
AD proxy in OpenLDAP

Hi guys,


Posted a while back but didn't get far, just trying again to see if I can get this working. We have AD on our DC server, working fine, and a list of external clients in OpenLDAP, also working fine. We have a new web service that needs to authenticate against only one DSA, so I need to have the OpenLDAP DSA proxy to AD. The initial setup in OpenLDAP is -


dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb
olcModuleload: back_ldap

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=companyname,dc=local
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=companyname,dc=local
olcRootPW: secret
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=companyname,dc=local" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=companyname,dc=local" write by * read


the ldap backend I have added with ldapadd is -


olcDatabase: ldap
olcSuffix: dc=internal,dc=companyname,dc=local
olcDbDirectory: /var/lib/ldap
uri: ldap://companyname.local
acl-bind: bindmethod=simple binddn="CN=proxy,OU=Service Accounts,OU=Users,OU=MyBusiness,DC=companyname,DC=local" credentials=secret.


When I attempt to search on dc=companyname,dc=local I get results. When I attempt to search AD directly from the server running OpenLDAP I get results. However, if I search dc=internal,dc=companyname,dc=local pointed at OpenLDAP I get No Such Object (32).


I believe this could be related to one of two things; however, I have been unable to find the fix (I have read the slapd, slapd-ldap, slapd-relay and slapd-pbind man pages, as well as numerous tutorials). I believe it is either that I am missing the schema files for AD or that I am incorrect in putting the LDAP backend in a separate dc (internal). On AD the base suffix is also just dc=companyname,dc=local. I put the LDAP backend in this suffix as the rest of the directory is already in dc=companyname,dc=local in OpenLDAP and I wished for it to be separate; I don't know if this has caused the issue. As for the schema files, I used Apache Directory Studio to export the cn=schema branch from AD into an LDIF file and attempted to add it using ldapadd; the result was:

adding new entry "CN=Schema,CN=Configuration,DC=companyname,DC=local"
ldap_add: Undefined attribute type (17)
        additional info: instanceType: attribute type undefined


I have been trying to figure out this issue for weeks and I am at my wits' end. I am seriously at the point of contemplating trying to find someone I can pay to show me the fix.
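As an added example (constructed for this page; it is not the poster's configuration nor an OpenLDAP project file), the same proxy expressed in cn=config with the two pieces that let a virtual suffix nested inside the local hdb suffix reach AD: the proxy database is placed at index {1}, because slapd routes an operation to the first database in index order whose suffix matches and the hdb suffix also matches dc=internal,dc=companyname,dc=local; and the rwm overlay rewrites the virtual suffix into AD's real suffix on outgoing requests and back on returned entries, so no AD schema has to be imported locally. Assumed: rwm is available as a loadable module in /usr/lib/ldap, AD requires an authenticated bind so the proxy's own service account is used for the upstream connection, and "secret" is a placeholder.

```ldif
# Constructed example, not the poster's configuration.
# 1. Load the rwm overlay next to the backends already loaded in cn=module{0}
#    (assumes rwm is built as a loadable module under /usr/lib/ldap).
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: rwm

# 2. Proxy database at index {1}. Its suffix is nested inside the hdb suffix,
#    and slapd hands a request to the first database in index order whose
#    suffix matches, so the proxy must sort before hdb (which becomes {2}hdb).
dn: olcDatabase={1}ldap,cn=config
changetype: add
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {1}ldap
olcSuffix: dc=internal,dc=companyname,dc=local
olcDbURI: ldap://companyname.local
# The upstream connection to AD uses the proxy's own service account for
# every client; mode=none sends no proxyAuthz control. "secret" is a placeholder.
olcDbIDAssertBind: bindmethod=simple binddn="CN=proxy,OU=Service Accounts,OU=Users,OU=MyBusiness,DC=companyname,DC=local" credentials=secret mode=none
# Optional: let searches of dc=companyname,dc=local in hdb descend into the proxy.
# olcSubordinate: TRUE

# 3. Translate the virtual suffix to AD's real suffix on requests and back on
#    results; without this AD is asked for dc=internal,... and answers with 32.
dn: olcOverlay={0}rwm,olcDatabase={1}ldap,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: {0}rwm
olcRwmRewrite: {0}rwm-rewriteEngine "on"
olcRwmRewrite: {1}rwm-suffixmassage "dc=internal,dc=companyname,dc=local" "dc=companyname,dc=local"
```

A quick check after loading this: ldapsearch -x -H ldap://localhost -b dc=internal,dc=companyname,dc=local -s base should return AD's domain root entry with its DN rewritten to the virtual suffix; a result code 32 at this point means either the database ordering or the suffix rewrite is not in effect.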