
List:       openldap-technical
Subject:    LdapErr: DSID-0C090627 with translucent proxy and AD
From:       Petteri Heinonen <petteri.j.heinonen () kolumbus ! fi>
Date:       2009-07-22 7:19:30
Message-ID: 21212225.828241248247171073.JavaMail.petteriheinonen () kolumbus ! fi


Hello list, I've been trying to set up a translucent proxy to display a modified version of our ActiveDirectory (Server 2003) to Linux clients. The ultimate goal is to be able to transparently add UID, default shell etc. parameters missing in AD by default. Usage of Services for Unix is not possible this time because of "company policies". Config file is like this:

# Default realm
sasl-realm company.com

# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
loglevel 504

# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_hdb
moduleload back_ldap
moduleload accesslog
moduleload translucent

# The maximum number of entries that is returned for a search operation
sizelimit 500

# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1

backend hdb

database hdb

# The base of your directory in database #1
suffix "dc=company,dc=com"

# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn "cn=admin,dc=company,dc=com"
rootpw {SSHA}blaablaa

# Where the database file are physically stored for database #1
directory "/var/lib/ldap"

# Indexing options for database #1
index objectClass eq

# Save the time that the entry gets modified, for database #1
lastmod off

overlay translucent
uri ldap://ad1.company.com:389
acl-bind binddn="CN=ldapuser,OU=tools,DC=company,DC=com" credentials="verysecure"


Now, if I do a search with rootdn cn=admin,dc=company,dc=com, proxy binds to AD as ldapuser and search is successful. But, if I use a user existing in AD only, for example like this:

ldapsearch -x -W -D "CN=Some User,OU=Users,DC=company,DC=com" -b "CN=Some User,OU=Users,DC=company,DC=com"

I get:

# extended LDIF
#
# LDAPv3
# base <CN=Some User,OU=Users,DC=company,DC=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this ope
ration a successful bind must be completed on the connection., data 0, vece

# numResponses: 1


I monitored the traffic using wireshark, and from there I can see that binding is actually successful. What fails is the search request after that:

0.000361 10.65.31.26 -> 10.65.26.34 LDAP bindRequest(1) "cn=Some User,ou=Users,dc=company,dc=com" simple
0.002285 10.65.26.34 -> 10.65.31.26 LDAP bindResponse(1) success
0.002297 10.65.31.26 -> 10.65.26.34 TCP 43898 > ldap [ACK] Seq=79 Ack=23 Win=5888 Len=0 TSV=67497094 TSER=69277767
0.003840 10.65.31.26 -> 10.65.26.34 LDAP searchRequest(4) "Some User,ou=Users,dc=company,dc=com" wholeSubtree
0.004067 10.65.26.34 -> 10.65.31.26 LDAP searchResDone(4) operationsError (00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece)

OpenLDAP version is the one with Debian Lenny: slapd/lenny uptodate 2.4.11-1

Any suggestions how to continue? Is this some AD-related quirk or possibly a problem related to how OpenLDAP does binding?

Regards, Petteri Heinonen
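Added example (not from the post or from OpenLDAP): a small parser for Wireshark-style LDAP summary lines, run over a constructed copy of the capture quoted above, that correlates message IDs and flags the pattern the poster sees, a successful bindResponse followed by a searchResDone carrying AD's "a successful bind must be completed" diagnostic. Function names, the regex and the sample lines are this example's own assumptions.

```python
import re

# Constructed sample, based on the capture quoted in the post (TCP line trimmed).
CAPTURE = """\
0.000361 10.65.31.26 -> 10.65.26.34 LDAP bindRequest(1) "cn=Some User,ou=Users,dc=company,dc=com" simple
0.002285 10.65.26.34 -> 10.65.31.26 LDAP bindResponse(1) success
0.002297 10.65.31.26 -> 10.65.26.34 TCP 43898 > ldap [ACK] Seq=79 Ack=23 Win=5888 Len=0
0.003840 10.65.31.26 -> 10.65.26.34 LDAP searchRequest(4) "Some User,ou=Users,dc=company,dc=com" wholeSubtree
0.004067 10.65.26.34 -> 10.65.31.26 LDAP searchResDone(4) operationsError (00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece)
"""

# One Wireshark summary line: timestamp, src -> dst, protocol, operation(msgid), remainder.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<src>\S+) -> (?P<dst>\S+) LDAP "
    r"(?P<op>\w+)\((?P<id>\d+)\)\s*(?P<rest>.*)$"
)

def parse_ldap_lines(text):
    """Return a list of dicts for the LDAP lines; non-LDAP lines (TCP ACKs) are skipped."""
    ops = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["id"] = int(d["id"])
            ops.append(d)
    return ops

def find_unauthenticated_search(ops):
    """Return (bind_msgid, search_msgid) if a bindResponse 'success' is later followed
    by a searchResDone whose diagnostic says a bind is still required; that combination
    means the server-side search did not run under the identity the client bound as.
    Returns None when no such pair exists."""
    bound = None
    for op in ops:
        if op["op"] == "bindResponse" and op["rest"].startswith("success"):
            bound = op["id"]
        elif (op["op"] == "searchResDone" and bound is not None
              and "successful bind must be completed" in op["rest"]):
            return bound, op["id"]
    return None

if __name__ == "__main__":
    print(find_unauthenticated_search(parse_ldap_lines(CAPTURE)))  # (1, 4)
```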


