
Re: problems with slapd-ldap and overlays in using OpenLDAP as an LDAP proxy



DePriest, Jason R. wrote:
> I am a complete newbie with OpenLDAP.  I have worked with Windows NT
> Domains and Active Directory for a long time.  I've also worked with
> Microsoft ADAM and CA's eTrust Admin Directory.
> 
> However, I am having trouble getting OpenLDAP to perform what I think
> are basic functions.
> 
> I have a Debian GNU/Linux Etch system with a 2.6.18 kernel.
> 
> slapd reports a version of 2.3.30.

slapd-ldap(5) saw some significant enhancement around 2.3.34 or so; I'd
recommend updating to the latest (2.3.37 right now).

> 
> I have slapd running and I am able to authenticate with the local admin account.
> 
> What I want is for it to take requests for domain.com, ask the real
> domain.com LDAP server (Active Directory) to handle it, then provide
> the answer to the client.
> 
> I want to have an OpenLDAP server in my DMZ proxy connections to my
> internal network without actually storing any account information
> locally (except for the local admin).
> 
> I think this is the relevant configuration information (comments removed):
> include         /etc/ldap/schema/core.schema
> include         /etc/ldap/schema/cosine.schema
> include         /etc/ldap/schema/nis.schema
> include         /etc/ldap/schema/inetorgperson.schema
> pidfile         /var/run/slapd/slapd.pid
> argsfile        /var/run/slapd/slapd.args
> loglevel        0
> modulepath      /usr/lib/ldap
> moduleload      back_bdb
> moduleload      back_ldap

moduleload rwm

> sizelimit 500
> tool-threads 1
> backend         bdb
> checkpoint 512 30
> database        ldap
> lastmod         off

^^^ not needed

> uri             "ldap://server.domain.com";
> map attribute   uid     sAMAccountName
> map attribute   cn      name
> map attribute   mail    userPrincipalName
> map objectclass account user
> map attribute   *
> idassert-bind   bindmethod=simple
>                binddn="cn=<USER>,ou=<CONTAINER>,dc=domain,dc=com"
>                credentials="<password>"
>                method=self
> chase-referrals yes

^^^ this might give undesired effects; only activate if strictly
required, and after careful testing.

> database        bdb
> suffix          "dc=domain,dc=com"
> rootdn          "cn=<USER>,ou=<CONTAINER>,dc=domain,dc=com"
> directory       "/var/lib/ldap"
> dbconfig set_cachesize 0 2097152 0
> dbconfig set_lk_max_objects 1500
> dbconfig set_lk_max_locks 1500
> dbconfig set_lk_max_lockers 1500
> index           objectClass eq
> lastmod         on
> access to attrs=userPassword,shadowLastChange
>        by dn="cn=admin,dc=ftbco,dc=ftn,dc=com" write
>        by anonymous auth
>        by self write
>        by * none
> access to dn.base="" by * read
> access to *
>        by dn="cn=admin,dc=ftbco,dc=ftn,dc=com" write
>        by * read
> 
> Running this with: slapd -g openldap -u openldap -d 16383
> 
> Gives a few errors such as:
> line 44 (checkpoint 512 30)
> /etc/ldap/slapd.conf: line 44: unknown directive <checkpoint> inside
> backend database definition (ignored).
> and
> /etc/ldap/slapd.conf: line 51: rewrite/remap capabilities have been
> moved to the "rwm" overlay; see slapo-rwm(5) for details (hint: add
> "overlay rwm" and prefix all directives with "rwm-").
> 
> Adding the requested overlay line and changing the map to rwm-map
> doesn't help.  I may be adding it in the wrong place.
> I always get:
> line 31 (overlay rwm)
> overlay "rwm" not found
> /etc/ldap/slapd.conf: line 31: <overlay> handler exited with 1!
> 
> with the line number obviously different for the different places I've tried it.
> 
> Yet, the rwm files are right where they should be:
> root@ebizsrvb:/etc/ldap# ls -l /usr/lib/ldap/rwm*
> lrwxrwxrwx 1 root root    17 2007-04-16 12:18 /usr/lib/ldap/rwm-2.3.so.0 -> rwm-2.3.so.0.2.18
> -rw-r--r-- 1 root root 33020 2007-03-08 23:45 /usr/lib/ldap/rwm-2.3.so.0.2.18
> -rw-r--r-- 1 root root   891 2007-03-08 23:45 /usr/lib/ldap/rwm.la
> lrwxrwxrwx 1 root root    17 2007-04-16 12:18 /usr/lib/ldap/rwm.so -> rwm-2.3.so.0.2.18
> 
> Please tell me what simple step I am messing up?

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
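Putting the reply's `moduleload rwm` together with the hint in the error message, the proxy database section of the quoted slapd.conf ends up looking like this. This is an added example, not configuration from the thread or from the OpenLDAP project; only the ldap database is shown, the `suffix` line is an assumption (the quoted config gives none for that database), and `mode=self` uses the keyword slapd-ldap(5) documents for idassert-bind.

```conf
# Added example: the proxy database from the thread, reworked for slapd 2.3's
# rwm overlay. <USER>, <CONTAINER> and <password> are placeholders from the
# original post; the suffix is an assumption.
modulepath      /usr/lib/ldap
moduleload      back_bdb
moduleload      back_ldap
# the overlay is its own module; without this line slapd reports
# 'overlay "rwm" not found' on the overlay directive further down
moduleload      rwm

database        ldap
suffix          "dc=domain,dc=com"
uri             "ldap://server.domain.com"
# assumption: bind to AD as <USER> and assert the connecting client's identity
idassert-bind   bindmethod=simple
                binddn="cn=<USER>,ou=<CONTAINER>,dc=domain,dc=com"
                credentials="<password>"
                mode=self

# overlay directives go inside the database section, after the backend's own
# directives; every former "map" line is now prefixed with "rwm-"
overlay         rwm
rwm-map         attribute   uid     sAMAccountName
rwm-map         attribute   cn      name
rwm-map         attribute   mail    userPrincipalName
rwm-map         objectclass account user
rwm-map         attribute   *
```

Checking the file with `slaptest -f /etc/ldap/slapd.conf -u` before restarting slapd shows the same "unknown directive" and "overlay not found" messages as the debug run, without taking the proxy down.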