
RE: OpenLDAP as proxy for Active Directory
The following is the config we are using in order to provide a read-only anonymous bind to our backend ADS directory.  In order for the rwm-mapping stuff to work without issues, you must apply the changes Pierangelo made. Namely, update the following files from HEAD:

servers/slapd/overlays/rwm.c
servers/slapd/overlays/rwm.h
servers/slapd/overlays/rwmmap.c
servers/slapd/back-meta/map.c



------------- Begin config ---------------
defaultsearchbase "dc=mydomain,dc=com"
#######################################################################
# Database definitions
#######################################################################
# back-ldap forwards every operation to the AD domain controller.  A plain
# ldap:// URI sends the simple-bind passwords below in clear text; use
# ldaps:// if the DC offers it.
database  ldap
uri       "ldap://ads.mydomain.com/"
lastmod   off
# AD returns referrals for the other naming contexts of the forest;
# do not follow them from the proxy.
chase-referrals no
suffix    "dc=mydomain,dc=com"

# Identity the proxy itself binds with to fetch the entries it needs for
# its own ACL evaluation.  The credentials are stored in clear text, so
# slapd.conf must be readable only by the user slapd runs as.
acl-bind
	bindmethod=simple
	binddn="cn=aclbrowser,ou=users,dc=mydomain,dc=com"
	credentials="MyPassword"
	authzID="aclbrowser"

# Identity used for the proxied client operations.  With mode=none no
# client identity is asserted towards AD: every (anonymous) search reaches
# AD as attrbrowser, so an anonymous client can see exactly what attrbrowser
# can read, minus whatever the rwm-map lines below hide.
idassert-bind
	bindmethod=simple
	binddn="cn=attrbrowser,ou=users,dc=mydomain,dc=com"
	credentials="MyPassword"
	mode=none

# This controls what attribs can be accessed by the LDAP proxy.
# Two names per line: <name clients see> <name in AD>; requests and results
# are translated between the two.  "entry" is the pseudo-attribute slapd's
# ACLs are evaluated against and must stay visible.
# The last rwm-map line maps all other attributes to nothing.
overlay rwm
rwm-map objectclass  account user
rwm-map attribute    uid     sAMAccountName
rwm-map attribute    cn      name
rwm-map attribute    sn      sn
rwm-map attribute    mail    mail
rwm-map attribute    company company
rwm-map attribute    entry   entry
rwm-map attribute    *

# Anonymous read access to the mapped (virtual) view only.
access to dn.subtree="dc=mydomain,dc=com"
	by * read
-------------- End config ----------------

-----Original Message-----
From: owner-openldap-software@OpenLDAP.org [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Marc Grober
Sent: Friday, October 14, 2005 4:08 PM
To: openldap-software@OpenLDAP.org
Subject: Re: OpenLDAP as proxy for Active Directory

Could you detail the steps you took to set up the proxy? We are trying to
accomplish the same kind of thing and I am knocking myself silly trying to
make this happen... Does the proxy require the admin DN/password?

On Fri, 14 Oct 2005 21:23:57 +0200, Jan Schmidt wrote
> Hi list,
> 
> I managed to set up OpenLDAP (2.2.23 on SuSE 9.3) as a read-only proxy 
> to our Active Directory using the ldap/meta backend. Now I've found 
> two annoying drawbacks.
> 
> (1) One strange behaviour is that an ldapsearch on the proxy returns 
> only a subset of the available attributes of the object. The same 
> ldapsearch against the Active Directory returns the full set.
> 
> (2) Active Directory allows uid@domain as bindDN. While slapd is 
> configured to be a proxy, it doesn't send the bindDN to the AD but 
> parses it. This results in an error message:
> 
>   <= ldap_bv2dn(uid@domain)=-4 Decoding error
>   bind: invalid dn (uid@domain)
> 
> I tried to do the rewrite stuff mentioned in slapd-meta.5 but it 
> doesn't work.
> 
> Can somebody give me some hints or has anyone got a fully functional 
> AD-proxy configuration?
> 
> Best regards,
>      Jan Schmidt
> 
> ---------------------------------------------------------------
> AG Anwendungen/Multimedia Rechenzentrum Universität Greifswald
> http://www.multimedia.uni-greifswald.de/
> Tel: +49 3834 861416 Fax: +49 3834 8680016
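As an added example, not part of this thread and not OpenLDAP's own code, the following Python models the rwm-map semantics of the config posted at the top: which names the proxy forwards to AD for a client search, and which attributes of an AD entry survive on the way back. This is what makes a mapped proxy return "only a subset" of an object's attributes, the effect Jan describes in (1), here applied deliberately. The AD entry is constructed for the example; two points are this model's assumptions rather than documented slapd behaviour: that the objectClass attribute is exempt from the lone `rwm-map attribute *` drop (only its values are mapped), and that a filter testing a hidden attribute is rejected instead of being forwarded.

```python
"""Model of the rwm-map semantics used by the proxy config at the top of this
thread (constructed illustration, not OpenLDAP code).  It shows which names the
proxy forwards to AD for a client search and which attributes of an AD entry
survive on the way back, i.e. why a mapped proxy returns only a subset."""
import re
from dataclasses import dataclass, field

@dataclass
class NameMap:
    to_real: dict = field(default_factory=dict)     # lower(virtual) -> real name
    to_virtual: dict = field(default_factory=dict)  # lower(real) -> virtual name
    removed: set = field(default_factory=set)       # lower(real) mapped to nothing
    drop_unmapped: bool = False                     # set by a lone `rwm-map <kind> *`

    def virtual_for(self, real):
        """Name a client sees for a real name, or None if the proxy hides it."""
        key = real.lower()
        if key in self.removed:
            return None
        return self.to_virtual.get(key, None if self.drop_unmapped else real)

    def real_for(self, virtual):
        """Name forwarded to AD for a client-supplied name, or None if not exposed."""
        key = virtual.lower()
        hidden = key in self.removed or self.drop_unmapped
        return self.to_real.get(key, None if hidden else virtual)

def parse_rwm_map(config_text):
    """Parse `rwm-map {attribute|objectclass} [<virtual>|*] {<real>|*}`: two names
    map virtual <-> real, one name removes that real name, a lone `*` removes all."""
    tables = {"attribute": NameMap(), "objectclass": NameMap()}
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 3 or parts[0].lower() != "rwm-map":
            continue
        table, names = tables[parts[1].lower()], parts[2:]  # KeyError on unknown kind
        if len(names) > 1:
            table.to_real[names[0].lower()] = names[1]
            table.to_virtual[names[1].lower()] = names[0]
        elif names[0] == "*":
            table.drop_unmapped = True
        else:
            table.removed.add(names[0].lower())
    return tables

def map_request(tables, attrs, filt):
    """Translate a client search (attribute list, RFC 4515 filter) into what goes to
    AD.  Hidden attributes drop out of the list; a filter testing a hidden name raises
    so it cannot be probed that way (this model's choice, not necessarily slapd's)."""
    at, oc = tables["attribute"], tables["objectclass"]
    real_attrs = []
    for name in attrs:
        real = at.real_for(name)
        if real is not None and real not in real_attrs:
            real_attrs.append(real)

    def rewrite(m):
        name, op, value = m.groups()
        is_oc = name.lower() == "objectclass"  # values use the oc table; name assumed kept
        real = oc.real_for(value) if is_oc else at.real_for(name)
        if real is None:
            raise ValueError(f"filter tests a name the proxy does not expose: {name}{op}{value}")
        return f"(objectClass{op}{real})" if is_oc else f"({real}{op}{value})"

    return real_attrs, re.sub(r"\(([A-Za-z][\w.;-]*)([=~<>:]+)([^)]*)\)", rewrite, filt)

def map_response(tables, entry):
    """Translate an AD entry {real name: [values]} into what the client receives;
    objectClass is assumed always kept, its values mapped through the oc table."""
    out = {}
    for name, values in entry.items():
        if name.lower() == "objectclass":
            mapped = (tables["objectclass"].virtual_for(v) for v in values)
            out["objectClass"] = [v for v in mapped if v is not None]
        elif (virtual := tables["attribute"].virtual_for(name)) is not None:
            out[virtual] = list(values)
    return out

# rwm-map lines from the config above (attribute name case as AD spells it).
PROXY_MAP = """
rwm-map objectclass  account user
rwm-map attribute    uid     sAMAccountName
rwm-map attribute    cn      name
rwm-map attribute    mail    mail
rwm-map attribute    entry   entry
rwm-map attribute    *
"""

# Constructed AD entry for the example; all values are made up.
AD_ENTRY = {
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "name": ["Jane Doe"], "sAMAccountName": ["jdoe"], "mail": ["jdoe@mydomain.com"],
    "memberOf": ["CN=Domain Admins,CN=Users,DC=mydomain,DC=com"],
}

if __name__ == "__main__":
    tables = parse_rwm_map(PROXY_MAP)
    print(map_request(tables, ["uid", "cn", "memberOf"], "(&(objectClass=account)(uid=jdoe))"))
    print(map_response(tables, AD_ENTRY))
```

Running it shows the request `(&(objectClass=account)(uid=jdoe))` leaving the proxy as `(&(objectClass=user)(sAMAccountName=jdoe))` with `memberOf` silently dropped from the attribute list, and the AD entry coming back with only objectClass, cn, uid and mail. Any attribute you forget to list in the rwm-map block is hidden the same way, so when a proxy like this "loses" attributes, the map is the first place to look.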