ldap proxy to AD - UnicodePwd: attribute type undefined
- To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
- Subject: ldap proxy to AD - UnicodePwd: attribute type undefined
- From: Meike Stone <meike.stone@googlemail.com>
- Date: Thu, 30 Jul 2015 14:00:06 +0200
Hello
I've installed an openldap as proxy in a DMZ for authentication
forwarding to an Active Directory.
The Proxy is used by a VPN gateway.
That all works very well, but password change from client fails with
the following error:
slapd[30661]: conn=1001 op=5 do_modify
slapd[30661]: conn=1001 op=5 do_modify: dn (cn=XPTEST5,ou=Users,dc=myorg,dc=net)
slapd[30661]: >>> dnPrettyNormal: <cn=TEST5,ou=Users,dc=myorg,dc=net>
slapd[30661]: <<< dnPrettyNormal: <cn=TEST5,ou=Users,dc=myorg,dc=net>, <cn=xptest5,ou=users,dc=myorg,dc=net>
slapd[30661]: conn=1001 op=5 modifications:
slapd[30661]: delete: UnicodePwd
slapd[30661]: one value, length 26
slapd[30661]: add: UnicodePwd
slapd[30661]: one value, length 26
slapd[30661]: conn=1001 op=5 MOD dn="cn=TEST5,ou=Users,dc=myorg,dc=net"
slapd[30661]: conn=1001 op=5 MOD attr=UnicodePwd UnicodePwd
slapd[30661]: send_ldap_result: conn=1001 op=5 p=3
slapd[30661]: send_ldap_result: err=17 matched="" text="UnicodePwd: attribute type undefined"
slapd[30661]: send_ldap_response: msgid=6 tag=103 err=17
slapd[30661]: conn=1001 op=5 RESULT tag=103 err=17 text=UnicodePwd: attribute type undefined
slapd[30661]: daemon: activity on 1 descriptor
slapd[30661]: daemon: activity on:
slapd[30661]:
slapd[30661]: daemon: epoll: listen=7 active_threads=0 tvp=zero
slapd[30661]: daemon: activity on 1 descriptor
slapd[30661]: daemon: activity on:
As I understand, UnicodePwd is a proprietary "standard" MS attribute
in AD to store the password, but the RFC attribute is userPassword.
Is it possible to get the proxy working to process this MOD request,
maybe so that the openldap proxy passes the MOD operation with the
attribute UnicodePwd through from the VPN gateway?
I use openldap 2.4.40, here is my configuration:
==============================================================
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/rfc2307bis.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
modulepath /usr/lib/openldap/modules
moduleload back_ldap
disallow bind_anon
require authc
TLSCACertificateFile /etc/openldap/certs/myorg.net.root.pem
TLSCertificateFile /etc/openldap/certs/proxy1.myorg.net.pem
TLSCertificateKeyFile /etc/openldap/certs/proxy1.myorg.net.pem.key
TLSVerifyClient never
TLSCipherSuite ALL:!DH:!EDH
database ldap
security tls=256
rebind-as-user yes
suffix "dc=myorg,dc=net"
uri "ldap://dc1.myorg.net ldap://dc2.myorg.net"
tls start tls_cacert=/etc/openldap/certs/adroot.pem
chase-referrals no
protocol-version 3
loglevel -1
==============================================================
Thanks for your help!!
Meike
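To make the numbers in the log above concrete, here is an added Python example; it is not part of this thread and is neither OpenLDAP's nor Microsoft's code. It encodes a password the way Active Directory expects a unicodePwd value (the password in double quotes, UTF-16-LE, no byte-order mark) and parses the posted log excerpt to recover the modification list and the final result code. err=17 is the LDAP resultCode undefinedAttributeType, and "one value, length 26" is exactly the size a quoted 11-character password produces. The function names, the constructed sample password and the abridged copy of the log are assumptions of this example.

```python
"""Decode what a unicodePwd modify carries and summarize the slapd log for it."""
import re

# Constructed sample: an abridged copy of the slapd log excerpt from the post.
SAMPLE_LOG = """\
slapd[30661]: conn=1001 op=5 do_modify
slapd[30661]: conn=1001 op=5 modifications:
slapd[30661]: delete: UnicodePwd
slapd[30661]: one value, length 26
slapd[30661]: add: UnicodePwd
slapd[30661]: one value, length 26
slapd[30661]: conn=1001 op=5 MOD dn="cn=TEST5,ou=Users,dc=myorg,dc=net"
slapd[30661]: conn=1001 op=5 MOD attr=UnicodePwd UnicodePwd
slapd[30661]: conn=1001 op=5 RESULT tag=103 err=17 text=UnicodePwd: attribute type undefined
"""

# LDAP resultCode values (RFC 4511) that show up around password changes.
RESULT_NAMES = {
    0: "success",
    17: "undefinedAttributeType",
    19: "constraintViolation",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}


def encode_unicode_pwd(password: str) -> bytes:
    """AD expects the password wrapped in double quotes, UTF-16-LE, no BOM."""
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    """Inverse of encode_unicode_pwd; rejects values that lack the quotes."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("not a double-quoted UTF-16-LE unicodePwd value")
    return text[1:-1]


def password_units_from_value_length(value_len: int) -> int:
    """UTF-16 code units in the password, from the byte length slapd logs."""
    if value_len % 2 or value_len < 4:
        raise ValueError(f"{value_len} bytes cannot be a quoted UTF-16-LE value")
    return value_len // 2 - 2  # two bytes per code unit, minus the two quotes


def summarize_modify(log_text: str) -> dict:
    """Pull the modification list and the final RESULT out of slapd debug output."""
    mods, result = [], None
    for line in log_text.splitlines():
        # Strip the "slapd[pid]: " prefix; the rest is the message.
        msg = line.split(": ", 1)[1] if ": " in line else line
        m = re.match(r"(add|delete|replace|increment): (\S+)$", msg)
        if m:
            mods.append({"op": m.group(1), "attr": m.group(2), "value_len": None})
            continue
        m = re.match(r"one value, length (\d+)$", msg)
        if m and mods:
            mods[-1]["value_len"] = int(m.group(1))
            continue
        m = re.match(r"conn=(\d+) op=(\d+) RESULT tag=(\d+) err=(\d+) text=(.*)$", msg)
        if m:
            err = int(m.group(4))
            result = {
                "conn": int(m.group(1)),
                "op": int(m.group(2)),
                "tag": int(m.group(3)),  # 103 is modifyResponse
                "err": err,
                "name": RESULT_NAMES.get(err, "other"),
                "text": m.group(5),
            }
    return {"modifications": mods, "result": result}


def diagnose(summary: dict) -> str:
    """One-line reading of the summary, the way an operator wants it."""
    res = summary["result"]
    if res is None:
        return "no RESULT line found"
    if res["err"] == 17:
        attr = res["text"].split(":", 1)[0]
        lens = sorted({m["value_len"] for m in summary["modifications"]
                       if m["value_len"] is not None and m["attr"].lower() == attr.lower()})
        units = ", ".join(str(password_units_from_value_length(n)) for n in lens)
        return (f"{res['name']}: slapd rejected attribute {attr} before forwarding; "
                f"value lengths imply {units} UTF-16 code units per password")
    return f"{res['name']} (err={res['err']}): {res['text']}"


if __name__ == "__main__":
    sample = "Passw0rd123"  # constructed 11-character password, not a real credential
    value = encode_unicode_pwd(sample)
    print(len(value), decode_unicode_pwd(value))  # 26 bytes, matching the log
    print(diagnose(summarize_modify(SAMPLE_LOG)))
```

The delete-old-value/add-new-value pair in the log is the form of a user self-service password change that Active Directory accepts on unicodePwd, and AD only accepts such modifications over an encrypted connection, which is what `tls start` toward the DCs in the configuration provides. The log shows the proxy answering err=17 itself right after do_modify, without any traffic to the backend: the schema files it loads (core, cosine, inetorgperson, rfc2307bis) do not define an attribute named UnicodePwd, so slapd refuses the modify before back_ldap ever sees it.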