[Date Prev][Date Next] [Chronological] [Thread] [Top]

OpenLDAP as a Meta directory for eDirectory and Active Directory

I have a requirement to link up the contents of an AD and an eDir into a single meta dir.  I am testing all this on a small system.  The basic idea is that a user will be able to do a search on their uid and then bind to it.  Their account could be in either the AD or the eDir.  I would want to support both simple and digest-md5 binds.  Both eDir and AD support SASL digest md5 binds but AD does not allow simple binds.  I do not wish to change the back ends but just work with what is there. 

In my test system I have dc=blueloop,dc=net at the top with ou=edir and ou=ad to be mapped under the top level.  My gerdesj account has all the relavent rights in all cases.

I have gone around in circles on this several times!  I can do a browse of the edir container fine ie a search of the ou=edir,dc=blueloop,dc=net as anon returns stuff as I would expect.

This seems to work OK:
ldapsearch -h localhost '(objectclass=*)' -D "cn=gerdesj,ou=edir,dc=blueloop,dc=net" -b "ou=edir,dc=blueloop,dc=net" -x -W

Trying to use SASL fails:
ldapsearch -h localhost -b 'ou=edir,dc=blueloop,dc=net' '(objectclass=*)' -Y DIGEST-MD5 -U "dn:cn=gerdesj,ou=edir,dc=blueloop,dc=net"
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: no secret in database

This seems to imply to me that the OpenLDAP box is trying to auth me rather than passing this off to the system it is proxying.  Why ?

I would also like to make the AD side of things such that it will allow a simple anonymous connection to search and then allow through a simple bind 

I've read everything I can find but have run out of steam.  Thanks for any advice or pointers.


Here is a chunk out of my slapd.conf

##### eDir
#ldapsearch -h localhost -b 'ou=edir,dc=blueloop,dc=net' -s sub -x -D '' '(objectclass=*)'
database                ldap
suffix                  "ou=edir,dc=blueloop,dc=net"
uri                     "ldap://port.blueloop.net/";

overlay                 rwm
rwm-suffixmassage       "ou=edir,dc=blueloop,dc=net" "ou=users,o=blueloop"

##### AD
database                ldap
suffix                  "ou=ad,dc=blueloop,dc=net"
uri                     "ldap://baileys.blueloop.net/";

idassert-authzFrom      "dn:regex=.*"



overerlay               rwm
rwm-suffixmassage       "ou=ad,dc=blueloop,dc=net"   "ou=users,ou=blueloop,dc=blueloop,dc=net"

Registered Address : 7 Manor Buildings, North Perrott, Crewkerne, Somerset, TA18 7ST
Registered England & Wales - 3981322

This e-mail and any files attached with it are confidential and for the sole use of the intended recipient(s).  If you are not the intended recipient(s) you are prohibited from using, copying or distributing this or any information contained in it and should immediately notify the sender and delete the message from your system.

Internet communications are not secure and Blueloop Limited is not responsible for unauthorised use by third parties nor for alteration or corruption in transmission.  Furthermore, while Blueloop Limited have taken reasonable precautions to minimise the risk of software viruses, it cannot accept liability for any damage which you may suffer as a result of such viruses, and we therefore recommend you carry out your own virus checks on receipt of any e-mail.