[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Openldap for proxy AD

To: Peter Gietz <peter.gietz@daasi.de>
Subject: Re: Openldap for proxy AD
From: Willy Ramos <wrm@cdtn.br>
Date: Tue, 26 Nov 2013 08:50:37 -0200
Cc: "openldap-technical@OpenLDAP.org" <openldap-technical@openldap.org>
In-reply-to: <529364C3.3030503@daasi.de>
References: <21c0b36fe18b07698e7053e931e6a583.squirrel@webmail.cdtn.br> <CAJ-t26qc2pgBBaVisrEhUxSZ9rKtoN93MpscQ8VsD4E5t4ciFg@mail.gmail.com> <CAK_oV48tr71Qhb494faNL0GVbHGO4Bb0nAO+iWuoweYKH_JeRg@mail.gmail.com> <528C72AF.3060407@symas.com> <a7e6ee9e725bfc5c9835609b6da7485f.squirrel@webmail.cdtn.br> <CAK_oV49b-+Z+gVQhvLPd9EtOfgt678HvNM20ZNrRRPjOAGSdhg@mail.gmail.com> <528CE98F.2040008@cdtn.br> <20131122112134.GA16320@slab.skills-1st.co.uk> <528F64B0.2090907@cdtn.br> <529364C3.3030503@daasi.de>
User-agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.1.1

Hi,

Yes, there are some entries with the attribute userPassword like this value.

But don´t found the entries, when I put the password.

Thanks.

Em 25/11/2013 12:54, Peter Gietz escreveu:

Hi,

since it is working for a lot of people (including some of our
customers) it seems that you are doing something wrong.

What about the contents of your entries: Are you sure that you have the
attribute userPassword with the value

{SASL}<username>@<AD-realm>

set in all entries that are to bind via AD?

Cheers,

Peter


Am 22.11.2013 15:05, schrieb Willy Ramos:

Em 22/11/2013 09:21, Andrew Findlay escreveu:

On Wed, Nov 20, 2013 at 02:55:43PM -0200, Willy Ramos wrote:

Subject: Re: Openldap for proxy AD

Have you tried following the examples in the Admin Guide?

http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authentication


There is a detailed setup and diagnosic guide there which should help
you
to isolate the problem.

Andrew

Thanks Andrew,

I was testing based in this Admin Guide.

When I Check that the user can bind to AD:

  ldapsearch -x -Hldap://dc1.example.com/  \
       -D cn=user,cn=Users,DC=ad,DC=example,DC=com \
       -w userpassword \
       -b cn=user,cn=Users,DC=ad,DC=example,DC=com \
Or with
      -s base \
         "(objectclass=*)"
Or

  testsaslauthd -u user -p userpassword

It´s works.

I was reading about and Seems don´t find the schemas of objectclass or
userPassword attribute;

But I could not resolve yet.

See the logs


Nov 22 11:57:30 mail slapd[18370]: conn=1192 fd=11 ACCEPT from
IP=127.0.0.1:51698 (IP=0.0.0.0:636)
Nov 22 11:57:30 mail slapd[18370]: conn=1192 fd=11 TLS established
tls_ssf=256 ssf=256
Nov 22 11:57:30 mail slapd[18370]: conn=1192 op=0 EXT
oid=1.3.6.1.4.1.1466.20037
Nov 22 11:57:30 mail slapd[18370]: conn=1192 op=0 STARTTLS
Nov 22 11:57:30 mail slapd[18370]: conn=1192 op=0 RESULT oid= err=1
text=TLS already started
Nov 22 11:57:30 mail slapd[18370]: conn=1192 op=1 UNBIND
Nov 22 11:57:30 mail slapd[18370]: conn=1192 fd=11 closed

Thanks.



--
Att.


Willy R. M

References:
- Openldap for proxy AD
  - From: wrm@cdtn.br
- Re: Openldap for proxy AD
  - From: Jason Brandt <jbrandt@fsmail.bradley.edu>
- Re: Openldap for proxy AD
  - From: Clément OUDOT <clem.oudot@gmail.com>
- Re: Openldap for proxy AD
  - From: Howard Chu <hyc@symas.com>
- Re: Openldap for proxy AD
  - From: wrm@cdtn.br
- Re: Openldap for proxy AD
  - From: Clément OUDOT <clem.oudot@gmail.com>
- Re: Openldap for proxy AD
  - From: Willy Ramos <wrm@cdtn.br>
- Re: Openldap for proxy AD
  - From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
- Re: Openldap for proxy AD
  - From: Willy Ramos <wrm@cdtn.br>
- Re: Openldap for proxy AD
  - From: Peter Gietz <peter.gietz@daasi.de>

Prev by Date: Re: ACL and Password Policy
Next by Date: Re: Recommended ACL for nagios monitoring
Index(es):
- Chronological
- Thread