
idassert-authzFrom ignored



Hi,

I have an OpenLDAP proxy using back_meta to talk to two back-end
Microsoft AD servers.
My goal is to provide a single view of both AD trees.

Basically, it works, as long as I use a bind account which exists in one
of the back-end ADs.

However, to first search where an AD account is, I would like to use a
local account on the LDAP proxy. To my understanding, I need to use


database       meta
suffix         dc=proxy,dc=stuff,dc=ch
rootdn          "cn=root,dc=proxy,dc=stuff,dc=ch"
rootpw          "secret"
subordinate

...

idassert-bind
        bindmethod=simple
        binddn="CN=srvLDAP,..."
        credentials="..."
        mode=none
        flags=non-prescriptive
idassert-authzFrom "dn.exact:cn=root,dc=proxy,dc=stuff,dc=ch"

The DN "cn=root,dc=proxy,dc=stuff,dc=ch" does exist in the proxy and can
do local searches. However, the account defined in the idassert is never
used, and the connections to the back-end ADs fail. Or rather, I
think they are contacted anonymously instead of with the account I
specify (not sure about the anonymous part; the debug log isn't very
clear about it).

Hints welcome.
Below is a part of the relevant log if it helps.

Charles

..........
tls_read: want=64, got=64
  0000:  65 87 ac 08 7e 49 8d 7f  95 3c d0 1f 09 57 b7 ce   e...~I...<...W..
  0010:  d4 13 2e ac 57 c9 27 6b  58 f7 76 70 a1 95 10 3e   ....W.'kX.vp...>
  0020:  e2 96 0d cf a1 d3 13 ff  e7 0b b1 2f c0 6f dc 19   .........../.o..
  0030:  93 38 07 b9 f7 e4 81 a8  e0 45 0e 97 ec 7f 21 a6   .8.......E....!.
TLS trace: SSL_connect:SSLv3 read finished A
ldap_int_poll: fd: -1 tm: 0
53679e3b conn=1000 op=1 <<< meta_search_dobind_init[0]=4
53679e3b conn=1000 op=1 <<< meta_back_search_start[0]=4
53679e3b conn=1000 op=1 meta_back_search: ncandidates=1 cnd="*"
53679e3b conn=1000 op=1 >>> meta_search_dobind_init[0]
ldap_sasl_bind
ldap_send_initial_request
ldap_int_poll: fd: 12 tm: 0
ldap_is_sock_ready: 12
ldap_ndelay_off: 12
TLS trace: SSL_connect:before/connect initialization
tls_write: want=225, written=225
TLS trace: SSL_connect:SSLv3 write client hello A
tls_read: want=5 error=Connection reset by peer
TLS trace: SSL_connect:error in SSLv3 read server hello A
TLS: can't connect: .
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 12
  0000:  30 05 02 01 03 42 00                               0....B.
ldap_write: want=7 error=Broken pipe
ldap_free_connection: actually freed
53679e3b conn=1000 op=1 <<< meta_search_dobind_init[0]=0
53679e3b send_ldap_result: conn=1000 op=1 p=3
53679e3b send_ldap_result: err=0 matched="" text=""
53679e3b send_ldap_result: conn=1000 op=1 p=3
53679e3b send_ldap_result: err=0 matched="" text=""
53679e3b send_ldap_response: msgid=2 tag=101 err=0
ber_flush2: 14 bytes to sd 11
  0000:  30 0c 02 01 02 65 07 0a  01 00 04 00 04 00         0....e........
tls_write: want=69, written=69
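As an added triage aid (not part of the post above, and not OpenLDAP's own code), the script below walks slapd debug output of the kind quoted above, per back-meta target, and separates a failed TLS handshake to the back-end from a bind that actually reached it; the sample log is a constructed excerpt of the lines quoted in the post, and the `meta_search_dobind_init` return codes are reported verbatim without interpretation.

```python
import re

# Constructed excerpt of the slapd debug log quoted above (one back-end target).
SAMPLE_LOG = """\
53679e3b conn=1000 op=1 >>> meta_search_dobind_init[0]
ldap_sasl_bind
ldap_send_initial_request
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv3 write client hello A
tls_read: want=5 error=Connection reset by peer
TLS trace: SSL_connect:error in SSLv3 read server hello A
TLS: can't connect: .
ldap_free_connection 1 1
53679e3b conn=1000 op=1 <<< meta_search_dobind_init[0]=0
53679e3b send_ldap_result: err=0 matched="" text=""
53679e3b send_ldap_response: msgid=2 tag=101 err=0
"""

DOBIND_START = re.compile(r">>> meta_search_dobind_init\[(\d+)\]$")
DOBIND_END = re.compile(r"<<< meta_search_dobind_init\[(\d+)\]=(\d+)")
TLS_FAIL = re.compile(r"^(?:tls_read|tls_write): .*error=(.+)$")
CLIENT_RESULT = re.compile(r"send_ldap_result: err=(\d+)")

def triage(log):
    """Per back-end target: was a bind attempted, did TLS fail, and what
    result code did the proxy finally hand back to the client?"""
    targets, client_err, current = {}, None, None
    for line in log.splitlines():
        if (m := DOBIND_START.search(line)):
            current = int(m.group(1))
            targets[current] = {"bind_called": False, "tls_error": None, "rc": None}
        elif current is not None and line.startswith("ldap_sasl_bind"):
            targets[current]["bind_called"] = True      # libldap bind call issued
        elif current is not None and (m := TLS_FAIL.match(line)):
            targets[current]["tls_error"] = m.group(1)  # handshake I/O error
        elif current is not None and (m := DOBIND_END.search(line)):
            targets[current]["rc"] = int(m.group(2))
            current = None
        elif (m := CLIENT_RESULT.search(line)):
            client_err = int(m.group(1))
    return targets, client_err

def diagnose(targets, client_err):
    """Verdicts: a TLS failure means no bind (hence no idassert identity)
    ever reached that back-end, whatever the proxy told the client."""
    out = []
    for t, info in sorted(targets.items()):
        if info["tls_error"]:
            out.append(f"target {t}: TLS handshake failed ({info['tls_error']}); "
                       f"bind never reached the back-end, dobind rc={info['rc']}")
        else:
            out.append(f"target {t}: bind_called={info['bind_called']}, rc={info['rc']}")
    if client_err == 0 and any(i["tls_error"] for i in targets.values()):
        out.append("client received err=0: back-end failure surfaced as an empty, successful search")
    return out
```

Run it on a full `-d -1` log to see, per target, whether the proxy ever got past the TLS layer before judging whether the `idassert-bind` identity was used.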