ok, I'll try again. I am using openldap 2.4.23 on RHEL6 server and trying to configure openldap to do simple user/password
authentication to our Microsoft AD servers. I can authenticate and do commandline ldap searches with my windows test account and
password ok. However, in trying to follow examples from the openldap.org website I cannot get it to work using the openldap config
files. All I get from the AD servers then are the anonymous bind results.
If anyone has an actual working configuration, I would really appreciate info on how they did it. I am under a typical last minute
deadline to get this going.
I am including latest slapd.conf iteration (there have been many :() for review.
thanks for any help/advice you might have.
John.
-----------------------------------------------------------------------------------------------
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/misc.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
###TLSCipherSuite HIGH:MEDIUM:+SSLv2
#TLSCACertificateFile /usr/var/openldap-data/cacert.pem
# will do TLS after basic authentication working.
TLSVerifyClient never
sizelimit unlimited
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=corp,dc=ad,dc=parc,dc=com"
rootdn "cn=Manager,dc=corp,dc=ad,dc=parc,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}EwrR01/GdI4+sdOVzZcK6Y94QbIXIw0j
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
###sizelimit unlimited
directory /var/lib/ldap
# Indices to maintain
index objectClass eq
### debug logging
loglevel -1
moduleload translucent
overlay translucent
moduleload rwm
overlay rwm
uri ldap://blowfish.corp.ad.parc.com
lastmod off
#
idassert-bind bindmethod=simple
binddn="cn=ldapusr,OU=Pseudo_User_Accounts,OU=PARC_Users,DC=corp,DC=ad,DC=parc,DC=com"
credentials=XXX
authzID=dn:cn=ldapusr,OU=Pseudo_User_Accounts,OU=PARC_Users,DC=corp,DC=ad,DC=parc,DC=com
rwm-map objectclass * *
rwm-map attribute * *
