
Re: ldap meta + activedirectory



> Pierangelo Masarati wrote:
>>>
>>> ===
>>> database meta
>>> suffix cn=Users, dc=meta, dc=domain, dc=local uri
>>> ldaps://adserver.domain.local/cn=Users,dc=domain,dc=local \
>>> ldaps://adserver2.domain.local/cn=Users,dc=domain,dc=local
>>
>>
>> ^^^ Only the first URI in a URI list must provide the naming context
>
> database ldap
> suffix          "dc=domain,dc=local"
> uri           ldap://ldap.domain.local/cn=Users,dc=domain,dc=local
> suffixmassage "cn=Users,dc=meta,dc=domain,dc=local3"
> "cn=Users,dc=domain,dc=local3"
> binddn  proxyuser
> bindpw  xxx
> TLSVerifyClient allow
>
> # /opt/openldap2/libexec/slapd
> /opt/openldap2/etc/openldap/slapd.conf: line 81: unable to parse uri
> "ldap://ldap.domain.local/cn=Users,dc=domain,dc=local"; in "uri <uri>"
> line: URL doesn't begin with "[c]ldap[si]://"

With back-ldap, no naming context is required; the error you get is
because your naming context contains commas, and commas are considered
URI separators by the "list of URI" parsing routines; that error is
telling you that "dc=domain", i.e. the second URI in a comma-separated
list, is not a valid URI.  This is written in the manual: back-ldap => no
DN; back-meta => yes DN for the first URI.
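To make the comma rule above concrete, here is a small pre-flight checker, written for this reply and not part of OpenLDAP, that splits a slapd.conf "uri" value the way the message describes the list-of-URI parser (commas as separators; treating whitespace as a separator too is an assumption taken from the space-separated form used in the back-meta stanza above) and reports every element that does not start with one of the schemes named in the error text, "[c]ldap[si]://". The two configuration samples are constructed from the directives in this thread: the broken stanza with the DN in the URI, and the same stanza with the DN dropped and the mapping done by suffixmassage instead.

```python
import re

# Schemes slapd accepts, taken from the error text quoted in the thread:
#   URL doesn't begin with "[c]ldap[si]://"  ->  ldap, ldaps, ldapi, cldap
_SCHEME_RE = re.compile(r"^c?ldap[si]?://", re.IGNORECASE)


def split_uri_list(value: str) -> list[str]:
    """Split a 'uri' directive value as the message describes the
    list-of-URI parser: commas separate URIs.  Whitespace is treated as a
    separator as well (assumption, based on the space-separated list used
    in the back-meta example)."""
    return [item for item in re.split(r"[,\s]+", value.strip()) if item]


def check_uri_directive(value: str) -> list[str]:
    """Return one problem string per list element that is not a URI.
    An empty list means the directive would survive the list parse."""
    problems = []
    for item in split_uri_list(value):
        if not _SCHEME_RE.match(item):
            problems.append(f'"{item}" does not begin with [c]ldap[si]://')
    return problems


def check_slapd_conf(text: str) -> list[tuple[int, str]]:
    """Scan slapd.conf text and report every 'uri' directive whose value
    breaks under the comma rule, as (line number, problem) tuples.
    Quoting the value does not help: slapd strips the quotes before the
    directive handler sees the string, so quotes are stripped here too."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() != "uri" or len(parts) < 2:
            continue
        value = parts[1].strip().strip('"')
        for problem in check_uri_directive(value):
            findings.append((lineno, problem))
    return findings


# Constructed sample: the back-ldap stanza from the thread, with the DN
# inside the URI.  The DN's commas become URI separators.
BROKEN_CONF = """\
database ldap
suffix          "dc=domain,dc=local"
uri           ldap://ldap.domain.local/cn=Users,dc=domain,dc=local
"""

# Constructed sample: no DN in the URI (back-ldap needs none); the virtual
# suffix from the thread is mapped onto the real AD container with
# suffixmassage.  binddn/bindpw are omitted on purpose: as the message says,
# they do not make back-ldap bind for anonymous operations.
FIXED_CONF = """\
database ldap
suffix          "cn=Users,dc=meta,dc=domain,dc=local"
uri           ldap://ldap.domain.local
suffixmassage "cn=Users,dc=meta,dc=domain,dc=local" "cn=Users,dc=domain,dc=local"
"""


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        findings = check_slapd_conf(conf)
        print(f"{name}: {len(findings)} problem(s)")
        for lineno, problem in findings:
            print(f"  line {lineno}: {problem}")
```

Running it reports two problems on line 3 of the broken stanza ("dc=domain" and "dc=local", exactly the fragments the real parser trips over) and none for the fixed one; the same check works for a back-meta "uri" list as long as the DN is only in the first URI, since only the trailing fragments of the DN fall out as separate list elements.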

>
> with: uri           ldap://ldap.domain.local
> start ok
> but nothing in tree

That's another problem.  AD likely needs auth.

>
> http://www.openldap.org/lists/openldap-software/200501/msg00573.html

from ^^^ :

>> bindn "cn=proxyuser,cn=Users,dc=domain,dc=local"
>> bindpw "{MD5}secret"

1) there's a typo: it's "binddn", not "bindn";
2) creds in "bindpw" must be in cleartext.  It's bad, but that's it.


> proxyuser exists in Windows AD and is in the administrator group (not really
> the best; does someone have a more precise config?)

In any case, the above directives "binddn" and "bindpw" DO NOT IMPLY
BACK-LDAP WILL PERFORM A BIND FOR ANONYMOUS OPERATIONS.  YOU CAN SAFELY
REMOVE THEM AND NOTHING WILL CHANGE.

>
>> I also insist on suggesting back-ldap instead of back-meta unless you
>>
> ok, i switch :)
>
>> version of OpenLDAP you're using, so I cannot be more specific on the
>>
> latest (2.2.20-stable) on whitebox linux/x86, I'm on test for now.

Should be fine for back-ldap testing purposes, but note that many changes
occurred in back-ldap/back-meta between 2.2.20 and 2.2.23.  I
recommend you upgrade at your earliest convenience.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497