Re: Proxy to Active Directory: lost field
On Wed, 25 Mar 2009 16:49:20 +0100
Pierangelo Masarati <ando@sys-net.it> wrote:
> Bogdan B. Rudas wrote:
> > Hello.
> >
> > I use OpenLDAP as proxy for M$ AD.
> > The problem is: I can set filters only on some fields like CN or
> > Name. I can't query AD by sAMAccountName via the proxy.
> > Also I can't see many AD-specific fields while browsing AD via the
> > OpenLDAP proxy.
> >
> >
> > Request to proxy:
> >
> > ldapsearch -M -LLL -H ldap://localhost:389 -x -D
> > "cn=aduser,ou=allusers,ou=itdep,dc=domain,dc=company,dc=com" -w
> > password -x -b "dc=domain,dc=company,dc=com"
> > '(sAMAccountName=bogdan.rudas)' sAMAccountName
> >
> > Returns nothing.
> >
> > Request directly to AD LDAP:
> >
> > ldapsearch -M -LLL -H ldap://ADserver.domain.company.com:1234 -x -D
> > "cn=aduser,ou=allusers,ou=itdep,dc=domain,dc=company,dc=com" -w
> > password -x -b "dc=domain,dc=company,dc=com"
> > '(sAMAccountName=bogdan.rudas)' cn
> >
> > Returns:
> >
> > dn: CN=Bogdan Rudas.......skipped....
> > cn: Bogdan Rudas
> >
> >
> > Yet another request to proxy:
> >
> > ldapsearch -M -LLL -H ldap://ADserver.domain.company.com:1234 -x -D
> > "cn=aduser,ou=allusers,ou=itdep,dc=domain,dc=company,dc=com" -w
> > password -x -b "dc=domain,dc=company,dc=com" '(name=Bogdan Rudas)'
> > cn sAMAccountName
> >
> > dn: cn=Bogdan Rudas.......skip.....
> > cn: Bogdan Rudas
> > SAMACCOUNTNAME: bogdan.rudas
> >
> > Slapd version 2.4.11-1
> > Running on Debian 5.0 amd64
> >
> > OpenLDAP config:
> >
> > include /etc/ldap/schema/core.schema
> > include /etc/ldap/schema/cosine.schema
> > include /etc/ldap/schema/inetorgperson.schema
> > pidfile /var/run/slapd/slapd.pid
> > argsfile /var/run/slapd/slapd.args
> >
> > modulepath /usr/lib/ldap
> > moduleload back_ldap
> >
> >
> > access to dn.base="" by * read
> > access to *
> > by self read
> > by users read
> > by anonymous auth
> >
> > loglevel 256
> >
> > ######################################################
> > # database definitions
> > ######################################################
> >
> > database ldap
> > suffix "dc=intra,dc=nival,dc=com"
> > uri "ldap://ADserver.domain.company.com:1234"
> > acl-bind bindmethod=simple
> > binddn="cn=aduser,ou=allusers,ou=itdep,dc=domain,dc=company,dc=com"
> > credentials=password
> > chase-referrals yes
>
> Your proxy knows nothing about those schema items, that's why they
> are ignored by slapd. You need to extract that information from AD,
> format it according to slapd's syntax for the "attributeType" and
> "objectClass" keywords in slapd.conf(5) and pre-load them much like
> you do with other schema items (the "include <file>.schema" lines
> above).
>
> p.
>
Hello!
Thank you for your response.
I made a custom schema (I got the values with Apache Directory Studio):

attributetype ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' SYNTAX
'1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )

Now I can see this field in the LDAP browser, but I still can't do searches
using this field.
There are so many objectClasses in AD, how can I determine which of them I
really need? I used slapd -d 1 and -d 512 - both were like voodoo
magic for me because I don't know what I should look for.
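Added example, not part of the thread and not written by either poster. The
attributetype above declares a SYNTAX but no EQUALITY matching rule, and slapd
cannot evaluate an equality assertion such as (sAMAccountName=bogdan.rudas)
against an attribute that has no EQUALITY rule: the filter component becomes
Undefined and matches nothing, which is exactly the "returns nothing" behaviour
seen through the proxy while the entry is still returned when you filter on a
known attribute. The fragment below adds EQUALITY and SUBSTR rules so the
attribute is both readable and searchable through back-ldap. The sAMAccountName
OID is the one from the post; the userPrincipalName OID (1.2.840.113556.1.4.656)
is the one Active Directory publishes for that attribute, and the
subschemaSubentry path and hostnames are assumptions taken from the thread,
so verify them against your own forest before loading the file.

```conf
# /etc/ldap/schema/ad-proxy.schema  (assumed file name)
#
# Minimal attributeType definitions for proxying a few AD attributes with
# slapd back-ldap. The EQUALITY/SUBSTR rules are what make search filters
# on these attributes evaluable; with only SYNTAX the filter is Undefined
# and the proxy returns no entries.
#
# sAMAccountName: OID from the thread; AD compares it case-insensitively.
attributetype ( 1.2.840.113556.1.4.221
    NAME 'sAMAccountName'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

# userPrincipalName: same shape, OID as published in the AD schema.
attributetype ( 1.2.840.113556.1.4.656
    NAME 'userPrincipalName'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

# slapd.conf: include this file after the stock schema files and before
# the "database ldap" section, e.g.
#   include /etc/ldap/schema/inetorgperson.schema
#   include /etc/ldap/schema/ad-proxy.schema
#
# To pull the exact definition of any further attribute straight from AD
# (instead of reading it off a GUI), query the aggregate subschema entry
# with the same proxy bind credentials and grep for the NAME you need:
#   ldapsearch -LLL -x -H ldap://ADserver.domain.company.com:1234 \
#     -D "cn=aduser,ou=allusers,ou=itdep,dc=domain,dc=company,dc=com" -W \
#     -s base -b "CN=Aggregate,CN=Schema,CN=Configuration,dc=domain,dc=company,dc=com" \
#     attributeTypes | grep -i "'userAccountControl'"
#
# Only attributes you filter on or want returned need a definition; AD's
# many objectClasses do not, unless you intend to filter on
# (objectClass=user) and friends, in which case define those too.
#
# Verification after restarting slapd: the search that returned nothing
# through the proxy should now return the entry:
#   ldapsearch -M -LLL -x -H ldap://localhost:389 \
#     -D "cn=aduser,ou=allusers,ou=itdep,dc=domain,dc=company,dc=com" -W \
#     -b "dc=domain,dc=company,dc=com" \
#     '(sAMAccountName=bogdan.rudas)' cn sAMAccountName
```

Note the -W in the verification commands instead of -w password: the bind
password then does not end up in the process list or shell history of the
proxy host, which matters when the account can read the whole domain.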