Hi all,

I am trying to configure an OpenLDAP proxy to proxy searches to my 2 (two) 
different AD servers. I am testing/trying to log in as a domain user to an 
application that is configured to verify users against this proxy.

Context is:
- allowed app users from AD1 will be placed in the "AllowAPP" group on AD1, 
i.e. CN=AllowAPP,OU=Groups,OU=Something,DC=domain,DC=xy
- allowed app users from AD2 will be placed in the "AllowAPP" group on AD2, 
i.e. CN=Allow,OU=App,OU=Group,DC=domain2,DC=local
- these two groups are placed in different OUs on both ADs (Active 
Directories), so special rewriting has to be done on both URIs

Problem is that I don't know how to correctly authenticate users. The app 
configuration is that it will allow login only to a user who is a member of 
the CN=AllowAPP,OU=Groups,DC=grouped,DC=all "virtual" group.
All is working fine when I am searching group membership of users with ldapsearch. 
I can find members of both groups by searching the virtual group mentioned above.

I suspect there is a problem with passing user credentials to one of the AD servers 
that I am proxying to. I am using sAMAccountName as the user login.

This is the debug search base when I am trying to log in from the app:
        SRCH base="dc=grouped,dc=all" scope=2 deref=2 
        filter="(?SAMACCOUNTNAME=test.user)"

This is the error produced while I am trying to log in as a user:
        meta_back_search[0] match="" err=1 (Operations error) text="000004DC: 
        LdapErr: DSID-0C09075A, comment: In order to perform this operation a 
        successful bind must be completed on the connection., data 0, v1db1".

Am I doing something wrong? Can you advise? I am probably missing something 
that refers to validating users' credentials.

Thanks, BR,
Martin

This is my configuration so far:

database        meta
suffix          "dc=grouped,dc=all"
rootdn          "cn=admin,dc=grouped,dc=all"
rootpw          "password"
readonly        yes
lastmod         off

uri             ldap://AD1/dc=grouped,dc=all
suffixmassage   "dc=grouped,dc=all" "dc=domain,dc=xy"
idassert-bind   bindmethod=simple
        binddn="CN=bind,CN=Users,dc=domain,dc=xy"
        credentials="password"
        mode=none
        flags=non-prescriptive

rewriteEngine   on
chase-referrals yes
rewriteContext  default
rewriteContext  searchBase
rewriteRule     "CN=AllowAPP,OU=Groups,DC=grouped,DC=all$" "CN=AllowAPP,OU=Groups,OU=Something,DC=domain,DC=xy" "@"

uri             ldap://AD2/dc=grouped,dc=all
suffixmassage   "dc=grouped,dc=all" "dc=domain2,dc=local"
idassert-bind   bindmethod=simple
        binddn="CN=binduser,CN=Users,dc=domain2,dc=local"
        credentials="password"
        mode=none
        flags=non-prescriptive

rewriteEngine   on
chase-referrals yes
rewriteContext  default
rewriteContext  searchBase
rewriteRule     "CN=AllowAPP,OU=Groups,DC=grouped,DC=all$" "CN=Allow,OU=App,OU=Group,DC=domain2,DC=local" "@"

