
Re: problems with slapd-ldap and overlays in using OpenLDAP as an LDAP proxy



On 8/6/07, Pierangelo Masarati  wrote:
> DePriest, Jason R. wrote:
> > I am a complete newbie with OpenLDAP.  I have worked with Windows NT
> > Domains and Active Directory for a long time.  I've also worked with
> > Microsoft ADAM and CA's eTrust Admin Directory.
> >
> > However, I am having trouble getting OpenLDAP to perform what I think
> > are basic functions.
> >
> > I have a Debian GNU/Linux Etch system with a 2.6.18 kernel.
> >
> > slapd reports a version of 2.3.30.
>
> slapd-ldap(5) saw some significant enhancement around 2.3.34 or so; I'd
> recommend updating to the latest (2.3.37 right now).
>

I was able to get slapd 2.3.35 from Debian's testing tree.  The
unstable tree has the same version.
If I need to go higher, I can just compile it myself.

> >
> > I have slapd running and I am able to authenticate with the local admin account.
> >
> > What I want is for it to take requests for domain.com, ask the real
> > domain.com LDAP server (Active Directory) to handle it, then provide
> > the answer to the client.
> >
> > I want to have an OpenLDAP server in my DMZ proxy connections to my
> > internal network without actually storing any account information
> > locally (except for the local admin).
> >
> > I think this is the relevant configuration information (comments removed):
> > include         /etc/ldap/schema/core.schema
> > include         /etc/ldap/schema/cosine.schema
> > include         /etc/ldap/schema/nis.schema
> > include         /etc/ldap/schema/inetorgperson.schema
> > pidfile         /var/run/slapd/slapd.pid
> > argsfile        /var/run/slapd/slapd.args
> > loglevel        0
> > modulepath      /usr/lib/ldap
> > moduleload      back_bdb
> > moduleload      back_ldap
>
> moduleload rwm

Done.  I thought I had tried this, but apparently not.  Unless
something changed between 2.3.30 and 2.3.35.

>
> > sizelimit 500
> > tool-threads 1
> > backend         bdb
> > checkpoint 512 30
> > database        ldap
> > lastmod         off
>
> ^^^ not needed

Deleted this line.

>
> > uri             "ldap://server.domain.com";
> > map attribute   uid     sAMAccountName
> > map attribute   cn      name
> > map attribute   mail    userPrincipalName
> > map objectclass account user
> > map attribute   *
> > idassert-bind   bindmethod=simple
> >                binddn="cn=<USER>,ou=<CONTAINER>,dc=domain,dc=com"
> >                credentials="<password>"
> >                method=self
> > chase-referrals yes
>
> ^^^ this might give undesired effects; only activate if strictly
> required, and after careful testing.

Commented this line out.

>
> > database        bdb
> > suffix          "dc=domain,dc=com"
> > rootdn          "cn=<USER>,ou=<CONTAINER>,dc=domain,dc=com"
> > directory       "/var/lib/ldap"
> > dbconfig set_cachesize 0 2097152 0
> > dbconfig set_lk_max_objects 1500
> > dbconfig set_lk_max_locks 1500
> > dbconfig set_lk_max_lockers 1500
> > index           objectClass eq
> > lastmod         on
> > access to attrs=userPassword,shadowLastChange
> >        by dn="cn=admin,dc=ftbco,dc=ftn,dc=com" write
> >        by anonymous auth
> >        by self write
> >        by * none
> > access to dn.base="" by * read
> > access to *
> >        by dn="cn=admin,dc=ftbco,dc=ftn,dc=com" write
> >        by * read
> >

[ cut out my errors from first post ]

>
> p.
>
>
>
> Ing. Pierangelo Masarati
> OpenLDAP Core Team
>
> SysNet s.r.l.
> via Dossi, 8 - 27100 Pavia - ITALIA
> http://www.sys-net.it
> ---------------------------------------
> Office:  +39 02 23998309
> Mobile:  +39 333 4963172
> Email:   pierangelo.masarati@sys-net.it
> ---------------------------------------
>
>
>

slapd runs with no critical errors.  I can connect and bind with
the local admin account.

I cannot seem to get it to reach out to the other LDAP server.  It
just searches itself and gives up when it cannot find what it is
looking for.

There are no errors, it just finds 0 matches.

I don't have rootDSE set anywhere.  Do I need that for this to work?

-Jason
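An added, worked slapd.conf layout for the proxy setup discussed in this thread (this is an editor's example, not a configuration posted by either participant, and it has not been tested against this specific environment). Two points it illustrates: slapd chooses which database answers a request by the longest matching suffix, and the `database ldap` section in the quoted config carries no `suffix` directive, so nothing is ever routed to it while the bdb database, which does own `dc=domain,dc=com`, answers every search from its own (empty) contents; and the `map` directives are implemented by the rwm overlay, which is why `moduleload rwm` was suggested. Because no two databases may serve the same suffix, the local admin account is kept in a separate, locally served naming context here. The host name, container, `dc=proxy-local` suffix, proxy user and password are placeholders; the `idassert-bind` keyword is `mode=` (the quoted config has `method=`). Comments sit on their own lines because slapd.conf does not accept trailing comments.

```conf
# Added example, not a configuration from the thread.  OpenLDAP 2.3.x
# slapd.conf: requests under dc=domain,dc=com are forwarded to the
# remote server; only the local admin lives in the bdb database.
# Host names, DNs, container names and the password are placeholders.

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

# 256 (stats) logs each operation and its result, which shows whether
# the proxy database or the local one handled a search.  Set back to 0
# once the forwarding is confirmed.
loglevel        256

modulepath      /usr/lib/ldap
moduleload      back_bdb
moduleload      back_ldap
# the rwm overlay owns the attribute/objectclass mapping directives
moduleload      rwm

sizelimit       500
tool-threads    1

# ---- proxy database: everything under dc=domain,dc=com goes remote ----
database        ldap
# slapd routes by suffix; without this line nothing reaches the proxy
suffix          "dc=domain,dc=com"
uri             "ldap://server.domain.com"

# identity the proxy uses on behalf of an already-bound client
idassert-bind   bindmethod=simple
                binddn="cn=<PROXY_USER>,ou=<CONTAINER>,dc=domain,dc=com"
                credentials="<password>"
                mode=self

# left disabled, as advised earlier in the thread
#chase-referrals yes

# name mapping between the local view and the remote server;
# attributes that are not listed pass through unchanged by default
overlay         rwm
rwm-map         attribute   uid     sAMAccountName
rwm-map         attribute   cn      name
rwm-map         attribute   mail    userPrincipalName
rwm-map         objectclass account user

# ACLs are evaluated for the proxy database as well; on a DMZ host
# the remote directory should not be readable by anonymous clients
access to *
       by users read
       by * none

# ---- local database: holds only the admin account ----
database        bdb
# placeholder suffix; it must differ from the proxied one
suffix          "dc=proxy-local"
rootdn          "cn=admin,dc=proxy-local"
# placeholder; generate the hash with slappasswd
rootpw          {SSHA}<hash-from-slappasswd>
directory       "/var/lib/ldap"
dbconfig        set_cachesize 0 2097152 0
dbconfig        set_lk_max_objects 1500
dbconfig        set_lk_max_locks 1500
dbconfig        set_lk_max_lockers 1500
index           objectClass eq
lastmod         on

access to attrs=userPassword
       by anonymous auth
       by self write
       by * none
access to dn.base="" by * read
access to *
       by dn="cn=admin,dc=proxy-local" write
       by users read
       by * none
```

To check the routing, bind to the proxy as a remote account and search with the local attribute names, e.g. `ldapsearch -x -H ldap://<proxy-host> -D "cn=<someone>,ou=<CONTAINER>,dc=domain,dc=com" -W -b "dc=domain,dc=com" "(uid=<someone>)"`; with `loglevel 256` the slapd log then shows the SRCH and RESULT lines for that operation, and a search that still returns 0 entries with no forwarded connection points at the suffix or module lines above. Since the file carries the `idassert-bind` credentials, keep it readable only by the user slapd runs as.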