Erik Kemper
asked on
(Open)LDAP V2.44 search proxy to AD (W2012R2)
Hi,
I have been trying to set up an OpenLDAP (2.44) search/auth proxy to a Windows 2012 R2 AD server on and off for a month now with no apparent success.
Third-party applications need to search (verify) users against an LDAP connection in the DMZ (apps like Proofpoint, etc.).
Does anyone have a good step-by-step guide for a newbie, or an OVA or similar?
(OpenLDAP 2.44 is not using slapd.conf, and all guides still use that way of config...)
PS: I prefer it on a Debian-based OS.....? :-)
Are you trying to connect directly to AD over LDAP, or set up OpenLDAP as a "proxy" to connect to AD over LDAP?
As gheist has said, AD requires an authenticated bind rather than an anonymous bind, so the account used to bind (and then do the lookup for the user account attempting to authenticate and then authorise) must be specified with its full DN, such as "CN=LDAP-bind,OU=ServiceAccounts,DC=internal,DC=domain,DC=com".
ASKER
Hi, thanks for the quick reply!
Users connect to Proofpoint to collect their digest; Proofpoint uses LDAP to verify the user.
I want to have an LDAP "box" in our DMZ to check and accept the connection from Proofpoint and then verify its request about that user against our AD(s) in the internal network.
I would need a client LDAP "box" then?
Thanks
Erik
ASKER
PS: is that the Softerra LDAP browser 4.5 you are referring to?
Cheers
Erik
First you need to get ldapsearch working by way of Softerra (LDAP Browser v4.5).
After that you need to proxy the respective OU where the users are, using the authentication that you learned with simple tools...
ASKER
Thanks!
I will try your solution and let you know the outcome!
Cheers
Erik
I would connect directly to a DC in your LAN, and I would suggest using LDAPS instead of LDAP to secure the traffic.
Presuming that the DMZ is not routable to the LAN, you can expose LDAP/LDAPS via NAT.
The account to use for the initial bind should only be a standard user and NOT a Domain Admin.
Use LDAP on 3268 or LDAPS on 3269 on a single or a few domain controllers. It does not respond with referrals, so you will never go chasing them across all AD servers.
ASKER
Hi,
Today I will start to install/configure Softerra (LDAP Browser v4.5) and keep you posted on progress.
ASKER
Hi all,
I went to the download section and only see a Windows version?
As stated, I would prefer/need a Linux tool... :-)
Cheers
Erik
ASKER
It looks like (googling again this morning) that I need an LDAP meta backend setup.
Does anyone know a good guide for an (Open)LDAP noobie on a Debian/CentOS base?
I can't find one that works for me. Either it's too old, or the info, steps or examples are not good or missing.....
The picture still is:
ProofPoint checks access/authentication for user -> LDAP proxy (DMZ) -> Windows 2008R2 AD DC(s).
Hope anyone can point me in the right direction.... :-)
Cheers
Erik
Second, here are slapd examples:
https://wiki.samba.org/index.php/OpenLDAP_as_proxy_to_AD7
-> parameters can be figured out with Softerra.
ASKER
Hi gheist,
As stated earlier, Softerra is Windows-based, and I don't want a Windows machine in the DMZ... :-)
And the link you suggest drops into an empty Wiki page?
Thanks for the help till now, by the way!
Cheers
Erik
ASKER
Hello all,
Would this be a good product?
https://backstage.forgerock.com/docs/openidm/4.5/samples-guide/chap-ldap-samples#more-sample-6
Cheers
Erik
ASKER
Hi,
Yeah, and I tried this one, but this info is "old" I think?
This page was last modified on 27 August 2015, at 18:07.
OpenLDAP 2.44 does not use conf files, and like I said I am a noob, so I don't know how to adapt this to the new config method.. :-(
Cheers
Erik
The conf file method is deprecated but still usable:
http://www.openldap.org/doc/admin24/slapdconfig.html
Alternatively, there is the option for an LDAP backend http://www.openldap.org/doc/admin24/backends.html#LDAP
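As an added worked example (not from this thread, and not the OpenLDAP project's own code), here is the LDAP backend from the link above written in the cn=config (OLC) form that OpenLDAP 2.4 on Debian uses instead of slapd.conf. Every concrete value is an assumption: the suffix dc=testdomain,dc=com, the Global Catalog host gc.testdomain.example, the CA file path and the Debian module path. The olcDbStartTLS line is my reading of the slapd-ldap(5) "tls" directive and should be checked against the installed man page.

```shell
#!/bin/sh
# Added example: render the cn=config LDIF for an OpenLDAP 2.4 back-ldap proxy
# in front of an AD Global Catalog. Apply it as root with:
#   proxy_config_ldif 'dc=testdomain,dc=com' 'ldaps://gc.testdomain.example:3269' \
#       '/etc/ssl/certs/ad-ca.pem' | ldapadd -Y EXTERNAL -H ldapi:///
# All hostnames, DNs and paths are assumed placeholders.

# $1 = suffix: must be exactly the AD base DN the clients will search under.
# $2 = AD URI: the GC on 3269 over TLS, so no referrals to chase.
# $3 = CA certificate file that signs the domain controller's certificate.
proxy_config_ldif() {
  suffix=$1
  ad_uri=$2
  ca_file=$3
  cat <<EOF
# Load the ldap backend module (Debian ships slapd modules in /usr/lib/ldap).
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: back_ldap

# The proxy database holds no local data; every operation is forwarded to AD.
dn: olcDatabase=ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: ldap
olcSuffix: $suffix
olcDbURI: $ad_uri
# Forward the client's own simple bind to AD. slapd parses that bind DN, so the
# client must bind with a full DN (cn=...,ou=...,dc=...), not a UPN.
olcDbRebindAsUser: TRUE
# The GC answers for the whole forest; never follow referrals from the proxy.
olcDbChaseReferrals: FALSE
# Assumed syntax (slapd-ldap(5) "tls"): verify the DC certificate on ldaps://.
olcDbStartTLS: ldaps tls_cacert=$ca_file tls_reqcert=demand
# Defence in depth: the frontend hides returned entries from anonymous clients.
# The search itself is still forwarded, and AD rejects it unless bound.
olcAccess: to * by users read by * none
EOF
}
```

Two points from the thread map directly onto this file. The suffix has to match the base the clients search with `-b`: a search with an empty base matches no database on the proxy and comes back as "No such object (32)" without any traffic reaching the DC. With rebind-as-user the proxy relays the client's bind to AD, so the account the client binds with should be a plain user rather than a Domain Admin, as noted earlier in the thread; it is that account's rights, not the proxy's, that decide what AD returns.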
ASKER
Hi, I tried it again with https://wiki.samba.org/index.php/OpenLDAP_as_proxy_to_AD.
I can access the LDAP (no account needed??), but nothing useful comes back?
------------------ snippet ------------------
c:\> ldapsearch.exe -x -h 10.200.5.100 "(objectclass=*)"
attempting to connect:
connect success
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
---- end snippet ----
And I don't see anything happening at the nscd side either (nslcd -d).
Most pages are about AUTH proxy setup; the only thing I need is to verify if a user exists in the GC and to see if it has a valid mailbox (account)?
Cheers
Erik
ASKER
I got nslcd working! It binds successfully to the AD.
But an ldapsearch still returns nada, and I don't see anything happening in the debug of nslcd when I do requests....
So I guess I made a booboo with the connection between slapd and nslcd?
Cheers
Erik
Softerra is much better at detecting LDAP trees...
ASKER
I wonder which slapd.conf the slapd service is using. I have made mine in /etc.....
If I look with search I only see the "local" admin account.....
Are you seeing any traffic to the AD DC?
It might be simplest to test with LDAP on 389 before moving to LDAPS.
ASKER
No, no traffic, that is what puzzles me.
I am running on 389 for now, I had the same idea.. :-)
I can walk the LDAP tree directly with ldapsearch using the account that I assigned to nslcd; all works then.
Are you able to telnet to port 389 on the DC from the server that you have installed OpenLDAP on?
It should look something like:
user@host:~$ telnet dc.internal.domain.com 389
Trying 10.100.100.10...
Connected to dc.internal.domain.com.
Escape character is '^]'.
ASKER
Yes,
As I stated before, nslcd connects to the DC from the LDAP server.
---- snippet -----------------
nslcd: DEBUG: NSS_LDAP nss-pam-ldapd 0.9.4
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,never)
nslcd: DEBUG: CFG: threads 5
nslcd: DEBUG: CFG: uid nslcd
nslcd: DEBUG: CFG: gid 113
nslcd: DEBUG: CFG: uri ldap://10.10.10.10:389
nslcd: DEBUG: CFG: ldap_version 3
nslcd: DEBUG: CFG: binddn ldap@testdomain.com
nslcd: DEBUG: CFG: bindpw ***
nslcd: DEBUG: CFG: base ou=qchm,dc=testdomain,dc=com
nslcd: DEBUG: CFG: scope sub
nslcd: DEBUG: CFG: deref never
nslcd: DEBUG: CFG: referrals yes
nslcd: DEBUG: CFG: filter aliases (objectClass=nisMailAlias)
nslcd: DEBUG: CFG: filter ethers (objectClass=ieee802Device)
nslcd: DEBUG: CFG: filter group (&(objectClass=group)(gidNumber=*))
nslcd: DEBUG: CFG: filter hosts (objectClass=ipHost)
nslcd: DEBUG: CFG: filter netgroup (objectClass=nisNetgroup)
nslcd: DEBUG: CFG: filter networks (objectClass=ipNetwork)
nslcd: DEBUG: CFG: filter passwd (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
nslcd: DEBUG: CFG: filter protocols (objectClass=ipProtocol)
nslcd: DEBUG: CFG: filter rpc (objectClass=oncRpc)
nslcd: DEBUG: CFG: filter services (objectClass=ipService)
nslcd: DEBUG: CFG: filter shadow (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
nslcd: DEBUG: CFG: map group userPassword "*"
nslcd: DEBUG: CFG: map passwd uid sAMAccountName
nslcd: DEBUG: CFG: map passwd userPassword "*"
nslcd: DEBUG: CFG: map passwd gecos displayName
nslcd: DEBUG: CFG: map passwd homeDirectory unixHomeDirectory
nslcd: DEBUG: CFG: map shadow uid sAMAccountName
nslcd: DEBUG: CFG: map shadow userPassword "*"
nslcd: DEBUG: CFG: map shadow shadowLastChange pwdLastSet
nslcd: DEBUG: CFG: map shadow shadowMin "${shadowMin:--1}"
nslcd: DEBUG: CFG: map shadow shadowMax "${shadowMax:--1}"
nslcd: DEBUG: CFG: map shadow shadowWarning "${shadowWarning:--1}"
nslcd: DEBUG: CFG: map shadow shadowInactive "${shadowInactive:--1}"
nslcd: DEBUG: CFG: map shadow shadowExpire "${shadowExpire:--1}"
nslcd: DEBUG: CFG: map shadow shadowFlag "${shadowFlag:-0}"
nslcd: DEBUG: CFG: bind_timelimit 10
nslcd: DEBUG: CFG: timelimit 0
nslcd: DEBUG: CFG: idle_timelimit 0
nslcd: DEBUG: CFG: reconnect_sleeptime 1
nslcd: DEBUG: CFG: reconnect_retrytime 10
nslcd: DEBUG: CFG: ssl off
nslcd: DEBUG: CFG: tls_reqcert never
nslcd: DEBUG: CFG: pagesize 1000
nslcd: DEBUG: CFG: nss_min_uid 0
nslcd: DEBUG: CFG: nss_nested_groups no
nslcd: DEBUG: CFG: validnames /^[a-z0-9._@$()]([a-z0-9._@$() \~-]*[a-z0-9._@$()~-])?$/i
nslcd: DEBUG: CFG: ignorecase no
nslcd: DEBUG: CFG: cache dn2uid 15m 15m
nslcd: version 0.9.4 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: DEBUG: initgroups("nslcd",113) done
nslcd: DEBUG: setgid(113) done
nslcd: DEBUG: setuid(108) done
nslcd: accepting connections
nslcd: [8b4567] DEBUG: connection from pid=1127 uid=0 gid=0
nslcd: [8b4567] <group/member="nslcd"> DEBUG: myldap_search(base="ou=qchm,dc=testdomain,dc=com", filter="(&(&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))(sAMAccountName=nslcd))")
nslcd: [8b4567] <group/member="nslcd"> DEBUG: ldap_initialize(ldap://10.10.10.10:389)
nslcd: [8b4567] <group/member="nslcd"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <group/member="nslcd"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <group/member="nslcd"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <group/member="nslcd"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <group/member="nslcd"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <group/member="nslcd"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <group/member="nslcd"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <group/member="nslcd"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <group/member="nslcd"> DEBUG: ldap_simple_bind_s("ldap@testdomain.com","***") (uri="ldap://10.10.10.10:389")
nslcd: [8b4567] <group/member="nslcd"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [8b4567] <group/member="nslcd"> DEBUG: myldap_search(base="ou=qchm,dc=testdomain,dc=com", filter="(&(&(objectClass=group)(gidNumber=*))(memberUid=nslcd))")
nslcd: [8b4567] <group/member="nslcd"> DEBUG: ldap_result(): end of results (0 total)
----end snippet----------
And an ldapsearch works fine to the LDAP server, but the answers are weird.... as if it reads from a different LDAP database (internal?)
Cheers
Erik
ASKER
Hi,
Testing from the LDAP server itself to the DC with ldapsearch, I need to add the -b option to see the data?
What could be the cause of that? Which config file is missing something?
Cheers
Erik
ASKER
Digging onwards, I noticed that I cannot bind to the LDAP from another machine...? How do I find out which user it wants?
(I did not set one up...). Or how do I set up a local user that can connect to the LDAP so it can proxy the request to the AD?
ASKER
Hi again,
I got a little further: I see OpenLDAP accept the request from the client, but I see this error in the log?
------
res_errno: 1, res_error: <000004DC: LdapErr: DSID-0C090752, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580>, res_matched: <>
------
Looking at https://wiki.samba.org/index.php/OpenLDAP_as_proxy_to_AD, should nslcd take care of this, or am I barking up the wrong tree here?
Cheers
Erik
ASKER
So, does no one have any clues anymore what I could have missed?
You need to have edited slapd.conf, nslcd.conf and pam_ldap.conf to suit your AD.
ASKER
Yeah, I did, as far as I can tell? Tried it 4 times from scratch (fresh install) but still no luck......??
It should be a "simple" thing: just check a mail account through the LDAP proxy against the GC of the Windows 2008R2 AD.
A straight check against the LDAP of that AD works fine, but not through the LDAP proxy itself.
Cheers
Erik
If you run a packet capture on the DC that you have configured in the several config files, what traffic do you see from the server running OpenLDAP when you attempt to query OpenLDAP?
ASKER
Thanks for the quick response
No traffic when I do an ldapsearch to the LDAP proxy I am trying to build.
The result from ldapsearch is then: ldap_bind: Invalid DN syntax (34)
When doing the exact same ldapsearch from the same client directly to AD (same parameters, only -H is different) I get a successful result (result: 0 Success).
I feel I am close, but no cigar... :-)
Cheers Erik
Time to go searching through logs...
ASKER
Hi,
Yes, that would be the logical next step, I agree. But there I don't see anything out of the ordinary. Which logs would you suggest on the OpenLDAP server, just to see if I am looking at the right ones?
Cheers
Erik
ASKER
Finally got it to work, although it makes no sense :-)
ldapsearch from a client needs to use the DN format the old-fashioned way ("cn=xxxx,dc=xxxx"), while nslcd.conf connects with a UPN.
Took me ages to figure that one out.....
But thanks anyways guys for giving me food-for-thought!
Cheers
Erik
ASKER
This is the right start to get an AD proxy. But connection-wise, the client needs to connect with a DN (cn=xxx,dc=xxx) while nslcd.conf needs to connect with a UPN name (xx@xxx.xx).
You must be looking for ldap.conf, a client conf file.
The easiest corner to start with is the (OpenLDAP-based) Softerra LDAP explorer client (don't be lured into using AD authentication).
Unlike common LDAP servers that can resolve the LDAP login name to a CN, for AD you need to resolve the login name and log in using the full CN (DN=com,DN=example,OU=IT,.
What you need is:
LDAP server IP or name (AD GD service most likely)
Log-in DN (AD user)
Password for that DN (its password)
LDAP query to return true/false on a valid mail address
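As an added example (not from this thread and not from any of the tools named in it), a small shell toolkit that ties together the two closing points: why a bind to the proxy with a UPN fails with "Invalid DN syntax (34)" while the same UPN works on a direct bind to AD, and how to phrase the true/false mail-address query so that a supplied address cannot change the meaning of the filter. The proxy name, bind DN, password file, base and addresses are assumed placeholders; is_ldap_dn is a simplified RFC 4514 syntax test, not a full DN parser.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders: proxy.dmz.example,
# cn=ldap,ou=qchm,dc=testdomain,dc=com, /etc/proofpoint/ldap.pw.

# Simplified RFC 4514 check: a DN is attribute=value pairs joined by commas.
# Escaped commas and OID-style attribute types are deliberately not handled.
# A UPN (user@domain) or DOMAIN\user contains no '=' and is not a DN, which is
# exactly what slapd rejects as error 34 before the bind ever reaches AD.
# AD itself accepts both forms on a direct simple bind, so nslcd.conf can
# keep the UPN while clients of the proxy must bind with the full DN.
is_ldap_dn() {
  printf '%s' "$1" |
    grep -Eq '^[A-Za-z][A-Za-z0-9-]*=[^,=]+(,[A-Za-z][A-Za-z0-9-]*=[^,=]+)*$'
}

# RFC 4515 escaping for a value placed inside a search filter: backslash
# first, then the filter metacharacters * ( ). Without this a value such as
# "*)(objectClass=*" would widen the query instead of matching one address.
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Filter that matches one user object carrying the given mail address.
mailbox_filter() {
  printf '(&(objectCategory=person)(objectClass=user)(mail=%s))' "$(ldap_filter_escape "$1")"
}

# True/false mailbox check through the proxy (needs a live proxy; not run by
# the test). $1 proxy URI, $2 bind DN, $3 file holding the bind password,
# $4 search base (must equal the proxy's olcSuffix), $5 mail address.
# ldapsearch exits 0 even when nothing matches, so the result is decided by
# whether a mail attribute came back.
has_mailbox() {
  ldapsearch -LLL -x -H "$1" -D "$2" -y "$3" -b "$4" -s sub \
    "$(mailbox_filter "$5")" mail | grep -q '^mail: '
}
# e.g.  has_mailbox ldap://proxy.dmz.example \
#         'cn=ldap,ou=qchm,dc=testdomain,dc=com' /etc/proofpoint/ldap.pw \
#         'dc=testdomain,dc=com' 'erik@testdomain.com' && echo valid
```

Keeping the bind password in a file read with `-y` rather than on the command line keeps it out of the process list and shell history on the DMZ host, and the bind DN used here should be the low-privilege service account already recommended in the thread.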