[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Using OpenLDAP to point to AD as address book
Hi,
"adp" <dap99@i-55.com> writes:
>> "adp" <dap99@i-55.com> writes:
>> > Okay, I have openldap-2.2.11 installed and running fine. I have a very
>> > minimal slapd configuration since all I'm doing is proxying for an AD
>> > directory.
>> [...]
>> > With or without binddn I can do an anon. search of AD fine. (That just
>> > returns the schema.) If I stop slapd then the anon connection fails
> totally.
>> > (This is just to ensure I'm testing against the right server.)
[...]
>> > (I will worry about ACLs and whatnot later.) From reading the slapd-meta
>> > manpage I thought this would do it, but it appears that I'm wrong.
>>
>> > Any ideas?
>>
>> Ask the developer of AD to allow anonymous bind on searches.
>
> Darn. Let me ask one more time just so that I am totally clear on this.
>
> Even with slapd-meta, there is no way to use openldap as a front-end to AD
> so that I can do an anon. search against cn=Users to scan for names (cn, sn)
> and email addresses (mail) to serve as an address book that can be
> anonymously used?
It is the administrators task to create access rules. AFAIK AD per
default only allows access by authenticated users. (but that
discussion is OFF TOPIC here).
> In other words, my only option is to dump the values I want from AD into a
> openldap databases on a regularly basis and have users just search the local
> directory instead of serving as a proxy to AD.
No, it is just an administrative task.
> Wow, I totally misread slapd-meta. I was thinking that with binddn this
> would all work.
You may read the discussion on ACL's in man slapd-meta(5), and you
might consider wether pseudorootdn would be an alternative.
[...]
-Dieter
--
Dieter Kluenter | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter(at)dkluenter.de
http://www.avci.de