I am attempting to set up a pass-through proxy to Active Directory, using ldap on Debian Wheezy. The slapd.conf file is below. I can bind just fine by using lastname, first name:
ldapsearch -x -h localhost -b "OU=Site-Users,DC=mycompany,DC=local" -D "cn=LaCroix\, Jay,OU=My Group,OU=Site-Users,DC=mycompany,DC=local" -W "(sAMAccountName=jlacroix)" cn sAMAccountName
And that does work:
result: 0 Success
But what we really want to do is bind via the user name (sAMAccountName):
ldapsearch -x -h localhost -b "OU=Site-Users,DC=mycompany,DC=local" -D "cn=jlacroix,OU=My Group,OU=Site-Users,DC=mycompany,DC=local" -W "(sAMAccountName=jlacroix)" cn sAMAccountName
and that does not work:
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
Note: Despite that error, my credentials ARE correct, as seen in the first example where binding works via Last Name, First Name.
I have been searching through examples for a number of weeks now, and no matter what I try, I can't seem to bind against sAMAccountName, only Last Name, First Name.
I can search for sAMAccountName when searching against AD directly, but not when using my ldap proxy.
Here is my /etc/ldap/slapd.conf:
# Import our schema
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/samaccountname.schema
moduleload back_ldap
moduleload back_bdb.la
moduleload rwm
# Support both LDAPv2 and LDAPv3
allow bind_v2
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 1
# Our slapd-ldap back end to connect to AD
database ldap
suffix ou=Site-Users,dc=mycompany,dc=local
subordinate
rebind-as-user yes
uri ldap://10.10.10.99:389
chase-referrals yes
readonly yes
#protocol-version 3
overlay rwm
rwm-map attribute uid sAMAccountName
rwm-map attribute mail proxyAddresses
binddn cn=ADreader
bindpw supersecretpassword
# Our primary back end
database bdb
suffix dc=mycompany,dc=local
rootdn cn=admin,dc=mycompany,dc=local
rootpw supersecretpassword
directory /var/lib/ldap
# Indexes for this back end
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uid eq,pres,sub
Best Answer
Your "it works" example works because the DN of the object is cn=LaCroix\, Jay,OU=My Group,OU=Site-Users,DC=mycompany,DC=local. The second doesn't work because the DN of the object isn't cn=jlacroix,OU=My Group,OU=Site-Users,DC=mycompany,DC=local.
It's not that you're binding with the "Last Name, First Name"; rather, the CN of the object is set to "Last Name, First Name" and you're binding with the object's CN. You can't just put the sAMAccountName in as the CN and expect it to work. The object's CN is the object's CN.
Binding directly to AD with a bind DN of "DOMAIN\sAMAccountName" will work fine. I don't think OpenLDAP will handle that, though. It's probably going to reject that syntax even though, from Active Directory's perspective, it will work fine.
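The usual way to let users log in with their sAMAccountName while still binding with the object's real DN is the search-then-bind pattern: a read-only service account (the proxy's binddn in the question's config) searches for the entry whose sAMAccountName matches, and the resulting DN is what gets bound with the user's password. The example below is added here and is not code from the question or the answer. It models the directory with a constructed in-memory stand-in rather than a live AD or the slapd proxy, so that it runs offline; the entry, password and base DN are made up. It also escapes the username per RFC 4515 before placing it in the filter (so `*` or `)` from a login form cannot change the filter's structure) and shows how a CN containing a comma is escaped per RFC 4514, which is why the working bind DN reads `LaCroix\, Jay`. With the question's `rwm-map attribute uid sAMAccountName` line, the same search sent through the proxy could use `uid` instead; the attribute is therefore a parameter.

```python
"""Search-then-bind: resolve sAMAccountName -> object DN, then bind as that DN.

The directory below is a constructed in-memory stand-in for the AD-backed
OpenLDAP proxy from the question; no network access is needed to run it.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# RFC 4515: characters that would let user input alter the filter structure
# are replaced by their hex escapes, so the value is matched literally.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# RFC 4514: the attribute value inside a DN must escape these characters,
# plus a leading '#' and leading/trailing spaces ("LaCroix, Jay" -> "LaCroix\, Jay").
_DN_SPECIAL = ',+"\\<>;'


def escape_dn_value(value: str) -> str:
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


@dataclass
class Entry:
    dn: str
    attrs: Dict[str, str]
    password: str = field(repr=False)  # constructed; a real directory never returns this


class FakeDirectory:
    """Minimal stand-in: supports one equality filter and a simple bind."""

    _EQ = re.compile(r"^\((\w+)=(.*)\)$")

    def __init__(self, entries: List[Entry]):
        self.entries = entries

    @staticmethod
    def _unescape(value: str) -> str:
        # reverse of escape_filter_value; \2a becomes a literal '*', not a wildcard
        return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

    def search(self, base_dn: str, ldap_filter: str) -> List[Entry]:
        m = self._EQ.match(ldap_filter)
        if not m:
            raise ValueError("only (attr=value) filters are modelled here")
        attr, value = m.group(1), self._unescape(m.group(2)).lower()
        return [
            e for e in self.entries
            if e.dn.lower().endswith(base_dn.lower()) and e.attrs.get(attr, "").lower() == value
        ]

    def bind(self, dn: str, password: str) -> bool:
        # Like AD: the DN must be the object's actual DN, not a CN made up from the login name.
        return any(e.dn.lower() == dn.lower() and e.password == password for e in self.entries)


def authenticate(directory: FakeDirectory, base_dn: str, login: str, password: str,
                 attribute: str = "sAMAccountName") -> Optional[str]:
    """Return the user's DN when the search finds exactly one entry and the bind succeeds."""
    if not password:
        # A simple bind with an empty password is an unauthenticated bind, never proof of identity.
        return None
    hits = directory.search(base_dn, f"({attribute}={escape_filter_value(login)})")
    if len(hits) != 1:
        return None
    return hits[0].dn if directory.bind(hits[0].dn, password) else None


# Constructed sample data mirroring the question's naming layout.
BASE_DN = "OU=Site-Users,DC=mycompany,DC=local"
JAY_DN = f"cn={escape_dn_value('LaCroix, Jay')},OU=My Group,{BASE_DN}"
DIRECTORY = FakeDirectory([
    Entry(JAY_DN, {"cn": "LaCroix, Jay", "sAMAccountName": "jlacroix", "uid": "jlacroix"},
          password="constructed-password"),
])

if __name__ == "__main__":
    print(authenticate(DIRECTORY, BASE_DN, "jlacroix", "constructed-password"))
    print(DIRECTORY.bind(f"cn=jlacroix,OU=My Group,{BASE_DN}", "constructed-password"))
```

The second print reproduces the failing case from the question: binding as `cn=jlacroix,...` is refused because no object has that DN, even though the password is right. The first resolves the same login to the escaped DN and binds successfully.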