[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: AD proxy in OpenLDAP

(feeling a tad silly, now that I have discovered I was not replying to the actual mailing list but to single people.)

OK so I have managed to get both the ldap and hdb databases to coexist, mostly through copying code straight from the ldapglue test in the OpenLDAP build files. The ldif file I use now for my backend is as follows -

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb
olcModuleload: back_ldap

dn: olcDatabase={1}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {1}ldap
olcSuffix: ou=internal,dc=companyname,dc=local
olcSubordinate: TRUE
olcDbURI: "ldap://companyname.local"
olcDbRebindAsUser: FALSE
olcDbChaseReferrals: TRUE

dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcSuffix: dc=companyname,dc=local
olcLastMod: TRUE
olcRootDN: cn=admin,dc=companyname,dc=local
olcRootPW: {SSHA}hashed password
olcDbDirectory: /var/lib/ldap
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcDbIndex: cn pres,eq,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: sn pres,eq,sub
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=minecorp,dc=local" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=companyname,dc=local" write by * read

I can search dc=companyname,dc=local fine, I see the users in this tree and the Internal OU. However I do not see any of the users from the AD linked to by this database. I know I can ldap search it from the server and get results, so I believe that either I need to construct my search differently or it is an authentication issue. As I read it, I need to use idassert-bind, specifying a user from AD with read access, and that user will be used to search AD.

I have a few questions leading from this - 
The first is: does anyone know the syntax for idassert-bind as it applies to ldif files to be ldapadded to the RTC? As I read it, if it were slapd.conf I would want -

idassert-bind    bindmethod=simple binddn="cn=proxy,ou=service accounts,ou=users,dc=companyname,dc=local" credentials="password" mode=self

but I am unsure how to structure this for RTC.

The second is - am I correct in thinking that, once this is all working, a search with (objectclass=*) on the dc=companyname,dc=local should return all the users in that branch as well as all the users in AD? Or will I need to craft my search differently to deal with the proxy?

The third is also just a confirmation - is idassert-bind meant for what I think it is? Should it contain a user not in the local DSA but in the one I am proxying to? Or have I misread?