OpenLDAP as a proxy for Active Directory (missing attributes)
- To: email@example.com
- Subject: OpenLDAP as a proxy for Active Directory (missing attributes)
- From: Marius Flage <firstname.lastname@example.org>
- Date: Fri, 20 Aug 2010 14:24:52 +0200
- User-agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; nb-NO; rv:220.127.116.11) Gecko/20100711 Lightning/1.0b1 Thunderbird/3.0.6
I've been banging my head against the wall with this project for the
last months and still haven't found a decent solution for my problem.
I'm trying to set up OpenLDAP to act as a proxy for Active Directory.
OpenLDAP should be the internet-facing interface for all external
queries for the AD catalog. I've gotten the connection set up and I'm
able to retrieve and search for most important values. However, when I
try to get out the group membership of the different objects, I've
encountered some problems.
When doing a search directly towards Active Directory I can see the
memberOf attributes for the objects, but when I perform the very
same search through the proxy, those attributes have been
ignored/stripped away from the result.
I've tried including schemas for Active Directory found on the internet
(like http://www.grotan.com/ldap/microsoft.schema), but if I try to
include this in OpenLDAP I get lots and lots of errors and I have to
start commenting out different attributes and objecttypes to get
OpenLDAP to start. Example of errors are stuff like:
/etc/ldap/schema/microsoft2.schema: line 30 objectclass: AttributeType
not found: "remoteSource"
And then I comment out the objectclass and retry. And this basically
goes on and on forever.
I've also tried just including the attribute I'm looking for, namely
memberOf, like so:
attributetype ( 1.2.840.113518.104.22.168
And then I get the following error when I try to start slapd:
/etc/ldap/schema/activedirectory.schema: line 60 attributetype:
AttributeType inappropriate USAGE: "memberOf"
/etc/ldap/slapd.conf: line 15: <include> handler exited with 1!
So my question is basically: how can I get the memberOf attribute
included in my searches through OpenLDAP? Do I need to include the
schema or am I approaching this from the wrong angle? What needs to be
done to set up OpenLDAP as a complete transparent proxy towards Active
Directory - basically having it behave as it was the AD itself answering
whenever you query the proxy?
I'd be very grateful for whatever question or feedback I can get, since
this has been bothering me for a very long time now.
I've also included my slapd.conf file and the schema I've tried.
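Added example (not the poster's configuration, and not something shipped with OpenLDAP): a slapd.conf fragment that defines AD's memberOf attribute in a form slapd 2.4 accepts and puts back-ldap in front of a domain controller. In slapd's schema parser, "AttributeType inappropriate USAGE" is the error raised when an attribute type carries NO-USER-MODIFICATION while its USAGE is the default userApplications, which is the usual reason a copied AD schema line for memberOf fails; declaring it with USAGE directoryOperation as well (the way OpenLDAP's own ppolicy schema declares pwdChangedTime) is accepted. Host names, DNs and the service-account credentials below are assumed placeholders.

```conf
# slapd.conf fragment: OpenLDAP back-ldap as a proxy for Active Directory.
# Added example; dc1.example.com, dc=example,dc=com and the bind account
# are placeholders (assumed), not values from the original post.

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/inetorgperson.schema

# AD's memberOf (attributeID 1.2.840.113556.1.2.102), DN syntax.
# NO-USER-MODIFICATION is only allowed together with an operational
# USAGE; on a plain userApplications attribute slapd rejects it with
# "AttributeType inappropriate USAGE".
attributetype ( 1.2.840.113556.1.2.102
    NAME 'memberOf'
    DESC 'Active Directory back-link: groups this entry belongs to'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
    NO-USER-MODIFICATION
    USAGE directoryOperation )

# Do not also load the memberof overlay (moduleload memberof.la) in this
# slapd: it registers the same OID and slapd will refuse to start with a
# duplicate attributeType.

database        ldap
suffix          "dc=example,dc=com"          # AD default naming context (assumed)
uri             "ldap://dc1.example.com/"    # domain controller (assumed)
rebind-as-user  yes
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,ou=Service Accounts,dc=example,dc=com"
                credentials="change-me"
                mode=none
idassert-authzFrom "*"

# Because memberOf is now an operational attribute, clients get it only
# when they ask for it by name (or with '+' for all operational attributes):
#   ldapsearch -x -H ldap://proxy.example.com/ -b dc=example,dc=com \
#       '(cn=jdoe)' memberOf
```

If memberOf should come back without being requested explicitly, declare it instead as an ordinary attribute: drop both NO-USER-MODIFICATION and the USAGE line, and slapd will accept that definition too. Either way, restart slapd after editing and test with an explicit attribute list first, since a client that only asks for the default attribute set will never see an operational attribute whichever side of the proxy it talks to.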