
Q: Requesting parent OU doesn't seem to work right with Meta-Backend OU as child



Hey guys,

I've got a huge problem here. I've been trying to merge three kinds of users: users from a local LDAP (ou=local-users,ou=accounts,dc=domain, which authenticates via SASL against a remote Active Directory that is not ldap://remote.site), local users with a locally stored password, and users from a remote Active Directory without storing them locally.
Let's say I have the following structure:

Local-LDAP (ldap://localhost):
  • dc=domain
    • ou=accounts
      • ou=local-users (with sasl)
      • ou=remote-users (Meta-Backend Proxy to ldap://remote.site – ou=accounts,dc=remote-domain)
      • ou=users (without sasl; password is stored locally)
Remote-AD (ldap://remote.site):
  • dc=remote-domain
    • ou=accounts
      • <All Users are stored in this OU>
The local LDAP structure works as expected. When I request ou=accounts,dc=domain I get all users located in ou=local-users and ou=users.
And now to the problem:
I only get the object ou=remote-users without the users from ou=accounts,dc=remote-domain, so ou=remote-users seems to be empty. But when I explicitly request the full DN of ou=remote-users (ou=remote-users,ou=accounts,dc=domain) I get the full list of all users located in ou=accounts,dc=remote-domain.

Here's my slapd.conf:
#######################################################################
# Global Directives:
#######################################################################
# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/inetorgperson.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
logfile         /etc/ldap/slapd.log
loglevel        1

sasl-host       localhost
sasl-secprops   none

#######################################################################
# Dynamic Module Directives
#######################################################################
# Base Path and individual modules.
modulepath      /usr/lib/ldap
moduleload      back_hdb.so
moduleload      refint.so
moduleload      memberof.so
moduleload      back_meta.so
moduleload      rwm.so

# Referential integrity (refint) overlay: keeps group relations consistent when entries are renamed or deleted. NOTE: only triggered by a 'delete' or 'modrdn' operation.
overlay         refint
refint_attributes member uniqueMember seeAlso
refint_nothing cn=EMPTY

# memberof overlay: maintains the group affiliation for each user. NOTE: adds an operational attribute 'memberOf' to every member entry listing all of its groups.
overlay         memberof

#######################################################################
# Database Directives:
#######################################################################
database        meta
suffix          "ou=remote-users,ou=accounts,dc=domain"
readonly        off
lastmod         off

uri             "ldap://remote.site/ou=remote-users,ou=accounts,dc=domain"
suffixmassage   "ou=remote-users,ou=accounts,dc=domain" "ou=accounts,dc=remote-domain"
idassert-bind   bindmethod=simple
                binddn="cn=root,dc=remote-domain"
                credentials="root"
                mode=none
                flags=non-prescriptive
idassert-authzFrom "dn.exact:cn=root,dc=remote-domain"

database        hdb
directory       /var/lib/ldap
suffix          "dc=domain"
rootdn          "cn=root,dc=domain"
rootpw          root
index           objectclass eq
index           uid eq,sub
lastmod         off
readonly        off


My search results at the parent OU:

#### ldapsearch -M -a always -D "cn=root,dc=domain" -w root -b "ou=accounts,dc=domain" dn

# extended LDIF
#
# LDAPv3
# base <ou=accounts,dc=domain> with scope subtree
# filter: (objectclass=*)
# requesting: dn
# with manageDSAit control
#

# accounts, domain
dn: ou=accounts,dc=domain


# local-users, accounts, domain
dn: ou=local-users,ou=accounts,dc=domain

# frank, local-users, accounts, domain
dn: cn=frank,ou=local-users,ou=accounts,dc=domain


# remote-users, accounts, domain
dn: ou=remote-users,ou=accounts,dc=domain


# users, accounts, domain
dn: ou=users,ou=accounts,dc=domain

# peter, users, accounts, domain
dn: cn=peter,ou=users,ou=accounts,dc=domain


My search results at the child (proxied) OU:

#### ldapsearch -M -a always -D "cn=root,dc=domain" -w root -b "ou=remote-users,ou=accounts,dc=domain" dn

# extended LDIF
#
# LDAPv3
# base <ou=remote-users,ou=accounts,dc=domain> with scope subtree
# filter: (objectclass=*)
# requesting: dn
# with manageDSAit control
#

# remote-users, accounts, domain
dn: ou=remote-users,ou=accounts,dc=domain

dn: cn=albert,ou=remote-users,ou=accounts,dc=domain



I hope you guys can help me out.
If you have further questions, please send me a mail.

Kind regards,
Marvyn :)
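The behaviour described above (the meta backend answers only when its own suffix is the search base, and is skipped by a subtree search at ou=accounts,dc=domain) is what slapd does when two databases share a namespace without being glued: the search is routed to the single database with the longest matching suffix, which for ou=accounts,dc=domain is the hdb database. The directive that glues a subordinate naming context into its superior is `subordinate` in the subordinate database, which is missing from the config in the post. The fragment below is an added example and not Marvyn's config: it repeats the post's database section with `subordinate` added. Hostnames and DNs are the post's own; `<remote-password>` and the `rootpw` hash are placeholders, and the change of `idassert-authzFrom` to the local rootdn is my reading of slapd-meta(5) (the rule matches local, already authenticated identities, not remote DNs) rather than something the post confirms.

```conf
#######################################################################
# Database Directives (glued setup; added example, not the original
# post's configuration)
#######################################################################
# A subordinate database must be defined BEFORE its superior.
database        meta
suffix          "ou=remote-users,ou=accounts,dc=domain"
# Glue this naming context into the dc=domain database below, so that a
# subtree search based at ou=accounts,dc=domain (or dc=domain) also
# descends into the proxied OU instead of stopping at the hdb entry.
subordinate
readonly        off
lastmod         off

# The naming context in the URI is the local (virtual) one; suffixmassage
# rewrites it to the real base on the remote Active Directory.
uri             "ldap://remote.site/ou=remote-users,ou=accounts,dc=domain"
suffixmassage   "ou=remote-users,ou=accounts,dc=domain" "ou=accounts,dc=remote-domain"

# Identity used towards the remote server. mode=none means the proxy binds
# as this DN for every proxied operation; the credential sits in cleartext
# in this file, so keep slapd.conf readable by the slapd user only.
# <remote-password> is a placeholder.
idassert-bind   bindmethod=simple
                binddn="cn=root,dc=remote-domain"
                credentials="<remote-password>"
                mode=none
                flags=non-prescriptive
# authzFrom restricts which LOCAL identities may use the asserted bind,
# so it names the local rootdn here (assumption, see lead-in).
idassert-authzFrom "dn.exact:cn=root,dc=domain"

# Superior database: holds dc=domain and the local OUs.
database        hdb
directory       /var/lib/ldap
suffix          "dc=domain"
rootdn          "cn=root,dc=domain"
# Store a hash produced by `slappasswd -s <password>` instead of a
# cleartext rootpw; the value below is a placeholder.
rootpw          {SSHA}<hash-from-slappasswd>
index           objectclass eq
index           uid eq,sub
lastmod         off
readonly        off
```

After restarting slapd, the same `ldapsearch -b "ou=accounts,dc=domain" dn` from the post should list cn=albert,ou=remote-users,ou=accounts,dc=domain next to frank and peter; if it still returns only the bare ou=remote-users entry, check `slapd -Tt` output for the database order, since a subordinate declared after its superior is not glued.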