Hello,

It's running. Thank you for your help.

For your information, you will find below the correct slapd.conf.

slapd.conf
----------
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
allow bind_v2

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCipherSuite HIGH:-SSLv2
TLSCACertificateFile /etc/openldap/cacerts/cacerts.crt
TLSCertificateFile /etc/openldap/cacerts/ldapproxy.example.ch.crt
TLSCertificateKeyFile /etc/openldap/cacerts/ldapproxy.example.ch.key

loglevel -1
disallow bind_anon

# AD
database ldap
suffix "dc=activedir,dc=example,dc=ch"
uri "ldaps://dc1-test.example.ch/"

readonly on
rebind-as-user
lastmod off

idassert-bind bindmethod=simple
    binddn="CN=LDAPAccess,OU=TST,OU=USERS,DC=activedir,DC=example,DC=ch"
    credentials=secret
    mode=none
idassert-authzFrom "*"

access to attrs=displayname,sn,givenname,mail,telephoneNumber
    by dn.exact="CN=Test User,OU=TST,OU=USERS,DC=activedir,DC=example,DC=ch" read
    by group.exact="CN=Grp_Users_UG,OU=Gina,OU=Applications,DC=activedir,DC=example,DC=ch" read
    by * none

# The users must see the entry itself
access to attrs=entry
    by dn.exact="CN=Test User,OU=TST,OU=USERS,DC=activedir,DC=example,DC=ch" read
    by group.exact="CN=Grp_Users_UG,OU=Gina,OU=Applications,DC=activedir,DC=example,DC=ch" read
    by * none

# Other attributes, other users have no access
access to *
    by * none
#-------------------------------------------------------------------------------
slapd.conf end


2013/6/7 Howard Chu <[email protected]>

> Dysan 67 wrote:
>
>> Hello,
>> I have a problem with acl and group.
>> I configured a proxy slapd and added acl (see slapd.conf below)
>
> Read the slapd-ldap(5) manpage. Since your remote server is AD you must
> configure explicit Bind credentials for any access of the remote server. In
> this case, back-ldap cannot look up the remote group memberships because
> you have failed to configure acl-bind.
>
> Run slapd with -d7 and it will be obvious that this is the problem.
>
>> When I run a ldapsearch command with user 'Test User' the attributes are
>> displayed. It's OK.
>>
>> But when I run the same ldapsearch command with user 'Synchro1 User' the
>> message 'Insufficient access (50)' is displayed. It's not OK.
>> The user 'Synchro1 User' is a member of
>> CN=Grp_Users_UG,OU=Gina,OU=Applications,DC=activedir,DC=example,DC=ch
>>
>> Do you have an idea?
>> Thank you for your help
>> Dysan
>>
>> My environment
>> ---------------------
>> ldapproxy server is CentOS release 5.9 (Final), openldap version 2.3.43
>> dc1-test Windows Server 2008 R2 (Domain Controller)
>>
>> Ldapsearch command
>> -------------------
>> $ ldapsearch -x -LLL -H ldaps://ldapproxy.example.ch:636 \
>>     -D "CN=Test User,OU=TST,OU=USERS,DC=activedir,DC=example,DC=ch" -W \
>>     -b "dc=activedir,dc=example,dc=ch" -s sub cn=*
>> Enter LDAP Password:
>> dn: ........
>> ...
>>
>> $ ldapsearch -x -LLL -H ldaps://ldapproxy.example.ch:636 \
>>     -D "CN=Synchro1 User,OU=TST,OU=USERS,DC=activedir,DC=example,DC=ch" -W \
>>     -b "dc=activedir,dc=example,dc=ch" -s sub cn=*
>> Enter LDAP Password:
>> Insufficient access (50)
>>
>> slapd.conf
>> ----------
>> include /etc/openldap/schema/core.schema
>> include /etc/openldap/schema/cosine.schema
>> include /etc/openldap/schema/inetorgperson.schema
>> include /etc/openldap/schema/nis.schema
>> allow bind_v2
>>
>> pidfile /var/run/openldap/slapd.pid
>> argsfile /var/run/openldap/slapd.args
>> TLSCipherSuite HIGH:-SSLv2
>> TLSCACertificateFile /etc/openldap/cacerts/cacerts.crt
>> TLSCertificateFile /etc/openldap/cacerts/ldapproxy.example.ch.crt
>> TLSCertificateKeyFile /etc/openldap/cacerts/ldapproxy.example.ch.key
>>
>> loglevel -1
>> disallow bind_anon
>>
>> # AD
>> database ldap
>> suffix "dc=activedir,dc=example,dc=ch"
>> uri "ldaps://dc1-test.example.ch/"
>>
>> readonly on
>> rebind-as-user
>> lastmod off
>>
>> access to attrs=displayname,sn,givenname,mail,telephoneNumber
>>     by dn.exact="CN=Test User,OU=TST,OU=USERS,DC=activedir,DC=example,DC=ch" read
>>     by group.exact="CN=Grp_Users_UG,OU=Gina,OU=Applications,DC=activedir,DC=example,DC=ch" read
>>     by * none
>>
>> # The users must see the entry itself
>> access to attrs=entry
>>     by dn.exact="CN=Test User,OU=TST,OU=USERS,DC=activedir,DC=example,DC=ch" read
>>     by group.exact="CN=Grp_Users_UG,OU=Gina,OU=Applications,DC=activedir,DC=example,DC=ch" read
>>     by * none
>>
>> # Other attributes, other users have no access
>> access to *
>>     by * none
>> #-------------------------------------------------------------------------------
>> slapd.conf end
>
>
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
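As an added check that is not part of this thread and not OpenLDAP's own code: a small Python script that splits a slapd.conf into logical directives the way slapd does (continuation lines start with whitespace) and flags any "database ldap" section whose ACLs use a group-based "by" clause while defining neither acl-bind nor idassert-bind, which is the misconfiguration diagnosed above. It assumes those two directive names are the only ones that matter (older deprecated spellings are not handled); the embedded sample is a constructed, cut-down copy of the proxy config from this thread with the idassert-bind lines removed.

```python
"""Flag back-ldap databases whose ACLs depend on group lookups but give slapd
no credentials to bind to the remote server (no acl-bind / idassert-bind)."""
import re

# Constructed sample: the thread's proxy config, cut down, WITHOUT idassert-bind.
SAMPLE_CONF = """\
# AD
database ldap
suffix "dc=activedir,dc=example,dc=ch"
uri "ldaps://dc1-test.example.ch/"
access to attrs=displayname,sn,givenname,mail,telephoneNumber
    by dn.exact="CN=Test User,OU=TST,OU=USERS,DC=activedir,DC=example,DC=ch" read
    by group.exact="CN=Grp_Users_UG,OU=Gina,OU=Applications,DC=activedir,DC=example,DC=ch" read
    by * none
access to *
    by * none
"""

def parse_directives(text):
    """Drop blank/comment lines and glue whitespace-led continuation lines onto the previous directive."""
    directives = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and directives:
            directives[-1] += " " + raw.strip()
        else:
            directives.append(raw.strip())
    return directives

def find_unbound_group_acls(text):
    """Return (suffix, group DN) pairs for each 'database ldap' section that uses
    a group-based 'by' clause without acl-bind or idassert-bind (assumed names)."""
    findings, db = [], None
    for d in parse_directives(text) + ["database end"]:  # sentinel flushes last section
        word = d.split(None, 1)[0].lower()
        if word == "database":
            if db and db["type"] == "ldap" and db["groups"] and not db["bound"]:
                findings += [(db["suffix"], g) for g in db["groups"]]
            db = {"type": d.split()[1].lower(), "suffix": None, "groups": [], "bound": False}
        elif db is None:
            continue  # global section: nothing to check here
        elif word == "suffix":
            db["suffix"] = d.split(None, 1)[1].strip('"')
        elif word in ("acl-bind", "idassert-bind"):
            db["bound"] = True
        elif word == "access":
            # matches group.exact="...", group/objectClass/attr="...", etc.
            db["groups"] += re.findall(r'by\s+group[^\s=]*="([^"]+)"', d)
    return findings
```

Run against the sample it reports the Grp_Users_UG ACL under the AD suffix; adding an idassert-bind or acl-bind directive to that database section makes the report empty.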
