
Re: OpenLDAP, PADL and querying multiple ADs



Thanks for the hint, Jonathan.

Is there anyone on this list who would call himself an (Open)LDAP expert
and would be available for paid consulting regarding this matter? Please
get in touch with me then!

Thanks
Markus


> On 15/06/2010 16:39, Markus wrote:
>> Hello list,
>>
>> I'm on SLES 11 and the mission is to allow Active Directory (AD) users to
>> log in to Linux. The difficulty is that those users are stored in two
>> separate ADs which have no connection to each other. Both ADs are running
>> on Windows 2003 R2 (or later) and I'm using the LDAP PADL NSS
>> (/etc/ldap.conf) implementation to map the UNIX attributes that are stored
>> in the AD to local values (homedir, shell, UID/GID etc.). So far so good,
>> everything works fine (getent passwd, PAM logins).
>>
>> Now, when searching for a solution on how to query two ADs via LDAP at the
>> same time it seems like OpenLDAP supports multiple LDAP search bases, and
>> there was also a mention of the translucent overlay feature, so I
>> suppose using OpenLDAP I could fetch the UNIX attributes from both ADs
>> simultaneously.
>
> Yes, you can use OpenLDAP as a proxy to the two ADs via LDAP. Check out
> the slapd-meta man page (meta is a backend that can take several remote
> LDAP proxy databases).
>
> The translucent overlay would allow you to store extra information on
> your OpenLDAP server that's not in the AD directories. It doesn't sound
> like this is necessary for you, but I may be wrong.
>
> Hope this helps,
> Jonathan
>
>
>> What completely puzzles me is the NSS/PAM configuration and how PADL NSS
>> and OpenLDAP interact respectively not interact:
>>
>> - If I configure OpenLDAP (/etc/openldap/ldap.conf) instead of PADL NSS
>> (/etc/ldap.conf) how do I configure NSS/PAM for OpenLDAP? I need "getent
>> passwd" and "getent group" and of course PAM logins to work. E.g. getent
>> passwd has to give me back all users from BOTH ADs that have UNIX
>> attributes stored. But since there seems to be only the PADL NSS module in
>> existence (/lib/libnss_ldap.so.2), I am clueless on how to integrate the
>> OpenLDAP variant. Shouldn't there be something like
>> /lib/libnss_openldap.so and shouldn't I be able to add something like
>> "passwd: compat openldap" to /etc/nsswitch.conf? I guess not, but I don't
>> understand why.
>>
>> - So that leaves me with the idea of *somehow* fetching the UNIX
>> attributes from both ADs via OpenLDAP, set up a local OpenLDAP server to
>> store this information in, and then using the PADL NSS module to query it.
>> I'm not sure if this is the right approach or if this is even technically
>> feasible. Is there maybe an easier way with less overhead (e.g. no OpenLDAP
>> server required)?
>>
>> Thank you very much for any hints or pointers that you might share with
>> me! I'm really lost...
>>
>> Best regards
>> Markus
>>
>>
>>
>
>
> --
> --------------------------------------------------------------
> Jonathan Clarke - jonathan@phillipoux.net
> --------------------------------------------------------------
> Ldap Synchronization Connector (LSC) - http://lsc-project.org
> --------------------------------------------------------------
>