Re: ldap meta + activedirectory
> Pierangelo Masarati wrote:
>>>
>>> ===
>>> database meta
>>> suffix cn=Users, dc=meta, dc=domain, dc=local uri
>>> ldaps://adserver.domain.local/cn=Users,dc=domain,dc=local \
>>> ldaps://adserver2.domain.local/cn=Users,dc=domain,dc=local
>>
>>
>> ^^^ Only the first URI in a URI list must provide the naming context
>
> database ldap
> suffix "dc=domain,dc=local"
> uri ldap://ldap.domain.local/cn=Users,dc=domain,dc=local
> suffixmassage "cn=Users,dc=meta,dc=domain,dc=local3"
> "cn=Users,dc=domain,dc=local3"
> binddn proxyuser
> bindpw xxx
> TLSVerifyClient allow
>
> # /opt/openldap2/libexec/slapd
> /opt/openldap2/etc/openldap/slapd.conf: line 81: unable to parse uri
> "ldap://ldap.domain.local/cn=Users,dc=domain,dc=local" in "uri <uri>"
> line: URL doesn't begin with "[c]ldap[si]://"
with back-ldap, no naming context is required; the error you get is
because in your naming context there are commas, and commas are considered
URI separators by the "list of URI" parsing routines; that error is
telling you that "dc=domain", i.e. the second URI in a comma-separated
list, is not a valid URI. This is written in the manual: back-ldap => no
DN; back-meta => yes DN for the first URI.
>
> with: uri ldap://ldap.domain.local
> start ok
> but nothing in tree
That's another problem. AD likely needs auth.
>
> http://www.openldap.org/lists/openldap-software/200501/msg00573.html
from ^^^ :
>> bindn "cn=proxyuser,cn=Users,dc=domain,dc=local"
>> bindpw "{MD5}secret"
1) there's a typo: it's "binddn", not "bindn";
2) creds in "bindpw" must be in cleartext. It's bad, but that's it.
> proxyuser exists in Windows AD and is in the administrators group (not really
> best; does someone have a more precise config?)
In any case, the above directives "binddn" and "bindpw" DO NOT IMPLY
BACK-LDAP WILL PERFORM A BIND FOR ANONYMOUS OPERATIONS. YOU CAN SAFELY
REMOVE THEM AND NOTHING WILL CHANGE.
>
>> I also insist on suggesting back-ldap instead of back-meta unless you
>>
> ok, I switch :)
>
>> version of OpenLDAP you're using, so I cannot be more specific on the
>>
> latest (2.2.20-stable) on whitebox linux/x86, I'm on test for now.
Should be fine for back-ldap testing purposes, but note that there
were many changes in back-ldap/back-meta from 2.2.20 to 2.2.23. I
recommend you upgrade at your earliest convenience.
p.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
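The "unable to parse uri" failure discussed above comes from the URI list being split on commas before each element is checked for an LDAP scheme. The following is an added illustration, not OpenLDAP code or anything from this thread: it models that splitting for a back-ldap `uri` value, reports the same kind of diagnostic slapd gives, and emits the `uri` plus `suffixmassage` pair that should be used instead. The separator set (comma and whitespace) and the message wording are assumptions modelled on the thread, not copied from libldap.

```python
import re
from urllib.parse import urlsplit

# Scheme check applied to every element of the URI list.
SCHEME_RE = re.compile(r"^c?ldap[si]?://", re.IGNORECASE)

def split_uri_list(value):
    """Model of the URI-list splitting: commas and whitespace are list
    separators, so the commas of a DN embedded in a URI break the list."""
    return [p for p in re.split(r"[,\s]+", value.strip()) if p]

def check_backldap_uri(value):
    """Return the problems a back-ldap 'uri' value would raise (scheme errors
    as slapd reports them, plus the manual's no-DN rule); empty list = OK."""
    problems = []
    for part in split_uri_list(value):
        if not SCHEME_RE.match(part):
            problems.append(f'URL "{part}" doesn\'t begin with "[c]ldap[si]://"'
                            " (a comma inside a DN is treated as a URI separator)")
            continue
        if urlsplit(part).path.lstrip("/"):
            problems.append(f"back-ldap: {part!r} carries a DN; move the naming "
                            "context into 'suffixmassage' instead")
    return problems

def rewrite_for_backldap(value, virtual_suffix):
    """Produce the directives the thread recommends: a bare 'uri' list plus a
    'suffixmassage' mapping the local (virtual) suffix onto the remote DN that
    was wrongly embedded in the URI.  Tokens are split on whitespace only,
    i.e. as the administrator intended, not as the list parser would."""
    hosts, remote_dn = [], None
    for token in value.split():
        u = urlsplit(token)
        dn = u.path.lstrip("/")
        if dn and remote_dn is None:
            remote_dn = dn
        hosts.append(f"{u.scheme}://{u.netloc}")
    lines = ["uri " + " ".join(hosts)]
    if remote_dn:
        lines.append(f'suffixmassage "{virtual_suffix}" "{remote_dn}"')
    return lines

if __name__ == "__main__":
    # Constructed input: the failing directive from the thread.
    bad = "ldap://ldap.domain.local/cn=Users,dc=domain,dc=local"
    for p in check_backldap_uri(bad):
        print("problem:", p)
    for line in rewrite_for_backldap(bad, "cn=Users,dc=meta,dc=domain,dc=local"):
        print("use:", line)
```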