
Re: Using OpenLDAP to point to AD as address book



> "adp" <dap99@i-55.com> writes:
> > Okay, I have openldap-2.2.11 installed and running fine. I have a very
> > minimal slapd configuration since all I'm doing is proxying for an AD
> > directory.
> [...]
> > With or without binddn I can do an anon. search of AD fine. (That just
> > returns the schema.) If I stop slapd then the anon connection fails totally.
> > (This is just to ensure I'm testing against the right server.)
>
> search on rootDSE should allow anonymous bind.

I looked this up and see what you mean.

http://www.techgalaxy.net/Docs/Dev/LDAPv3%20RootDSE%20Overview.htm

> > If I try to search a specific container, such as cn=Users, that fails. Well,
> > it doesn't fail so much as it doesn't return anything:
> [...]
>
> > Perhaps I am misunderstanding the binddn and bindpw?
>
> Yes. binddn and bindpw are for slapd internal operations only.

The manpage seems to imply (to me at least) that the binddn is used when
checking the directory for ACL purposes. I guess I just misread that.

> > I want to be able to connect to openldap from ldapsearch or any LDAP client
> > anonymously and search for mail addresses in the Users container in our AD.
> > (I will worry about ACLs and whatnot later.) From reading the slapd-meta
> > manpage I thought this would do it, but it appears that I'm wrong.
>
> > Any ideas?
>
> Ask the developer of AD to allow anonymous bind on searches.

Darn. Let me ask one more time just so that I am totally clear on this.

Even with slapd-meta, there is no way to use openldap as a front-end to AD
so that I can do an anon. search against cn=Users to scan for names (cn, sn)
and email addresses (mail) to serve as an address book that can be
anonymously used?

In other words, my only option is to dump the values I want from AD into an
openldap database on a regular basis and have users just search the local
directory instead of serving as a proxy to AD.

Wow, I totally misread slapd-meta. I was thinking that with binddn this
would all work.

> > Using a specific hostname (abc-dc, a DC for the network) is bad if abc-dc
> > goes down. Other than setting up RRDNS for our DCs just for this, is there a
> > way to configure this so that slapd will try another server (for example,
> > abc-dc2) if abc-dc is unavailable?
>
> You may define multiple uris for back-meta.

I saw that, but didn't follow up on it. Thanks for the information.
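As an added example (not from this thread or from the OpenLDAP project), here is the kind of slapd.conf back-meta fragment the two points above concern: the multi-URI failover mentioned in the last reply, and a minimal ACL that limits anonymous clients to the address-book attributes named earlier (cn, sn, mail). The suffix dc=example,dc=com and the exact multi-URI form are assumptions to be checked against the slapd-meta(5) man page of the installed release; abc-dc and abc-dc2 are the hosts named in the thread. Nothing here changes what AD itself permits: as the reply above states, the AD side still has to accept the bind the proxy performs.

```conf
# Added example, not part of the thread. Host names abc-dc and abc-dc2 come
# from the thread; the suffix and the multi-URI form are assumptions to be
# verified against slapd-meta(5) for the release in use.
database        meta
suffix          "dc=example,dc=com"

# One target whose "uri" lists two servers separated by a space. In the
# slapd-meta(5) form assumed here this declares a pool of equivalent servers:
# abc-dc is tried first and abc-dc2 is used when abc-dc does not respond.
# The naming context is given with the first URI only.
uri             "ldap://abc-dc/dc=example,dc=com ldap://abc-dc2"

# Limit what the proxy discloses to anonymous clients to the attributes an
# address book needs. The "entry" pseudo-attribute must be readable for
# search results to be returned at all; every other attribute is withheld.
access to attrs=entry,cn,sn,mail
        by anonymous read
        by * none
access to *
        by * none
```

The ACL applies at the proxy, so it bounds what a client can learn through slapd regardless of what the backend returns; the uri pool only governs which DC the proxy connects to, not the credentials it presents there.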