Hi,
(Apologies if anybody has already received this, I sent the message
before subscribing to the list and later discovered that it may not be
relayed if I wasn't a subscriber.)
I am trying to configure OpenLDAP such that it acts as a subordinate
to an Active Directory server to allow applications to seamlessly
authenticate users against both directories via the OpenLDAP server
(some users will be in OpenLDAP, some in AD). The directory suffixes
are set up as follows, for example:
Active Directory dc=xyz, dc=com
OpenLDAP ou=Extranet, dc=xyz, dc=com (subordinate)
I have successfully configured OpenLDAP such that a query with a base
"dc=xyz, dc=com" will return results from both directories.
I now want to add a rewrite rule to entries from the AD directory such
that Microsoft object classes (user and group) are transformed into
inetOrgPerson and groupOfNames respectively. Also, I'd like the
SAMAccountName attribute to be mapped to an attribute named uid. I
followed the example of using the rwm overlay here:
http://www.openldap.org/lists/openldap-software/200510/msg00256.html
I was then able to perform a query on the uid attribute against the AD
directory, the entry was returned rewritten as an inetOrgPerson as I
had expected.
However, I am no longer able to perform a query on the uid attribute
against the subordinate OpenLDAP directory (base "ou=Extranet, dc=xyz,
dc=com") as, AFAIK, the rewrite rule is removing it from the query,
results or both.
Is it possible to only apply such rewrite rules to entries within the
AD directory, and leave entries stored in the OpenLDAP subordinate
directory untouched, or is there a better way to approach this
problem?
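For reference, here is an added example of how such a setup is normally laid out in slapd.conf so that the rewrite only touches the proxied AD entries. It is a constructed fragment written for this thread, not the poster's own configuration; the host name ad.xyz.com, the database paths, the proxy bind DN and the backend name (mdb on current releases, bdb/hdb on older ones) are all assumptions.

```conf
# Constructed example slapd.conf fragment (not the original poster's file).
# Overlays are attached to one database each. Declaring rwm inside the
# back-ldap database that proxies Active Directory means its maps apply
# only to entries flowing through that backend; the locally stored
# subordinate is a separate database and is returned as-is.

# 1. Local OpenLDAP data, glued in as a subordinate of dc=xyz,dc=com.
#    Subordinates must be declared before their superior database.
database    mdb                              # bdb/hdb on older releases
suffix      "ou=Extranet,dc=xyz,dc=com"
subordinate
directory   /var/lib/ldap/extranet          # assumed path
rootdn      "cn=admin,ou=Extranet,dc=xyz,dc=com"
index       uid eq                           # uid searches under ou=Extranet land here unmapped

# 2. Superior database: back-ldap proxy to Active Directory.
database    ldap
suffix      "dc=xyz,dc=com"
uri         "ldaps://ad.xyz.com"             # assumed host; TLS keeps proxied binds
                                            # and results off the wire in clear text
# Credentials the proxy uses for its own searches against AD; the file
# holding them should be readable by the slapd user only, since they grant
# read access to the whole AD directory.
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,cn=Users,dc=xyz,dc=com"
                credentials="<proxy-password-placeholder>"
                mode=none

# 3. Rewrite/remap overlay, scoped to this back-ldap database only.
overlay     rwm
rwm-rewriteEngine   on
# rwm-map takes the local (client-facing) name first, the AD name second.
rwm-map objectclass inetOrgPerson  user
rwm-map objectclass groupOfNames   group
rwm-map attribute   uid            sAMAccountName
# Wildcard maps pass every other attribute and objectClass through unchanged.
rwm-map attribute   * *
rwm-map objectclass * *
```

With this layout a search with base "ou=Extranet,dc=xyz,dc=com" and filter (uid=...) is routed by the glue directly to the mdb database, which has no rwm overlay, while the same filter against "dc=xyz,dc=com" reaches both databases and is rewritten to (sAMAccountName=...) only on its way to AD. If the overlay had instead been declared globally or on the subordinate, the uid attribute would be renamed on the local entries too, which matches the symptom described above.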