get_next
> conn=1014 op=1 do_search
> ber_scanf fmt ({miiiib) ber:
> >>> dnPrettyNormal:
> <ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com>
> => ldap_bv2dn(ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com,0)
> <= ldap_bv2dn(ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com)=0
> => ldap_dn2bv(272)
> <= ldap_dn2bv(ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com)=0
> => ldap_dn2bv(272)
> <= ldap_dn2bv(ou=people,ou=eprofile,dc=core,dc=dir,dc=mycompany,dc=com)=0
> <<< dnPrettyNormal:
> <ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com>,
> <ou=people,ou=eprofile,dc=core,dc=dir,dc=mycompany,dc=com>
> SRCH "ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com" 2 0    0 0 0
> ber_scanf fmt ({mm}) ber:
>     filter: (?=undefined)
> ber_scanf fmt ({M}}) ber:
>     attrs:
> ==> limits_get: conn=1014 op=1 self="[anonymous]"
> this="ou=people,ou=eprofile,dc=core,dc=dir,dc=mycompany,dc=com"
> send_ldap_result: conn=1014 op=1 p=3
> send_ldap_result: err=48 matched="" text=""
> send_ldap_response: msgid=2 tag=101 err=48
> Note the anonymous bind; I need this to be a simple authenticated bind
> using the idassert binddn and credentials.
> Note the self="[anonymous]". I was expecting that it should
> have been self=[USERID_THAT_RAN_THE_LDAPSEARCH].
>
> Regards Rep
>   On Tue, Apr 27, 2010 at 1:55 PM, <[email protected]> wrote:
>
>> > Hi Folks,
>> >
>> > I am having trouble configuring OpenLDAP to my requirements.
>> >
>> > I am setting up an OpenLDAP server running on Solaris 10 x86 to use as
>> > an LDAP proxy authentication server.
>> >
>> > My issue is that I can't get it to send authenticated simple binds to the
>> > backend LDAP system. I am running Wireshark, and when I ldapsearch direct
>> > to the backend LDAP I see a bind which looks like this:
>> > Lightweight-Directory-Access-Protocol
>> >     LDAPMessage bindRequest(1)
>> > "cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com" simple
>> >         messageID: 1
>> >         protocolOp: bindRequest (0)
>> >             bindRequest
>> >                 version: 3
>> >                 name:
>> > cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com
>> >                 authentication: simple (0)
>> >                     simple: 384174656C73747261316732
>> >
>> > However, when I initiate an ldapsearch to my local Solaris slapd and
>> > capture the proxied back-ldap bind to the backend LDAP system, it looks
>> > like this:
>> > Lightweight-Directory-Access-Protocol
>> >     LDAPMessage bindRequest(1) "<ROOT>" simple
>> >         messageID: 1
>> >         protocolOp: bindRequest (0)
>> >             bindRequest
>> >                 version: 3
>> >                 name:
>> >                 authentication: simple (0)
>> >                     simple: <MISSING>
>> >
>> > I am having trouble working out from the documentation if it should be
>> > acl-bind or idassert-bind or some other option which influences the
>> > backend bind. I have tried both of those to no avail.
>> > Here is the "database ldap" section from my slapd.conf
>> >
>> > #######################################################################
>> > # ldap database definitions
>> > #######################################################################
>> > database ldap
>> > uri "ldap://backendldap.core.dir.mycompany.com"
>> > suffix "ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com"
>> > rootdn "dc=core,dc=dir,dc=mycompany,dc=com"
>> > acl-bind bindmethod=simple
>> > binddn="cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com"
>> > credentials="password"
>> > idassert-bind bindmethod=simple
>> > binddn="cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com"
>> > credentials="password"
>>
>> The relevant directive is "idassert-bind", since you appear to be looking
>> for an identity assertion.  I hope what you posted was screwed up by the
>> mailer: continuation lines must start with whitespace.  What is missing
>> above is the "mode=self" parameter to "idassert-bind".  Try something like
>>
>> idassert-bind bindmethod=simple
>>    binddn="cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com"
>>    credentials="password"
>>    mode=self
>>
>> p.
>>
>> > overlay pcache
>> > proxycache bdb 400 1 50 1200
>> > directory       /var/openldap-data
>> > cachesize 10000
>> > index cn,sn,uid pres,eq,sub
>> > index objectclass eq
>> >
>> > proxycachequeries 400
>> > proxyattrset 0 uid mail cn sn givenName
>> > proxytemplate (uid=) 0 600
>> > proxytemplate (mail=) 0 600
>> > proxytemplate (&(uid=)(mail=)) 0 600
>> >
>> > Any help would be greatly appreciated.
>> >
>> > Regards Rep
>> >
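As an added example, not part of the thread and not tested against the poster's AD backend, here is the `database ldap` section written with the whitespace-indented continuation lines that slapd.conf(5) requires, keeping only `idassert-bind` as Masarati indicated, followed by the pcache overlay from the first post. The hostname, DNs and password are the thread's own placeholders; the schema `include` and the `idassert-authzFrom` rule are assumptions that the thread does not specify.

```conf
#######################################################################
# ldap database definitions (added example; placeholders from the thread)
#######################################################################
# Assumption: employeeID is an Active Directory attribute and is not in
# the stock OpenLDAP schema files, so a schema that declares it must be
# included near the top of slapd.conf or the proxy logs the filter as
# "(?=undefined)". Path is hypothetical:
# include /usr/local/etc/openldap/schema/employee.schema

database        ldap
suffix          "ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com"
rootdn          "dc=core,dc=dir,dc=mycompany,dc=com"
uri             "ldap://backendldap.core.dir.mycompany.com"

# Identity assertion. Every continuation line begins with whitespace;
# a line that starts in column one is parsed as a new directive.
idassert-bind   bindmethod=simple
                binddn="cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com"
                credentials="password"
                mode=self

# Assumption: restrict which client identities the proxy may assert to
# users under the proxied suffix. The thread does not specify this rule.
idassert-authzFrom "dn.subtree:ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com"

overlay         pcache
proxycache      bdb 400 1 50 1200
directory       /var/openldap-data
cachesize       10000
index           cn,sn,uid pres,eq,sub
index           objectclass eq

proxycachequeries 400
proxyattrset    0 uid mail cn sn givenName
proxytemplate   (uid=) 0 600
proxytemplate   (mail=) 0 600
proxytemplate   (&(uid=)(mail=)) 0 600
```

Two checks before changing the idassert configuration further. First, `ldapsearch -x` with no `-D` performs an anonymous simple bind, which is exactly what the `do_bind: v3 anonymous bind` and `self="[anonymous]"` lines in the debug output record; `mode=self` asserts the identity the client bound as, so a test of it has to bind as a real user, for example `ldapsearch -x -H ldap://localhost -D "cn=someuser,cn=users,dc=core,dc=dir,dc=mycompany,dc=com" -W -b "ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com" "(employeeID=12345678)"` (the user DN is hypothetical). Second, the `filter: (?=undefined)` line means the proxy's own schema does not define the attribute used in the filter, independently of what the backend knows about it, hence the schema include above. Identity assertion under `mode=self` is carried to the backend in the proxied authorization control (RFC 4370), so the backend must accept that control for the asserted identity; whether the AD server in this thread does is not established here and should be verified with the same Wireshark capture the poster already has.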