
Re: AD proxy in OpenLDAP



> Hi guys,

Despite the manual reading you claim to have done, I see many unrelated
errors in your configuration/operations.

> Posted a while back but didn't get far, just trying again to see if I can
> get this working. We have AD on our DC server, working fine, and a list of
> external clients in OpenLDAP, also working fine. We have a new web service
> that needs to authenticate against only one DSA, so I need to have the
> OpenLDAP DSA proxy to AD. The initial setup in OpenLDAP is -
>
> dn: cn=module,cn=config
> objectClass: olcModuleList
> cn: module
> olcModulepath: /usr/lib/ldap
> olcModuleload: back_hdb
> olcModuleload: back_ldap
>
> dn: olcDatabase=hdb,cn=config
> objectClass: olcDatabaseConfig
> objectClass: olcHdbConfig
> olcDatabase: {1}hdb
> olcSuffix: dc=companyname,dc=local
> olcDbDirectory: /var/lib/ldap
> olcRootDN: cn=admin,dc=companyname,dc=local
> olcRootPW: secret
> olcDbConfig: set_cachesize 0 2097152 0
> olcDbConfig: set_lk_max_objects 1500
> olcDbConfig: set_lk_max_locks 1500
> olcDbConfig: set_lk_max_lockers 1500
> olcDbIndex: objectClass eq
> olcLastMod: TRUE
> olcDbCheckpoint: 512 30
> olcAccess: to attrs=userPassword by dn="cn=admin,dc=companyname,dc=local"
> write by anonymous auth by self write by * none
> olcAccess: to attrs=shadowLastChange by self write by * read
> olcAccess: to dn.base="" by * read
> olcAccess: to * by dn="cn=admin,dc=companyname,dc=local" write by * read
>
> the ldap backend I have added with ldapadd is -
>
> olcDatabase: ldap
> olcSuffix: dc=internal,dc=companyname,dc=local
> olcDbDirectory: /var/lib/ldap

"olcDbDirectory" has nothing to do with back-ldap

> uri: ldap://companyname.local

"uri" is not a valid attribute type; you probably mean "olcDbURI".

> acl-bind: bindmethod=simple binddn="CN=proxy,OU=Service
> Accounts,OU=Users,OU=MyBusiness,DC=companyname,DC=local"
> credentials=secret.

"acl-bind" is not a valid attribute type; you probably mean
"olcDbACLBind".  However, the latter is is only effective in internal
operations, not in user operations.

> When I attempt to search on dc=companyname,dc=local I get results. When I
> attempt to search AD directly from the server running OpenLDAP I get
> results. However if I search dc=internal,dc=companyname,dc=local pointed
> at OpenLDAP I get No Such Object (32).
>
> I believe this could be related to one of two things, however I have been
> unable to find the fix (I have read the slapd, slapd-ldap, slapd-relay,
> slapd-pbind manpages, as well as numerous tutorials). I believe it is
> either that I am missing the schema files for AD or that I am incorrect in
> putting the LDAP backend in a seperate dc (internal). On AD the base
> suffix is also just dc=companyname, dc=local, I put the LDAP backend in
> this suffix as the rest of the directory is already in
> dc=companyname,dc=local in OpenLDAP and I wished for it to be separate, I
> don't know if this has caused the issue. As for the schema files, I used
> Apache directory studio to export the cn=schema branch from AD into an
> LDIF file and attempted to add it using ldapadd, the result was
> adding new entry "CN=Schema,CN=Configuration,DC=companyname,DC=local"
> ldap_add: Undefined attribute type (17)
>         additional info: instanceType: attribute type undefined

Your instance of slapd is clearly missing the definition of the
"instanceType" attribute.

> I have been trying to figure out this issue for weeks and I am at my wits
> end. I am seriously at the point of contemplating trying to find someone I
> can pay to show me the fix.

OpenLDAP's test suite is full of examples of using back-ldap (e.g.
test028, test029, test047 and others); I would start from there, reading
the resulting slapd.conf and the corresponding cn=config tree to
understand how a working configuration should be.

p.
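As an added example (not from this thread or from the OpenLDAP project), the back-ldap database from the quoted post rewritten with the cn=config attribute names the reply points to. It keeps the post's DNs and suffix, uses placeholders for the host name and secrets, and the identity-assertion and TLS lines are my additions based on slapd-ldap(5), not something the reply prescribes.

```ldif
# Added example: back-ldap database in cn=config. Assumes back_ldap is
# already loaded through the olcModuleList entry shown in the post.
dn: olcDatabase={2}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {2}ldap
# back-ldap forwards base DNs to the remote server unchanged, so the remote
# server must really hold this naming context; otherwise the suffix has to
# be rewritten (overlay rwm). Kept from the post as an assumption; the
# reply does not address it.
olcSuffix: dc=internal,dc=companyname,dc=local
# "uri" -> olcDbURI. A simple bind sends the proxy password in clear over
# ldap://, so use ldaps:// (or olcDbStartTLS) towards the domain
# controller. Host name is a placeholder.
olcDbURI: ldaps://dc1.companyname.local
# "acl-bind" -> olcDbACLBind. As the reply says, this identity is used only
# for slapd's own internal operations (e.g. ACL dn/group lookups), never
# for the searches clients send.
olcDbACLBind: bindmethod=simple
  binddn="CN=proxy,OU=Service Accounts,OU=Users,OU=MyBusiness,DC=companyname,DC=local"
  credentials="REPLACE_WITH_PROXY_PASSWORD"
# For client operations to reach AD as the proxy account, slapd-ldap uses
# identity assertion (idassert-bind), a separate directive. mode=none sends
# no proxyAuthz control: AD simply sees the proxy account.
olcDbIDAssertBind: bindmethod=simple
  binddn="CN=proxy,OU=Service Accounts,OU=Users,OU=MyBusiness,DC=companyname,DC=local"
  credentials="REPLACE_WITH_PROXY_PASSWORD"
  mode=none
# Every local identity listed here reads AD with the proxy account's
# rights, so give that account read-only access in AD and keep this list
# to the service that needs it (DN is a placeholder).
olcDbIDAssertAuthzFrom: dn.exact:cn=websvc,dc=companyname,dc=local
```

Load it with ldapadd against cn=config as in the post; the olcDatabase index must not collide with the existing {1}hdb entry.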