
Still unable to configure glue and rwm overlay correctly



Hi,

I am attempting to configure OpenLDAP such that it acts as a
subordinate to a Microsoft Active Directory server, and presents a
unified directory tree to any applications.  The directory tree I am
aiming for is as follows:

	ou=XYZ, dc=xyz, dc=com				Microsoft Active Directory
	ou=Extranet, ou=XYZ, dc=xyz, dc=com	OpenLDAP bdb database (subordinate)

I was previously having problems with the rewrite rules required to
ensure that user and group objects within AD were transformed into
inetOrgPerson and groupOfNames objects like those being stored in
"ou=Extranet, ou=XYZ, dc=xyz, dc=com". Thanks to Howard Chu's response
I have altered my configuration file, and the rewriting now only occurs
for the directory entries stored within the AD portion.

The database section of my configuration file is now as follows:

	database        bdb
	suffix          "ou=Extranet, ou=XYZ, dc=xyz, dc=com"
	rootdn          "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz, dc=com"
	rootpw          secret
	directory       /usr/local/var/openldap-data
	index           objectClass eq

	database        ldap
	suffix          "ou=XYZ, dc=xyz, dc=com"
	uri             "ldap://dc1"

	acl-bind
	        bindmethod=simple
	        binddn="cn=Andrew Kay, ou=Users, ou=XYZ, dc=xyz, dc=com"
	        credentials="secret"

	idassert-bind
	        bindmethod=simple
	        binddn="cn=Andrew Kay, ou=Users, ou=XYZ, dc=xyz, dc=com"
	        credentials="secret"
	        mode=none
	        authzId="dn:cn=Andrew Kay, ou=Users, ou=XYZ, dc=xyz, dc=com"

	idassert-authzFrom "dn.children:ou=XYZ, dc=xyz, dc=com"

	overlay         rwm

	rwm-map objectclass inetOrgPerson user
	rwm-map objectclass groupOfNames group
	rwm-map attribute uid sAMAccountname
	rwm-map attribute cn name
	rwm-map attribute sn sn
	rwm-map attribute mail mail
	rwm-map attribute member member
	rwm-map attribute *

	overlay glue

	glue-sub "ou=Extranet, ou=XYZ, dc=xyz, dc=com"

With the above configuration, while the rewrite only occurs to
directory entries stored within the AD portion, the functionality I
expected from the glue overlay no longer appears.

If I perform a search with a base of "ou=XYZ, dc=xyz, dc=com", entries
from the "ou=Extranet, ou=XYZ, dc=xyz, dc=com" portion of the
directory are not retrieved unless I explicitly set the search base
to that portion.  Obviously, in order to unify the two databases, I
would wish entries from the "ou=Extranet, ou=XYZ, dc=xyz, dc=com"
portion of the directory to be included along with entries from the AD
portion when the search base is "ou=XYZ, dc=xyz, dc=com".

I am running OpenLDAP version 2.3.30.

I'd greatly appreciate any help I could get in achieving the correct
glue configuration.


Andrew


Below is an example showing how, unless the search base is explicitly set to the "ou=Extranet, ou=XYZ, dc=xyz, dc=com" portion of the directory, the entries are not retrieved:

	extranet:~# ldapsearch -x -D "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz, dc=com" -W -b "ou=XYZ, dc=xyz, dc=com" "(uid=john.smith)"
	Enter LDAP Password:
	# extended LDIF
	#
	# LDAPv3
	# base <ou=XYZ, dc=xyz, dc=com> with scope subtree
	# filter: (uid=john.smith)
	# requesting: ALL
	#

	# search result
	search: 2
	result: 0 Success

	# numResponses: 1
	extranet:~# ldapsearch -x -D "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz, dc=com" -W -b "ou=Extranet, ou=XYZ, dc=xyz, dc=com" "(uid=john.smith)"
	Enter LDAP Password:
	# extended LDIF
	#
	# LDAPv3
	# base <ou=Extranet, ou=XYZ, dc=xyz, dc=com> with scope subtree
	# filter: (uid=john.smith)
	# requesting: ALL
	#

	# John Smith, Users, Extranet, XYZ, xyz.com
	dn: cn=John Smith,ou=Users,ou=Extranet,ou=XYZ,dc=xyz,dc=com
	objectClass: inetOrgPerson
	cn: John Smith
	sn: Smith
	uid: john.smith
	userPassword:: am9obi5zbWl0aA==

	# search result
	search: 2
	result: 0 Success

	# numResponses: 2
	# numEntries: 1
	extranet:~#
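The behaviour the post expects from glue, a subtree search at the superior suffix also reaching entries under the subordinate suffix, modelled as an added example that is not part of the original message or of OpenLDAP's source. It uses the two suffixes from the slapd.conf above; the dispatch rule (longest-suffix match without glue, plus subordinates below the base with glue) is a simplification of slapd's routing and is stated here as an assumption.

```python
from __future__ import annotations

# Suffixes from the posted slapd.conf, subordinate listed first as in the file.
SUBORDINATE = "ou=Extranet, ou=XYZ, dc=xyz, dc=com"   # bdb database
SUPERIOR = "ou=XYZ, dc=xyz, dc=com"                    # back-ldap proxy to AD
SUFFIXES = [SUBORDINATE, SUPERIOR]


def normalize_dn(dn: str) -> list[str]:
    """Split a DN into RDNs, dropping the whitespace that slapd.conf and
    ldapsearch allow after commas and folding case, so that
    "ou=XYZ, dc=xyz, dc=com" and "ou=xyz,dc=xyz,dc=com" compare equal."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def is_within(dn: str, suffix: str) -> bool:
    """True when dn equals suffix or lies below it in the tree."""
    d, s = normalize_dn(dn), normalize_dn(suffix)
    return len(d) >= len(s) and d[-len(s):] == s


def backends_for_search(base: str, scope: str, suffixes: list[str],
                        glued: bool) -> list[str]:
    """Return the suffixes whose backend must handle a search at `base`.

    Assumed rule: without glue slapd hands the operation to the single
    database whose suffix is the longest match for the base, so a second
    backend never sees it. With glue, a subtree (or, for a direct child,
    onelevel) search whose base sits above a subordinate suffix is also
    forwarded to that subordinate, which is what yields one unified tree.
    """
    owners = [s for s in suffixes if is_within(base, s)]
    if not owners:
        return []                      # base is outside every naming context
    owner = max(owners, key=lambda s: len(normalize_dn(s)))
    chosen = [owner]
    if glued and scope in ("sub", "one"):
        base_depth = len(normalize_dn(base))
        for s in suffixes:
            if s == owner or not is_within(s, base):
                continue
            depth = len(normalize_dn(s)) - base_depth
            if scope == "sub" or depth == 1:
                chosen.append(s)
    return chosen


if __name__ == "__main__":
    # Reproduces the two ldapsearch runs above, with and without glue.
    for glued in (False, True):
        for base in (SUPERIOR, SUBORDINATE):
            print(f"glue={glued!s:5} base={base!r:40} -> "
                  f"{backends_for_search(base, 'sub', SUFFIXES, glued)}")
```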