ldap/AD proxy: Unable to bind using sAMAccountName, but last name and first name is able to bind
Your "it works" example works because the DN of the object is cn=LaCroix\, Jay,OU=My Group,OU=Site-Users,DC=mycompany,DC=local. The second doesn't work because the DN of the object isn't cn=jlacroix,OU=My Group,OU=Site-Users,DC=mycompany,DC=local.
It's not that you're binding with the "Last Name, First Name", rather the CN of the object is set to "Last Name, First Name" and you're binding with the object's CN. You can't just put the sAMAccountName in as the CN and expect it to work. The object's CN is the object's CN.
Binding directly to AD with a bind DN of "DOMAIN\sAMAccountName" will work fine. I don't think OpenLDAP will handle that, though. It's probably going to reject that syntax even though, from Active Directory's perspective, it will work fine.
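The flow the answer points at, resolving the sAMAccountName to the object's real DN with a reader account and only then binding as that DN, as an added Python example that is not from the post or the OpenLDAP project. The in-memory directory, the user password and the reader account's location under the site OU are constructed assumptions standing in for the AD behind the proxy.

```python
# Added example (not from the post): search-then-bind against a constructed
# stand-in for AD. Passwords and the reader account's DN are assumptions.
from dataclasses import dataclass

def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514).
    'LaCroix, Jay' -> 'LaCroix\\, Jay': the backslash in the working bind DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;' or (i == 0 and ch in ' #') or (i == last and ch == ' ')
        out.append('\\' + ch if special else ch)
    return ''.join(out)

@dataclass
class Directory:
    """Minimal DN -> attributes store standing in for AD (constructed)."""
    entries: dict

    def search(self, base: str, attr: str, value: str) -> list:
        """DNs under `base` whose `attr` equals `value` (AD compares case-insensitively)."""
        return [dn for dn, attrs in self.entries.items()
                if dn.lower().endswith(base.lower())
                and attrs.get(attr, '').lower() == value.lower()]

    def bind(self, dn: str, password: str) -> bool:
        """Simple bind succeeds only for an existing DN with the right password."""
        entry = self.entries.get(dn)
        return entry is not None and entry['password'] == password

def search_then_bind(directory, reader_dn, reader_pw, base, sam_account_name, password):
    """Resolve sAMAccountName to the object's real DN with the reader account, then
    bind as that DN. Returns the DN on success, None on bad password or when the
    lookup is not exactly one hit (never guess a DN from the account name)."""
    if not directory.bind(reader_dn, reader_pw):
        raise RuntimeError('reader account bind failed')
    hits = directory.search(base, 'sAMAccountName', sam_account_name)
    if len(hits) != 1:
        return None
    return hits[0] if directory.bind(hits[0], password) else None

BASE = 'OU=Site-Users,DC=mycompany,DC=local'
READER_DN = 'cn=ADreader,' + BASE  # assumed location of the reader account
AD = Directory({
    READER_DN: {'sAMAccountName': 'ADreader', 'password': 'supersecretpassword'},
    'cn=' + escape_rdn_value('LaCroix, Jay') + ',OU=My Group,' + BASE:
        {'sAMAccountName': 'jlacroix', 'password': 'jays-password'},  # constructed
})
```

`AD.bind('cn=jlacroix,OU=My Group,' + BASE, 'jays-password')` reproduces the failing command (no object has that DN), while `search_then_bind(AD, READER_DN, 'supersecretpassword', BASE, 'jlacroix', 'jays-password')` returns the real `cn=LaCroix\, Jay,...` DN.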
Jay LaCroix
Updated on September 18, 2022
Jay LaCroix almost 2 years
I am attempting to set up a pass-through proxy to Active Directory, using ldap on Debian Wheezy. The slapd.conf file is below. I can bind just fine by using last name, first name:
ldapsearch -x -h localhost -b "OU=Site-Users,DC=mycompany,DC=local" -D "cn=LaCroix\, Jay,OU=My Group,OU=Site-Users,DC=mycompany,DC=local" -W "(sAMAccountName=jlacroix)" cn sAMAccountName
And that does work:
result: 0 Success
But what we really want to do is bind via the user name (sAMAccountName):
ldapsearch -x -h localhost -b "OU=Site-Users,DC=mycompany,DC=local" -D "cn=jlacroix,OU=My Group,OU=Site-Users,DC=mycompany,DC=local" -W "(sAMAccountName=jlacroix)" cn sAMAccountName
and that does not work:
ldap_bind: Invalid credentials (49) additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
Note: Despite that error, my credentials ARE correct, as seen in the first example where binding works via Last Name, First Name.
I have been searching through examples for a number of weeks now, and no matter what I try, I can't seem to bind against sAMAccountName, only Last Name, First Name.
I can search for sAMAccountName when searching against AD directly, but not when using my ldap proxy.
Here is my /etc/ldap/slapd.conf:
```
# Import our schema
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/samaccountname.schema

moduleload back_ldap
moduleload back_bdb.la
moduleload rwm

# Support both LDAPv2 and LDAPv3
allow bind_v2

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 1

# Our slapd-ldap back end to connect to AD
database ldap
suffix ou=Site-Users,dc=mycompany,dc=local
subordinate
rebind-as-user yes
uri ldap://10.10.10.99:389
chase-referrals yes
readonly yes
#protocol-version 3
overlay rwm
rwm-map attribute uid sAMAccountName
rwm-map attribute mail proxyAddresses
binddn cn=ADreader
bindpw supersecretpassword

# Our primary back end
database bdb
suffix dc=mycompany,dc=local
rootdn cn=admin,dc=mycompany,dc=local
rootpw supersecretpassword
directory /var/lib/ldap

# Indexes for this back end
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uid eq,pres,sub
```
Jay LaCroix over 9 years
Thanks, it's starting to make more sense. My goal is to get it to recognize sAMAccountName so that we can utilize it via ldap as a proxy to AD. The tutorial I followed is this one: windowsitpro.com/networking/… My understanding (which may be wrong) is that it's supposed to pass the request to AD as a proxy. But that's not what it's doing. Using just DOMAIN\sAMAccountName doesn't work either, unfortunately. Thanks!