Thanks, Liam. I will look more carefully at our schema and the search. I 
thought I had included definitions of all the AD attributes we use, but 
possibly not, and that would be an easy fix.

Regards,
Steve

-----Original Message-----
From: Liam Gretton [mailto:liam.gret...@leicester.ac.uk] 
Sent: Monday, July 22, 2013 9:52 AM
To: openldap-technical@openldap.org
Subject: Re: need help interpreting "Error: ldap_back_is_proxy_authz returned 0, misconfigured URI?"

On 15/07/2013 18:00, Steve Eckmann wrote:
> The odd thing is that I am doing exactly the same search twice. The 
> first fails, the second succeeds, so can it really be a credential 
> problem? I'm going to chase down what our intermediate proxy is; maybe 
> it's returning something bogus to openldap, but if so I haven't been 
> able to capture it in a log.

I see similar behaviour with the meta backend. If you don't have a suitable 
schema defined for the AD attributes, it's necessary to first search with an 
attribute that OpenLDAP does recognise (e.g. cn). Until then attributes such as 
sAMAccountName will be unknown. After a successful search that returns (say) 
sAMAccountName, OpenLDAP will happily use it for auth.

Assuming your issue is the same, try defining a suitable schema for your AD 
attributes. You can't use the Microsoft one directly unfortunately as MS uses 
some syntaxes that aren't present in OpenLDAP, and it's not easy to add 
additional syntaxes. But you can get away with creating a schema just for the 
attributes you're interested in.

Alternatively the quick and very dirty workaround is to perform a suitable 
search on initialisation.

-- 
Liam Gretton                                    liam.gret...@le.ac.uk
Systems Specialist                            http://www.le.ac.uk/its
IT Services                                   Tel: +44 (0)116 2522254
University of Leicester, University Road Leicestershire LE1 7RH, United Kingdom
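An added example of the "schema just for the attributes you're interested in" that Liam suggests. This is not from the original thread or from the OpenLDAP project; it is a slapd.conf-style schema file written for illustration. The attribute OIDs are the ones Active Directory publishes for these attributes (check them against your own forest's schema before use), while the SYNTAX and EQUALITY choices are OpenLDAP-supported ones rather than Microsoft's declarations, which is exactly why a local subset works where the MS schema file does not. The file name, path and the slapd.conf include lines are assumptions.

```conf
# ad-subset.schema -- illustrative example, not from the thread or from OpenLDAP
# Defines only the AD attributes the proxy needs, so slapd knows them from
# startup and does not have to "learn" them from an earlier search result.
# OIDs below are taken from the AD schema; verify them in your own forest
# (CN=Schema,CN=Configuration,...) before relying on them.

# sAMAccountName: AD logon name. Declared as Directory String with
# case-insensitive matching so (sAMAccountName=jsmith) filters work.
attributetype ( 1.2.840.113556.1.4.221
    NAME 'sAMAccountName'
    DESC 'AD pre-Windows 2000 logon name (OpenLDAP-compatible declaration)'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

# userPrincipalName: user@realm form, also a plain string here.
attributetype ( 1.2.840.113556.1.4.656
    NAME 'userPrincipalName'
    DESC 'AD user principal name (OpenLDAP-compatible declaration)'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

# memberOf: back-link to group DNs. DN syntax so distinguishedNameMatch
# applies, and NO-USER-MODIFICATION because AD maintains it itself.
attributetype ( 1.2.840.113556.1.2.102
    NAME 'memberOf'
    DESC 'AD group back-link (OpenLDAP-compatible declaration)'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
    NO-USER-MODIFICATION )

# slapd.conf (assumed path): load the subset after core.schema and before
# the ldap/meta backend definitions that proxy to AD.
#
#   include  /etc/openldap/schema/core.schema
#   include  /etc/openldap/schema/ad-subset.schema
```

Validate the configuration with `slaptest -f /etc/openldap/slapd.conf` before restarting slapd; a typo in an OID or a syntax OpenLDAP does not know will be reported there rather than as a confusing failure on the first proxied search. If the server is managed through cn=config instead of slapd.conf, the same three definitions go into `olcAttributeTypes` values of a new `olcSchemaConfig` entry. Only attributes that actually appear in your search filters or that you want returned with a recognised syntax need to be declared; anything else AD returns can remain undefined.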