
Re: Using rewrite and map (slapo-rwm) to unify subordinate OpenLDAP with Active Directory



<quote who="Andrew Kay">
> Gavin,
>
> Thanks for your reply.  Apologies for the delay in replying, I've been
> away from a computer for the past two days.

Did you see Howard's reply?

"You need to configure the rwm overlay so that it only applies to the
main DB. You do this by explicitly configuring the position of the glue
overlay, putting it above the rwm overlay:

database ldap
suffix dc=xyz,dc=com
...
overlay rwm
...
overlay glue
"

>
> The database portion of my configuration file is currently:
>
> database        bdb
> suffix          "ou=Extranet, ou=XYZ, dc=xyz, dc=com"
> subordinate
> rootdn          "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz, dc=com"
> rootpw          secret
> directory       /usr/local/var/openldap-data
> index           objectClass eq
>
> database        ldap
> suffix          "ou=XYZ, dc=xyz, dc=com"
> uri             "ldap://dc1";
>
> acl-bind
>         bindmethod=simple
>         binddn="cn=Andrew Kay, ou=Users, ou=XYZ, dc=xyz, dc=com"
>         credentials="secret"
>
> idassert-bind
>         bindmethod=simple
>         binddn="cn=Andrew Kay, ou=Users, ou=XYZ, dc=xyz, dc=com"
>         credentials="secret"
>         mode=none
>         authzId="dn:cn=Andrew Kay, ou=Users, ou=XYZ, dc=xyz, dc=com"
>
> idassert-authzFrom "dn.children:ou=XYZ, dc=xyz, dc=com"
>
> overlay         rwm
> rwm-map		objectclass inetOrgPerson user
> rwm-map		objectclass groupOfNames group
> rwm-map		attribute uid sAMAccountname
> rwm-map		attribute cn name
> rwm-map		attribute sn sn
> rwm-map		attribute mail mail
> rwm-map		attribute member member
> rwm-map		attribute *
>
> If I run a query against a user from the AD portion of the directory:
>
> extranet:~# ldapsearch -x -D "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz,
> dc=com" -W -b "ou=Users, ou=XYZ, dc=xyz, dc=com" "(cn=Andrew Kay)"
> ...
>
> # Andrew Kay, Users, XYZ, xyz.com
> dn: cn=Andrew Kay,ou=Users,ou=XYZ,dc=xyz,dc=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> sn: Kay
> cn: Andrew Kay
> uid: Andrew
> mail: andrew.kay@xyz.com
>
> ...
> extranet:~#
>
> The AD user is successfully mapped to an inetOrgPerson, if I run a
> query against a user from the OpenLDAP portion of the directory where
> the user is already an inetOrgPerson:
>
> extranet:~# ldapsearch -x -D "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz,
> dc=com" -W -b "ou=Extranet, ou=XYZ, dc=xyz, dc=com" "(cn=John Smith)"
> ...
>
> # John Smith, Users, Extranet, XYZ, xyz.com
> dn: cn=John Smith,ou=Users,ou=Extranet,ou=XYZ,dc=xyz,dc=com
> objectClass: inetOrgPerson
> sn: Smith
>
> ...
> extranet:~#
>
> The result is missing the uid field.  If I comment out all rwm
> directives in the configuration and perform the same query (after
> restarting OpenLDAP), I get the following:
>
> extranet:~# ldapsearch -x -D "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz,
> dc=com" -W -b "ou=Extranet, ou=XYZ, dc=xyz, dc=com" "(cn=John Smith)"
> ...
>
> # John Smith, Users, Extranet, XYZ, xyz.com
> dn: cn=John Smith,ou=Users,ou=Extranet,ou=XYZ,dc=xyz,dc=com
> objectClass: inetOrgPerson
> cn: John Smith
> sn: Smith
> uid: john.smith
> userPassword:: am9obi5zbWl0aA==
>
> ...
> extranet:~#
>
> If I query the AD portion of the directory I receive the unaltered
> user, with AD schema attributes such as SAMAccountName.
>
>
> Andrew
>