Hi everyone,

I have been testing and debugging a lot lately and cannot come to a solution, 
maybe you can help.

I recently installed a new OpenLDAP server (Debian Jessie) (OpenLDAP version 
2.4.40) which is used to proxy parts of the Active Directory.
However, from time to time it is not able to get entries (it does not answer 
queries but returns success) from the Active Directory.

What I see in the logs is the following:

Jun 10 11:37:38 openldap-proxy slapd[41657]: conn=1166 op=1 ldap_back_retry: 
retrying URI="ldaps://dc.ourdomain.com" 
DN="cn=ldap-binder,ou=serviceaccounts,dc= ourdomain,dc=com"
Jun 10 11:37:38 openldap-proxy slapd[41657]: Error: ldap_back_is_proxy_authz 
returned 0, misconfigured URI?

First of all, the URI is correct and the system works well most of the 
time (except for this error); those "errors" only happen from time to time.

The strange thing is that this new LDAP server is running with exactly the same 
configuration as another OpenLDAP server which has been running for over 2 years now, 
and the old OpenLDAP server (Debian Wheezy) (OpenLDAP version 2.4.31) also 
shows the first log entry from time to time (the ldap_back_retry one), 
but does not show the ldap_back_is_proxy_authz error afterwards. Furthermore, it 
also always returns the right answer.

For debugging reasons I tried Wiresharking the Domain Controller and TCP-dumping 
the LDAP server and the client.
The traffic looks okay; in the case of that error the OpenLDAP server simply 
asks the Domain Controller, which returns success but no results.

Might it be possible that the LDAP bind from the OpenLDAP system to the Active 
Directory expired and the OpenLDAP is not able to re-establish a new bind via 
the current query?
Since, once this error occurs, the query right after the error works and then it 
takes some time until that error occurs again, and since it is working in the 
older OpenLDAP version, 
could it be a bug in the new OpenLDAP version?

I also looked in the logs of the Domain Controller; everything is fine there.

Furthermore, I installed test OpenLDAP systems (CentOS [yum], OpenBSD [pkg] and 
one compiled from source with a minimal module configuration) (2.4.40) and 
tried the same configuration there: same problem.

While googling and searching for a solution I stumbled across a guy having the 
same problem, who reported it to this mailing list in 2013.
Someone suggested adding the Active Directory schema to the OpenLDAP, which I 
did and which did not solve this issue.
I tried adding the full schema as well as adding only the attributes and object 
classes that are used. The problem still persists.

Does anyone of you have any suggestions?
Does anyone have similar problems?

Thank you for your time.

Best Regards,
Dominique Voest
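To quantify how often the retry is followed by the ldap_back_is_proxy_authz error, and whether those operations are the ones that return err=0 with nentries=0, here is a small triage script for slapd syslog output. It is an added example, not part of the post; the sample log is constructed to mirror the two quoted lines (connection ids, timestamps and the SEARCH RESULT lines are made up).

```python
import re
from datetime import datetime

# Constructed sample slapd log (syslog format, as quoted in the post); the
# connection ids, timestamps and the SEARCH RESULT lines are invented here.
SAMPLE_LOG = """\
Jun 10 11:37:38 openldap-proxy slapd[41657]: conn=1166 op=1 ldap_back_retry: retrying URI="ldaps://dc.ourdomain.com" DN="cn=ldap-binder,ou=serviceaccounts,dc=ourdomain,dc=com"
Jun 10 11:37:38 openldap-proxy slapd[41657]: Error: ldap_back_is_proxy_authz returned 0, misconfigured URI?
Jun 10 11:37:38 openldap-proxy slapd[41657]: conn=1166 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jun 10 12:02:11 openldap-proxy slapd[41657]: conn=1201 op=1 ldap_back_retry: retrying URI="ldaps://dc.ourdomain.com" DN="cn=ldap-binder,ou=serviceaccounts,dc=ourdomain,dc=com"
Jun 10 12:02:11 openldap-proxy slapd[41657]: conn=1201 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 10 12:40:05 openldap-proxy slapd[41657]: conn=1250 op=1 ldap_back_retry: retrying URI="ldaps://dc.ourdomain.com" DN="cn=ldap-binder,ou=serviceaccounts,dc=ourdomain,dc=com"
Jun 10 12:40:05 openldap-proxy slapd[41657]: Error: ldap_back_is_proxy_authz returned 0, misconfigured URI?
Jun 10 12:40:05 openldap-proxy slapd[41657]: conn=1250 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ slapd\[(\d+)\]: (.*)$")
CONN_RE = re.compile(r"conn=(\d+) op=(\d+) (.*)")
RESULT_RE = re.compile(r"SEARCH RESULT .*err=(\d+) nentries=(\d+)")

def analyze(log_text, year=2015):
    """Correlate each ldap_back_retry with a following proxy_authz error (which
    carries no conn=, so it is attributed to the last retry of the same pid)
    and with the SEARCH RESULT of the same conn/op. Returns the retry records
    in log order and the gaps in seconds between consecutive failed retries."""
    retries = {}      # (pid, conn, op) -> record, in insertion order
    last_retry = {}   # pid -> key of the most recent retry seen
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        pid, msg = m.group(2), m.group(3)
        if msg.startswith("Error: ldap_back_is_proxy_authz"):
            if pid in last_retry:
                retries[last_retry[pid]]["authz_error"] = True
            continue
        c = CONN_RE.match(msg)
        if not c:
            continue
        key = (pid, c.group(1), c.group(2))
        if c.group(3).startswith("ldap_back_retry"):
            retries[key] = {"time": ts, "authz_error": False, "nentries": None}
            last_retry[pid] = key
        elif key in retries:
            r = RESULT_RE.match(c.group(3))
            if r and r.group(1) == "0":   # success status; nentries tells the truth
                retries[key]["nentries"] = int(r.group(2))
    failed = [r["time"] for r in retries.values() if r["authz_error"]]
    gaps = [(b - a).total_seconds() for a, b in zip(failed, failed[1:])]
    return list(retries.values()), gaps
```

Run it over the real slapd log (loglevel stats) to see whether every empty result coincides with the proxy_authz error and how regular the interval between failures is, which is the pattern a bind-expiry explanation would predict.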


