I am attempting to set up a pass-through proxy to Active Directory, using ldap on Debian Wheezy. The slapd.conf file is below. I can bind just find by using lastname, first name:
ldapsearch -x -h localhost -b "OU=Site-Users,DC=mycompany,DC=local" -D "cn=LaCroix\, Jay,OU=My Group,OU=Site-Users,DC=mycompany,DC=local" -W "(sAMAccountName=jlacroix)" cn sAMAccountName
And that does work:
result: 0 Success
But what we really want to do is bind via the user name (sAMAccountName):
ldapsearch -x -h localhost -b "OU=Site-Users,DC=mycompany,DC=local" -D "cn=jlacroix,OU=My Group,OU=Site-Users,DC=mycompany,DC=local" -W "(sAMAccountName=jlacroix)" cn sAMAccountName
and that does not work:
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
Note: Despite that error, my credentials ARE correct, as seen in the first example where binding works via Last Name, First Name.
I have been searching through examples for a number of weeks now, and no matter what I try, I can't seem to bind against sAMAccountName, only Last Name, First Name.
I can search for sAMAccountName when searching against AD directly, but not when using my ldap proxy.
Here is my /etc/ldap/slapd.conf:
# Import our schema
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/samaccountname.schema
moduleload back_ldap
moduleload back_bdb.la
moduleload rwm
# Support both LDAPv2 and LDAPv3
allow bind_v2
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 1
# Our slapd-ldap back end to connect to AD
database ldap
suffix ou=Site-Users,dc=mycompany,dc=local
subordinate
rebind-as-user yes
uri ldap://10.10.10.99:389
chase-referrals yes
readonly yes
#protocol-version 3
overlay rwm
rwm-map attribute uid sAMAccountName
rwm-map attribute mail proxyAddresses
binddn cn=ADreader
bindpw supersecretpassword
# Our primary back end
database bdb
suffix dc=mycompany,dc=local
rootdn cn=admin,dc=mycompany,dc=local
rootpw supersecretpassword
directory /var/lib/ldap
# Indexes for this back end
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uid eq,pres,sub