
Re: slapd-ldap as proxy to active directory



On 12/16/2011 03:35 PM, Liam Gretton wrote:
> On 15/12/2011 14:57, Juan Miscaro wrote:
> > So do I need to get the actual schema from AD and try to import it or
> > is there something more easily available? It doesn't seem like I'm
> > doing something exotic here. Others must have confronted such a
> > situation. Right? :)
>
> You'd think so. I've hit the same problem recently.
>
> You can't import the MS AD schema directly, it uses syntaxes that
> OpenLDAP doesn't understand. The OpenLDAP documentation suggests that
> adding new syntaxes requires changes to the source code, so it's not
> trivial to solve.
>
> I found a workaround which may be useful to you. OpenLDAP won't return
> attributes for an unknown schema initially, but if you do a single
> search for an attribute it does understand, subsequent searches can be
> made on the ones for which there's no schema.
>
> On my OpenLDAP AD proxy, as soon as slapd has started I do a trivial
> search for a 'cn' attribute for a known record. After that, it's
> possible to search on sAMAccountName or other attributes without any
> problems.

You don't need 99% of what you said.  All you need is:

- find out what operations your clients need to do (i.e. what attributes, e.g. sAMAccountName, in what filter types, e.g. equality, presence, etc. will be used by your clients)

- define those attributes with appropriate matching rules in slapd's schema; this requires nothing but a few lines like

attributeType ( <oid>
   NAME <name>
   SYNTAX <syntax>
   [ EQUALITY <equalityrule> ] )

You don't need to create all the schema, only the portions that are needed. If an attribute uses a syntax that OpenLDAP's slapd does not support (yet), you can use the closest one. Usually, anything that needs not be case insensitive can be octet string, which has an equality rule.

If you think there are (standard track) syntaxes that AD supports and OpenLDAP misses, feel free to file a request for enhancement using the ITS (<http://www.openldap.org/its/>). Adding that type of support can be pretty trivial, as syntaxes may require minimal code that can be placed in a module and loaded run-time.

p.

--
Pierangelo Masarati
Associate Professor
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano
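The advice in the reply above, worked into a concrete schema fragment. This is an added example, not code from the thread or from the OpenLDAP project: the OIDs are the ones Microsoft publishes for these AD attributes, the syntaxes are the closest standard ones slapd understands, and the file name, suffix and URI in the slapd.conf lines are constructed.

```ldif
# ad-proxy.schema (constructed example). Only the attributes the clients
# actually put in filters are defined; everything else is passed through
# by the proxy untouched. Each attribute gets an EQUALITY rule so that
# equality filters such as (sAMAccountName=jdoe) can be normalised by slapd.

# Logon name: Directory String, matched case-insensitively as AD does.
attributetype ( 1.2.840.113556.1.4.221
    NAME 'sAMAccountName'
    DESC 'AD pre-Windows 2000 logon name'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

# UPN (user@realm): also a case-insensitive Directory String.
attributetype ( 1.2.840.113556.1.4.656
    NAME 'userPrincipalName'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

# Group membership back-link: DN syntax with distinguishedNameMatch, so
# (memberOf=CN=...) filters are normalised as DNs, not compared as text.
attributetype ( 1.2.840.113556.1.2.102
    NAME 'memberOf'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

# Account flags bitmask: Integer syntax; exact-value equality filters work.
attributetype ( 1.2.840.113556.1.4.8
    NAME 'userAccountControl'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

# objectSid has no standard syntax; as suggested above, octet string is the
# closest match and octetStringMatch gives an exact-match equality rule.
attributetype ( 1.2.840.113556.1.4.146
    NAME 'objectSid'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
    SINGLE-VALUE )

# slapd.conf (relevant lines only): the schema must be included before the
# back-ldap database definition so the proxy knows these attributes.
#   include   /etc/openldap/schema/core.schema
#   include   /etc/openldap/schema/ad-proxy.schema
#   database  ldap
#   suffix    "dc=example,dc=com"
#   uri       "ldap://dc1.example.com/"
```

Once loaded, a filter such as (&(objectClass=*)(sAMAccountName=jdoe)) is accepted by slapd without the initial warm-up search described earlier in the thread.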