Re: Using OpenLDAP to point to AD as address book

[Dieter Kluenter <dieter@dkluenter.de>]

Hi,

"adp" <dap99@i-55.com> writes:

>> "adp" <dap99@i-55.com> writes:
>> > Okay, I have openldap-2.2.11 installed and running fine. I have a very
>> > minimal slapd configuration since all I'm doing is proxying for an AD
>> > directory.
>> [...]
>> > With or without binddn I can do an anon. search of AD fine. (That just
>> > returns the schema.) If I stop slapd then the anon connection fails
> totally.
>> > (This is just to ensure I'm testing against the right server.)
[...]
>> > (I will worry about ACLs and whatnot later.) From reading the slapd-meta
>> > manpage I thought this would do it, but it appears that I'm wrong.
>>
>> > Any ideas?
>>
>> Ask the developer of AD to allow anonymous bind on searches.
>
> Darn. Let me ask one more time just so that I am totally clear on this.
>
> Even with slapd-meta, there is no way to use openldap as a front-end to AD
> so that I can do an anon. search against cn=Users to scan for names (cn, sn)
> and email addresses (mail) to serve as an address book that can be
> anonymously used?

It is the administrators task to create access rules. AFAIK AD per
default only allows access by authenticated users. (but that
discussion is OFF TOPIC here).

> In other words, my only option is to dump the values I want from AD into a
> openldap databases on a regularly basis and have users just search the local
> directory instead of serving as a proxy to AD.

No, it is just an administrative task. 

> Wow, I totally misread slapd-meta. I was thinking that with binddn this
> would all work.

You may read the discussion on ACL's in man slapd-meta(5), and you
might consider wether pseudorootdn would be an alternative.

[...]

-Dieter

-- 
Dieter Kluenter  | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter(at)dkluenter.de
http://www.avci.de