RE: OpenLDAP as proxy for Active Directory
- To: <openldap-software@OpenLDAP.org>
- Subject: RE: OpenLDAP as proxy for Active Directory
- From: "Wanek, Daniel J." <dwanek@state.nd.us>
- Date: Mon, 17 Oct 2005 08:19:28 -0500
- Content-class: urn:content-classes:message
- Thread-index: AcXRJ2ON1VRKCN37Tv2Occnrb6hC6gB9HfcA
- Thread-topic: OpenLDAP as proxy for Active Directory
The following is the config we are using in order to provide a read-only anonymous bind to our backend ADS directory. In order for the rwm-mapping stuff to work without issues you must apply the changes Pierangelo made. Namely, update the following files from HEAD:
servers/slapd/overlays/rwm.c
servers/slapd/overlays/rwm.h
servers/slapd/overlays/rwmmap.c
servers/slapd/back-meta/map.c
------------- Begin config ---------------
defaultsearchbase "dc=mydomain,dc=com"
#######################################################################
# Database definitions
#######################################################################
database ldap
uri "ldap://ads.mydomain.com/"
lastmod off
chase-referrals no
suffix "dc=mydomain,dc=com"
acl-bind
        bindmethod=simple
        binddn="cn=aclbrowser,ou=users,dc=mydomain,dc=com"
        credentials="MyPassword"
        authzID="aclbrowser"
idassert-bind
        bindmethod=simple
        binddn="cn=attrbrowser,ou=users,dc=mydomain,dc=com"
        credentials="MyPassword"
        mode=none
# This controls what attribs can be accessed by the LDAP proxy.
# The last rwm-map line maps all other attributes to nothing.
overlay rwm
rwm-map objectclass account user
rwm-map attribute uid sAMAccountname
rwm-map attribute cn name
rwm-map attribute sn sn
rwm-map attribute mail mail
rwm-map attribute company company
rwm-map attribute entry entry
rwm-map attribute *
access to dn.subtree="dc=mydomain,dc=com"
        by * read
-------------- End config ----------------
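The two lines in the config above that do the security work are the catch-all `rwm-map attribute *` (without it, every AD attribute that is not explicitly mapped passes through the proxy) and the `access ... by * read` rule that keeps the anonymous proxy read-only. The following static checker is an added example, not part of the post or of OpenLDAP itself. It assumes only what slapd.conf(5) documents: a line beginning with whitespace continues the previous directive, and an `rwm-map attribute` line with a single name and no local name suppresses that attribute. The embedded configuration is a constructed copy of the one above with the passwords replaced by a placeholder.

```python
"""Static sanity check of a slapd.conf proxy configuration (added example)."""
import shlex

# Constructed copy of the posted config; credentials replaced by a placeholder.
SAMPLE_CONF = """\
defaultsearchbase "dc=mydomain,dc=com"
database ldap
uri "ldap://ads.mydomain.com/"
lastmod off
chase-referrals no
suffix "dc=mydomain,dc=com"
acl-bind
    bindmethod=simple
    binddn="cn=aclbrowser,ou=users,dc=mydomain,dc=com"
    credentials="PLACEHOLDER"
    authzID="aclbrowser"
idassert-bind
    bindmethod=simple
    binddn="cn=attrbrowser,ou=users,dc=mydomain,dc=com"
    credentials="PLACEHOLDER"
    mode=none
overlay rwm
rwm-map objectclass account user
rwm-map attribute uid sAMAccountname
rwm-map attribute cn name
rwm-map attribute sn sn
rwm-map attribute mail mail
rwm-map attribute company company
rwm-map attribute entry entry
rwm-map attribute *
access to dn.subtree="dc=mydomain,dc=com"
    by * read
"""

# slapd access levels, weakest to strongest (the "=rwxscd" form is not handled here).
ACCESS_LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def parse_slapd_conf(text):
    """Join continuation lines (leading whitespace) and return a list of
    (directive, arguments) pairs; comments and blank lines are dropped."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()   # continuation of previous directive
        else:
            logical.append(raw.strip())
    directives = []
    for line in logical:
        parts = shlex.split(line)              # honours the double-quoted arguments
        directives.append((parts[0].lower(), parts[1:]))
    return directives


def exposed_attributes(directives):
    """Local attribute names the proxy will present (rwm-map lines with both names)."""
    return [args[1] for name, args in directives
            if name == "rwm-map" and len(args) == 3 and args[0].lower() == "attribute"]


def has_attribute_catchall(directives):
    """True if 'rwm-map attribute *' is present, so unmapped AD attributes are hidden."""
    return any(name == "rwm-map" and args == ["attribute", "*"] for name, args in directives)


def write_access_grants(directives):
    """(who, level) pairs in access directives that grant more than read."""
    grants = []
    for name, args in directives:
        if name != "access":
            continue
        for i, tok in enumerate(args):
            if tok == "by" and i + 2 < len(args):
                who, level = args[i + 1], args[i + 2]
                if level in ACCESS_LEVELS and ACCESS_LEVELS.index(level) > ACCESS_LEVELS.index("read"):
                    grants.append((who, level))
    return grants


def audit(text):
    """Return a list of findings; an empty list means the proxy config is read-only
    and hides everything that is not explicitly mapped."""
    directives = parse_slapd_conf(text)
    findings = []
    if not has_attribute_catchall(directives):
        findings.append("no 'rwm-map attribute *': unmapped AD attributes pass through the proxy")
    for who, level in write_access_grants(directives):
        findings.append(f"access grants '{level}' to '{who}'; the proxy is meant to be read-only")
    return findings


if __name__ == "__main__":
    print("exposed:", exposed_attributes(parse_slapd_conf(SAMPLE_CONF)))
    print("findings:", audit(SAMPLE_CONF) or "none")
```

Run it against a real slapd.conf by reading the file into `audit()`; it complements, rather than replaces, an `ldapsearch -x` against the running proxy, which is the only way to confirm what the backend actually returns after the rwm mapping.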
-----Original Message-----
From: owner-openldap-software@OpenLDAP.org [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Marc Grober
Sent: Friday, October 14, 2005 4:08 PM
To: openldap-software@OpenLDAP.org
Subject: Re: OpenLDAP as proxy for Active Directory
Could you detail the steps you took to set up the proxy? We are trying to
accomplish the same kind of thing, and I am knocking myself silly trying to
make this happen... Does the proxy require the admin dn/password?
On Fri, 14 Oct 2005 21:23:57 +0200, Jan Schmidt wrote
> Hi list,
>
> I managed to set up OpenLDAP (2.2.23 on SuSE 9.3) as a read-only proxy
> to our Active Directory using the ldap/meta backend. Now I've found
> two annoying drawbacks.
>
> (1) One strange behaviour is that an ldapsearch on the proxy returns
> only a subset of the available attributes of the object. The same
> ldapsearch against the Active Directory returns the full set.
>
> (2) Active Directory allows uid@domain as bindDN. While slapd is
> configured to be a proxy it doesn't send the bindDN to the AD but
> parses it. This results in an error message: <=
> ldap_bv2dn(uid@domain)=-4 Decoding error bind: invalid dn
> (uid@domain). I tried to do the rewrite stuff mentioned in
> slapd-meta.5 but it doesn't work.
>
> Can somebody give me some hints or has anyone got a fully functional
> AD-proxy configuration?
>
> Best regards,
> Jan Schmidt
>
> ---------------------------------------------------------------
> AG Anwendungen/Multimedia Rechenzentrum Universität Greifswald
> http://www.multimedia.uni-greifswald.de/
> Tel: +49 3834 861416 Fax: +49 3834 8680016