
Re: OpenLDAP Metadirectory



Hi, 

I have two Active Directories in my company.
As I have an application which can only query one LDAP server for authentication, I thought about a metadirectory as described here:
http://ltb-project.org/wiki/documentation/general/sasl_delegation 
and here 
https://www.memolinux.info/doku.php?id=unix:ldap:openldapads&s=meta#backend/meta 

So I started with OpenLDAP 2.4.31 from Debian 7.4.

My starting configuration looks like below:

What I was missing from the docs: I need a schema where sAMAccountName, proxyAddresses and so on are defined. So I created the msad.schema as described here:
http://serverfault.com/questions/151688/configuring-openldap-as-a-active-directory-proxy 

Now I don't get an error when I start up slapd.
But when I do a search against the metadirectory, for example: "ldapsearch -x -D cn=manager,dc=meta -b dc=meta uid=testuser", I see in Wireshark
- the bind request
- the search request within DC=D6200,DC=comp,DC=com
- but the search criteria looks like this:
(!(objectclass=*)) not (objectclass=*)
which finds nothing and gives me 0 results.

Also I found:
http://www.openldap.org/lists/openldap-technical/201206/msg00168.html
But what is unclear here: what schema definitions do I need with this?

Could someone point me to my error, as I am nearly blind from comparing.
Thomas 


slapd.conf 
==========
# Schema and objectClass definitions 
include /etc/ldap/schema/core.schema 
include /etc/ldap/schema/cosine.schema 
include /etc/ldap/schema/nis.schema 
include /etc/ldap/schema/inetorgperson.schema 
include /etc/ldap/schema/misc.schema 
include /etc/ldap/schema/msad.schema 

pidfile /var/run/slapd/slapd.pid 
loglevel 99 

# Where the dynamically loaded modules are stored 
modulepath /usr/lib/ldap 
moduleload back_hdb 
moduleload back_ldap 
moduleload back_meta 
moduleload rwm 

access to * 
by * read 

# Database 
database meta 
suffix "dc=meta" 
rootdn "cn=Manager,dc=meta" 
rootpw secret 

# LDAP 1 
uri "ldap://192.168.0.2:3268/ou=vzp,dc=meta"; 

lastmod off 
suffixmassage "ou=vzp,dc=meta" "DC=D6200,DC=comp,DC=com" 
idassert-bind bindmethod=simple 
binddn="CN=Meta,CN=Users,DC=D6200,DC=comp,DC=com" 
credentials="secret" 
mode=none 
flags=non-prescriptive 
idassert-authzFrom "dn.exact:cn=Manager,dc=meta" 

overlay rwm 
rwm-map objectclass account user 
rwm-map attribute mail proxyAddresses 
rwm-map attribute uid sAMAccountName 
rwm-map attribute cn name 
rwm-map attribute * 

# LDAP 2 
uri "ldap://192.168.13.2:3268/ou=azp,dc=meta"
lastmod off 
suffixmassage "ou=azp,dc=meta" "DC=d5820,DC=muc,DC=com" 
idassert-bind bindmethod=simple 
binddn="CN=Meta,CN=Users,DC=d5820,DC=muc,DC=com" 
credentials="secret" 
mode=none 
flags=non-prescriptive 
idassert-authzFrom "dn.exact:cn=Manager,dc=meta" 

overlay rwm 
rwm-map objectclass account user 
rwm-map attribute mail proxyAddresses 
rwm-map attribute uid sAMAccountName 
rwm-map attribute cn name 
rwm-map attribute *
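The filter the poster captured, (!(objectclass=*)), is the form a proxy sends when it has to forward a filter that can never be evaluated: the request reaches the backend, succeeds, and returns zero entries, so the failure looks like "user not found" rather than an error. The following Python model is an added example and is not OpenLDAP code; it applies the rwm-map lines from the posted slapd.conf (virtual name on the left, AD name on the right, `*` passing everything else through) to an RFC 4515 filter and assumes, as a modelling rule, that a mapped attribute the proxy has no schema definition for makes that leaf undefined. The two attribute-type sets (WITH_MSAD, WITHOUT_MSAD) are constructed to contrast a proxy that does and does not know the AD attribute names after mapping.

```python
"""Constructed model (not OpenLDAP code) of an rwm-style attribute and
objectClass map applied to an LDAP search filter.  It shows how one leaf
that cannot be resolved after mapping collapses the forwarded request into
a filter that matches nothing, which is what the captured search showed."""

UNDEFINED = object()                  # sentinel: this sub-filter cannot be evaluated
NEVER_MATCHES = "(!(objectClass=*))"  # wire form assumed for an undefined filter

# Maps taken from the posted rwm-map lines (virtual -> real)
ATTR_MAP = {"uid": "sAMAccountName", "mail": "proxyAddresses", "cn": "name"}
OC_MAP = {"account": "user"}

# Constructed attribute-type sets (lower-cased) the proxy can resolve after mapping
WITH_MSAD = {"objectclass", "samaccountname", "proxyaddresses", "name"}
WITHOUT_MSAD = {"objectclass", "uid", "mail", "cn"}


def _parse(s, i):
    """Recursive-descent parser for RFC 4515 filters restricted to &, |, !
    and attr=value / attr=* items.  Returns (node, index_after_node)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op = "and" if s[i] == "&" else "or"
        kids, i = [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, kids), i + 1
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return ("not", node), i + 1
    j = s.index(")", i)
    attr, sep, value = s[i:j].partition("=")
    if not sep or not attr:
        raise ValueError(f"bad filter item {s[i:j]!r}")
    return ("item", attr, value), j + 1


def parse_filter(s):
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("trailing data after filter")
    return node


def _rewrite(node, attr_map, oc_map, resolvable):
    kind = node[0]
    if kind == "item":
        _, attr, value = node
        # 'rwm-map attribute *': names without an explicit map pass through unchanged
        real = attr_map.get(attr.lower(), attr)
        if attr.lower() == "objectclass" and value != "*":
            value = oc_map.get(value.lower(), value)   # rwm-map objectclass account user
        # Model rule (assumption): a mapped attribute the proxy has no definition
        # for cannot be evaluated, so the leaf becomes undefined
        if real.lower() not in resolvable:
            return UNDEFINED
        return f"({real}={value})"
    if kind == "not":
        inner = _rewrite(node[1], attr_map, oc_map, resolvable)
        return UNDEFINED if inner is UNDEFINED else f"(!{inner})"
    kids = [_rewrite(k, attr_map, oc_map, resolvable) for k in node[1]]
    if kind == "and":
        # Simplification of RFC 4511 three-valued logic: an undefined conjunct
        # makes the whole AND undefined
        if any(k is UNDEFINED for k in kids):
            return UNDEFINED
        return "(&" + "".join(kids) + ")"
    defined = [k for k in kids if k is not UNDEFINED]  # OR just loses undefined legs
    return UNDEFINED if not defined else "(|" + "".join(defined) + ")"


def rewrite_filter(filt, attr_map=ATTR_MAP, oc_map=OC_MAP, resolvable=WITH_MSAD):
    """Return the filter as the model would forward it to the remote AD."""
    out = _rewrite(parse_filter(filt), attr_map, oc_map, resolvable)
    return NEVER_MATCHES if out is UNDEFINED else out


def is_dead_query(wire_filter):
    """Detection hook for a proxy or capture: this filter returns 0 entries for
    every search, so authentication fails silently instead of with an error."""
    return wire_filter.lower() == NEVER_MATCHES.lower()


if __name__ == "__main__":
    for label, schema in (("with msad.schema", WITH_MSAD), ("without", WITHOUT_MSAD)):
        wire = rewrite_filter("(uid=testuser)", resolvable=schema)
        print(f"{label:18s} {wire}", "<- dead query" if is_dead_query(wire) else "")
```

The `is_dead_query` check is the part worth keeping: a metadirectory that forwards (!(objectClass=*)) never errors, so a log or capture rule that flags that filter is the quickest way to notice that attribute mapping, not the remote directory, is why every lookup comes back empty.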