I am attempting to set up a pass-through proxy to Active Directory, using ldap on Debian Wheezy. The slapd.conf file is below. I can bind just fine by using lastname, first name:

ldapsearch -x -h localhost -b "OU=Site-Users,DC=mycompany,DC=local" -D "cn=LaCroix\, Jay,OU=My Group,OU=Site-Users,DC=mycompany,DC=local" -W "(sAMAccountName=jlacroix)" cn sAMAccountName

And that does work:

result: 0 Success

But what we really want to do is bind via the user name (sAMAccountName):

ldapsearch -x -h localhost -b "OU=Site-Users,DC=mycompany,DC=local" -D "cn=jlacroix,OU=My Group,OU=Site-Users,DC=mycompany,DC=local" -W "(sAMAccountName=jlacroix)" cn sAMAccountName

and that does not work:

ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

Note: Despite that error, my credentials ARE correct, as seen in the first example where binding works via Last Name, First Name.

I have been searching through examples for a number of weeks now, and no matter what I try, I can't seem to bind against sAMAccountName, only Last Name, First Name.

I can search for sAMAccountName when searching against AD directly, but not when using my ldap proxy.

Here is my /etc/ldap/slapd.conf:

# Import our schema
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/samaccountname.schema

moduleload      back_ldap
moduleload      back_bdb.la
moduleload      rwm 

# Support both LDAPv2 and LDAPv3
allow           bind_v2

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

loglevel        1   

# Our slapd-ldap back end to connect to AD

database        ldap
suffix          ou=Site-Users,dc=mycompany,dc=local
subordinate
rebind-as-user  yes 
uri             ldap://10.10.10.99:389
chase-referrals yes 
readonly        yes 
#protocol-version       3   

overlay         rwm 
rwm-map         attribute       uid     sAMAccountName
rwm-map         attribute       mail    proxyAddresses 

binddn cn=ADreader 
bindpw supersecretpassword

# Our primary back end 

database        bdb 
suffix          dc=mycompany,dc=local
rootdn          cn=admin,dc=mycompany,dc=local
rootpw          supersecretpassword 
directory       /var/lib/ldap

# Indexes for this back end 
index           objectClass                     eq,pres
index           ou,cn,mail,surname,givenname    eq,pres,sub
index           uid                             eq,pres,sub
Jay LaCroix

1 Answer

Your "it works" example works because the DN of the object is cn=LaCroix\, Jay,OU=My Group,OU=Site-Users,DC=mycompany,DC=local. The second doesn't work because the DN of the object isn't cn=jlacroix,OU=My Group,OU=Site-Users,DC=mycompany,DC=local.

It's not that you're binding with the "Last Name, First Name", rather the CN of the object is set to "Last Name, First Name" and you're binding with the object's CN. You can't just put the sAMAccountName in as the CN and expect it to work. The object's CN is the object's CN.

Binding directly to AD with a bind DN of "DOMAIN\sAMAccountName" will work fine. I don't think OpenLDAP will handle that, though. It's probably going to reject that syntax even though, from Active Directory's perspective, it will work fine.

Evan Anderson
  • Thanks, it's starting to make more sense. My goal is to get it to recognize sAMAccountName so that we can utilize it via ldap as a proxy to AD. The tutorial I followed is this one: http://windowsitpro.com/networking/integrate-active-directory-and-openldap My understanding (which may be wrong) is that it's supposed to pass the request to AD as a proxy. But that's not what it's doing. Using just DOMAIN\sAMAccountName doesn't work either, unfortunately. Thanks! – Jay LaCroix Nov 11 '14 at 21:08
  • For some wicked fun I just set this up on a test box. OpenLDAP's enforcement of the DN syntax for the bind DN is definitely what's causing the "DOMAIN\sAMAccountName" syntax not to work for you. That's a shame, because it probably would work if OpenLDAP would just pass the string through unmodified. – Evan Anderson Nov 11 '14 at 21:32
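The usual way around the problem the answer describes (a bind needs the entry's real DN, not its sAMAccountName) is a search-then-bind: look the account up first, then bind with the DN that comes back. The example below is an added illustration, not code from the question or the answer; it assumes the slapd.conf above, where `rwm-map attribute uid sAMAccountName` exposes AD's sAMAccountName to proxy clients as `uid`, and it uses a constructed in-memory stand-in for the proxy instead of a live server.

```python
"""Search-then-bind through the OpenLDAP proxy (added example, not from the post).

FakeDirectory is a constructed stand-in for the proxy: it answers (uid=...)
searches, as the rwm overlay in the slapd.conf above would, and accepts a bind
only on an entry's exact DN, which is the behaviour the question ran into.
"""
import re

BASE = "OU=Site-Users,DC=mycompany,DC=local"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a user-supplied name cannot alter the search filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


class FakeDirectory:
    """Constructed model of the proxy: dn -> {"uid": ..., "password": ...}."""

    def __init__(self, entries):
        self.entries = entries

    def search(self, base, filt):
        # Only the proxy-side attribute name (uid) is searchable here.
        m = re.fullmatch(r"\(uid=([^)]*)\)", filt)
        if not m or not base.lower().endswith(BASE.lower()):
            return []
        return [dn for dn, a in self.entries.items() if a["uid"] == m.group(1)]

    def bind(self, dn, password):
        """LDAP result code: 0 on success, 49 (invalidCredentials) otherwise."""
        entry = self.entries.get(dn)
        return 49 if entry is None or entry["password"] != password else 0


def authenticate(directory, username, password):
    """Resolve the account's DN via uid, then bind with that DN; None on failure."""
    dns = directory.search(BASE, "(uid=%s)" % escape_filter_value(username))
    if len(dns) != 1:  # unknown or ambiguous account: never attempt the bind
        return None
    return dns[0] if directory.bind(dns[0], password) == 0 else None


# Constructed sample entry mirroring the DN from the question; password is made up.
DIRECTORY = FakeDirectory({
    "cn=LaCroix\\, Jay,OU=My Group,OU=Site-Users,DC=mycompany,DC=local":
        {"uid": "jlacroix", "password": "example-pw"},
})
```

Binding with `cn=jlacroix,...` still returns 49 in this model, exactly as the answer explains; only the DN returned by the search binds successfully.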