Re: OpenLDAP as proxy for Active Directory
On Fri, 2005-10-14 at 21:23 +0200, Jan Schmidt wrote:
> Hi list,
>
> I managed to set up OpenLDAP (2.2.23 on SuSE 9.3) as a read-only proxy to our
> Active Directory using the ldap/meta backend. Now I've found two annoying
> drawbacks.
>
> (1) One strange behaviour is that an ldapsearch on the proxy returns only a
> subset of the available attributes of the object. The same ldapsearch to the
> Active Directory returns the full set.
You need to define the attributes you want to see in slapd's schema.
Or, if you use a recent 2.3 (>=2.3.7), the so-called "proxied"
attributes (undefined attributes, after they are first returned by a
search through a proxy backend) will show up with minimal syntax checks.
>
> (2) Active Directory allows uid@domain as bindDN. While slapd is configured
> to be a proxy, it doesn't send the bindDN to the AD but parses it. This
> results in an error message:
>   <= ldap_bv2dn(uid@domain)=-4 Decoding error
>   bind: invalid dn (uid@domain)
> I tried the rewrite stuff mentioned in slapd-meta.5 but it doesn't work.
That cannot work because rewriting occurs __after__ the frontend
validated the incoming data.
>
> Can somebody give me some hints or has anyone got a fully functional
> AD-proxy configuration?
Provided AD supports the proxyAuthz control (draft-weltman-ldapv3-proxy;
I'm not 100% sure), and provided you use 2.3.11 with a fix I just
committed to back-ldap (servers/slapd/back-ldap/bind.c 1.129 -> 1.130),
you can obtain what you need by using SASL bind plus idassert; you need
to set up SASL so that authentication is propagated to the AD; you should
ask some SASL expert what the most appropriate way to achieve that is.
Then you need to configure the proxy slapd.conf as:
database        ldap
suffix          "dc=domain"
uri             "ldap://ad.domain"
idassert-bind   bindmethod=simple
                binddn="cn=admin,dc=domain"
                credentials="secret"
                method=self
p.
SysNet - via Dossi, 8 - 27100 Pavia - Tel: +39 0382 573859 - Fax: +39 0382 476497
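The reply's point about (2) is that the frontend validates the bind DN (ldap_bv2dn) before any back-ldap/back-meta rewrite rule runs, so a UPN such as "uid@domain" is rejected at the door. As an added illustration that is not part of the original thread and not OpenLDAP's own parser, the following constructed Python implements a minimal RFC 4514 DN parser and a classifier that distinguishes a syntactically valid DN from a UPN-style identity; the sample identities are made up for the demonstration.

```python
"""Minimal RFC 4514 DN parser (constructed illustration, not OpenLDAP code).

Shows why "uid@domain" cannot be a bind DN: it has no "type=value" RDN,
so DN decoding fails before a proxy backend ever sees the bind request.
"""
import re


class DNDecodeError(ValueError):
    """Raised when a string is not a syntactically valid LDAP DN."""


# RFC 4514 attribute type: a descriptor (keystring) or a dotted numeric OID
_ATTR_TYPE = re.compile(r'[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)*')
_HEX2 = re.compile(r'[0-9A-Fa-f]{2}')


def _split_unescaped(text, sep):
    """Split text on sep, skipping separators preceded by a backslash."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == '\\' and i + 1 < len(text):
            cur.append(text[i:i + 2])      # keep the escape pair intact
            i += 2
            continue
        if ch == sep:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append(''.join(cur))
    return parts


def _decode_value(raw):
    """Decode an attribute value: '\\XX' hex pairs and '\\<special>' escapes."""
    raw = raw.lstrip(' ')
    while raw.endswith(' ') and not raw.endswith('\\ '):
        raw = raw[:-1]                     # drop unescaped trailing spaces
    if raw.startswith('#'):                # BER value as hex string, kept verbatim
        if not re.fullmatch(r'#(?:[0-9A-Fa-f]{2})+', raw):
            raise DNDecodeError('bad hex value: %r' % raw)
        return raw
    out, i = bytearray(), 0
    while i < len(raw):
        ch = raw[i]
        if ch == '\\':
            pair = raw[i + 1:i + 3]
            if _HEX2.fullmatch(pair):      # \XX encodes one raw byte
                out.append(int(pair, 16))
                i += 3
                continue
            nxt = raw[i + 1:i + 2]
            if nxt and nxt in ' #"+,;<=>\\':
                out.extend(nxt.encode('utf-8'))
                i += 2
                continue
            raise DNDecodeError('bad escape in %r' % raw)
        if ch in '"+,;<>':
            raise DNDecodeError('unescaped %r in %r' % (ch, raw))
        out.extend(ch.encode('utf-8'))
        i += 1
    try:
        return out.decode('utf-8')
    except UnicodeDecodeError:
        raise DNDecodeError('value is not valid UTF-8: %r' % raw)


def parse_dn(dn):
    """Parse a DN string into a list of RDNs, each a list of (type, value)."""
    if dn == '':
        return []                          # the empty DN (root DSE) is valid
    rdns = []
    for rdn in _split_unescaped(dn, ','):
        avas = []
        for ava in _split_unescaped(rdn, '+'):
            if '=' not in ava:
                raise DNDecodeError('no "=" in RDN component %r' % ava)
            atype, value = ava.split('=', 1)
            atype = atype.strip(' ')
            if not _ATTR_TYPE.fullmatch(atype):
                raise DNDecodeError('bad attribute type %r' % atype)
            avas.append((atype.lower(), _decode_value(value)))
        rdns.append(avas)
    return rdns


def is_valid_dn(dn):
    """True if dn decodes under the RFC 4514 grammar above."""
    try:
        parse_dn(dn)
        return True
    except DNDecodeError:
        return False


def classify_bind_identity(name):
    """'dn' for a valid DN, 'upn' for user@domain style, else 'invalid'."""
    if is_valid_dn(name):
        return 'dn'
    if re.fullmatch(r'[^@\s,=]+@[^@\s,=]+', name):
        return 'upn'
    return 'invalid'


if __name__ == '__main__':
    # Constructed sample identities for the demonstration.
    for ident in ('cn=admin,dc=domain', 'uid@domain', 'no equals here'):
        print('%-22s -> %s' % (ident, classify_bind_identity(ident)))
```

A "upn" result is exactly the case the reply describes: the string is not a DN, so no rewrite rule can fire; the identity has to reach the directory by another route, such as the SASL bind plus idassert arrangement suggested above.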