Re: Trouble with slapd-ldap in various scenarios (LdarErr: DSID-0C090627)
Hi,
Martin Rubáš <mrubas@kerio.com> writes:
> Hello,
[...]
> Notes:
> - using slapd version 2.4.15 on Ubuntu (9.04/jaunty; 64-bit; localhost)
> - using Windows 2003 Server as PDC (pdc.domain.net)
> - command used to query:
> ldapsearch -x -w secret -H ldap://localhost:389 \
> -D 'CN=The Root,CN=Users,DC=domain,DC=net' \
> -b 'CN=The User,CN=Users,DC=domain,DC=net' \
> -s sub -a always '(objectClass=*)'
> - all used accounts (The Root, The User, The Bind & Administrator) exist
> in the Windows domain (AD) and have the password set to 'secret'. 'The Root' is
> also a member of 'Domain Admins', so it should have the same access rights as
> 'Administrator' (at least for AD/LDAP operations)
>
> === Case A ===
>
> I started with slapd-hdb and slapo-translucent to combine data from the
> Active Directory repository with other data from a local DB. I finally got
> it working, but only when the ldapsearch command was binding with the "rootdn" from
> the slapd-hdb configuration. But I want to bind with the (proper) user DN
> to slapd (the local repository) as well as to AD (the remote one).
>
> #======================================================================
> database hdb
> suffix "dc=domain,dc=net"
> rootdn "cn=The Root,cn=Users,dc=domain,dc=net"
> rootpw secret
> directory /var/lib/ldap/lib-trans
> index objectClass eq
> index cn eq
>
> overlay translucent
> uri ldap://pdc.domain.net:389
> binddn "cn=The Bind,cn=Users,dc=domain,dc=net"
> bindpw heslo
> lastmod off
> chase-referrals true
> rebind-as-user true
> #----------------------------------------------------------------------
>
> If I use ldapsearch -D "cn=The Root,..." -b "cn=The User,..." then slapd
> binds to "cn=The Bind". That's correct, I guess...
> But when I use some other DN for the -D parameter, the response is
> "LdarErr: DSID-0C090627 ... " (I saw that one many times in the archives).
> It doesn't matter if it was "cn=The User,..." or "cn=The Bind".
This error does not seem to be a slapd error, so you should check some
other services in your network.
The configuration parameters for the translucent overlay are incorrect;
see slapo-translucent(5) and slapd-ldap(5). You should
probably use the idassert-bind parameters.
>
> I also tried to combine slapd-ldap together with slapd-relay extended by
> slapo-rwm, to get something like "domain-alias" (2 names for one repository).
>
> #======================================================================
> database ldap
> suffix "dc=domain,dc=net"
> uri ldap://pdc.domain.net:389
> chase-referrals yes
> rebind-as-user yes
>
> database relay
> suffix "dc=alias,dc=net"
> relay "dc=domain,dc=net"
> overlay rwm
> rwm-suffixmassage "dc=domain,dc=net"
> #----------------------------------------------------------------------
>
> In this case, I was able to get a result with the -D option set to
> "cn=The User,cn=Users,dc=domain,dc=net", but I got the same error while using
> the aliased DN "cn=The Users,cn=Users,dc=alias,dc=net".
In the first case you were querying the ldap backend, in the second
case the relay backend. If a request to the relay backend failed but was
successful on the ldap backend, then something is wrong with your
relay backend configuration. Debug slapd's ACL parsing to find the reason.
[...]
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E
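As an added illustration of the idassert-bind approach Dieter points to (this fragment is not from either message in the thread), here is how the slapd-ldap database from Case B could be written so that the proxy performs operations towards AD with a fixed identity instead of relying on binddn/bindpw and rebind-as-user. The DNs and the 'secret' password are taken from Martin's post; the choice of mode=none, flags=override and the idassert-authzFrom rules are assumptions based on slapd-ldap(5), not something the thread confirms works against this particular AD.

```conf
# Added example, not the original poster's configuration.
# slapd-ldap proxy to AD using idassert-bind (see slapd-ldap(5)).
database        ldap
suffix          "dc=domain,dc=net"
uri             ldap://pdc.domain.net:389

# Client simple binds (e.g. -D "cn=The User,...") are still proxied to
# AD as-is, so AD checks the user's own password.  All other operations
# on that connection are then performed as "The Bind".
#   mode=none      : send no proxyAuthz control; run as the bind identity
#                    (for remote servers that do not support RFC 4370).
#   flags=override : assert even for clients that authenticated, so the
#                    search never goes out on a connection that has not
#                    bound to AD (e.g. when the client bound as rootdn).
# Indented lines are slapd.conf continuation lines.
idassert-bind   bindmethod=simple
                binddn="cn=The Bind,cn=Users,dc=domain,dc=net"
                credentials=secret
                mode=none
                flags=override

# Restrict which local identities may ride on The Bind's credentials;
# operations from anyone else fail instead of being silently proxied.
idassert-authzFrom "dn.exact:cn=The Root,cn=Users,dc=domain,dc=net"
idassert-authzFrom "dn.children:cn=Users,dc=domain,dc=net"

# 'credentials' is stored in clear text: keep slapd.conf readable only
# by the slapd service account, and give The Bind read-only rights in AD.
```

The same directives can be placed after `overlay translucent` in Case A, since the overlay uses the slapd-ldap backend for the remote side.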