[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Active directory and openldap



I'm trying to achieve the same objective but keep on meeting the following error:

Constraint violation
additional info: 0000216C: AtrErr: DSID-031D0AC0, #1:
0: 0000216C: DSID-031D0AC0, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)


Did you, by chance, met this error too? All the rest works nicely but this error keeps haunting me and the few info I found on the net didn't help.

Any help is welcome

Mark.Benson@propero.net wrote:

I don't know if this helps, but I have LDAP->AD replication working, but
there were a few problems to overcome including a slurpd mod.

This is based on a transformed replog on LDAP.

Passwords were the first challenge. The password attribute type in AD is
called unicodePWD and is a unicode representation of the plain text
password enclosed in double quotes ("secret"). The base64 representation of
the password secret is IgBzAGUAYwByAGUAdAAiAA=== see
http://support.microsoft.com/?kbid=269190 for more details.

This replication *must* be done using LDAP over SSL on say port 636. If you
try and set an AD password on plain LDAP (on say 389) it will fail (quite
right too!). Test this out using ldapmodify with -H
ldaps://your.ad.server:636. slurpd does LDAP over TLS/SSL using the
start_tls mechanism (tls=yes in the replica entry in slapd.conf). AFAIK
this doesn't work with AD because it doesn't support the start_tls extended
operation needed. This is why ldapsearch etc. with -Z fails with AD and
works with -H ldaps://your.ad.server:636.

To overcome this, I submitted a patch (to slapd and slurpd) that allows the
replica host to be specified as a URI ( replica
uri=ldaps://your.ad.server:636). I only submitted it yesterday!

I can now replicate LDAP ADD/MODIFY/DELETE to AD.

Mark Benson
Propero Ltd. UK.



|--------+------------------------------------>
|        |          Jerome Walter             |
|        |          <walter+openldap@efrei.fr>|
|        |          Sent by:                  |
|        |          owner-openldap-software@Op|
|        |          enLDAP.org                |
|        |                                    |
|        |                                    |
|        |          13/06/2003 07:40          |
|        |          Please respond to         |
|        |          walter+openldap           |
|        |                                    |
|--------+------------------------------------>
 >----------------------------------------------------------------------------------------------------------|
 |                                                                                                          |
 |       To:     OpenLDAP-software@OpenLDAP.org                                                             |
 |       cc:                                                                                                |
 |       Subject:     Re: Active directory and openldap                                                     |
 >----------------------------------------------------------------------------------------------------------|




On Wed, May 21, 2003 at 09:13:23AM -0700, Lon Tierney wrote:


What you will soon find is that you have to replicate all userPassword
values to AD in the clear - AD can not accept hashed or encrypted values.
So, if you store the passwords in the clear in your OpenLDAP server, you
should be fine.



Perhaps i don't get it, but having Trusted realm installed towards an Unix KDC, i have something like this in my AD ldif output :

altSecurityIdentities: Kerberos:walter@USERS.ES.EFREI.FR

You should understand that USERS.ES.EFREI.FR is the Unix (hem GNU/Linux)
KDC.

Having this, i am authenticating on the other KDC and get tickets from both
unix and AD realms without the need of the AD password for the user.

Don't we just need then to replicate _valid_ AD schema data into the LDAP
server of the AD DC to have the users working in the AD realm ?

I am also currently working on this and get stuck with the way to replicate
slapd data to AD server and/or the other way. Does someone did get this
working. It seems that University of Michigan has worked on this and setup
a
modified slurpd to get this working. Any info about this ? Anyone from
UMich
who could contribute ?

Best Regards,

Jerome Walter

--
-+--   Jérôme Walter -         I2 EFREI                            ----+-
Equipe Système - Efrei Robotique - Jap'Efrei - Erasmus Tutors
"The World is my country" - "Nihon no tomodachi desu"
EFREI System and Networking guide http://perso.efrei.fr/~walter/