
Re: openLDAP as a proxy for AD

Chris O'Kelly wrote:
Hi guys,

Read the slaptest(8) manpage. Set up your slapd.conf as desired and then convert to slapd.d format.

Read the slapo-pbind(8) manpage. If all you need is web authentication you may not need to bother with full proxy configuration.

I have been trying for a few weeks to integrate two directories. One is an AD
directory which holds internal employees and is used for Windows domain
logins/policy etc. The other is an OpenLDAP directory I set up myself last
week which contains external users (not employed by the company but need
access to various web applications we serve). As some of our web applications
do not support chaining multiple authentication sources, we are trying to get
all the AD content available in OpenLDAP, so we can use that for web app
authentication and AD for Windows domain stuff.

Before this I have basically no experience with LDAP (if I don't count adding
and removing the odd user or group from AD). As a result I went into this
project rather optimistically, having read great stuff about syncrepl and how
easy it is to set up replication to OpenLDAP. By now I am guessing most people
have guessed the realisation I came to when I tried to go down that path,
being that AD doesn't play nicely with others and syncrepl is not going to
help here.

Since then I have been doing a good deal of RTFMing and JFGIing and I believe
what I need to do is to use the back-ldap database type to set up a proxy.
Unfortunately that's where I hit a dead end. Every tutorial I can find seems
to relate to slapd.conf, whereas I am set up with RTC in the slapd.d directory.
In attempting to get around this I have been doing things like adding olc to
the beginning of pretty much everything I would put into slapd.conf, saving as
a .ldif and ldapadding it. After a while of trial-and-error runs I discovered
what modules needed to be loaded and what not in order to complete the ldapadd
without error, but still saw no change: searching found the results in
OpenLDAP but never the ones in AD.

In desperation, today I apt-get purged OpenLDAP and its dependencies and
reinstalled it. I deleted the basic configuration loaded into slapd.d and set
up a slapd.conf file as best I could with the setup I needed plus the
back-ldap stuff I had found in tutorials. I successfully slaptested it but I
am hitting the exact same problem, and the changes I have made since then seem
to have only succeeded in breaking OpenLDAP to the point where I was no longer
able to connect to it with Apache Directory Studio.

So now I have purged the lot again, and I suppose I am looking for some help
as to where to go from here. OpenLDAP is running on Ubuntu and the ldif I have
been trying to add for the proxy is:

olcDatabase: ldap
olcSuffix: dc=companyname,dc=local
olcSubordinate: yes
olcRebind-as-user: yes
olcUri: "ldap://companyname.local/"
olcChase-referrals: yes

Thanks in advance to anyone who can help!

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
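The LDIF quoted in the original message illustrates why "prefix every slapd.conf keyword with olc" does not work: the cn=config attribute types for back-ldap follow the olcLDAPConfig schema (olcDbURI, olcDbRebindAsUser, olcDbChaseReferrals, ...), and an entry also needs its dn, objectClasses and the positional {N} index. The script below is an added illustration written for this thread; it is not OpenLDAP code and it is not a substitute for the supported route Howard points to, slaptest -f slapd.conf -F slapd.d. It translates a small 'database ldap' section into the equivalent olcDatabase={N}ldap entry using the directive-to-attribute names from slapd-config(5) and slapd-ldap(5), reports any keyword it does not know, and normalises yes/no flags to the TRUE/FALSE form cn=config expects. The database index and the sample slapd.conf (hostnames are placeholders) are assumptions; on a real server the index comes from the existing olcDatabase entries.

```python
"""Translate slapd.conf back-ldap directives into a cn=config (slapd.d) LDIF entry.

Added illustration for the mailing-list thread; NOT part of OpenLDAP and NOT a
replacement for ``slaptest -f slapd.conf -F slapd.d``, which is the supported
conversion. It shows that cn=config attribute names are schema-defined and
cannot be derived by prefixing slapd.conf keywords with "olc".
"""

# Generic database directives (slapd-config(5)) -> cn=config attribute types.
GENERIC_DIRECTIVES = {
    "suffix": "olcSuffix",
    "subordinate": "olcSubordinate",
    "rootdn": "olcRootDN",
    "readonly": "olcReadOnly",
    "lastmod": "olcLastMod",
}

# back-ldap directives (slapd-ldap(5)) -> olcLDAPConfig attribute types.
BACK_LDAP_DIRECTIVES = {
    "uri": "olcDbURI",
    "rebind-as-user": "olcDbRebindAsUser",
    "chase-referrals": "olcDbChaseReferrals",
    "idassert-bind": "olcDbIDAssertBind",
    "acl-bind": "olcDbACLBind",
    "protocol-version": "olcDbProtocolVersion",
}

# Flags written yes/no in slapd.conf but TRUE/FALSE in cn=config.
BOOLEAN_DIRECTIVES = {"subordinate", "rebind-as-user", "chase-referrals",
                      "readonly", "lastmod"}


def parse_slapd_conf(text):
    """Return (keyword, value) pairs for one slapd.conf database section.

    Comments and blank lines are skipped, continuation lines (leading
    whitespace) are joined as slapd.conf does, and surrounding quotes are
    stripped so the LDIF carries the bare value rather than a quoted one.
    """
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    pairs = []
    for line in lines:
        keyword, _, value = line.partition(" ")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        pairs.append((keyword.lower(), value))
    return pairs


def to_cn_config(text, index=1):
    """Build the LDIF entry olcDatabase={index}ldap,cn=config from slapd.conf text.

    ``index`` is an assumption: it must match the position of the new database
    among the server's existing olcDatabase entries.
    Returns (ldif_text, list_of_untranslated_keywords).
    """
    pairs = parse_slapd_conf(text)
    if not pairs or pairs[0] != ("database", "ldap"):
        raise ValueError("expected the section to start with 'database ldap'")
    entry = [
        f"dn: olcDatabase={{{index}}}ldap,cn=config",
        "objectClass: olcDatabaseConfig",
        "objectClass: olcLDAPConfig",
        f"olcDatabase: {{{index}}}ldap",
    ]
    unknown = []
    for keyword, value in pairs[1:]:
        attr = GENERIC_DIRECTIVES.get(keyword) or BACK_LDAP_DIRECTIVES.get(keyword)
        if attr is None:
            unknown.append(keyword)      # left for the reader to look up, never guessed
            continue
        if keyword in BOOLEAN_DIRECTIVES:
            value = "TRUE" if value.lower() in ("yes", "on", "true") else "FALSE"
        entry.append(f"{attr}: {value}")
    # A single LDIF entry: attributes are consecutive lines, no blank lines inside.
    return "\n".join(entry) + "\n", unknown


# Constructed sample modelled on the poster's setup; hostnames are placeholders.
SAMPLE_SLAPD_CONF = """\
database        ldap
suffix          "dc=companyname,dc=local"
subordinate     yes
rebind-as-user  yes
uri             "ldap://companyname.local/"
chase-referrals yes
"""

if __name__ == "__main__":
    ldif, unknown = to_cn_config(SAMPLE_SLAPD_CONF, index=2)
    print(ldif)
    if unknown:
        print("not translated:", ", ".join(unknown))
```

The resulting entry is what ldapadd against cn=config would need for this proxy, whereas a line such as `olcUri: "ldap://..."` is an unknown attribute type (and would carry the quotes literally) and is rejected or ignored by the server.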