Hello Pierangelo, First, thank you for the response. I will re-test with the current stable release (2.3.32).
FYI, we chose the slapd-meta backend to allow for redundancy and work with multiple remote servers (I had read in the man page "the ldap backend is intended to proxy operations directed to a single server"). Would you have a sample configuration file for the working situtation? I never see a "simple authentication" bind go out from the OpenLDAP meta server, so something is definitely wrong on that end (either configuration or bug). best to you, donfede On Thu, May 17, 2007 at 07:32:03PM +0200, Pierangelo Masarati wrote: > Your setup, with minor changes (the naming contexts, and the remote > server is OpenLDAP as well) works just fine with current re23 and HEAD > code, using either slapd-meta(5) (why?) or slapd-ldap(5) with > slapo-rwm(5). So the devil must be in the details. In any case, since > OpenLDAP 2.3.30 there were at least 10 fixes/ehnahcement to > slapd-ldap(5) and at least 6 to slapd-meta(5), so an upgrade might help. > > p. > > Federico Grau wrote: > > With minimal information as requested by the moderators multiple times. Why > > doesn't idassert-bind work as expected? When I try an anonymous query to an > > "LDAP" server via an OpenLDAP server configured as a proxy (backend meta , > > or > > backend ldap), the query fails because the OpenLDAP server does not bind > > (even > > when I try setting the "idassert-bind" option). > > > > # sample failed anonymous query to AD via OpenLDAP > > ldapsearch -H "ldap://localhost/"; -b "ou=windows,dc=rfa,dc=org" -x > > > > # expected query to be performed by ldap server > > ldapsearch -H "ldap://dc1.rfa.org/"; -b "cn=users,dc=rfa,dc=org" \ > > -D "CN=LDAP Proxy user account,OU=Windows,DC=rfa,DC=org" -W \ > > -x > > > > # using (tcpdump -x -s0 port 389) I never see a bind sent from OpenLDAP, > > # and instead I see an error returned from the "LDAP" server because a > > # bind not successful. > > > > > > # backend meta portion of the slapd.conf file > > ##database ldap > > database meta > > > > suffix "ou=windows,dc=rfa,dc=org" > > uri "ldap://dc1.rfa.org/ou=windows,dc=rfa,dc=org"; > > > > suffixmassage ou=windows,dc=rfa,dc=org > > cn=users,dc=rfa,dc=org > > > > idassert-authzFrom "dn:*" > > #Xidassert-bind bindmethod=simple binddn="[EMAIL PROTECTED]" > > credentials="222222" > > idassert-bind bindmethod=simple binddn="CN=LDAP Proxy user > > account,OU=Windows,DC=rfa,DC=org" credentials="222222" mode=none > > dncache-ttl 60 > > > > > > > > My environment is made up of Debian stable (4.0 Etch) on the workstations > > and > > OpenLDAP server, OpenLDAP 2.3.30-5 on the server. "LDAP" Server on the > > remote > > end. > > > > > > thank you, > > donfede > > > > > > > Ing. Pierangelo Masarati > OpenLDAP Core Team > > SysNet s.r.l. > via Dossi, 8 - 27100 Pavia - ITALIA > http://www.sys-net.it > --------------------------------------- > Office: +39 02 23998309 > Mobile: +39 333 4963172 > Email: [EMAIL PROTECTED] > --------------------------------------- -- Federico Grau Free Software Developer and Sysadmin Radio Free Asia 2025 M Street, NW Suite 300 Washington, DC 20036 202-587-2046 Telephone 202-721-7468 Facsimile CONFIDENTIAL COMMUNICATION This e-mail message is intended only for the use of the addressee and may contain information that is privileged and confidential. Any unauthorized dissemination, distribution, or copying is strictly prohibited. If you receive this transmission in error, please contact [EMAIL PROTECTED]
