[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Help needed chaining to active directory for authentication

To: Gabriella Turek <Gabriella.Turek@niwa.co.nz>
Subject: Re: Help needed chaining to active directory for authentication
From: Dan White <dwhite@olp.net>
Date: Wed, 9 Nov 2011 11:37:14 -0600
Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Content-disposition: inline
In-reply-to: <CADEBA35.28AF%g.turek@niwa.co.nz>
References: <CADD5032.2837%g.turek@niwa.co.nz> <CADEBA35.28AF%g.turek@niwa.co.nz>
User-agent: Mutt/1.5.21 (2010-09-15)

On 07/11/11 21:57 +0000, Gabriella Turek wrote:

Hello, I've set up an openLDAP server (2.4.23)  which chains to an Active Directory (2008). I can successfully search for users, it will find them in Active Directory if they are not in openLDAP,  but I cannot authenticate the Active Directory users.
The error is "Invalid credentials (49)"
Everything  is currently configured with clear text
ldapSearch works fine when pointed directly to the Active Directory.

The chaining configuration in the slapd.conf is:

overlay                     chain
chain-uri                   ldap://aucwdfp01.niwa.local:389
chain-rebind-as-user        TRUE
chain-idassert-bind         bindmethod="simple"
                           binddn="cn=SDT Tester,ou=NIWA Staff Accounts,ou=User Accounts, dc=niwa,dc=local"
                           credentials=xxxxxxx
                           mode="self"
  flags=non-prescriptive
chain-return-error          TRUE


Does mode="none" work? If my reading of slapd-ldap(5) is correct, with any
config other than 'none', slapd will attempt to assert the proxyAuthz
control.

I checked our local AD server (2003) and it does not appear to support that
control:

ldapsearch -LLL -x -H ldap://<AD.ip> -s "base" -b "" supportedControl
dn:
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948


proxyAuthz control == 2.16.840.1.113730.3.4.18 (RFC 4370)

--
Dan White

References:
- Help needed chaining to active directory for authentication
  - From: Gabriella Turek <Gabriella.Turek@niwa.co.nz>

Prev by Date: Re: loadbalancer in OopenLDAP environment
Next by Date: Compile Error for ldapc++ library
Index(es):
- Chronological
- Thread