Re: OpenLDAP's Backend Rewrite Engine

Just in case this is useful to anyone. Here's the command I'm sending to the proxy:

ldapsearch -x -Hldap://172.16.1.201 -Dcn=Administrator,ou=Administrators,dc=test,dc=com -bdc=test,dc=com -wpassword

I want the proxy to forward the bind request to "ldap://mixedmaster.mixeddomain.com/", which is where I want the bind to take place. I know the DN must be rewritten before the bind is attempted, but I'm just not sure how to use the rewrite engine...

Michael

Michael Gale wrote:

So, I decided to try the proxy approach, and I would like to rewrite a DN from this:

"cn=<user name>,cn=Administrators,dc=test,dc=com"

to this:

"cn=<user name>,cn=Users,dc=mixeddomain,dc=com"

I would like to perform a simple substitution where the user name from one DN gets copied to another. I am using a rewrite context for a client -> server operation, but I'm pretty sure the following is not right:

database ldap
# every database section needs a suffix; assumed from the DNs used above
suffix "dc=test,dc=com"
# remote server the proxy forwards operations to
uri ldap://mixedmaster.mixeddomain.com/
# enable the back-ldap rewrite engine for this database
rewriteEngine on
# rules below apply to the DN of incoming bind requests
rewriteContext bindDn
# copy the user name (%1) from the local DN into the remote DN
rewriteRule "cn=(.*),cn=Administrators,dc=test,dc=com" "cn=%1,cn=Users,dc=mixeddomain,dc=com"
# bind to the remote server with the (rewritten) client identity
rebind-as-user

I'm a little lost as to what rules/contexts/uris are required in the "slapd.conf" file. Any help would be greatly appreciated.

Michael
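Added here as an illustration, not part of the thread: a small simulation of how the bindDn rule above would treat a few bind DNs, alongside a tightened version of the same rule. It assumes the rewrite engine's behaviour of building the output solely from the substitution pattern (with %1 for the first capture) and uses Python's regex in place of the engine's POSIX regex; the STRICT_RULE and the sample DNs are constructed for this example.

```python
import re

# The rule as posted: unanchored, and (.*) may capture anything, commas included.
LOOSE_RULE = (r"cn=(.*),cn=Administrators,dc=test,dc=com",
              r"cn=%1,cn=Users,dc=mixeddomain,dc=com")

# Tightened variant (assumption, not from the thread): anchored at both ends and
# the captured RDN value may not contain a comma, so only a direct child of
# cn=Administrators is mapped onto cn=Users.
STRICT_RULE = (r"^cn=([^,]+),cn=Administrators,dc=test,dc=com$",
               r"cn=%1,cn=Users,dc=mixeddomain,dc=com")


def apply_rule(rule, dn):
    """Return the rewritten DN, or None when the rule does not match.

    A non-matching DN is passed through unchanged by the engine, i.e. the proxy
    would bind to the remote server with the original DN.
    """
    pattern, subst = rule
    m = re.search(pattern, dn)  # rewriteRule patterns are not implicitly anchored
    if not m:
        return None
    # The output is built from the substitution pattern only; text of the input
    # outside the match is dropped. %1..%9 refer to the capture groups.
    return re.sub(r"%(\d)", lambda g: m.group(int(g.group(1))), subst)


# Constructed sample bind DNs.
SAMPLE_DNS = [
    "cn=alice,cn=Administrators,dc=test,dc=com",        # the intended case
    "cn=alice,cn=bob,cn=Administrators,dc=test,dc=com", # (.*) swallows a nested RDN
    "uid=x,cn=alice,cn=Administrators,dc=test,dc=com",  # child entry; prefix is lost
    "CN=alice,CN=Administrators,DC=test,DC=com",        # different case: no rewrite
]


def compare(dns=SAMPLE_DNS):
    """Map each DN to (loose result, strict result) so the two rules can be compared."""
    return {dn: (apply_rule(LOOSE_RULE, dn), apply_rule(STRICT_RULE, dn)) for dn in dns}


if __name__ == "__main__":
    for dn, (loose, strict) in compare().items():
        print(f"{dn}\n  loose : {loose}\n  strict: {strict}")
```

The last sample shows that DN case differences, which LDAP itself ignores, leave the rule unmatched, so the bind goes to the remote server unrewritten.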

Michael Gale wrote:

OpenLDAP Community,

We have two LDAP servers on our network. One is an OpenLDAP server, and the other is an Active Directory server. I have been investigating how to authenticate against Active Directory through the OpenLDAP server, and after several days of reading fragmented pieces of information, I am admittedly confused.

I have read about a couple of different options such as OpenLDAP's back-end or meta server, setting up a proxy, but I am still unsure which option to use. Regrettably, there is little cohesive information for establishing such a relationship, so I would love some advice. First let me describe this relationship between the two servers.

The OpenLDAP server will hold various bits of information about the users of our network, service configurations, etc. Basically, it contains the user name and small groupings of unrelated information. I want this server to be the only "point of contact" for our users and software. In other words, nobody needs to know about the Active Directory, except for the OpenLDAP server of course.

The Active Directory has user names and passwords. I am looking for a way to authenticate our users against the Active Directory. There are a few ground rules for this relationship:

1) I don't want services or users to contact the ADS server directly.
2) I don't want to synchronize passwords between the two servers.
3) I cannot replace the ADS with OpenLDAP.

Is there a preferred way to handle this situation? Can this be achieved through OpenLDAP?

Many thanks for your time,
Michael