
Re: OpenLDAP Proxy to AD of User Objects with full/correct schema

On Wed, Nov 21, 2012 at 03:50:03PM -0500, Mailing Lists wrote:

> As I thought about it more, I realized we could use LDAP to centralize our
> Linux users, groups, and access to other LDAP-enabled applications. The point
> of all this is, that I don't need to proxy Active Directory (and its schema) in
> its entirety, I really just want to use it as a central repository for user
> info and authentication.
> So, I guess, my first question is: Is this a viable use case? All signs seem to
> point to yes, but I just want to make sure.

In principle, yes, you can do this. In practice, of course, it
depends on the details... If you want AD to store all the
attributes needed by SAMBA and Linux clients, are you prepared
to add them to the AD schema? Will they conflict with something
that is already there? Remember that although AD provides an
LDAP interface, it is not entirely compliant with LDAP
standards - particularly with respect to schema.

> I currently have a proxy database configured that is successfully proxying/
> querying our AD infrastructure. From what I've read, OpenLDAP 2.3 and newer
> have the ability to proxy unknown schemas, but will not be able to do any
> advanced filtering because the schema is unknown. My question is, given a full
> export of the AD schema from CN=Schema,CN=Configuration,DC=corp,DC=whatever,DC=
> com via LDIFDE, is there a way to leverage this to re-create parts of the AD
> schema so that OpenLDAP can perform native filtering? I'm primarily only
> interested in the user objects (ObjectClass=user).

You may need to do a bit of editing and reformatting on the
schema entries, but in principle, yes, you can add AD-like schema
to OpenLDAP. You will have to watch out for schema that is
incompatible with the built-in standard schema, but you can
probably get close enough to do something useful.

> users. I've also seen the AD/Outlook Global Address List entry in the FAQ, but
> that involves editing the OpenLDAP provided .schema files. If possible, I'd
> like to keep all of these AD related schemas within their own files and keep
> the OpenLDAP provided ones untouched.

Makes sense.

|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
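The "editing and reformatting" step discussed above, as an added example that is not part of the original thread or of any OpenLDAP tool: a small Python converter that reads attributeSchema entries from an LDIFDE-style export and emits OpenLDAP `attributetype` definitions for a separate .schema file, skipping attributes whose name clashes with OpenLDAP's built-in schema (AD's `name` is 1.2.840.113556.1.4.1, OpenLDAP's is 2.5.4.41) and attributes whose AD syntax has no sensible OpenLDAP equivalent. The AD syntax mapping and the built-in-name list are partial and are assumptions to extend from your own export and your own slapd; the sample export is constructed for the example, with OIDs copied from the AD schema that you should verify against your own LDIFDE output.

```python
"""Convert AD attributeSchema entries (LDIFDE export) into OpenLDAP
'attributetype' definitions for a stand-alone .schema file."""
import base64

# AD attributeSyntax OID -> (LDAP syntax OID, EQUALITY rule, SUBSTR rule).
# Assumption: partial mapping covering the syntaxes common on user objects.
AD_SYNTAX = {
    "2.5.5.1":  ("1.3.6.1.4.1.1466.115.121.1.12", "distinguishedNameMatch", None),
    "2.5.5.8":  ("1.3.6.1.4.1.1466.115.121.1.7",  "booleanMatch", None),
    "2.5.5.9":  ("1.3.6.1.4.1.1466.115.121.1.27", "integerMatch", None),
    "2.5.5.10": ("1.3.6.1.4.1.1466.115.121.1.40", "octetStringMatch", None),
    "2.5.5.11": ("1.3.6.1.4.1.1466.115.121.1.24", "generalizedTimeMatch", None),
    "2.5.5.12": ("1.3.6.1.4.1.1466.115.121.1.15", "caseIgnoreMatch",
                 "caseIgnoreSubstringsMatch"),
    "2.5.5.16": ("1.3.6.1.4.1.1466.115.121.1.27", "integerMatch", None),
}

# Names OpenLDAP's core/cosine/inetorgperson schema already defines; loading the
# AD versions would clash with them. Assumption: partial list, extend as needed.
BUILTIN_NAMES = {"name", "cn", "sn", "givenname", "mail", "description",
                 "uid", "member", "telephonenumber"}

# Constructed sample in LDIFDE style (one entry is line-folded on purpose).
SAMPLE_EXPORT = """\
dn: CN=SAM-Account-Name,CN=Schema,CN=Configuration,DC=corp,DC=example,DC=com
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.4.221
lDAPDisplayName: sAMAccountName
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE

dn: CN=User-Account-Control,CN=Schema,CN=Configuration,DC=corp,DC=exam
 ple,DC=com
changetype: add
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.4.8
lDAPDisplayName: userAccountControl
attributeSyntax: 2.5.5.9
oMSyntax: 2
isSingleValued: TRUE

dn: CN=RDN,CN=Schema,CN=Configuration,DC=corp,DC=example,DC=com
changetype: add
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.4.1
lDAPDisplayName: name
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE

dn: CN=NT-Security-Descriptor,CN=Schema,CN=Configuration,DC=corp,DC=example,DC=com
changetype: add
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.2.281
lDAPDisplayName: nTSecurityDescriptor
attributeSyntax: 2.5.5.15
oMSyntax: 66
isSingleValued: TRUE
"""


def parse_ldif(text):
    """Return a list of entries (dict of lower-cased attr -> list of values).
    Unfolds continuation lines and decodes base64 ('::') values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:                   # trailing "" flushes last entry
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        key, _, val = line.partition(":")
        if val.startswith(":"):                 # "attr:: base64"
            val = base64.b64decode(val[1:].strip()).decode("utf-8", "replace")
        else:
            val = val.strip()
        cur.setdefault(key.strip().lower(), []).append(val)
    return entries


def to_attributetype(entry):
    """Return (definition, None) or (None, reason) when the entry is skipped."""
    oid = entry["attributeid"][0]
    name = entry["ldapdisplayname"][0]
    ad_syntax = entry["attributesyntax"][0]
    if name.lower() in BUILTIN_NAMES:
        return None, f"{name}: clashes with built-in schema, keep OpenLDAP's"
    syntax, eq, substr = AD_SYNTAX.get(ad_syntax, (None, None, None))
    if syntax is None:
        return None, f"{name}: unmapped AD syntax {ad_syntax}"
    parts = [f"attributetype ( {oid}", f"    NAME '{name}'", f"    EQUALITY {eq}"]
    if substr:
        parts.append(f"    SUBSTR {substr}")
    parts.append(f"    SYNTAX {syntax}")
    if entry.get("issinglevalued", ["FALSE"])[0].upper() == "TRUE":
        parts.append("    SINGLE-VALUE")
    parts[-1] += " )"
    return "\n".join(parts), None


def convert(ldif_text):
    """Convert every attributeSchema entry; returns (definitions, skip reasons)."""
    defs, skipped = [], []
    for e in parse_ldif(ldif_text):
        if "attributeschema" not in [v.lower() for v in e.get("objectclass", [])]:
            continue
        definition, why = to_attributetype(e)
        (defs if definition else skipped).append(definition or why)
    return defs, skipped


if __name__ == "__main__":
    definitions, reasons = convert(SAMPLE_EXPORT)
    print("\n\n".join(definitions))
    for r in reasons:
        print("# skipped:", r)
```

Run against a real export, the definitions go into a file such as `microsoft-user.schema` that you `include` after the standard schema, leaving the OpenLDAP-provided files untouched; the skipped list is the conflict review Andrew warns about, and objectClass definitions (AD's `user`, which sits under the already-built-in `organizationalPerson`) need the same treatment by hand.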