[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP as proxy for Active Directory

On Fri, 2005-10-14 at 21:23 +0200, Jan Schmidt wrote:
> Hi list,
> I managed to setup OpenLDAP (2.2.23 on SuSE 9.3) as read-only proxy to our 
> Active Directory using
> the ldap/meta backend. Now I've found two annoying drawbacks.
> (1) One strange behaviour is, that a ldapsearch on the proxy returns only a 
> subset of the available
> attributes of the object. Same ldapsearch to the  Active Directory returns 
> the full set.

You need to define the attributes you want to see into slapd's schema.
Or, if you use a recent 2.3 (>=2.3.7), the so-called "proxied"
attributes (undefined attributes after they get first returned by a
search thru a proxy backend) will show up with minimal syntax checks.

> (2) Active Directory allows uid@domain as bindDN. While slapd is configured 
> to be a proxy it doesn't
> send the bindDN to the AD but parses it. This results in an error message:
> <= ldap_bv2dn(uid@domain)=-4 Decoding error
> bind: invalid dn (uid@domain)
> I tried to do the rewrite stuff mentioned in slapd-meta.5 but it doesn't work.

That cannot work because rewriting occurs __after__ the frontend
validated the incoming data.

> Can somebody give me some hints or has anyone got a fully functional 
> AD-proxy configuration?

Provided AD supports the proxyAuthz control (draft-weltman-ldapv3-proxy;
I'm not 100% sure), and provided you use 2.3.11 with a fix I just
committed to back-ldap (servers/slapd/back-ldap/bind.c 1.129 -> 1.130),
you can obtain what you need by using SASL bind plus idassert; you need
to setup SASL so that authentication is propagated to the AD; you should
ask some SASL expert what's the most appropriate means to obtain that.
Then you need to configure the proxy slapd.conf as:

database        ldap
suffix          "dc=domain"
uri             "ldap://ad.domain";

idassert-bind   bindmethod=simple


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497