[Date Prev][Date Next] [Chronological] [Thread] [Top]

[Rivendell] idassert-bind not working as expected?



With minimal information as requested by the moderators multiple times.  Why
doesn't idassert-bind work as expected?  When I try an anonymous query to an
"LDAP" server via an OpenLDAP server configured as a proxy (backend meta , or
backend ldap), the query fails because the OpenLDAP server does not bind (even
when I try setting the "idassert-bind" option).

    # sample failed anonymous query to AD via OpenLDAP
    ldapsearch  -H "ldap://localhost/"; -b "ou=windows,dc=rfa,dc=org" -x

    # expected query to be performed by ldap server
 	ldapsearch -H "ldap://dc1.rfa.org/"; -b "cn=users,dc=rfa,dc=org" \
 		-D "CN=LDAP Proxy user account,OU=Windows,DC=rfa,DC=org" -W \
 		-x

    # using (tcpdump -x -s0 port 389) I never see a bind sent from OpenLDAP,
    # and instead I see an error returned from the "LDAP" server because a
    # bind not successful.


    # backend meta portion of the slapd.conf file
    ##database    ldap
    database    meta

    suffix      "ou=windows,dc=rfa,dc=org"
    uri         "ldap://dc1.rfa.org/ou=windows,dc=rfa,dc=org";

    suffixmassage   ou=windows,dc=rfa,dc=org
                    cn=users,dc=rfa,dc=org

    idassert-authzFrom "dn:*"
    #Xidassert-bind   bindmethod=simple binddn="ldap-proxy@rfa.org" credentials="222222"
    idassert-bind   bindmethod=simple binddn="CN=LDAP Proxy user account,OU=Windows,DC=rfa,DC=org" credentials="222222"  mode=none
    dncache-ttl     60



My environment is made up of Debian stable (4.0 Etch) on the workstations and
OpenLDAP server, OpenLDAP 2.3.30-5 on the server.  "LDAP" Server on the remote
end.


thank you,
donfede

-- 
Federico Grau
Free Software Developer and Sysadmin
Radio Free Asia
2025 M Street, NW
Suite 300
Washington, DC  20036
202-587-2046  Telephone
202-721-7468  Facsimile
CONFIDENTIAL COMMUNICATION
This e-mail message is intended only for the use of the addressee and may
contain information that is privileged and confidential.  Any unauthorized
dissemination, distribution, or copying is strictly prohibited.  If you
receive this transmission in error, please contact network@rfa.org.
_______________________________________________
Rivendell mailing list
Rivendell@techweb.rfa.org
http://techweb.rfa.org/mailman/listinfo/rivendell