Hi, thank you for reading this message! I'm configuring openldap (2.4.26) as a proxy for active directory (Win 2003) and encountered some inconsistent responses to bind/search requests that may relate to a misconfiguration around an rwm mapping. Hopefully this is the right place to ask for this kind of assistance. I haven’t yet been able to see what I’m missing but have spent a lot of time with slapd.conf man, slap-rwm man, and tailing logs even at loglevel -1. Here's what happens: On the console of the openldap server, I'll start the slapd service like: ./slapd -4 -n slapd-ldap -u ldap -g ldap then run an ldapsearch command to the openldap server using a bindDN that requires no rewrite, and a base that requires a rewrite. I get successful binds and search results 100% of the time. If I then run an ldapsearch where the bindDN requires a rewrite, occasionally I'll get a "bind massage" error on the console. Tailing the log file, shows a line like this: Aug 1 16:45:12 localhost slapd-ldap[19490]: conn=1001 op=0 SEARCH RESULT tag=101 err=1 nentries=0 text=00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece If I stop slapd, restart the service, and run the ldapsearch where the bindDN requires a rewrite, I'll only get errors. Then if I do an ldapsearch with a bindDN that doesn’t need a rewrite (which always binds and searches successfully), subsequent ldapsearch bind/search attempts with a bindDN that requires a rewrite will succeed most of the time. Below I've included some shell interaction and log output (loglevel 256 for brevity), non-comment lines from my slapd.conf, and other configuration details. Any suggestions for how I could debug this further or glaring mistakes would be greatly appreciated. Humbly yours, Dave # Start openldap Aug 1 16:38:42 localhost slapd-ldap[19426]: @(#) $OpenLDAP: slapd 2.4.26 (Jul 29 2011 14:11:30) $#012#011dave@localhost.localdomain:/usr/src/openldap-2.4.26/servers/slapd Aug 1 16:38:42 localhost slapd-ldap[19427]: slapd starting # bind and search that requires no rewrite on bind but a rewrite on base (ou=App Auth 1 -> ou=Students) - this always works /opt/openldap/proxy/bin/ldapsearch -b "ou=App Auth 1,dc=TEST_STUDENT,dc=TEST_EDU" -D "CN=Addott\, Steven (saddott),ou=Students,DC=TEST_STUDENT,DC=TEST_EDU" -w "saddott" -x "(mail=sadd*)" name Aug 1 16:40:01 localhost slapd-ldap[19427]: conn=1001 fd=8 ACCEPT from IP=127.0.0.1:36499 (IP=0.0.0.0:389) Aug 1 16:40:01 localhost slapd-ldap[19427]: conn=1001 op=0 BIND dn="cn=Addott\2C Steven (saddott),ou=Students,dc=TEST_STUDENT,dc=TEST_EDU" method=128 Aug 1 16:40:01 localhost slapd-ldap[19427]: conn=1001 op=0 BIND dn="cn=Addott\2C Steven (saddott),ou=Students,dc=TEST_STUDENT,dc=TEST_EDU" mech=SIMPLE ssf=0 Aug 1 16:40:01 localhost slapd-ldap[19427]: conn=1001 op=0 RESULT tag=97 err=0 text= Aug 1 16:40:01 localhost slapd-ldap[19427]: conn=1001 op=1 SRCH base="ou=App Auth 1,dc=TEST_STUDENT,dc=TEST_EDU" scope=2 deref=0 filter="(mail=sadd*)" Aug 1 16:40:01 localhost slapd-ldap[19427]: conn=1001 op=1 SRCH attr=name Aug 1 16:40:01 localhost slapd-ldap[19427]: conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= Aug 1 16:40:01 localhost slapd-ldap[19427]: conn=1001 op=2 UNBIND Aug 1 16:40:01 localhost slapd-ldap[19427]: conn=1001 fd=8 closed # success! this comes back in the console: # extended LDIF # # LDAPv3 # base <ou=App Auth 1,dc=TEST_STUDENT,dc=TEST_EDU> with scope subtree # filter: (mail=sadd*) # requesting: name # # Addott\2C Steven (saddott), Students, TEST_STUDENT.TEST_EDU dn: cn=Addott\2C Steven (saddott),ou=Students,dc=TEST_STUDENT,dc=TEST_EDU name: Addott, Steven (saddott) # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 # now search and bind requiring a search base rewrite and bind rewrite (mail -> cn) /opt/openldap/proxy/bin/ldapsearch -b "ou=App Auth 1,dc=TEST_STUDENT,dc=TEST_EDU" -D "mail=saddott@localhost.localdomain,ou=Students,DC=TEST_STUDENT,DC=TEST_EDU" -w "saddott" -x "(mail=sadd*)" name Aug 1 16:40:59 localhost slapd-ldap[19427]: conn=1002 fd=8 ACCEPT from IP=127.0.0.1:36502 (IP=0.0.0.0:389) Aug 1 16:40:59 localhost slapd-ldap[19427]: conn=1002 op=0 BIND dn="mail=saddott@localhost.localdomain,ou=Students,dc=TEST_STUDENT,dc=TEST_EDU" method=128 Aug 1 16:40:59 localhost slapd-ldap[19427]: conn=1003 fd=12 ACCEPT from IP=127.0.0.1:36503 (IP=0.0.0.0:389) Aug 1 16:40:59 localhost slapd-ldap[19427]: conn=1003 op=0 SRCH base="ou=Students,dc=TEST_STUDENT,dc=TEST_EDU" scope=2 deref=0 filter="(mail=saddott@localhost.localdomain)" Aug 1 16:40:59 localhost slapd-ldap[19427]: conn=1003 op=0 SRCH attr=1.1 Aug 1 16:40:59 localhost slapd-ldap[19427]: conn=1003 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text= Aug 1 16:40:59 localhost slapd-ldap[19427]: conn=1003 op=1 UNBIND Aug 1 16:40:59 localhost slapd-ldap[19427]: conn=1003 fd=12 closed Aug 1 16:40:59 localhost slapd-ldap[19427]: conn=1002 op=0 BIND dn="cn=Addott\2C Steven (saddott),ou=Students,dc=TEST_STUDENT,dc=TEST_EDU" mech=SIMPLE ssf=0 Aug 1 16:40:59 localhost slapd-ldap[19427]: conn=1002 op=0 RESULT tag=97 err=0 text= Aug 1 16:40:59 localhost slapd-ldap[19427]: conn=1002 op=1 SRCH base="ou=App Auth 1,dc=TEST_STUDENT,dc=TEST_EDU" scope=2 deref=0 filter="(mail=sadd*)" Aug 1 16:40:59 localhost slapd-ldap[19427]: conn=1002 op=1 SRCH attr=name Aug 1 16:40:59 localhost slapd-ldap[19427]: conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= Aug 1 16:40:59 localhost slapd-ldap[19427]: conn=1002 op=2 UNBIND Aug 1 16:40:59 localhost slapd-ldap[19427]: conn=1002 fd=8 closed # and again, success! this comes back # extended LDIF # # LDAPv3 # base <ou=App Auth 1,dc=TEST_STUDENT,dc=TEST_EDU> with scope subtree # filter: (mail=sadd*) # requesting: name # # Addott\2C Steven (saddott), Students, TEST_STUDENT.TEST_EDU dn: cn=Addott\2C Steven (saddott),ou=Students # restarting the service Aug 1 16:44:54 localhost slapd-ldap[19427]: daemon: shutdown requested and initiated. Aug 1 16:44:54 localhost slapd-ldap[19427]: slapd shutdown: waiting for 0 operations/tasks to finish Aug 1 16:44:54 localhost slapd-ldap[19427]: slapd stopped. Aug 1 16:45:02 localhost slapd-ldap[19489]: @(#) $OpenLDAP: slapd 2.4.26 (Jul 29 2011 14:11:30) $#012#011dave@localhost.localdomain:/usr/src/openldap-2.4.26/servers/slapd Aug 1 16:45:02 localhost slapd-ldap[19490]: slapd starting # here's where I get a failure, attempting to bind where the bind requires a rewrite # same request as above but this time I'm doing it right after a service restart [root@localhost openldap]# /opt/openldap/proxy/bin/ldapsearch -b "ou=App Auth 1,dc=TEST_STUDENT,dc=TEST_EDU" -D "mail=saddott@localhost.localdomain,ou=Students,DC=TEST_STUDENT,DC=TEST_EDU" -w "saddott" -x "(mail=sadd*)" name ldap_bind: Other (e.g., implementation specific) error (80) additional info: bindDN massage error .. log file shows Aug 1 16:45:12 localhost slapd-ldap[19490]: conn=1000 fd=8 ACCEPT from IP=127.0.0.1:46174 (IP=0.0.0.0:389) Aug 1 16:45:12 localhost slapd-ldap[19490]: conn=1000 op=0 BIND dn="mail=saddott@localhost.localdomain,ou=Students,dc=TEST_STUDENT,dc=TEST_EDU" method=128 Aug 1 16:45:12 localhost slapd-ldap[19490]: conn=1001 fd=10 ACCEPT from IP=127.0.0.1:46175 (IP=0.0.0.0:389) Aug 1 16:45:12 localhost slapd-ldap[19490]: conn=1001 op=0 SRCH base="ou=Students,dc=TEST_STUDENT,dc=TEST_EDU" scope=2 deref=0 filter="(mail=saddott@localhost.localdomain)" Aug 1 16:45:12 localhost slapd-ldap[19490]: conn=1001 op=0 SRCH attr=1.1 Aug 1 16:45:12 localhost slapd-ldap[19490]: ==> rewrite_context_apply error ... Aug 1 16:45:12 localhost slapd-ldap[19490]: conn=1000 op=0 RESULT tag=97 err=80 text=bindDN massage error Aug 1 16:45:12 localhost slapd-ldap[19490]: conn=1001 op=0 SEARCH RESULT tag=101 err=1 nentries=0 text=00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece Aug 1 16:45:12 localhost slapd-ldap[19490]: conn=1000 fd=8 closed (connection lost) Aug 1 16:45:12 localhost slapd-ldap[19490]: conn=1001 op=1 UNBIND Aug 1 16:45:12 localhost slapd-ldap[19490]: conn=1001 fd=10 closed Now back to the request that required no bind rewrite [root@localhost openldap]# /opt/openldap/proxy/bin/ldapsearch -b "ou=App Auth 1,dc=TEST_STUDENT,dc=TEST_EDU" -D "CN=Addott\, Steven (saddott),ou=Students,DC=TEST_STUDENT,DC=TEST_EDU" -w "saddott" -x "(mail=sadd*)" name # extended LDIF # # LDAPv3 # base <ou=App Auth 1,dc=TEST_STUDENT,dc=TEST_EDU> with scope subtree # filter: (mail=sadd*) # requesting: name # # Addott\2C Steven (saddott), Students, TEST_STUDENT.TEST_EDU dn: cn=Addott\2C Steven (saddott),ou=Students,dc=TEST_STUDENT,dc=TEST_EDU name: Addott, Steven (saddott) # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 Aug 1 16:45:47 localhost slapd-ldap[19490]: conn=1002 fd=8 ACCEPT from IP=127.0.0.1:46177 (IP=0.0.0.0:389) Aug 1 16:45:47 localhost slapd-ldap[19490]: conn=1002 op=0 BIND dn="cn=Addott\2C Steven (saddott),ou=Students,dc=TEST_STUDENT,dc=TEST_EDU" method=128 Aug 1 16:45:47 localhost slapd-ldap[19490]: conn=1002 op=0 BIND dn="cn=Addott\2C Steven (saddott),ou=Students,dc=TEST_STUDENT,dc=TEST_EDU" mech=SIMPLE ssf=0 Aug 1 16:45:47 localhost slapd-ldap[19490]: conn=1002 op=0 RESULT tag=97 err=0 text= Aug 1 16:45:47 localhost slapd-ldap[19490]: conn=1002 op=1 SRCH base="ou=App Auth 1,dc=TEST_STUDENT,dc=TEST_EDU" scope=2 deref=0 filter="(mail=sadd*)" Aug 1 16:45:47 localhost slapd-ldap[19490]: conn=1002 op=1 SRCH attr=name Aug 1 16:45:47 localhost slapd-ldap[19490]: conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= Aug 1 16:45:47 localhost slapd-ldap[19490]: conn=1002 op=2 UNBIND Aug 1 16:45:47 localhost slapd-ldap[19490]: conn=1002 fd=8 closed and searching again with the bindDN requiring a map rewrite - this time it failed [root@localhost openldap]# /opt/openldap/proxy/bin/ldapsearch -b "ou=App Auth 1,dc=TEST_STUDENT,dc=TEST_KSC" -D "mail=saddott@localhost.localdomain,ou=Students,DC=TEST_STUDENT,DC=TEST_EDU" -w "saddott" -x "(mail=sadd*)" name ldap_bind: Other (e.g., implementation specific) error (80) additional info: bindDN massage error Aug 1 16:45:56 localhost slapd-ldap[19490]: conn=1003 fd=8 ACCEPT from IP=127.0.0.1:46180 (IP=0.0.0.0:389) Aug 1 16:45:56 localhost slapd-ldap[19490]: conn=1003 op=0 BIND dn="mail=saddott@localhost.localdomain,ou=Students,dc=TEST_STUDENT,dc=TEST_EDU" method=128 Aug 1 16:45:56 localhost slapd-ldap[19490]: conn=1004 fd=13 ACCEPT from IP=127.0.0.1:46181 (IP=0.0.0.0:389) Aug 1 16:45:56 localhost slapd-ldap[19490]: conn=1004 op=0 SRCH base="ou=Students,dc=TEST_STUDENT,dc=TEST_EDU" scope=2 deref=0 filter="(mail=saddott@localhost.localdomain)" Aug 1 16:45:56 localhost slapd-ldap[19490]: conn=1004 op=0 SRCH attr=1.1 Aug 1 16:45:56 localhost slapd-ldap[19490]: conn=1004 op=0 SEARCH RESULT tag=101 err=1 nentries=0 text=00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece Aug 1 16:45:56 localhost slapd-ldap[19490]: conn=1004 op=1 UNBIND Aug 1 16:45:56 localhost slapd-ldap[19490]: conn=1004 fd=13 closed Aug 1 16:45:56 localhost slapd-ldap[19490]: ==> rewrite_context_apply error ... Aug 1 16:45:56 localhost slapd-ldap[19490]: conn=1003 op=0 RESULT tag=97 err=80 text=bindDN massage error Aug 1 16:45:56 localhost slapd-ldap[19490]: conn=1003 fd=8 closed (connection lost) I tried the same ldapsearch command again and this time it succeeded Aug 1 16:46:12 localhost slapd-ldap[19490]: conn=1005 fd=8 ACCEPT from IP=127.0.0.1:46182 (IP=0.0.0.0:389) Aug 1 16:46:12 localhost slapd-ldap[19490]: conn=1005 op=0 BIND dn="mail=saddott@localhost.localdomain,ou=Students,dc=TEST_STUDENT,dc=TEST_EDU" method=128 Aug 1 16:46:12 localhost slapd-ldap[19490]: conn=1006 fd=13 ACCEPT from IP=127.0.0.1:46183 (IP=0.0.0.0:389) Aug 1 16:46:12 localhost slapd-ldap[19490]: conn=1006 op=0 SRCH base="ou=Students,dc=TEST_STUDENT,dc=TEST_EDU" scope=2 deref=0 filter="(mail=saddott@localhost.localdomain)" Aug 1 16:46:12 localhost slapd-ldap[19490]: conn=1006 op=0 SRCH attr=1.1 Aug 1 16:46:12 localhost slapd-ldap[19490]: conn=1006 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text= Aug 1 16:46:12 localhost slapd-ldap[19490]: conn=1006 op=1 UNBIND Aug 1 16:46:12 localhost slapd-ldap[19490]: conn=1006 fd=13 closed Aug 1 16:46:12 localhost slapd-ldap[19490]: conn=1005 op=0 BIND dn="cn=Addott\2C Steven (saddott),ou=Students,dc=TEST_STUDENT,dc=TEST_EDU" mech=SIMPLE ssf=0 Aug 1 16:46:12 localhost slapd-ldap[19490]: conn=1005 op=0 RESULT tag=97 err=0 text= Aug 1 16:46:12 localhost slapd-ldap[19490]: conn=1005 op=1 SRCH base="ou=App Auth 1,dc=TEST_STUDENT,dc=TEST_EDU" scope=2 deref=0 filter="(mail=sadd*)" Aug 1 16:46:12 localhost slapd-ldap[19490]: conn=1005 op=1 SRCH attr=name Aug 1 16:46:12 localhost slapd-ldap[19490]: conn=1005 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= Aug 1 16:46:12 localhost slapd-ldap[19490]: conn=1005 op=2 UNBIND Aug 1 16:46:12 localhost slapd-ldap[19490]: conn=1005 fd=8 closed AD is running on a VM openldap-2.4.26 was configured on a Fedora 15 (2.6.38.8-35.fc15.i686) VM with: ./configure --prefix=/opt/openldap/proxy --enable-ldap --enable-rewrite --enable-rwm --enable-memberof --with-tls=no non-comment lines from my slapd.conf look like: include /opt/openldap/proxy/etc/openldap/schema/core.schema include /opt/openldap/proxy/etc/openldap/schema/cosine.schema include /opt/openldap/proxy/etc/openldap/schema/inetorgperson.schema # schema to add sAMAccountName include /opt/openldap/proxy/etc/openldap/schema/myorg.schema pidfile /opt/openldap/proxy/var/run/slapd.pid argsfile /opt/openldap/proxy/var/run/slapd.args moduleload rwm.la ####################################################################### # BDB database definitions ####################################################################### database ldap suffix "dc=TEST_STUDENT,dc=TEST_EDU" uri "ldap://..." # ... is the ip of my AD host acl-bind bindmethod=simple binddn="cn=serviceuser,cn=Users,dc=TEST_STUDENT,dc=TEST_EDU" credentials="pwd" idassert-bind bindmethod=simple binddn="cn=serviceuser,cn=Users,dc=TEST_STUDENT,dc=TEST_EDU" credentials="pwd" authzID="dn:cn=serviceuser,cn=Users,dc=TEST_STUDENT,dc=TEST_EDU" loglevel 256 # much of this was borrowed from slapo-rwm man page overlay rwm rwm-rewriteEngine on # all dataflow from client to server referring to DNs rwm-rewriteContext default rwm-rewriteRule "(.+,)?<virtualnamingcontext>$" "$1<realnamingcontext>" ":" # empty filter rwm-rewriteContext searchFilter # from server to client rwm-rewriteContext searchEntryDN rwm-rewriteRule "(.+,)?<realnamingcontext>$" "$1<virtualnamingcontext>" ":" rwm-rewriteContext searchAttrDN alias searchEntryDN rwm-rewriteContext matchedDN alias searchEntryDN # misc empty rules rwm-rewriteContext referralAttrDN rwm-rewriteContext referralDN # define default rewrite for virtual of anything # ou=App Auth 1 -> ou=Students rwm-rewriteContext searchDN rwm-rewriteRule "(.+)?ou=App Auth 1,dc=TEST_STUDENT,dc=TEST_EDU$" "$1ou=Students,dc=TEST_STUDENT,dc=TEST_EDU" ":" # bind map from source rwm-rewriteMap ldap source2dn "ldap:///ou=Students,dc=TEST_STUDENT,dc=TEST_EDU?dn?sub" rwm-rewriteContext bindDN rwm-rewriteRule "^mail=([^,]*),ou=Students,dc=TEST_STUDENT,dc=TEST_EDU" "${source2dn(mail=$1)}" ":" |