[Date Prev][Date Next] [Chronological] [Thread] [Top]

slapd-ldap as proxy to active directory

Good day.

I would like to use the slapd-ldap backend as a proxy to Active
Directory (Windows Server 2008 R2).

Firstly, AD can be queried directly:

$ ldapsearch -LLL -D "cn=John Doe,cn=users,dc=support,dc=com" -w okay
-H ldap://ad.support.com -b cn=users,dc=support,dc=com
'(sAMAccountName=jdoe)' cn sAMAccountName

dn: CN=John Doe,CN=Users,DC=support,DC=com
cn: John Doe
sAMAccountName: jdoe

Now, I have the following in slapd:

dn: cn=module{1},cn=config
objectClass: olcModuleList
cn: module{1}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_ldap

dn: olcDatabase={2}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {2}ldap
olcDbURI: ldap://ad.support.com
olcDbRebindAsUser: TRUE
olcDbChaseReferrals: TRUE
olcSuffix: cn=users,dc=support,dc=com

But when querying via the slapd instance I don't get anything back:

$ ldapsearch -D "cn=John Doe,cn=users,dc=support,dc=com" -w okay -H
ldap://slapd.example.com -b cn=users,dc=support,dc=com
'(sAMAccountName=jdoe)' cn sAMAccountName

# extended LDIF
# LDAPv3
# base <cn=users,dc=support,dc=com> with scope subtree
# filter: (sAMAccountName=jdoe)
# requesting: cn sAMAccountName

# search result
search: 2
result: 32 No such object

# numResponses: 1

I can query my normal/local DIT fine (even while authenticating as the
remote AD user, which looks weird):

$ ldapsearch -D "cn=John Doe,cn=users,dc=support,dc=com" -w okay -H
ldap://slapd.example.com -b dc=example,dc=com '(ou=People)' cn

# extended LDIF
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (ou=People)
# requesting: cn

# People, example.com
dn: ou=People,dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

What am I missing?  TIA.