Re: Using OpenLDAP to point to AD as address book
"adp" <email@example.com> writes:
>> "adp" <firstname.lastname@example.org> writes:
>> > Okay, I have openldap-2.2.11 installed and running fine. I have a very
>> > minimal slapd configuration since all I'm doing is proxying for an AD
>> > directory.
>> > With or without binddn I can do an anon. search of AD fine. (That just
>> > returns the schema.) If I stop slapd then the anon connection fails
>> > (This is just to ensure I'm testing against the right server.)
>> > (I will worry about ACLs and whatnot later.) From reading the slapd-meta
>> > manpage I thought this would do it, but it appears that I'm wrong.
>> > Any ideas?
>> Ask the developer of AD to allow anonymous bind on searches.
> Darn. Let me ask one more time just so that I am totally clear on this.
> Even with slapd-meta, there is no way to use openldap as a front-end to AD
> so that I can do an anon. search against cn=Users to scan for names (cn, sn)
> and email addresses (mail) to serve as an address book that can be
> anonymously used?
It is the administrator's task to create access rules. AFAIK AD by
default only allows access by authenticated users (but that
discussion is OFF TOPIC here).
> In other words, my only option is to dump the values I want from AD into an
> openldap database on a regular basis and have users just search the local
> directory instead of serving as a proxy to AD.
No, it is just an administrative task.
> Wow, I totally misread slapd-meta. I was thinking that with binddn this
> would all work.
You may read the discussion on ACLs in man slapd-meta(5), and you
might consider whether pseudorootdn would be an alternative.
Dieter Kluenter | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
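One way to set up what the reply points at, as an added example that is not part of the thread and not the OpenLDAP project's own sample configuration: a slapd.conf fragment for OpenLDAP 2.2's back-meta that uses pseudorootdn/pseudorootpw instead of binddn/bindpw. The directives are those documented in slapd-meta(5); every hostname, DN, suffix and password below is a placeholder (an assumption), not a value from the post.

```conf
# Added example (not from the thread): OpenLDAP 2.2 slapd.conf proxying an
# AD "cn=Users" container through back-meta.  All names/DNs/passwords are
# placeholders.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema

database        meta
suffix          "dc=example,dc=com"

# Local identity the address-book clients bind as.  It exists only in the
# proxy; the credential never reaches AD.  Use the output of slappasswd
# instead of the placeholder below.
rootdn          "cn=addressbook,dc=example,dc=com"
rootpw          "placeholder-change-me"

# One target: the AD domain controller.  The naming context in the URI is
# the local subtree this target serves; suffixmassage rewrites it to the
# real naming context AD expects (and back again on the way out).
uri             "ldap://dc1.ad.example.com/ou=people,dc=example,dc=com"
suffixmassage   "ou=people,dc=example,dc=com" "cn=Users,dc=ad,dc=example,dc=com"

# When a client binds successfully as the local rootdn, back-meta binds to
# this target as the DN below instead.  Give it an ordinary, read-only AD
# account, never a domain administrator.
pseudorootdn    "cn=ldapproxy,cn=Users,dc=ad,dc=example,dc=com"
pseudorootpw    "placeholder-proxy-account-password"

# Deliberately NOT set: in 2.2 back-meta, binddn/bindpw are used only to
# query the target for ACL checking (slapd-meta(5)); they do not change
# the identity an anonymous client search is forwarded with, which is why
# they did not make AD answer the anonymous search in the thread.
```

Two caveats a practitioner should keep in mind. First, this is not anonymous access: the address-book client still has to bind (as the local rootdn); an unauthenticated search is forwarded to AD anonymously and gets whatever AD allows anonymous users, which by default is essentially nothing, exactly as the reply says. Second, the rootdn bypasses the proxy's own ACLs, so the local `access` rules do not limit what a client bound this way can read; what is visible is governed by the permissions AD grants the pseudorootdn account, which is the reason to use an unprivileged account there. To check the setup, bind as the local rootdn and search for the attributes the address book needs (cn, sn, mail) under the local suffix, then repeat the search with no bind and confirm that it returns no entries.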