Hi,
I am attempting to configure OpenLDAP such that it acts as a
subordinate to a Microsoft Active Directory server, and presents a
unified directory tree to any applications. The directory tree I am
aiming for is as follows:
ou=XYZ, dc=xyz, dc=com                 Microsoft Active Directory
ou=Extranet, ou=XYZ, dc=xyz, dc=com    OpenLDAP bdb database (subordinate)
I was previously having problems with the rewrite rules required to
ensure that user and group objects within AD were transformed into
inetOrgPerson and groupOfNames objects that are being stored in the
"ou=Extranet, ou=XYZ, dc=xyz, dc=com" portion. Thanks to Howard Chu's
response, I have altered my configuration file, and the rewriting now
only occurs for the directory entries stored within the AD portion.
The database section of my configuration file is now as follows:
# Subordinate database holding the Extranet entries (defined before its superior)
database        bdb
suffix          "ou=Extranet, ou=XYZ, dc=xyz, dc=com"
rootdn          "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz, dc=com"
rootpw          secret
directory       /usr/local/var/openldap-data
index           objectClass eq

# Proxy database forwarding everything under ou=XYZ to Active Directory
database        ldap
suffix          "ou=XYZ, dc=xyz, dc=com"
uri             "ldap://dc1"
# Identity the proxy uses to fetch entries for access-control checks
# (indented lines continue the directive on the line above)
acl-bind        bindmethod=simple
                binddn="cn=Andrew Kay, ou=Users, ou=XYZ, dc=xyz, dc=com"
                credentials="secret"
# Identity asserted to AD on behalf of local users
idassert-bind   bindmethod=simple
                binddn="cn=Andrew Kay, ou=Users, ou=XYZ, dc=xyz, dc=com"
                credentials="secret"
                mode=none
                authzID="dn:cn=Andrew Kay, ou=Users, ou=XYZ, dc=xyz, dc=com"
# Local identities for which the proxy identity may be asserted
idassert-authzFrom "dn.children:ou=XYZ, dc=xyz, dc=com"

# Map AD object classes and attributes onto the inetOrgPerson/groupOfNames view
overlay         rwm
rwm-map         objectclass inetOrgPerson user
rwm-map         objectclass groupOfNames group
rwm-map         attribute uid sAMAccountName
rwm-map         attribute cn name
rwm-map         attribute sn sn
rwm-map         attribute mail mail
rwm-map         attribute member member
rwm-map         attribute *

# Glue overlay and the subordinate suffix it is meant to pull into this tree
overlay         glue
glue-sub        "ou=Extranet, ou=XYZ, dc=xyz, dc=com"
With the above configuration, while the rewrite only occurs for
directory entries stored within the AD portion, the functionality I
expected from the glue overlay no longer appears to work.
If I perform a search with the base "ou=XYZ, dc=xyz, dc=com", entries
from the "ou=Extranet, ou=XYZ, dc=xyz, dc=com" portion of the
directory are not retrieved unless I explicitly set the search base
to that portion. Obviously, in order to unify the two databases, I
would wish entries from the "ou=Extranet, ou=XYZ, dc=xyz, dc=com"
portion of the directory to be included along with entries from the AD
portion when the search base is "ou=XYZ, dc=xyz, dc=com".
I am running OpenLDAP version 2.3.30.
I'd greatly appreciate any help I could get in achieving the correct
glue configuration.
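An added example, not the configuration posted above and not a reply from this thread: the same two-database layout written with the `subordinate` keyword that OpenLDAP 2.3's slapd.conf(5) documents for gluing a database into its superior, instead of `overlay glue`/`glue-sub`. It also applies the two hardening steps a reviewer would ask for with this kind of proxy: the AD proxy account's password crosses the network on every bind, so the URI is ldaps:// (this assumes dc1 listens on port 636 with a certificate the OpenLDAP host trusts), and the rootpw is a slappasswd hash rather than cleartext. The bind account, password values and the `{SSHA}` string are placeholders.

```conf
# Added example: two-database layout glued with "subordinate" (OpenLDAP 2.3+).
# Assumptions: dc1 serves LDAPS on 636, the proxy account exists in AD, and the
# rootpw/credentials values are placeholders. Keep this file mode 0600 and owned
# by the slapd user, since it carries the AD account's password.

# Local database, kept before its superior as in the posted configuration, and
# marked as a subordinate of the database whose suffix is its parent.
database        bdb
suffix          "ou=Extranet,ou=XYZ,dc=xyz,dc=com"
subordinate
rootdn          "cn=Manager,ou=Extranet,ou=XYZ,dc=xyz,dc=com"
# Hash produced by slappasswd, not the cleartext password (placeholder value).
rootpw          "{SSHA}replace-with-slappasswd-output"
directory       /usr/local/var/openldap-data
index           objectClass eq

# Proxy database: superior of ou=Extranet, forwarding everything else to AD.
database        ldap
suffix          "ou=XYZ,dc=xyz,dc=com"
# ldaps:// so the simple-bind credentials below are not sent in cleartext
# (assumes dc1 listens on 636 with a certificate this host trusts).
uri             "ldaps://dc1"
acl-bind        bindmethod=simple
                binddn="cn=Andrew Kay,ou=Users,ou=XYZ,dc=xyz,dc=com"
                credentials="placeholder"
idassert-bind   bindmethod=simple
                binddn="cn=Andrew Kay,ou=Users,ou=XYZ,dc=xyz,dc=com"
                credentials="placeholder"
                mode=none
                authzID="dn:cn=Andrew Kay,ou=Users,ou=XYZ,dc=xyz,dc=com"
# Only local identities under ou=XYZ may have the proxy identity asserted.
idassert-authzFrom "dn.children:ou=XYZ,dc=xyz,dc=com"

# Present AD users and groups as inetOrgPerson/groupOfNames. The overlay is
# attached to this back-ldap database only, so the real inetOrgPerson and
# groupOfNames entries under ou=Extranet are left untouched.
overlay         rwm
rwm-map         objectclass inetOrgPerson user
rwm-map         objectclass groupOfNames  group
rwm-map         attribute   uid           sAMAccountName
rwm-map         attribute   cn            name
rwm-map         attribute   sn            sn
rwm-map         attribute   mail          mail
rwm-map         attribute   member        member
rwm-map         attribute   *
```

To check the glue after restarting slapd, run an anonymous or bound `ldapsearch -x -H ldap://localhost -b "ou=XYZ,dc=xyz,dc=com" -s sub "(objectClass=inetOrgPerson)"` and confirm that the result contains both rewritten AD users and the entries whose DN ends in `ou=Extranet,ou=XYZ,dc=xyz,dc=com`; a second search with `-b "ou=Extranet,ou=XYZ,dc=xyz,dc=com"` should return exactly the second set, which shows the subordinate database is reached both directly and through its superior.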