[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP as a proxy for Active Directory (missing attributes)

To: Marius Flage <marius@flage.org>
Subject: Re: OpenLDAP as a proxy for Active Directory (missing attributes)
From: Jonathan Clarke <jonathan@phillipoux.net>
Date: Fri, 20 Aug 2010 15:07:14 +0200
Cc: openldap-technical@openldap.org
In-reply-to: <4C6E7414.1060502@flage.org>
References: <4C6E7414.1060502@flage.org>
User-agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.2.8) Gecko/20100802 Lightning/1.0b2 Thunderbird/3.1.2

Hi,

On 20/08/2010 14:24, Marius Flage wrote:

I'm trying to set up OpenLDAP to act as a proxy for Active Directory.
OpenLDAP should be the internet-facing interface for all external
queries for the AD catalog. I've gotten the connection set up and I'm
able to retrieve and search for most important values. However, when I
try to get out the group membership of the different objects, I've
encountered some problems.

When doing a search directly towards Active Directory I can see the
memberOf attributes for the objects [1], but when I perform the very
same search through the proxy, those attributes have been
ignored/stripped away from the result [2].

[...]

So my question is basically; how can I get the memberOf attribute
included in my searches through OpenLDAP? Do I need to include the
schema or am I approaching this from the wrong angle? What needs to be
done to set up OpenLDAP as a complete transparent proxy towards Active
Directory - basically having it behave as it was the AD itself answering
whenever you query the proxy?

I have an OpenLDAP proxy running to AD, and I just checked that I cansee the memberOf attribute fine in search results. This is using thelatest 2.4.23, and no added schema.

OpenLDAP has a special feature whereby if it sees an unknown attributedescription in a search result from a proxied LDAP server, it adds apseudo-attribute definition to it's local schema. You can see theseattributes in CAPITALS in your search results.

So, in order for your OpenLDAP proxy to be able to return memberOfattributes, it first needs to know about them via a search result. Makesure your searches do not include filters on unknown attributes.

Also, I note that your slapd.conf contains a configuration for the"memberof" overlay over your ldap database. This seems unnecessary, anmay well cause problems. I suggest you remove it.


Hope this helps,
Jonathan
--
--------------------------------------------------------------
Jonathan Clarke - jonathan@phillipoux.net
--------------------------------------------------------------
Ldap Synchronization Connector (LSC) - http://lsc-project.org
--------------------------------------------------------------

References:
- OpenLDAP as a proxy for Active Directory (missing attributes)
  - From: Marius Flage <marius@flage.org>

Prev by Date: Re: Openldap2.4.16 performance issue
Next by Date: Re: pass-through authentication
Index(es):
- Chronological
- Thread