
RE: openLDAP as a proxy for AD



>Thanks Alex for replying,
>...
>...

OK, a day's work has led me to discover that apt-get purge --auto-remove slapd ldap-utils does not actually purge slapd or ldap-utils, but appears to uninstall them and purge all their dependencies. I think this was behind my larger issues with OpenLDAP; apt-get purge slapd ldap-utils fixed that for me. I am now circling back around to my original problem.

To clarify, there are 2 servers.

DC server - AD set up, internal users, groups, policy etc. All working fine.

Ubuntu server - OpenLDAP set up, external users' usernames and passwords. We need our various web apps to point to this for authentication and return users from either of the DSAs.

The backend of OpenLDAP is currently set up like this (basically straight from a tutorial):

# Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb
olcModuleload: back_ldap

# Database settings
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=companyname,dc=local
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=companyname,dc=local
olcRootPW: secret
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=companyname,dc=local" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=companyname,dc=local" write by * read

I am trying to get the proxy set up at dc=AD,dc=companyname,dc=local.

So far my slapd.conf is:

# AD server proxy
database ldap
suffix "dc=AD,dc=companyname,dc=local"
uri ldap://companyname.local/
idassert-bind bindmethod=simple
    binddn="cn=admin,dc=companyname,dc=local"
    credentials=secret
    authzID="dn:cn=admin,dc=companyname,dc=local"

However, on running slaptest I get:

slapd.conf: line 4: <suffix> invalid DN 21 (Invalid syntax)
slaptest: bad configuration directory!

I tried suffix with and without the quotes, to no avail.

A side question which neither man slaptest nor Google has answered for me thus far: will slaptest add the configuration to slapd.d or overwrite it?

I do totally get that I am basically asking someone to do my job for me here, which is not a habit I like to cultivate, but I would be eternally grateful if anyone could just point me in the right direction. I have done enough tech support to be frustrated to be on this side of the RTFM coin, but I assure you I have trawled man pages, tutorials and forums before I came here.
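An added example, not from the original post or the OpenLDAP project: the back-ldap proxy stanza above expressed in cn=config LDIF, the format the rest of the posted configuration already uses. It assumes a dedicated read-only AD service account (placeholder DN and password) for the proxy's own bind rather than the local rootdn, that the AD naming context is dc=companyname,dc=local so the rwm overlay maps the virtual dc=AD suffix onto it, and that the rwm module is loaded alongside back_ldap in the module list.

```ldif
# Added example (constructed), not the poster's configuration.
# back-ldap proxy database for the AD DC, cn=config form. {2} assumes the
# existing {1}hdb database shown in the post.
dn: olcDatabase={2}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {2}ldap
olcSuffix: dc=AD,dc=companyname,dc=local
olcDbURI: ldap://companyname.local/
# Identity slapd itself presents to AD when it searches on behalf of
# clients. Placeholder AD account: use a least-privilege, read-only one;
# AD does not know the local cn=admin rootdn. mode=none means no
# proxyAuthz control is sent, just a plain bind as this account.
# Client binds as AD users are still forwarded with their own credentials.
olcDbIDAssertBind: bindmethod=simple binddn="cn=ldapproxy,cn=Users,dc=companyname,dc=local" credentials=REPLACE_ME mode=none
# Which local identities may use the asserted bind; * = all (assumption:
# every web-app client of the proxy should be able to search AD).
olcDbIDAssertAuthzFrom: *
# AD emits referrals for its other partitions; do not follow them, or a
# search can stall on unreachable hosts.
olcDbChaseReferrals: FALSE

# The virtual suffix differs from AD's real naming context, so rewrite it
# (assumption: AD's context is dc=companyname,dc=local).
dn: olcOverlay={0}rwm,olcDatabase={2}ldap,cn=config
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: {0}rwm
olcRwmRewrite: rwm-suffixmassage "dc=AD,dc=companyname,dc=local" "dc=companyname,dc=local"
```

Loaded with ldapadd against cn=config, this adds a second database beside the existing hdb one instead of mixing a slapd.conf stanza into a slapd.d-based setup.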