LDAP-Proxy: backend inaccessible via ldaps (w/o proxy no errors)
- To: <openldap-technical@openldap.org>
- Subject: LDAP-Proxy: backend inaccessible via ldaps (w/o proxy no errors)
- From: "Jahnke-Zumbusch, Dirk" <dirk.jahnke-zumbusch@desy.de>
- Date: Mon, 27 Jun 2011 15:30:18 +0200
Hi all,
I would like to use the proxy features (and as soon as this works
for me also some kind of rewriting / mapping) with openldap 2.4.25:
./configure --prefix=/scratch/openldap \
--with-tls=openssl \
--enable-meta \
--enable-ldap \
--enable-rewrite \
--enable-rwm \
--enable-bdb \
--enable-overlays \
--enable-perl \
--enable-shell
make install...
I may access one LDAP backend via ldap: but not the other (Active Directory) via ldaps:
What works fine is
1. ldapsearch for LDAP-Tree-1 / Server-1:
=========================================
Direct access to LDAP server:
-----------------------------
ldapsearch -x -H ldap://ldap-server-1 -b 'ou=OU1,o=desy,c=de' '(mail=*)' | fgrep num
# numResponses: 7
# numEntries: 6
and using the proxy:
-----------------------------
ldapsearch -x -H ldap://ldap-proxy -b 'ou=OU1,o=desy,c=de' '(mail=*)' | fgrep num
# numResponses: 7
# numEntries: 6
(This tree is rather small.)
What is not working is
2. ldapsearch for Active-Directory / Server-2:
==============================================
Direct Access to AD-Server
-----------------------------
ldapsearch -x -H ldaps://domain-controller \
-D CN=accountname,OU=...,OU=...,OU=...,DC=desy,DC=de \
-W \
-b 'ou=ou1,...,dc=desy,dc=de' \
'(samaccountname=testuser)' | fgrep num
Enter LDAP Password:
# numResponses: 2
# numEntries: 1
Doing the same via the proxy fails:
-----------------------------------
ldapsearch -x -H ldap://ldap-proxy -b 'ou=...,...,dc=desy,dc=de'
# extended LDIF
#
# LDAPv3
# base <ou=...,...,dc=desy,dc=de> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 48 Inappropriate authentication
# numResponses: 1
I would like to understand why this fails.
slapd.conf is like this
----------
include /scratch/openldap/etc/openldap/schema/core.schema
include /scratch/openldap/etc/openldap/schema/cosine.schema
include /scratch/openldap/etc/openldap/schema/inetorgperson.schema
idletimeout 120
pidfile /scratch/openldap/var/run/slapd.pid
argsfile /scratch/openldap/var/run/slapd.args
# -- 1st LDAP-backend, the one which works, see 1. above
database ldap
uri ldap://ldap-server-1:portnumber/
suffix "ou=ouA,o=desy,c=de"
# -- 2nd LDAP-/Active-Directory-backend, the one which fails
database ldap
suffix "ou=OU1,...,dc=desy,dc=de"
uri ldaps://domain-controller/
acl-bind bindmethod=simple binddn="CN=...,DC=desy,DC=de"
        credentials=TopSecret
idassert-bind bindmethod=simple binddn="CN=...,DC=desy,DC=de"
        credentials=TopSecret mode=none tls_cacertdir=/etc/pki/tls/certs
        tls_reqcert=never tls_crlcheck=none
idle-timeout 1800
rebind-as-user yes
# -- just to make sure for now that I will see everything
access to * by * read
# === END OF SLAPD.CONF ===
When I am strace'ing slapd with "-e trace=file -f" I cannot see that any file in tls_cacertdir is read. But I would have expected that.
Any directions on what I should be looking for now?
Kind regards,
Dirk
--
Dirk Jahnke-Zumbusch Deutsches Elektronen-Synchrotron DESY
IT Information Fabrics Member of the Helmholtz Association
D-22603 Hamburg Notkestrasse 85 / 22607 Hamburg
T: +49-40-899.81760 F: +49-40-899.41760 dirk.jahnke-zumbusch@desy.de
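As an added example (not from the post or the OpenLDAP project), a small Python checker that rebuilds slapd.conf logical lines from their whitespace-continued parts, pulls the uri and the acl-bind / idassert-bind options out of each back-ldap stanza, and flags an ldaps:// backend whose tls_reqcert is never or allow, since with those values libldap does not check the server certificate. The sample configuration, its hostnames and the third, hardened stanza are constructed.

```python
import re
# Constructed sample after the post's stanzas; names and the third (hardened) stanza are mine.
SAMPLE_CONF = """\
database ldap
uri ldap://ldap-server-1:389/
database ldap
uri ldaps://domain-controller/
idassert-bind bindmethod=simple binddn="CN=proxy,DC=example,DC=de"
    credentials=TopSecret mode=none tls_cacertdir=/etc/pki/tls/certs
    tls_reqcert=never tls_crlcheck=none
database ldap
uri ldaps://domain-controller-2/
idassert-bind bindmethod=simple binddn="CN=proxy,DC=example,DC=de"
    credentials=TopSecret mode=none tls_cacertdir=/etc/pki/tls/certs
    tls_reqcert=demand
"""

def logical_lines(text):
    """Rejoin slapd.conf continuation lines (leading whitespace); drop blanks and comments."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:  # continuation of the previous directive
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def parse_backends(text):
    """One dict per 'database ldap' stanza: uri plus acl-bind/idassert-bind options."""
    backends, cur = [], {"type": "", "uri": "", "opts": {}}
    for line in logical_lines(text):
        directive, _, rest = line.partition(" ")
        if directive == "database":
            cur = {"type": rest.strip(), "uri": "", "opts": {}}
            backends.append(cur)
        elif directive == "uri":
            cur["uri"] = rest.strip()
        elif directive in ("acl-bind", "idassert-bind"):
            for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', rest):
                cur["opts"][key] = val.strip('"')
    return [b for b in backends if b["type"] == "ldap"]

def check_tls(backend):
    """Findings for one stanza; an empty list means nothing was flagged."""
    uri, reqcert = backend["uri"], backend["opts"].get("tls_reqcert")
    if uri.startswith("ldaps://") and reqcert in ("never", "allow"):
        return [f"{uri}: tls_reqcert={reqcert} does not verify the server certificate; use tls_reqcert=demand"]
    return []
```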