Background info:
CentOS 7 3.10.0-327.18.2.el7.x86_64
This server will be used as a proxy to Active Directory.
Currently it seems as if ldapsearch does not care about /etc/openldap/slapd.conf and will not bind unless I pass the bindDN and password directly using -D and -w.
I did a fresh install of OpenLDAP-servers
Edited slapd.conf with the following:
### Schema includes ###########################################################
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
## Module paths ##############################################################
modulepath /usr/lib64/openldap/
moduleload back_ldap
moduleload rwm
## Support both LDAPv2 and LDAPv3
allow bind_v2
# Main settings ###############################################################
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
### Database definition (Proxy to AD) #########################################
database ldap
readonly yes
protocol-version 3
rebind-as-user yes
uri "ldap://10.0.0.90:389"
suffix "DC=secretdomain,DC=com"
idassert-bind bindmethod=simple
    binddn="CN=MropenLDAP,OU=Administration,DC=secretdomain,DC=com"
    credentials=topsecretpass
    mode=none
idassert-authzFrom "*"
overlay rwm
rwm-map attribute uid sAMAccountName
rwm-map attribute mail proxyAddresses
### Logging ###################################################################
logfile /var/log/slapd/slapd.log
loglevel 1
Ran: slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
Made sure ownership and permissions are correct then restarted slapd.
The following does not work:
ldapsearch -H ldap://10.0.0.90 -x -b "OU=Administration,DC=secretdomain,DC=com" -v -LLL "(samaccountname=someusername)"
ldapsearch -H ldap://10.0.0.90 -x -b "OU=Administration,DC=secretdomain,DC=com" -v -LLL
It gives me this error:
ldap_initialize( ldap://10.0.0.90:389/??base )
filter: (objectclass=*)
requesting: All userApplication attributes
Operations error (1)
Additional information: 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
However, when I pass the bind account DN directly it works. I checked that both of these pieces of information are identical to the ones in the /etc/openldap/slapd.conf file:
ldapsearch -H ldap://10.0.0.90 -x -b "OU=Administration,DC=secretdomain,DC=com" -v -LLL -D "CN=MropenLDAP,OU=Administration,DC=secretdomain,DC=com" "(samaccountname=someusername)" -w topsecretpass
Best Answer
ldapsearch doesn't use slapd.conf; it uses ldap.conf (or a number of other places as outlined below). BINDDN cannot usefully be set in the global ldap.conf file, as it's considered a user-only option and is thus ignored if found there.
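To make the answer's point concrete, here is an added example (not part of the original question or answer, and not OpenLDAP code) that models how the OpenLDAP client tools resolve their defaults according to ldap.conf(5): the system-wide ldap.conf is read first, the user's ~/.ldaprc overrides it, and LDAP<OPTION> environment variables override both, with user-only options such as BINDDN dropped from the system file. The file contents, the bind DN, the password-file path and the filter are constructed for the example; the function names are my own.

```python
"""Model of how ldapsearch resolves its defaults from ldap.conf / ldaprc.

Added illustration written against ldap.conf(5); it is not OpenLDAP code.
File contents are passed in as strings (constructed below) so it runs
offline instead of touching /etc/openldap/ldap.conf or ~/.ldaprc.
"""

# Options ldap.conf(5) marks "user-only": honoured in ~/.ldaprc (or the
# file named by LDAPRC) but silently ignored in the system-wide file.
USER_ONLY = {"BINDDN", "TLS_CERT", "TLS_KEY"}

# Environment variables that select *which* files are read rather than
# setting an option; this model takes file contents directly instead.
CONTROL_VARS = {"LDAPCONF", "LDAPRC", "LDAPNOINIT"}


def parse_conf(text):
    """Parse one ldap.conf-style file into {OPTION: value}.

    Blank lines and '#' comments are skipped; each remaining line is an
    option name followed by whitespace and its value. Names are
    case-insensitive, so they are normalised to upper case here.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def resolve(system_conf, user_rc, env):
    """Merge defaults in the order ldap.conf(5) documents.

    system ldap.conf (minus user-only options) < user ldaprc < LDAP* env.
    LDAPNOINIT in the environment disables all file/env defaults.
    """
    if "LDAPNOINIT" in env:
        return {}
    resolved = {k: v for k, v in parse_conf(system_conf).items()
                if k not in USER_ONLY}          # BINDDN here is ignored
    resolved.update(parse_conf(user_rc))        # ~/.ldaprc may set BINDDN
    for name, value in env.items():             # e.g. LDAPBASE -> BASE
        if name.startswith("LDAP") and name not in CONTROL_VARS:
            resolved[name[4:].upper()] = value
    return resolved


def ldapsearch_argv(resolved, bind_dn, password_file, ldap_filter):
    """Return the arguments ldapsearch still needs after the resolved defaults.

    URI and BASE come from the files, so -H/-b are omitted when present.
    -D is only required if no usable BINDDN was resolved: with -x and no
    bind DN the client binds anonymously, which is exactly when AD answers
    "a successful bind must be completed on the connection" (code 1).
    ldap.conf(5) defines no password option, so the password always has to
    be supplied on the command line; -y <file> is used rather than
    `-w topsecretpass` so the secret does not show up in `ps` or history.
    """
    argv = ["ldapsearch", "-x", "-LLL"]
    if "URI" not in resolved:
        argv += ["-H", "ldap://10.0.0.90"]          # fall back to the page's host
    if "BASE" not in resolved:
        argv += ["-b", "OU=Administration,DC=secretdomain,DC=com"]
    if "BINDDN" not in resolved:
        argv += ["-D", bind_dn]
    argv += ["-y", password_file, ldap_filter]
    return argv


# Constructed sample files mirroring the names used in the question.
BIND_DN = "CN=MropenLDAP,OU=Administration,DC=secretdomain,DC=com"

SYSTEM_CONF = """\
# /etc/openldap/ldap.conf (constructed for this example)
URI     ldap://10.0.0.90
BASE    OU=Administration,DC=secretdomain,DC=com
# user-only option: silently ignored in the system-wide file
BINDDN  CN=MropenLDAP,OU=Administration,DC=secretdomain,DC=com
"""

USER_RC = """\
# ~/.ldaprc (constructed for this example): BINDDN is honoured here
BINDDN  CN=MropenLDAP,OU=Administration,DC=secretdomain,DC=com
"""

if __name__ == "__main__":
    query = "(sAMAccountName=someusername)"
    no_rc = resolve(SYSTEM_CONF, "", {})
    with_rc = resolve(SYSTEM_CONF, USER_RC, {})
    print("BINDDN from ldap.conf only :", no_rc.get("BINDDN"))
    print("BINDDN with ~/.ldaprc       :", with_rc.get("BINDDN"))
    print(" ".join(ldapsearch_argv(no_rc, BIND_DN, "/root/.ldappw", query)))
    print(" ".join(ldapsearch_argv(with_rc, BIND_DN, "/root/.ldappw", query)))
```

Run stand-alone, the first command line still carries `-D` because the BINDDN in the system file was discarded, while the second drops it once ~/.ldaprc supplies the DN; in both cases the password still has to come from `-y` (or `-w`/`-W`), since nothing in ldap.conf(5) can hold it. Note that the model, like the question, points at 10.0.0.90 directly; a lookup through the slapd proxy would use the proxy's own URI instead.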