
OpenLDAP as a proxy/rewrite/remap to AD for nss_ldap
I have Active Directory server, OpenLDAP server and a client machine.
AD is based on Windows Server 2003, OpenLDAP is 2.3.43-3.el5 running on
CentOS 5 i386, client machine is as well CentOS 5.

Does the OpenLDAP server, in any version, allow me to rewrite/remap/merge
results from:

 - Active Directory
 - internal LDAP database (or any database)

to make them suitable to nss_ldap?

AD doesn't have all attributes which are needed by nss_ldap, so I
thought to keep internal LDAP database with missing information
(uidNumber, loginShell, etc) and merge, rewrite, remap or meta this
information, and then give that result to the nss_ldap.

I understand that it is possible to merge with slapd-meta different DITs
from different databases as a single DIT, but what I need here is to
merge attributes from one db with a second db (Active Directory), then
rewrite that, and finally return the result to the querying client.

What I mean is, is it possible to rewrite/remap results from AD which
look like this:

# (sAMAccountName=kucharskim)
dn: CN=kucharskim,CN=Users,DC=euops,DC=lan
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: kucharskim
distinguishedName: CN=kucharskim,CN=Users,DC=euops,DC=lan
instanceType: 4
whenCreated: 20091117183353.0Z
whenChanged: 20091117183353.0Z
uSNCreated: 15484
uSNChanged: 15488
name: Mikolaj Kucharski
objectGUID:: PLah511UiUKib3pt8HCJ+g==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 129041574477164624
lastLogoff: 0
lastLogon: 129046275442578437
pwdLastSet: 129029564332783194
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA1MNb9pJhAvyslWmgfAcAAA==
accountExpires: 9223372036854775807
logonCount: 9
sAMAccountName: kucharskim
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=euops,DC=lan
memberOf: CN=testgroup,CN=ActiveDirectoryGroups,DC=euops,DC=lan

with pieces missing from another ldap db, to something like this:

# (uid=kucharskim)
dn: uid=kucharskim,ou=People,dc=ldapdomain,dc=lan
uid: kucharskim
cn: Mikolaj Kucharski
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 12561
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10207
gidNumber: 10207
homeDirectory: /home/kucharskim
gecos: Mikolaj Kucharski

# (memberUid=kucharskim)
dn: cn=testgroup,ou=Groups,dc=ldapdomain,dc=lan
objectClass: posixGroup
objectClass: top
cn: testgroup
gidNumber: 50201
memberUid: kucharskim
memberUid: ldapuser1
memberUid: ldapuser2

I see that this is something overly complicated, but I wanted to know if
that is possible. If it is, could someone tell me which version of OpenLDAP
supports it and where I can read how to implement that. Thank you.

best regards
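Added illustration, not part of the post and not OpenLDAP code: a small Python model of the two steps the post describes, a DN suffix massage plus attribute map applied to the AD entry (what slapd's rwm overlay does) and an overlay of the locally stored posix attributes onto the result (what the translucent overlay does). The sample entries, attribute names and DNs are copied from the post; the function names and the rule that local attributes override remote ones are assumptions of this example.

```python
import re

# Constructed sample data, copied from the two example entries in the post.
AD_ENTRY = {
    "dn": "CN=kucharskim,CN=Users,DC=euops,DC=lan",
    "sAMAccountName": ["kucharskim"],
    "name": ["Mikolaj Kucharski"],
    "userAccountControl": ["66048"],
}
LOCAL_ENTRY = {  # the posix attributes AD lacks, kept in the internal OpenLDAP db
    "dn": "uid=kucharskim,ou=People,dc=ldapdomain,dc=lan",
    "uidNumber": ["10207"], "gidNumber": ["10207"],
    "loginShell": ["/bin/bash"], "homeDirectory": ["/home/kucharskim"],
}
# virtual attribute <- AD attribute, the same idea as "rwm-map attribute uid sAMAccountName"
ATTR_MAP = {"sAMAccountName": "uid", "name": "cn"}
AD_USER_DN = re.compile(r"^CN=([^,]+),CN=Users,DC=euops,DC=lan$", re.IGNORECASE)
LOCAL_BASE = "ou=People,dc=ldapdomain,dc=lan"

def rewrite_dn(dn: str) -> str:
    """Suffix massage: CN=<user>,CN=Users,DC=euops,DC=lan -> uid=<user>,ou=People,dc=ldapdomain,dc=lan."""
    m = AD_USER_DN.match(dn)
    if not m:
        raise ValueError(f"DN outside the proxied AD container: {dn}")
    return f"uid={m.group(1)},{LOCAL_BASE}"

def remap(ad_entry: dict) -> dict:
    """Keep only mapped attributes under their virtual names; unmapped AD attributes are dropped."""
    out = {"dn": rewrite_dn(ad_entry["dn"])}
    for attr, values in ad_entry.items():
        if attr in ATTR_MAP:
            out[ATTR_MAP[attr]] = list(values)
    return out

def merge(remote: dict, local: dict) -> dict:
    """Overlay the local entry's attributes on the remapped remote entry (local wins on conflict)."""
    if remote["dn"].lower() != local["dn"].lower():
        raise ValueError("local and remote entries must share a DN after rewriting")
    merged = {k: list(v) for k, v in remote.items() if k != "dn"}
    merged.update({k: list(v) for k, v in local.items() if k != "dn"})
    merged["objectClass"] = ["top", "account", "posixAccount", "shadowAccount"]
    merged.setdefault("gecos", list(merged["cn"]))  # nss_ldap reads the GECOS field from gecos
    merged["dn"] = remote["dn"]
    return merged

def to_ldif(entry: dict) -> str:
    lines = [f"dn: {entry['dn']}"]
    lines += [f"{a}: {v}" for a, vs in entry.items() if a != "dn" for v in vs]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(to_ldif(merge(remap(AD_ENTRY), LOCAL_ENTRY)))
```

Running it prints a posixAccount entry in the shape nss_ldap expects; a real deployment would need the same treatment for the group entry (memberOf on the AD side to memberUid on the posixGroup).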