
Re: Using OpenLDAP to point to AD as address book



> > I have no problems using tools such as ldapsearch to view our AD after a
> > bind. But I wonder if I can set up a referral in OpenLDAP so that our Unix
> > mail users can open their LDAP address book and see what the Exchange users
> > already see. The big issue I see is that you have to bind to view anything
> > in AD (other than the schema).
>
> > I'm using openldap-2.0.27-11.
>
> Update OpenLDAP and set up a meta or ldap backend to view your
> address book. For configuration see man slapd-meta(5) and man
> slapd-ldap(5)

This is exactly what I was looking for, thanks. I have one problem, however,
that I hope this group can help with.

Okay, I have openldap-2.2.11 installed and running fine. I have a very
minimal slapd configuration since all I'm doing is proxying for an AD
directory.

My database section so far:

database meta
suffix   "dc=abc,dc=com"
uri      ldap://abc-dc/dc=abc,dc=com
binddn          "cn=Administrator,cn=Users,dc=abc,dc=com"
bindpw          adminpass

I am using Administrator while testing. Don't worry, I won't use that in
production.

With or without binddn I can do an anon. search of AD fine. (That just
returns the schema.) If I stop slapd then the anon connection fails totally.
(This is just to ensure I'm testing against the right server.)

If I try to search a specific container, such as cn=Users, that fails. Well,
it doesn't fail so much as it doesn't return anything:

//////////////
# ldapsearch -x -b "cn=Users,dc=abc,dc=com" '(cn=Joe User)'
# extended LDIF
#
# LDAPv3
# base <cn=Users,dc=abc,dc=com> with scope sub
# filter: (cn=Joe User)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

//////////////

Now if I pass along the Administrator account and password it works:

//////////////
$ ldapsearch -x -b "cn=Users,dc=abc,dc=com" -D "cn=Administrator,cn=Users,dc=abc,dc=com" -wadminpass '(cn=Joe User)'
# extended LDIF
#
# LDAPv3
# base <cn=Users,dc=abc,dc=com> with scope sub
# filter: (cn=Joe User)
# requesting: ALL
#

# Joe User, Users, abc.com
dn: CN=Joe User,CN=Users,DC=abc,DC=com
cn: Joe User
mail: joeuser@abc.com
givenName: Joe
distinguishedName: CN=Joe User,CN=Users,DC=abc,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
name: Joe User
sn: User

# search result
search: 2
result: 32 No such object

# numResponses: 2
# numEntries: 1

//////////////

Perhaps I am misunderstanding the binddn and bindpw?

I want to be able to connect to openldap from ldapsearch or any LDAP client
anonymously and search for mail addresses in the Users container in our AD.
(I will worry about ACLs and whatnot later.) From reading the slapd-meta
manpage I thought this would do it, but it appears that I'm wrong.

Any ideas?

Question two:

Using a specific hostname (abc-dc, a DC for the network) is bad if abc-dc
goes down. Other than setting up RRDNS for our DCs just for this, is there a
way to configure this so that slapd will try another server (for example,
abc-dc2) if abc-dc is unavailable?
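As an added example for question one (not part of the original post, and not OpenLDAP code): a small Python parser for the "extended LDIF" that ldapsearch prints, run over constructed copies of the two transcripts above. It shows the detail worth noticing in the bound run: an entry comes back and the final line is still "result: 32 No such object", so a client that keys its behaviour off the result code alone would treat a successful lookup as empty. The transcripts are abridged copies, the folded distinguishedName line and the base64 displayName value are constructed to exercise the parser, and the classification strings returned by diagnose() are the example's own.

```python
import base64
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed copies of the two ldapsearch transcripts from the post (abridged).
# One value is folded across two lines and one base64 ("::") value is added
# only to exercise the parser; nothing here was captured from a live server.
ANON_OUTPUT = """\
# extended LDIF
#
# LDAPv3
# base <cn=Users,dc=abc,dc=com> with scope sub
# filter: (cn=Joe User)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
"""

BOUND_OUTPUT = """\
# extended LDIF
#
# LDAPv3
# base <cn=Users,dc=abc,dc=com> with scope sub
# filter: (cn=Joe User)
# requesting: ALL
#

# Joe User, Users, abc.com
dn: CN=Joe User,CN=Users,DC=abc,DC=com
cn: Joe User
mail: joeuser@abc.com
givenName: Joe
distinguishedName: CN=Joe User,CN=Users,DC=abc,DC=
 com
displayName:: Sm9lIFVzZXI=
objectClass: top
objectClass: person
sn: User

# search result
search: 2
result: 32 No such object

# numResponses: 2
# numEntries: 1
"""


@dataclass
class SearchOutcome:
    entries: List[Dict[str, List[str]]] = field(default_factory=list)
    result_code: Optional[int] = None
    result_text: str = ""


def unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (leading space) onto the line before them."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldapsearch(text: str) -> SearchOutcome:
    """Parse ldapsearch 'extended LDIF' output: entries first, result line last."""
    out = SearchOutcome()
    current: Optional[Dict[str, List[str]]] = None
    for line in unfold(text):
        if line.startswith("#"):
            continue                      # banner, DN summaries and counters are comments
        if line == "":
            if current is not None:       # a blank line terminates an entry
                out.entries.append(current)
                current = None
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):         # "attr:: <base64>" per LDIF
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if key == "result":               # e.g. "result: 32 No such object"
            code, _, msg = value.partition(" ")
            out.result_code, out.result_text = int(code), msg
            continue
        if key == "dn":
            current = {}
        if current is not None:           # "search:" outside an entry is ignored
            current.setdefault(key, []).append(value)
    if current is not None:
        out.entries.append(current)
    return out


def address_book(outcome: SearchOutcome) -> List[Tuple[str, str]]:
    """What a mail client wants from the proxy: (cn, mail) for entries carrying a mail attribute."""
    return [(e["cn"][0], e["mail"][0]) for e in outcome.entries if "cn" in e and "mail" in e]


def diagnose(outcome: SearchOutcome) -> str:
    """Classify an outcome the way a client should: look at entries before the result code."""
    if outcome.entries:
        return "entries-returned"
    if outcome.result_code == 32:
        return "empty-no-such-object"
    return "empty"


if __name__ == "__main__":
    for label, text in (("anonymous", ANON_OUTPUT), ("bound", BOUND_OUTPUT)):
        outcome = parse_ldapsearch(text)
        print(label, diagnose(outcome), outcome.result_code, address_book(outcome))
```

Run as-is it classifies the anonymous transcript as "empty-no-such-object" and the bound one as "entries-returned" with Joe User's address, even though both end with result code 32.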