[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: AD proxy in OpenLDAP

To: openldap-technical@openldap.org
Subject: Re: AD proxy in OpenLDAP
From: "Christopher O'Kelly" <christopher.okelly@gmail.com>
Date: Thu, 5 Apr 2012 08:29:21 +1000
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=hLT6sBOi+LbVpLRqLiw+PQTee1yiqhkCSGv8idY55yQ=; b=Po4qdoROXODm0FR6wVJMvGfnSghJQjsRDc3LU5OscWtjT2hHPOZ43upsWEtjSNAkRD Q09hMvRrezyn7V4GkDjd5UnZy4D3dTIaD47Nqp2ANemJUDyzMEXcpt2uSCvtLcoMvqYJ XhnVmGNYBF09LAQU3bN5DjuXG+9UfITXx7UWW9GxdyBkW7cfpqeQQ3VqYmeu2VWLRw99 pQQPeCzr/yNeidC9lS2BTcawO1KCv1qCOtW1mYJF0sBbP7sX1p5pCffB1CGsl7/in95b OoK11KNaUOo2SE1CywyWkPeN/8Vlm0UptFjK2goj2JF2MN/voNuwf1GW6PEvocDEWqXB YnLg==

(feeling a tad silly, now that I have discovered I was not replying to the actual mailing list but to single people.)

OK so I have managed to get both the ldap and hdb databases to coexist, mostly through copying code straight from the ldapglue test in the OpenLDAP build files. The ldif file I use now for my backend is as follows -

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb
olcModuleload: back_ldap

dn: olcDatabase={1}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {1}ldap
olcSuffix: ou=internal,dc=companyname,dc=local
olcSubordinate: TRUE
olcDbURI: "ldap://companyname.local"
olcDbRebindAsUser: FALSE
olcDbChaseReferrals: TRUE

dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcSuffix: dc=companyname,dc=local
olcLastMod: TRUE
olcRootDN: cn=admin,dc=companyname,dc=local
olcRootPW: {SSHA}hashed password
olcDbDirectory: /var/lib/ldap
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcDbIndex: cn pres,eq,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: sn pres,eq,sub
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=minecorp,dc=local" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=companyname,dc=local" write by * read

I can search dc=companyname,dc=local fine, I see the users in this tree and the Internal OU. However I do not see any of the users from the AD linked to by this database. I know I can ldap search it from the server and get results, so I believe that either I need to construct my search differently or it is an authentication issue. As I read it, I need to use idassert-bind, specifying a user from AD with read access, and that user will be used to search AD.

I have a few questions leading from this -
The first is: does anyone know the syntax for idassert-bind as it applies to ldif files to be ldapadded to the RTC? As I read it, if it were slapd.conf I would want -

idassert-bind bindmethod=simple binddn="cn=proxy,ou=service accounts,ou=users,dc=companyname,dc=local" credentials="password" mode=self

but I am unsure how to structure this for RTC.

The second is - am I correct in thinking that, once this is all working, a search with (objectclass=*) on the dc=companyname,dc=local should return all the users in that branch as well as all the users in AD? Or will I need to craft my search differently to deal with the proxy?

The third is also just a confirmation - is idassert-bind meant for what I think it is? Should it contain a user not in the local DSA but in the one I am proxying to? Or have I misread?

Prev by Date: RE24 testing call #1 (2.4.31)
Next by Date: Re: LDAP entries missing from search results depending on search base.
Index(es):
- Chronological
- Thread