Your setup, with minor changes (the naming contexts, and the remote
server is OpenLDAP as well) works just fine with current re23 and HEAD
code, using either slapd-meta(5) (why?) or slapd-ldap(5) with
slapo-rwm(5).  So the devil must be in the details.  In any case, since
OpenLDAP 2.3.30 there were at least 10 fixes/enhancements to
slapd-ldap(5) and at least 6 to slapd-meta(5), so an upgrade might help.

p.

Federico Grau wrote:
> With minimal information as requested by the moderators multiple times.  Why
> doesn't idassert-bind work as expected?  When I try an anonymous query to an
> "LDAP" server via an OpenLDAP server configured as a proxy (backend meta, or
> backend ldap), the query fails because the OpenLDAP server does not bind (even
> when I try setting the "idassert-bind" option).
> 
>     # sample failed anonymous query to AD via OpenLDAP
>     ldapsearch  -H "ldap://localhost/" -b "ou=windows,dc=rfa,dc=org" -x
> 
>     # expected query to be performed by ldap server
>       ldapsearch -H "ldap://dc1.rfa.org/" -b "cn=users,dc=rfa,dc=org" \
>               -D "CN=LDAP Proxy user account,OU=Windows,DC=rfa,DC=org" -W \
>               -x
> 
>     # using (tcpdump -x -s0 port 389) I never see a bind sent from OpenLDAP,
>     # and instead I see an error returned from the "LDAP" server because a
>     # bind was not successful.
> 
> 
>     # backend meta portion of the slapd.conf file
>     ##database    ldap
>     database    meta
> 
>     suffix      "ou=windows,dc=rfa,dc=org"
>     uri         "ldap://dc1.rfa.org/ou=windows,dc=rfa,dc=org"
> 
>     suffixmassage   ou=windows,dc=rfa,dc=org
>                     cn=users,dc=rfa,dc=org
> 
>     idassert-authzFrom "dn:*"
>     #Xidassert-bind   bindmethod=simple binddn="[EMAIL PROTECTED]" credentials="222222"
>     idassert-bind   bindmethod=simple binddn="CN=LDAP Proxy user account,OU=Windows,DC=rfa,DC=org" credentials="222222"  mode=none
>     dncache-ttl     60
> 
> 
> 
> My environment is made up of Debian stable (4.0 Etch) on the workstations and
> OpenLDAP server, OpenLDAP 2.3.30-5 on the server.  "LDAP" Server on the remote
> end.
> 
> 
> thank you,
> donfede
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   [EMAIL PROTECTED]
---------------------------------------
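A check for the tcpdump step in the quoted post, added here and not part of either message: a small Python decoder for LDAP messages captured on port 389 that lists each operation and the DN it carries, so one can confirm whether the proxy sent a bindRequest (and as which DN) before its searchRequest. The sample messages, the password, and the search parameters are constructed for the example; the proxy DN and search base are the ones from the quoted configuration.

```python
# Decode the protocolOp of each LDAPMessage in a byte stream, e.g. the payload behind "tcpdump -x -s0 port 389".

OPS = {0x60: "bindRequest", 0x61: "bindResponse", 0x42: "unbindRequest",
       0x63: "searchRequest", 0x64: "searchResultEntry", 0x65: "searchResultDone"}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the length-byte count
        n = length & 0x7f
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def ldap_ops(stream):
    """One dict per LDAPMessage: messageID, operation name and the DN it names."""
    ops, pos = [], 0
    while pos < len(stream):
        tag, msg, pos = read_tlv(stream, pos)
        if tag != 0x30:                     # every LDAPMessage is a SEQUENCE
            raise ValueError("not an LDAPMessage")
        _, mid, p = read_tlv(msg, 0)        # messageID INTEGER
        op_tag, body, _ = read_tlv(msg, p)  # protocolOp CHOICE, application-class tag
        entry = {"id": int.from_bytes(mid, "big"), "op": OPS.get(op_tag, hex(op_tag))}
        if op_tag == 0x60:                  # BindRequest: version INTEGER, name, authentication
            _, name, p = read_tlv(body, read_tlv(body, 0)[2])
            entry["dn"] = name.decode()
            entry["auth"] = "simple" if read_tlv(body, p)[0] == 0x80 else "sasl"
        elif op_tag == 0x63:                # SearchRequest: baseObject comes first
            entry["dn"] = read_tlv(body, 0)[1].decode()
        ops.append(entry)
    return ops


def bind_dn_before_search(ops):
    """DN bound before the first searchRequest; None if the search went out unbound."""
    bound = None
    for o in ops:
        if o["op"] == "bindRequest":
            bound = o["dn"] or None         # empty name = anonymous bind
        elif o["op"] == "searchRequest":
            return bound
    return bound


def ber(tag, content):                      # tiny BER encoder, used only to build the samples
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")) + content


# Constructed sample: a simple bind as the proxy account, then a one-level search (constructed password).
PROXY_DN = b"CN=LDAP Proxy user account,OU=Windows,DC=rfa,DC=org"
BIND = ber(0x30, ber(0x02, b"\x01") + ber(0x60, ber(0x02, b"\x03") + ber(0x04, PROXY_DN) + ber(0x80, b"secret")))
SEARCH = ber(0x30, ber(0x02, b"\x02") + ber(0x63, ber(0x04, b"cn=users,dc=rfa,dc=org") + ber(0x0a, b"\x01")
             + ber(0x0a, b"\x00") + ber(0x02, b"\x00") * 2 + ber(0x01, b"\x00") + ber(0x87, b"objectClass") + ber(0x30, b"")))
```

Feed `ldap_ops` the reassembled TCP payload of the proxy-to-server connection; a stream whose first operation is a searchRequest is exactly the "no bind sent" symptom described above.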